Legal

Privacy Policy

Effective date: 1 January 2026 · Version 1.0

Contents

Who we are
Data we collect
How we use your data
Legal basis for processing
Data sharing and disclosure
Data retention
Security measures
Your rights
Cookies
Changes to this policy
Contact and complaints

Full Deploy Ltd ("Full Deploy", "we", "our") takes data privacy seriously. This Privacy Policy explains what data we collect when you use the Full-Deploy platform, how we use it, and what rights you have. It applies to all customers, users, and visitors.

1. Who we are

Full Deploy Ltd is the data controller for personal data collected through the Full-Deploy platform. We are registered in England and Wales. Our Data Protection contact can be reached at privacy@full-deploy.io.

2. Data we collect

We collect the following categories of data:

Category	Examples	Source
Account data	Name, email address, organisation name	You provide at registration
Authentication data	Hashed password, AIKC token hash, session tokens	Generated during sign-in
Usage & query data	Queries submitted, agent responses, timestamps, quality scores	Generated when using the Service
Billing data	Invoice address, payment method token (not card numbers)	You provide at checkout
Technical & log data	IP address, browser/client type, API request logs	Automatically collected
Audit & security data	Tamper-evident audit log records, PI-AI screening results	Generated automatically
Support data	Communications you send to our support team	You provide when contacting us

We do not collect or store full payment card numbers. Card processing is handled by our PCI-DSS certified payment provider.

We do not use your Query content to train AI models, build profiles for advertising, or share it with third parties except as described in Section 5.

3. How we use your data

To provide the Service — authenticate sessions, route queries through the agent pipeline, screen payloads via PI-AI, and deliver responses.
To maintain security — detect and prevent fraud, abuse, injection attacks, and other threats.
To comply with legal obligations — maintain tamper-evident audit logs for 7 years, respond to lawful requests from authorities.
To bill and administer your account — process payments, send invoices, manage subscriptions.
To improve the Service — analyse aggregated, anonymised usage patterns to improve reliability and performance. Individual query content is never used for this purpose.
To communicate with you — send service announcements, security alerts, and support responses.

4. Legal basis for processing (GDPR)

Where GDPR applies, we process your data on the following legal bases:

Contract performance — processing necessary to provide the Service you have contracted for.
Legitimate interests — security monitoring, fraud prevention, and service improvement (where your interests do not override ours).
Legal obligation — maintaining audit records and complying with lawful requests.
Consent — for optional marketing communications (you may withdraw at any time).

We do not sell your personal data. We may share data with:

Service providers acting as data processors (cloud infrastructure, payment processing, email delivery) under strict data processing agreements.
Law enforcement or regulators where we are legally required to do so, or where necessary to protect the security of the Service or other users.
Successor entities in the event of a merger, acquisition, or asset sale, subject to the same privacy commitments.

All third-party processors are bound by data processing agreements that require them to handle your data only on our documented instructions.

6. Data retention

Data type	Retention period
Account data	Duration of account + 90 days after closure
Query & audit data	7 years (compliance requirement)
Billing records	7 years (tax and financial law)
Technical logs (IP, etc.)	90 days
Support communications	3 years

After these periods, data is securely deleted or anonymised. You may request early deletion of account data by closing your account; statutory obligations (e.g., audit log retention) take precedence.

7. Security measures

We implement layered technical and organisational security measures including:

End-to-end TLS encryption for all data in transit.
Ed25519 per-message signing and Merkle-chained audit logs.
14-bit AIKC colour-key three-factor authentication.
PI-AI real-time injection and threat screening on all tunnel traffic.
PCFSB private encrypted filesystem sandboxes for every session.
SOC 2 Type II controls and annual third-party penetration testing.

Despite these measures, no system is completely immune from security threats. If you discover a vulnerability, please report it responsibly to security@full-deploy.io.

8. Your rights

Subject to applicable law, you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your data (subject to retention obligations).
Restriction — request that we restrict processing of your data.
Portability — receive your data in a machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@full-deploy.io. We will respond within 30 days.

9. Cookies

The Full-Deploy web application uses only essential cookies necessary for authentication and session management. We do not use tracking or advertising cookies. We do not use third-party analytics scripts that place cookies.

Essential cookies used:

fd_session — stores your authenticated session token. HttpOnly, Secure, SameSite=Strict.
fd_csrf — CSRF protection token. Short-lived, per-request.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) and by posting a notice on our status page at least 14 days before the change takes effect. The effective date at the top of this page will be updated.

Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact and complaints

Data privacy enquiries: privacy@full-deploy.io
Security disclosures: security@full-deploy.io

If you are in the UK or EEA and believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

Also see our Terms of Service. This policy was last updated on 1 January 2026.