
Privacy Policy

Last updated: 1st May, 2026

This Privacy Policy explains how Cyphic ("we", "us") collects, processes and protects personal data in connection with Cyphic AI APIs, Cyphic Cloud managed services, Cyphic 360 tiers, and our website. It applies to website visitors, prospective customers, account holders, end users of customer applications and partners. By using any Cyphic service you acknowledge this Policy and our Data Processing Addendum.

1. Data controller and processor roles

Cyphic Ltd. acts as the data controller for the Cyphic website, marketing communications and account management activities. When we score or evaluate signals submitted by customers through the Cyphic AI API, Cloud or 360 services, we act as a data processor on behalf of that customer. Our Data Protection Officer (DPO) can be reached by visiting the Contact page and choosing "Complaints" or "Privacy".

Where Cyphic operates under a written Data Processing Addendum, that DPA supersedes any conflicting term in this Policy.

2. Categories of data we collect

  • Account data — name, work email, company, role, billing currency, locale, password hash, MFA factors.
  • Telemetry — request counts, latency, error codes, region, SDK version, IP truncated to /24. No request bodies.
  • Verdict metadata — hashed identifiers (SHA-256), risk score, model version, decision timestamp, region.
  • Website analytics — anonymised page views, referrer, device class, viewport. No cross-site tracking.
  • Support data — messages, attachments and screen recordings you choose to share with our team.
  • Cookies — strictly-necessary session, anti-CSRF, locale and theme cookies. See our Cookie Policy.

3. What we explicitly do not store

Cyphic does not persist raw request bodies, document contents, biometric templates, payment card data or full PII strings submitted to scoring endpoints. Inputs are processed in-memory and discarded after the verdict is returned. We do not sell, rent or share personal data with advertisers, data brokers or third-party AI training providers.

4. Purposes and legal bases

  • Contract performance — service delivery, billing, support, SLA enforcement.
  • Legitimate interest — security, abuse prevention, fraud detection, service improvement.
  • Legal obligation — tax, anti-money-laundering, lawful disclosure to regulators.
  • Consent — marketing communications and optional analytics. You can withdraw at any time.

5. International data transfers

Cyphic operates localized data edges. Inter-region transfers rely on Standard Contractual Clauses, region pinning where requested and additional safeguards (encryption in transit and at rest, key custody in customer region for Enterprise tiers).

6. Retention

Telemetry and verdict metadata are retained for up to 13 months for audit and abuse prevention, then irreversibly aggregated. Account records are kept for the duration of the customer relationship plus statutory retention periods (typically 6 years for tax). Support tickets are retained for 24 months. Marketing-consent records are kept for the lifetime of the subscription plus 12 months.

7. Security controls

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Per-region key management with hardware-backed roots of trust.
  • Quarterly third-party penetration testing and continuous SAST / DAST in CI.
  • Production access gated by short-lived credentials, MFA and just-in-time approval.
  • Background-checked personnel under written confidentiality.
  • Audit-anchored logging for all administrative actions.

8. Sub-processors

Cyphic engages a limited number of vetted sub-processors for cloud infrastructure, email delivery, monitoring and payment processing. A current list with regions and purposes is available on request and at our Trust Center. We notify customers of material sub-processor changes with at least 30 days' notice.

9. Your rights

  • Access, rectification and erasure of your account data.
  • Data portability for telemetry exports in machine-readable format.
  • Right to object to processing based on legitimate interest.
  • Right to restrict processing while a complaint is investigated.
  • Right to withdraw consent for marketing at any time.
  • Right to lodge a complaint with your local supervisory authority.

10. Automated decisioning

Cyphic returns probabilistic scores and recommendations. We do not make automated decisions with legal or similarly significant effects on data subjects on behalf of customers — the customer remains responsible for the final decision (approve, decline, suspend, review).

11. Children

Cyphic services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, contact our DPO and we will delete it.

12. Changes to this policy

We may update this Policy to reflect changes in law, sub-processors, products or operations. Material changes will be announced via in-product notification and email to account administrators at least 14 days before they take effect.

13. Contact

For privacy requests, use the Contact page and select "Complaints" or "Privacy" — your message is routed automatically to our DPO inbox.
