Privacy Policy

Last Updated: February 2025
Effective Date: February 2025
Document Version: 2.0

1. Introduction

This Privacy Policy explains how Seifert Consulting LTD (Company number: 15699499) ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use the Comms Centre web application (the "Service").

Registered Office Address:
71-75 Shelton Street
Covent Garden
London
United Kingdom
WC2H 9JQ

We are committed to being transparent about what data we collect and how we use it, and to handling your personal data in accordance with UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Data Controller: Seifert Consulting LTD
Company Number: 15699499
Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Data Protection Contact: info@seifert-consulting.com

3. What Information We Collect

3.1 Information You Give Us

When you create an account and use the Service, you provide us with:

  • Account information: Your name, email address, and password.
  • Profile information: Your role, preferences, and settings.
  • Content: Text, files, images, audio recordings, video files, and documents you upload or create.
  • Communications: Messages you send us (such as support requests or feedback).
  • Integration credentials: When you connect third-party services (like Google Drive or Canva), we store authentication tokens needed to maintain those connections.

3.2 Information We Collect Automatically

When you use the Service, we automatically collect:

  • Usage data: Which features you use, how often, and how you interact with the Service.
  • Log data: Your IP address, browser type, device type, operating system, and referring URLs.
  • Session data: Authentication tokens, session identifiers, and login timestamps.
  • Technical data: Error logs and performance metrics.

3.3 Information Generated by the Service

The Service creates additional data as you use it:

  • AI-generated content: When you use AI features, your input is sent to our AI provider (Anthropic Claude) and the generated output is stored as part of your Content.
  • Workspace context ("Working Memory"): The Service builds and maintains a context profile for your workspace, which may include learnings from your interactions (such as preferences you express or corrections you make), summaries of past conversations, and recent activity logs. This is stored in the database as part of your Tenant's data, protected by Row Level Security, and is used to improve the relevance of AI outputs for your workspace. See Section 6.2 for full details.
  • Transcriptions: When you transcribe audio or video files, the media is sent to our transcription provider (AssemblyAI) and the resulting text is stored as part of your Content.
  • Processed files: When you upload documents (such as PDFs or Word files), we may extract text content for use within the Service.

3.4 Information from Third Parties

We may receive information from:

  • Authentication providers: If you sign in using Google, we receive your name, email address, and profile picture from Google.
  • Connected integrations: If you connect Google Drive or Canva, we may receive basic profile information and data needed to interact with those services on your behalf.
  • Organisation administrators: If you use the Service through an organisation, your admin may provide us with your name and email address when setting up your account.

4. How We Use Your Information

4.1 To Provide and Run the Service

We use your information to:

  • Create and manage your account.
  • Authenticate your identity and secure your sessions.
  • Deliver the features and functionality you use.
  • Process your Content through AI and transcription features when you choose to use them.
  • Send you service-related emails (such as 2FA codes, password resets, and notifications).
  • Provide customer support.

4.2 To Improve the Service

We use information to:

  • Understand how the Service is being used so we can make it better.
  • Identify and fix bugs and performance issues.
  • Develop new features.
  • Conduct internal analytics using anonymised and aggregated usage data (such as feature adoption and performance metrics) that cannot identify you or your Content. To be clear: this means understanding how the platform is used — it does not mean training AI models on your data.

4.3 To Keep the Service Secure

We use information to:

  • Detect and prevent fraud, abuse, and security incidents.
  • Monitor for unauthorised access.
  • Enforce our Terms of Service.

4.4 To Meet Legal Requirements

We use information when we need to:

  • Comply with laws, regulations, or legal processes.
  • Respond to lawful requests from authorities.
  • Protect our rights, property, or safety.

5. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases:

Legal Basis When We Use It
Contract Processing needed to provide the Service you signed up for — such as account management, delivering features, and customer support.
Legitimate interests Processing for our reasonable business purposes — such as improving the Service, security monitoring, and analytics — where these do not override your rights.
Legal obligation Processing required by law — such as tax, accounting, or responding to legal requests.
Consent Where we ask for your specific permission — such as for optional marketing communications. You can withdraw consent at any time.

6. How We Share Your Information

6.1 Service Providers

We share data with trusted third-party providers who help us operate the Service. Each provider only receives the data necessary for the service they provide.

Provider What They Do What Data They May Receive
Supabase Database hosting, authentication, file storage, real-time features Account data, Content, files, authentication tokens
Anthropic (Claude) AI content generation and analysis Text content you submit to AI features
AssemblyAI Audio and video transcription Audio/video files you submit for transcription
Resend Email delivery Email addresses, email content (2FA codes, notifications)
Render.com Application hosting All data processed through the Service passes through Render infrastructure
Google (Drive/Docs) Document creation and storage (optional) Content you choose to export to Google Drive; your Google account info
Canva Design creation (optional) Content you choose to send to Canva; your Canva account info

For legacy accounts, we may also use:

Provider What They Do What Data They May Receive
Airtable Database (being phased out) Account data, Content
Vercel Blob File storage (being phased out) Uploaded files

All service providers are contractually required to protect your data and to use it only for the purpose of providing their service.

6.2 AI Processing — Important Details

When you use AI features, the text you submit is sent to Anthropic (Claude) for processing. You should know that:

  • No client data is used for AI model training — by us or by our providers. We use Anthropic's API, which has a zero-training policy: data sent through the API is not used to train, fine-tune, or improve Anthropic's models. Your content is processed to generate a response, and is not retained or learned from by the AI provider.

Workspace Context ("Working Memory")

To deliver relevant, high-quality AI outputs, the Service maintains persistent workspace context for your Tenant. This is called "Working Memory" and may include:

  • Your organisation's identity, positioning, and strategic goals (from your onboarding profile).
  • Voice and tone preferences (communication style, formality, phrases to use or avoid).
  • Target audiences and their characteristics.
  • Content and PR strategy information.
  • Learnings discovered from your interactions (such as corrections you make, preferences you express, or patterns the AI identifies as successful).
  • Guidelines you set for AI behaviour.
  • Summaries of past chat conversations.
  • Recent workspace activity.

This workspace context is sent to the AI model alongside your request so that it can produce outputs tailored to your specific needs.

Important points about Working Memory:

  • All workspace context belongs to you. It is stored securely within Supabase as part of your Tenant's data, protected by Row Level Security (RLS) policies that enforce isolation from all other clients at the database engine level.
  • You have full control. You can view, edit, export, and delete your Working Memory at any time through the admin interface. When you delete it, it is permanently removed from our database.
  • It only benefits your workspace. Workspace context is never shared with, visible to, or used to improve outputs for any other client or Tenant.
  • The AI model itself does not learn or retain anything. Working Memory is application-level context that we send to the AI with each request. The AI model processes it and forgets it — it does not build its own memory, profiles, or knowledge base from your data.
  • Client identity and company context is stored in your workspace, not in the AI model. Your organisation's name, sector, positioning, and other identifying information exists only in your Tenant's data within the database. It is included in AI requests to provide relevant outputs, but it is not encoded in, retained by, or accessible to the AI model outside of that specific request.

Other AI processing details:

  • AI processing happens in real time. Your input (including workspace context) is sent, a response is generated, and the response is stored in your account. The AI provider does not retain a copy.
  • We use prompt caching to improve performance and reduce costs. Cached prompts are temporary (typically minutes to hours), transient, isolated per client, and are not used for AI training.
  • You control when AI features are used. Content is only sent to the AI provider when you actively trigger an AI feature. No automatic or background AI processing occurs without your action.
  • For full details on Anthropic's data practices, see anthropic.com/privacy.

6.3 Transcription Processing — Important Details

When you use transcription features, your audio or video file is sent to AssemblyAI for processing. You should know that:

  • Files are transmitted securely and processed to generate a text transcript.
  • AssemblyAI may temporarily store files during processing. Refer to assemblyai.com/privacy for their data handling practices.
  • Transcription is only triggered when you actively upload a file or use the Quick Capture feature.

6.4 Connected Integrations

When you connect Google Drive or Canva:

  • We store OAuth tokens that allow us to interact with those services on your behalf.
  • We only access the data and permissions you have authorised.
  • You can disconnect integrations at any time, which revokes our access.
  • We do not access your wider Google Drive or Canva account beyond the permissions granted.

6.5 Organisation Accounts

If you use the Service through an organisation (Tenant):

  • Your organisation's administrators may be able to see your account information and activity within the Tenant.
  • Content within a Tenant may be visible to other authorised users of that Tenant.
  • Your organisation's own data policies may also apply.

6.6 Legal Requirements

We may share information if required to:

  • Comply with a legal obligation, court order, or government request.
  • Protect the rights, property, or safety of Seifert Consulting LTD, our users, or the public.
  • Enforce our Terms of Service.

6.7 Business Transfers

If Seifert Consulting LTD is involved in a merger, acquisition, or sale of assets:

  • Your data may be transferred to the new entity.
  • We will notify you before your data is transferred and becomes subject to a different privacy policy.

6.8 With Your Consent

We may share information with other parties when you give us explicit permission to do so.

7. Data Security

7.1 How We Protect Your Data

We implement appropriate technical and organisational measures to protect your information, including:

  • Encryption in transit: All data is transmitted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Sensitive data (including API keys and integration tokens) is encrypted using industry-standard encryption.
  • Access controls: Role-based access controls limit who can access what data.
  • Authentication security: We support two-factor authentication (2FA), secure session management, and OAuth 2.0 for third-party integrations.
  • Multi-tenancy isolation: Each organisation's data is isolated using Row Level Security (RLS) policies enforced at the database level, ensuring one organisation cannot access another's data.
  • Security headers: We implement Content Security Policy, HSTS, and other security headers to protect against common web attacks.
  • Regular updates: We keep dependencies and infrastructure patched and up to date.

7.2 Limitations

No system is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials safe and for maintaining the security of any devices you use to access the Service.

7.3 Data Breach Notification

If we become aware of a data breach that affects your personal data:

  • We will notify the Information Commissioner's Office (ICO) within 72 hours where required.
  • We will notify affected users without undue delay where the breach is likely to result in a high risk to your rights.
  • We will take immediate steps to contain and fix the issue.

8. Data Retention

8.1 How Long We Keep Your Data

We keep your personal data for as long as it is needed:

Data Type Retention Period
Account information For as long as your account is active, plus up to 30 days after deletion
Content and files For as long as your account is active; deleted when you delete them or close your account
Workspace context (Working Memory) For as long as your Tenant is active; you can delete individual items or all context at any time; fully deleted when the Tenant is closed
Usage and log data Up to 12 months for analytics; security logs retained as required
Email communications For as long as your account is active
Backup copies Retained for up to 30 days after the source data is deleted
Billing and payment records As required by tax and accounting law (typically 6 years)

8.2 Account Deletion

When you delete your account:

  • We will delete or anonymise your personal data within 30 days.
  • All Content stored in your Tenant (files, text, calendar items, swipe file entries, strategies, etc.) is deleted from our database and file storage.
  • All workspace context (Working Memory), including learnings, guidelines, chat summaries, and activity history, is deleted.
  • Content within shared Tenant workspaces may be retained for other users of that Tenant.
  • Some data may be retained longer where required by law.
  • Backup copies will be deleted within their normal rotation cycle (typically within 30 days).

8.3 Practical Limitations on Deletion

In the interests of transparency, there are some practical limitations you should be aware of:

  • AI processing is transient. When you use AI features, your input is sent to Anthropic's API, a response is generated, and no copy is retained by the AI provider. There is nothing to "recall" or delete at the AI provider because nothing is stored.
  • Transcription processing is transient. Audio and video files sent to AssemblyAI for transcription are temporarily held during processing and then deleted by AssemblyAI. Once transcription is complete, the original media is no longer held by the transcription provider.
  • Backups operate on a rotation cycle. After deletion, your data may persist in encrypted backups for up to 30 days until the backup cycle rotates. During this period, backup data is not accessible or usable — it exists only for disaster recovery.
  • Data exported to third-party integrations (such as Google Drive or Canva) is governed by those services. We cannot delete data you have exported to external platforms — you would need to delete it directly from those services.
  • Anonymised and aggregated analytics data (which cannot identify you or your organisation) may be retained after account deletion, as it is no longer personal data.

8.4 How to Request Deletion

You can request deletion of your account and data by emailing support@commscentre.io. We will confirm what will be deleted and provide a timeline.

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

9.1 Right to Access

You can request a copy of the personal data we hold about you.

9.2 Right to Correction

You can ask us to correct any inaccurate or incomplete personal data.

9.3 Right to Deletion

You can ask us to delete your personal data in certain circumstances (for example, if it is no longer needed for the purpose it was collected).

9.4 Right to Restrict Processing

You can ask us to limit how we use your data in certain circumstances.

9.5 Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format so you can transfer it to another service.

9.6 Right to Object

You can object to processing based on our legitimate interests. We will stop unless we have compelling legitimate grounds to continue.

9.7 Rights Related to Automated Decisions

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. Our AI features are tools to assist you — they do not make automated decisions about you.

9.8 How to Exercise Your Rights

Contact us at: info@seifert-consulting.com

We will respond within one month. For complex requests, we may extend this by up to two additional months (we will let you know if this is the case).

We will not charge a fee for most requests. If a request is clearly unfounded or excessive, we may charge a reasonable fee or refuse the request.

10. International Data Transfers

10.1 Where Your Data May Be Processed

Your data may be processed in:

  • The United Kingdom
  • The European Economic Area (EEA)
  • The United States (where some of our service providers are based, including Anthropic, AssemblyAI, and Render.com)

10.2 How We Protect Transfers

When data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the ICO.
  • Ensuring the recipient country has an adequate level of data protection.
  • Contractual obligations requiring providers to protect your data.

11. Cookies and Tracking

11.1 What We Use

We use cookies and similar technologies to:

  • Keep you logged in and maintain your session (essential).
  • Remember your preferences and settings (functional).
  • Understand how the Service is used so we can improve it (analytics).

11.2 Types of Cookies

Type Purpose Required?
Essential Authentication, security, core functionality Yes — the Service cannot work without these
Functional Remembering your preferences and settings No — but the experience is better with them
Analytics Understanding usage patterns to improve the Service No

11.3 Managing Cookies

You can control cookies through your browser settings. Blocking essential cookies will prevent you from using the Service. We will respect your cookie preferences.

12. Children's Privacy

The Service is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe we have collected data from someone under 18, please contact us immediately at info@seifert-consulting.com and we will delete it.

13. Third-Party Links

The Service may contain links to external websites. We are not responsible for the privacy practices or content of those sites. We encourage you to read their privacy policies before sharing any personal data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

  • Post the updated policy on our website.
  • Send an email notification to registered users.
  • Show a notice within the Service.

Your continued use of the Service after changes take effect means you accept the updated policy. If you disagree, you should stop using the Service and request deletion of your data.

15. Complaints

If you are not happy with how we handle your personal data, you have the right to complain to:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113

We would appreciate the chance to address your concerns first — please contact us at info@seifert-consulting.com.

16. Contact Us

Privacy inquiries: info@seifert-consulting.com
Support: support@commscentre.io
Website: https://commscentre.io

Company Name: Seifert Consulting LTD
Company Number: 15699499
Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Document Version: 2.0
Next Review: February 2026

This Privacy Policy is designed to comply with UK GDPR and the Data Protection Act 2018. We are committed to protecting your privacy and being transparent about how we handle your data.