Privacy Policy

Effective date: 16 April 2026

This Privacy Policy explains how Plotnikov IT Ltd trading as infery.ai ("we", "us", "our") collects, uses, and shares personal data when you use our website, application, API, Playground, and documentation (collectively, the "Service"). It is issued under the UK GDPR and the Data Protection Act 2018, and it reflects requirements of the EU GDPR and the California Consumer Privacy Act where those apply to you.

1. Who we are

We are the data controller for personal data processed in connection with the Service. Our details:

Controller: Plotnikov IT Ltd, trading as infery.ai
Address for service: 18 Cornfield Crescent, Edinburgh, EH4 4UF, United Kingdom
EU Representative (Art. 27 GDPR): elKYC OÜ, Ahtri tn 12, Kesklinna linnaosa, Tallinn 10151, Estonia — inferyai@elkyc.com
Privacy contact: privacy@infery.ai

We have not appointed a Data Protection Officer because our processing activities do not meet the Article 37 UK/EU GDPR thresholds. We will appoint one if that changes.

2. Scope

This policy covers personal data processed when you visit our website, create or use an account, call our API, use the Playground, or contact us. It does not cover third-party websites linked from the Service.

3. Data we collect

Account data

Email address, display name, hashed password, OAuth provider identifiers, account settings, and session data.

Billing data

Stripe customer identifier, invoice history, and last four digits of the card for display. We do not see, process, or store full payment card numbers — Stripe does.

Usage metadata

Request timestamp, model selected, token counts, HTTP status, latency, request ID, IP address, user-agent, and API key reference. We use this for billing, diagnostics, security, and abuse detection.

Inputs and Outputs

Prompts, files, and other content you submit ("Inputs"), and the content generated by the selected AI model ("Outputs"). These are passed to the subprocessor you select and retained only as described in Section 6.

Playground chat history

Where you use the Playground, your chat sessions are stored in your workspace so you can return to them. Retention depends on your subscription plan (see Section 9).

Server logs and cookies

Security logs (IP, headers, request metadata) and cookies as described in Section 12.

Support correspondence

Emails and messages you send us, plus any attachments, so we can answer you.

4. Legal bases for processing

Contract (Art. 6(1)(b)): to create and operate your account, deliver the Service, process payments, and respond to you.
Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, investigate incidents, and generate aggregated analytics. You can object at any time.
Consent (Art. 6(1)(a)): for marketing emails, non-essential cookies, and enabling providers based in the People's Republic of China (see Section 8).
Legal obligation (Art. 6(1)(c)): to keep tax and accounting records (HMRC requires six years), and to respond to lawful requests.

5. How we use your data

To create and operate your account and workspaces.
To route your requests to the AI subprocessor you select.
To bill you, issue invoices, handle refunds, and comply with tax law.
To provide customer support.
To secure the Service, detect and investigate abuse, and enforce our Terms and Acceptable Use Policy.
To generate aggregated analytics that do not identify you.
To send transactional emails. Marketing emails only with your separate consent.

We do not sell personal data, and we do not share it with advertisers.

6. AI-specific data handling

We do not train any model on your Inputs or Outputs. Where our subprocessors offer training controls, we disable training on customer data. Where a subprocessor does not offer such a control, we disclose that in our Subprocessors list.

When you call the Service, your Inputs are transmitted to the AI subprocessor selected by you or by your workspace settings. Outputs are returned through us to you. We do not human-review Inputs or Outputs in the ordinary course, except where content is flagged by automated abuse systems or where review is required by law.

Retention windows

Request and response payload logs: 30 days, then automatic deletion.
Playground chat history: time-to-live per subscription plan, up to a maximum of 24 months.
Usage metadata for billing and tax: 6 years, as required by HMRC.
Audit and security logs: 12 months.
Account data: for the life of the account plus reasonable wind-down, then deletion or anonymisation unless legally required to retain.

7. Subprocessors

We use vetted third parties to help us deliver the Service — including cloud hosting, payments, email delivery, analytics, and the AI providers themselves. A current list is at /subprocessors. We give at least 30 days' notice of new subprocessors by email and in-app banner so you can object.

8. International transfers

The Service is operated from the United Kingdom. Personal data may be transferred to the European Economic Area, the United States, and — only with your explicit consent — the People's Republic of China.

UK ↔ EU and UK → US

Transfers to the EU rely on the UK's adequacy decision. Transfers to the US rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK IDTA), or the EU-US Data Privacy Framework where the subprocessor is certified.

UK → People's Republic of China (Alibaba Qwen, DeepSeek)

PRC-based AI providers are not available by default. Until a workspace-level opt-in control is shipped, these providers are disabled at the platform level and can be enabled only by explicit request to support@infery.ai. Enabling them constitutes your explicit consent under Article 49(1)(a) UK/EU GDPR to transfer your Inputs and Outputs to China, where Standard Contractual Clauses are not currently available. Risks include the PRC Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and potential government access to data. Consent can be withdrawn at any time by disabling the providers or by contacting us — withdrawal does not recall data already transferred.

9. Retention

Specific retention periods are listed in Section 6. Account data is kept for the life of the account. Billing records are kept for six years to meet HMRC requirements. Where we are required or permitted by law to retain data longer, we will.

10. Your UK and EU GDPR rights

Subject to the usual conditions and exceptions, you have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request erasure of your data ("right to be forgotten").
Restrict our processing.
Receive your data in a portable format.
Object to processing based on legitimate interests, including profiling.
Withdraw consent at any time, without affecting the lawfulness of past processing.
Complain to a supervisory authority — in the UK, the Information Commissioner's Office at ico.org.uk/make-a-complaint/. In the EU, your local DPA.

To exercise these rights, email privacy@infery.ai. We respond within one month.

11. California privacy rights (CCPA / CPRA)

If you are a California resident, in addition to the rights above you have the right to know, delete, correct, and receive a copy of the personal information we hold, and to opt out of "sale" or "sharing" for cross-context behavioural advertising. We do not sell or share personal information as those terms are defined under CCPA/CPRA. We do not offer financial incentives for personal information. You may designate an authorised agent in writing. Requests: privacy@infery.ai.

12. Cookies and similar technologies

We use:

Strictly necessary cookies for authentication, session management, and security. These do not require consent.
Analytics via PostHog to understand product usage. You can opt out via the cookie banner.
Tag management via Google Tag Manager, which loads other analytics tags subject to your consent.

Where required by UK and EU law, we present a consent banner that blocks non-essential cookies until you accept them. You can change your preferences at any time via the banner.

13. Security

We use TLS 1.2+ in transit, AES-256 at rest, workspace-scoped access control, least-privilege for staff, and an incident response procedure. No system is completely secure — we do not warrant uninterrupted or error-free service.

14. Children

The Service is for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If we learn that we have, we delete the account and data promptly.

15. Automated decision-making

The Service routes your requests to third-party AI models that generate Outputs automatically. We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects concerning you (Article 22 UK/EU GDPR). If you believe an automated decision has materially affected your interests, you may contact privacy@infery.ai to request human review.

16. Changes to this policy

We may update this Policy. Material changes will be notified at least 30 days in advance by email and by in-app banner. The effective date above will be updated on every change. Continued use after the effective date means you accept the update.

17. Contact

Questions or complaints: privacy@infery.ai. Postal: Plotnikov IT Ltd, 18 Cornfield Crescent, Edinburgh, EH4 4UF, United Kingdom. EU Representative: elKYC OÜ, Ahtri tn 12, Kesklinna linnaosa, Tallinn 10151, Estonia — inferyai@elkyc.com. You may also complain directly to the ICO.