Privacy Notice
Last updated: 9 April 2026
This Privacy Notice explains how INFIRISK collects, uses, shares, and protects personal data when you use the Service.
1) Who we are
INFIRISK Ltd is the data controller for personal data processed under this Privacy Notice.
- Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
- Privacy contact: privacy@infirisk.com (or hello@infirisk.co.uk)
2) UK data protection law
This Privacy Notice is intended to comply with the UK GDPR and the Data Protection Act 2018.
3) Business customers (controller/processor note)
If you are a Business Customer and you upload personal data about other people (e.g., employees/contractors) into the Service, you are typically the controller of that data and we act as your processor to provide the Service. You are responsible for ensuring you have provided appropriate notices and have a valid lawful basis for any third-party personal data you upload. If you need a Data Processing Addendum (DPA), we can provide one.
4) Personal data we collect
Depending on how you use INFIRISK, we may collect:
- Account data: email, name/display name, role/tier, login metadata (authentication is handled via our authentication provider)
- Contact data: optional phone number and verification/MFA records if enabled
- Directory/business listing data (if applicable): business info, categories/areas, location info, and visibility preferences (show/hide phone/email, contact method, location precision/obfuscation)
- Premises/compliance data (if applicable): records and documents you upload (which may include personal data depending on content)
- Messaging data: message content and attachments you send/receive
- Billing/subscription data: subscription status and payment identifiers (we do not store full card details)
- Security and usage logs: IP address, user agent, timestamps, and activity logs for security and troubleshooting
- AI features (if used): inputs, consent status (where required), and usage metadata (please avoid including sensitive information in prompts or messages)
- Token and credit data: transaction history, token balances, spend and grant records, and transaction identifiers used to ensure payment integrity
- News and article data: article content, images, SEO metadata, moderation status, promotion status, and authorship information for articles you publish
- Channel and community data: posts you make in community channels, your engagement activity, channel memberships, and network participation
- Review data: ratings and written reviews you submit, business responses to reviews, review challenges, reports, and eligibility records
- Credential and accreditation data: professional credentials, accreditations, and education history that you choose to display on your profile
5) How we use personal data
We use personal data to provide and operate the Service, process payments, communicate with you, secure the Service, prevent abuse, and improve features.
- To moderate user-generated content, including articles, community posts, and reviews, in accordance with our Community Guidelines
- To operate our token credit system, including tracking balances, processing transactions, and preventing fraud
- To display your credentials and accreditations on your profile, published articles, and other platform surfaces where you have chosen to make them visible
6) Legal bases (UK GDPR)
We rely on one or more of the following legal bases, depending on the context:
- Contract: to provide the Service you request (accounts, subscriptions, core features).
- Legitimate interests: to secure the Service, prevent abuse, and improve reliability (balanced against your rights).
- Legal obligation: to comply with legal requirements (for example, accounting and tax).
- Consent: where required (for example, marketing communications or certain optional features).
7) Marketing communications
We may send you service messages that are necessary to operate the Service (e.g., verification emails, security alerts, billing notices). We do not send marketing emails unless you choose to opt in (where required). You can opt out of marketing at any time (for example, using an unsubscribe link or by contacting us).
8) Sharing and third parties
We may share personal data with service providers that help us operate INFIRISK (e.g., hosting/auth/database, payments, email/SMS providers if enabled, AI providers if used, postcode/address lookup). We do not sell personal data.
Our sub-processors
We use the following third-party service providers to operate the platform. Each processes data only for the purposes described:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, edge functions | Account data, all user content | EU (AWS Frankfurt) |
| Stripe | Payment processing | Billing data, payment identifiers | US/EU |
| SendGrid | Transactional email delivery | Email addresses, email content | US |
| OpenAI | Content moderation, AI-assisted features | Content submitted to AI features | US |
| Google (Gemini) | AI content generation | Content submitted to AI features | US |
| Hetzner | Server hosting | All data (encrypted at rest) | Germany |
We review our sub-processors periodically. This table was last updated on 9 April 2026.
9) International transfers
Some providers may process data outside the UK. Where required, we use appropriate safeguards (such as adequacy decisions and/or standard contractual clauses).
10) Retention
We keep personal data only as long as needed for the purposes above. Typical retention periods may include:
- Account and profile data: for as long as you have an account, and for a period afterwards as needed for support, dispute handling, or fraud prevention.
- Billing and tax records: typically 6 years (or longer where required) for UK accounting and tax compliance.
- Security logs: typically 14–30 days, unless longer retention is needed to investigate incidents or prevent abuse.
- Support communications: typically up to 24 months.
- Messages and uploads: typically for as long as your account is active or until you delete them, subject to legal and security requirements (including short backup retention).
- Token transaction records: retained for the duration of your account plus up to 6 years afterwards to comply with UK accounting and tax requirements.
- Article content: retained while published or until you delete it. After deletion, content may persist in backups for a limited period in accordance with our standard backup retention schedule.
- Review data: retained while the relevant business relationship exists on the platform. Challenge and report records are retained for moderation audit purposes.
- Channel posts: retained while posted or until you delete them, subject to legal or security requirements.
Retention can vary depending on the data type and the reason we are retaining it.
11) Security safeguards
We use appropriate technical and organisational measures designed to protect personal data, such as access controls, encryption in transit, and secure storage. No system is completely secure, and you are responsible for keeping your account credentials safe.
12) Special category data and sensitive information
Please avoid uploading special category personal data (such as health information) unless it is necessary. If you upload sensitive personal data, you are responsible for ensuring you have a lawful basis to do so and have met any additional legal requirements (such as explicit consent where applicable).
13) Automated processing and AI
Some features of the Service involve automated processing, including AI-assisted tools for generating content (such as descriptions and templates) and for moderating user-generated content (such as screening articles and reviews against our content policies before publication).
AI-assisted outputs are intended as a starting point and should be reviewed before reliance. We do not intend to make decisions that produce legal effects or similarly significant effects on you solely by automated means without appropriate safeguards.
14) Your rights
Depending on your circumstances, you may have rights to:
- access your personal data
- correct inaccurate personal data
- request deletion
- request restriction of processing
- object to processing
- data portability
- withdraw consent (where processing is based on consent)
To exercise your rights, contact privacy@infirisk.com. We may need to verify your identity. We will respond within the timeframes required by law (typically within one month).
If you're in the UK, you can complain to the ICO (Information Commissioner's Office).
15) Changes
We may update this policy and will update the “Last updated” date. If we make material changes, we will take reasonable steps to notify you (for example, by email or in-app notice).