Legal

Privacy Policy

Effective date: 1 January 2026 · Version 1.0

⚠ Draft — Replace with your finalised legal text This page is a structural skeleton for a UK GDPR-compliant privacy notice. The section structure and data category tables reflect common SaaS/API platform practices; however, the body text must be reviewed and approved by your legal counsel and a qualified DPO before this page goes live.

Contents

Who We Are
What Data We Collect
How We Use Your Data
Legal Basis for Processing
Third Parties and Data Sharing
International Transfers
Data Retention
Security
Your Rights
Cookies
Children's Privacy
Changes to This Policy
Contact & Complaints

1. Who We Are

1FRX Ltd ("1FRX", "we", "us", "our") is the data controller responsible for your personal data in connection with the 1FRX platform and services. We are registered in England and Wales.

[PLACEHOLDER — Company registration number, registered address, ICO registration number.]

Questions or requests relating to this Privacy Policy should be sent to hello@1frx.com.

2. What Data We Collect

We collect the following categories of data, depending on how you interact with us:

Category	Examples	Source
Account data	Name, email address, company name, billing address	Provided directly by you on sign-up
Authentication data	Hashed passwords, API key identifiers (not raw keys)	Generated on account creation
Usage data	API call timestamps, endpoint called, response codes, credit consumption	Automatically collected during API use
Technical data	IP address, browser type, device OS, referring URL	Automatically collected via server logs and analytics
Payment data	Last 4 digits, card type, billing postcode	Provided by payment processor (we do not store full card numbers)
Content data	Prompts, uploaded documents, configuration inputs submitted to the API	Provided directly by you during API use
Communications data	Emails, support messages	Provided directly by you

    Camera and voice data (Aria / video call features): If you use the voice assistant or video call features, your microphone and camera may be accessed in your browser. Audio frames are processed in real time for voice recognition and are not stored or logged after processing. Camera frames used for contextual awareness are discarded immediately after analysis.
  

3. How We Use Your Data

We use your data for the following purposes:

Providing the Services: Authenticating your account, processing API requests, and delivering outputs.
Billing and payments: Processing subscriptions, issuing invoices, and managing your plan.
Account management: Sending transactional emails (e.g. API key alerts, billing notifications).
Security and fraud prevention: Detecting and preventing misuse, abuse, and unauthorised access.
Product improvement: Analysing aggregated, anonymised usage patterns to improve platform performance and features.
Legal compliance: Meeting obligations under applicable law (e.g. financial record-keeping, AML/KYC where applicable).
Marketing communications: Sending product updates and announcements, where you have opted in or where we have a legitimate interest (you can unsubscribe at any time).

4. Legal Basis for Processing (UK GDPR)

Purpose	Legal basis
Providing the contracted Services	Performance of a contract (Art. 6(1)(b))
Billing and financial records	Legal obligation (Art. 6(1)(c))
Security, fraud prevention	Legitimate interests (Art. 6(1)(f))
Product analytics (aggregated)	Legitimate interests (Art. 6(1)(f))
Marketing emails (opted-in)	Consent (Art. 6(1)(a))
Marketing emails (existing customers)	Legitimate interests (Art. 6(1)(f)), subject to soft opt-out

5. Third Parties and Data Sharing

We do not sell your personal data. We may share data with the following categories of third parties as necessary to operate the platform:

Payment processors: [PLACEHOLDER — e.g. Stripe] to handle billing. They act as data controllers for payment data under their own privacy policies.
Infrastructure providers: [PLACEHOLDER — e.g. Vercel, Cloudflare, AWS] for hosting and CDN services. Data is processed under data processing agreements.
AI model providers: [PLACEHOLDER — e.g. Anthropic, OpenAI] for AI-powered features. Inputs submitted to these services are subject to their respective data policies.
Analytics providers: [PLACEHOLDER — e.g. Plausible, PostHog] for aggregated usage analytics.
Legal and regulatory authorities: Where required by applicable law, court order, or regulatory request.

6. International Transfers

Some of our service providers are located outside the UK and EEA. Where data is transferred internationally, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or equivalent standard contractual clauses. [PLACEHOLDER — list specific countries/regions if known.]

7. Data Retention

Data type	Retention period
Account data	Duration of account + [X years] after deletion
API usage logs	[90 days] rolling
Billing records	7 years (UK legal requirement)
Support correspondence	[2 years] from last interaction
Voice / camera frames	Not retained — processed in real time and discarded
Submitted content (prompts, documents)	[PLACEHOLDER — state whether you retain these and for how long]

8. Security

We implement appropriate technical and organisational measures to protect your data, including:

HTTPS/TLS encryption for all data in transit.
HMAC-signed API keys that are hashed at rest — raw keys are never stored after generation.
Access controls restricting data access to authorised personnel only.
Regular security reviews of API endpoints and infrastructure.

No transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay where required.

9. Your Rights

Under the UK GDPR, you have the following rights with respect to your personal data:

Access Request a copy of the personal data we hold about you.

Rectification Request correction of inaccurate or incomplete data.

Erasure Request deletion of your data where there is no lawful reason to retain it.

Restriction Request that we limit the processing of your data in certain circumstances.

Portability Receive your data in a structured, machine-readable format.

Object Object to processing based on legitimate interests or for direct marketing.

Withdraw consent Where processing is based on consent, withdraw it at any time.

Automated decisions Not be subject to solely automated decisions that significantly affect you.

To exercise any of these rights, email hello@1frx.com. We will respond within one calendar month. We may ask you to verify your identity before processing the request.

10. Cookies

We use cookies and similar tracking technologies as follows:

Cookie	Type	Purpose
`session`	Strictly necessary	Maintains your authenticated session.
[PLACEHOLDER]	Analytics	Aggregated, anonymised usage statistics.

Strictly necessary cookies cannot be disabled without impacting the functionality of the Services. Analytics cookies require your consent where applicable.

11. Children's Privacy

The Services are not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@1frx.com and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and notify account holders by email at least 14 days before the changes take effect. The current version is always available at 1frx.com/privacy.html.

13. Contact & Complaints

For privacy-related queries or to exercise your rights:

Email: hello@1frx.com
Subject line: Privacy Request — [your name]
[PLACEHOLDER — Registered address]

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.