1. Introduction
XIFY ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our contact management and marketing automation platform.
This policy applies to all users of XIFY services, including field service businesses and their customers. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
2. Data Controller
XIFY is the data controller responsible for your personal data. You can contact us at:
3. Information We Collect
3.1 Information You Provide
When you create an account or use our services, we collect:
- Account Information: Name, email address, phone number, company name, business type
- Billing Information: Payment details processed securely through Stripe (we do not store full card numbers)
- Contact Data: Customer contacts you upload or create (names, addresses, phone numbers, emails, postcodes)
- Communication Content: SMS messages, emails, and notes you create within the platform
- Booking Information: Appointment details, service names, team assignments
3.2 Information Automatically Collected
- Usage Data: Pages visited, features used, time spent, interaction patterns
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies: Session cookies for authentication and preferences (see Cookie Policy below)
- Log Data: Server logs including timestamps, error reports, performance metrics
4. How We Use Your Information
We process your personal data for the following purposes, each under the lawful basis indicated:
4.1 Service Delivery (Contract Performance)
- Providing contact management and CRM functionality
- Sending SMS and email campaigns on your behalf
- Processing booking requests and reminders
- Enabling team collaboration and task assignment
- Managing your account and subscriptions
4.2 Legitimate Interests
- Improving and optimizing our platform
- Preventing fraud and ensuring security
- Analyzing usage patterns to enhance features
- Providing customer support and technical assistance
4.3 Legal Compliance
- Meeting regulatory requirements (GDPR, PECR, tax laws)
- Responding to legal requests and court orders
- Protecting our legal rights and preventing misuse
4.4 Consent
- Sending marketing emails about our services (you can opt out at any time)
- Using cookies for analytics and preferences
5. Your Customer Data
When you upload customer contacts to XIFY, you act as the data controller for that data, and we act as a data processor. You are responsible for:
- Having a lawful basis to collect and process your customers' data
- Obtaining proper consent before sending marketing communications
- Complying with PECR when sending SMS and email campaigns
- Responding to data subject requests from your customers
- Keeping customer data accurate and up to date
We process your customer data only on your instructions and in accordance with our Data Processing Agreement.
6. Data Sharing and Disclosure
We share your data only in these circumstances:
6.1 Service Providers
- Supabase: Database and authentication services (EU/UK servers)
- Stripe: Payment processing (PCI-DSS compliant)
- Twilio: SMS delivery services
- Resend: Email delivery services
- Vercel: Website hosting and CDN
All third-party processors have appropriate data protection agreements in place.
6.2 Legal Requirements
We may disclose data when required by law, court order, or to protect our rights and safety.
6.3 Business Transfers
If XIFY is acquired or merges with another company, your data may be transferred to the new entity.
7. International Data Transfers
Your data is primarily stored on servers located in the UK and EU. If we transfer data outside the UK, we ensure adequate safeguards through:
- Standard Contractual Clauses approved by the ICO
- Adequacy decisions for countries with equivalent protection
- Binding Corporate Rules for multinational service providers
8. Data Security
We implement industry-standard security measures:
- Encryption: TLS/SSL for data in transit, AES-256 for data at rest
- Access Controls: Role-based permissions and multi-factor authentication
- Monitoring: 24/7 security monitoring and intrusion detection
- Backups: Regular encrypted backups with disaster recovery plans
- Audits: Regular security assessments and penetration testing
9. Data Retention
We retain your data for as long as necessary:
- Account Data: Until you delete your account, plus 30 days' backup retention
- Billing Records: 7 years to comply with UK tax law
- Communication Logs: 12 months for support and compliance purposes
- Marketing Data: Until you unsubscribe or withdraw consent
When data is deleted, it is permanently removed from our active systems within 30 days and from backups within 90 days.
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Rights Related to Automated Decision-Making: We do not use automated decision-making
To exercise these rights, email us at privacy@xify.dev. We will respond within 30 days.
11. Cookies
We use the following types of cookies:
- Essential Cookies: Required for authentication and security (cannot be disabled)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use our platform (can be disabled)
You can manage cookie preferences in your browser settings. Note that disabling cookies may affect platform functionality.
12. Children's Privacy
XIFY is not intended for individuals under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or platform notification. Continued use of XIFY after changes constitutes acceptance of the updated policy.
14. Complaints and Regulatory Authority
If you have concerns about how we handle your data, please contact us first at privacy@xify.dev.
You also have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113
15. Contact Us
For privacy-related questions or to exercise your rights: