GDPR Compliance
Last updated: 22 February 2026
Our Commitment
Sendifai Limited ("Sendifai") is committed to protecting personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018.
This page explains how we comply with data protection requirements and how we support our customers in meeting their own obligations.
Our Role Under Data Protection Law
When We Are a Data Controller
We are the data controller when we collect and process personal data about our customers, website visitors, and prospective customers. This includes account information, billing data, usage analytics, and support communications.
When We Are a Data Processor
We are the data processor when we process personal data on behalf of our customers through the Platform. This includes contact lists, email campaign data, CRM records, pastoral care information, and engagement analytics. In this role, our customers are the data controllers and they determine what data is processed and why.
Our obligations as a data processor are set out in our Data Processing Agreement (DPA).
Legal Bases for Processing
When acting as a data controller, we process personal data under the following legal bases:
- Performance of contract (Art. 6(1)(b)) — to create accounts, provide the Platform, process payments, and deliver support
- Legitimate interests (Art. 6(1)(f)) — for service improvements, security, fraud prevention, and service-related communications
- Consent (Art. 6(1)(a)) — for marketing communications (withdrawable at any time)
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and regulatory requirements
When acting as a data processor, our customers determine the appropriate legal basis for processing their contacts' data.
Your Rights
Under the UK GDPR and EU GDPR, data subjects have the following rights:
| Right | Article | Description |
|---|---|---|
| Access | Art. 15 | Obtain a copy of the personal data we hold about you |
| Rectification | Art. 16 | Have inaccurate personal data corrected |
| Erasure | Art. 17 | Have your personal data deleted in certain circumstances |
| Restriction | Art. 18 | Limit how we process your data |
| Data portability | Art. 20 | Receive your data in a structured, commonly used format |
| Object | Art. 21 | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent | Art. 7 | Withdraw consent at any time where processing is based on consent |
| Automated decisions | Art. 22 | Not be subject to solely automated decisions with legal or significant effects |
How to Exercise Your Rights
Contact legal@sendifai.com with your request. We will respond within one month. For complex requests, we may extend this by a further two months and will inform you of any extension.
If you are a contact of one of our customers (i.e., your data is in the Platform because a Sendifai customer uploaded it), please contact that organisation directly in the first instance. They are the data controller for your data. We will assist our customers in responding to data subject requests.
Data Protection Measures
Technical Measures
- Encryption in transit (TLS) and at rest
- Row-level security on database tables ensuring organisations can only access their own data
- Authentication and access controls via Supabase Auth
- Error monitoring and incident detection via Sentry
- Log management and observability via Axiom
- Automated security headers and HTTPS enforcement
Organisational Measures
- Data processing agreements with all sub-processors
- Regular review of sub-processor security practices
- ICO registration under the UK Data Protection Act 2018
- Professional indemnity and cyber insurance coverage
- Documented incident response procedures
- Breach notification within 72 hours to the ICO and without undue delay to affected controllers
Sub-Processors
We use the following sub-processors, all bound by data processing agreements:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS SES) | Email delivery infrastructure | EU (London) |
| Postmark (ActiveCampaign) | Transactional email delivery | USA |
| Supabase | Database hosting and authentication | EU |
| Vercel | Application hosting | Global CDN |
| Stripe | Payment processing | USA |
| Google Workspace | Business email | EU |
| OpenAI | AI content generation | USA |
| Anthropic | AI assistant features | USA |
| Sentry | Error monitoring | USA |
| Axiom | Log management | USA |
For transfers to sub-processors outside the UK/EEA, we rely on UK International Data Transfer Agreements (IDTAs), EU Standard Contractual Clauses (SCCs), and supplementary technical measures.
We will notify customers of material changes to our sub-processor list via email at least 14 days before the change takes effect.
AI and Data Protection
Our Platform includes AI features powered by OpenAI and Anthropic. When customers use these features:
- Prompts and inputs are sent to the AI provider to generate outputs
- Both providers operate under data processing agreements with Sendifai
- Neither provider uses customer data to train their models
- AI-generated content should be reviewed before use, as it may contain inaccuracies
- Customers should inform their contacts if AI is used to generate communications, where required by applicable transparency obligations
Data Processing Agreement
Our DPA is available at www.sendifai.com/legal/dpa. It covers:
- Scope, nature, and purpose of processing
- Types of personal data and categories of data subjects
- Controller and processor obligations
- Security measures
- Sub-processor management and notification
- Data subject rights assistance
- Breach notification (within 48 hours to the controller)
- Data return and deletion upon termination
- Audit rights
Data Protection Contact
For any data protection enquiries:
- Email: legal@sendifai.com
- Address: Sendifai Limited, Suite 111, 60 Tottenham Court Road, London, W1T 2EW, United Kingdom
Supervisory Authority
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For complaints relating to EU GDPR, you may also contact your local data protection authority.