Privacy Policy
Last updated: 22 February 2026
1. Who We Are
Sendifai Limited ("Sendifai", "we", "us", "our") is a company registered in England and Wales (Company No. 16990374), with registered address at Suite 111, 60 Tottenham Court Road, London, W1T 2EW, United Kingdom.
We are registered with the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018.
Data protection contact: legal@sendifai.com
2. About This Policy
This Privacy Policy explains how we collect, use, store, and share personal data when you:
- Visit our website at www.sendifai.com ("Website")
- Create an account and use our platform ("Platform")
- Communicate with us by email or other channels
- Subscribe to our communications
3. Our Role Under Data Protection Law
Sendifai operates in two distinct roles:
Data Controller — We are the data controller when we collect and process your personal data as a customer, website visitor, or prospective customer. This includes your account details, billing information, and usage data.
Data Processor — We are the data processor when we process personal data on behalf of our customers. For example, when a customer uploads their contact lists, sends email campaigns, manages pastoral care records, or uses CRM features through our Platform. In this capacity, our customers are the data controllers and they determine the purposes and means of processing their contacts' data.
4. What Data We Collect
4.1 Data We Collect Directly From You (as Controller)
Account and registration data:
- Full name, email address, phone number (if provided)
- Organisation name and type
- Password (stored in hashed form only)
- Billing address
Payment and billing data:
- Payment is processed by Stripe. We do not store your full card details. We receive only the last four digits, card type, and expiration date for display purposes.
- Billing history and invoice records
Communications data:
- Emails and messages you send to our support, sales, or legal addresses
- Feedback and survey responses
Usage and technical data:
- IP address, browser type and version, operating system, device information
- Pages visited on our Website and Platform
- Session duration, referring URL, and interaction data
- Error and performance logs (collected via Sentry and Axiom)
4.2 Data Our Customers Upload to the Platform (as Processor)
When customers use our Platform, they may upload or input personal data about their own contacts, including but not limited to:
- Names, email addresses, phone numbers, physical addresses
- Group memberships, organisational roles, and tags
- Family and household relationships
- Attendance and engagement records
- Pastoral care notes, prayer requests, and care case records
- Life events and personal milestones
- Custom fields defined by the customer
- Communication preferences and consent records
We process this data solely on behalf of our customers and in accordance with their instructions.We do not access, use, or share this data for our own purposes except as necessary to provide the Platform services or comply with law.
4.3 Data Generated Through Platform Use
Campaign and delivery data:
- Email open tracking (via tracking pixels), link click tracking
- Bounce and delivery status, unsubscribe requests
- Spam complaint reports
- SMS and WhatsApp delivery status (where applicable)
AI feature data:
When customers use AI-powered features (such as Isla, our AI assistant, or AI content generation), we process the prompts provided and the outputs generated. This data may be sent to third-party AI providers (OpenAI and Anthropic) under data processing agreements. These providers do not use your data to train their models.
5. How We Use Your Data
5.1 As Data Controller
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b)) |
| Providing and operating the Platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Sending service communications (security alerts, billing notices, product updates) | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests | Performance of contract (Art. 6(1)(b)) |
| Preventing fraud, abuse, and enforcing our policies | Legitimate interest (Art. 6(1)(f)) |
| Improving our Website, Platform, and services | Legitimate interest (Art. 6(1)(f)) |
| Analysing usage patterns and trends | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) — you can withdraw at any time |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
5.2 As Data Processor
When processing data on behalf of our customers, we act only on their documented instructions. The lawful basis for processing is determined by the customer as data controller. Our obligations as processor are set out in our Data Processing Agreement.
6. Who We Share Data With
We share personal data only in the following circumstances:
Sub-processors (service providers):
| Provider | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS SES) | Email delivery infrastructure | EU (London, eu-west-2) |
| Postmark (ActiveCampaign) | Transactional email delivery | USA (with SCCs) |
| Supabase | Database hosting, authentication | EU |
| Vercel | Website and application hosting | Global CDN (EU primary) |
| Stripe | Payment processing | USA (with SCCs) |
| Google Workspace | Business email | EU |
| OpenAI | AI content generation features | USA (with DPA) |
| Anthropic | AI assistant features | USA (with DPA) |
| Sentry | Error monitoring and diagnostics | USA (with SCCs) |
| Axiom | Log management and observability | USA (with SCCs) |
All sub-processors are bound by data processing agreements requiring them to protect personal data to standards equivalent to this Policy.
Legal and regulatory disclosures:
- Where required by law, regulation, or legal process
- To protect the rights, safety, or property of Sendifai, our customers, or others
- To the ICO or other supervisory authorities as required
Business transfers:
In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity with equivalent protections.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
7. International Data Transfers
Our primary infrastructure is hosted in the United Kingdom and European Union. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTAs)
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Supplementary technical measures (encryption in transit and at rest)
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account plus 12 months after closure |
| Billing and transaction data | 7 years (UK tax and accounting requirements) |
| Campaign and analytics data | Duration of account; aggregate anonymised data may be retained indefinitely |
| Customer-uploaded contact data | Duration of account; deleted within 30 days of account closure or customer request |
| Support communications | Up to 3 years after last communication |
| AI prompts and outputs | Not retained beyond the session unless saved by the customer |
| Website analytics | 26 months |
9. Your Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you
- Right to rectification (Art. 16) — have inaccurate data corrected
- Right to erasure (Art. 17) — have your data deleted in certain circumstances
- Right to restrict processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in a structured, commonly used format
- Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent (Art. 7) — withdraw consent at any time where processing is based on consent
- Rights related to automated decision-making (Art. 22) — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
To exercise any of these rights, contact legal@sendifai.com. We will respond within one month, extendable by a further two months for complex requests.
If you are a contact of one of our customers (i.e., your data was uploaded to our Platform by a Sendifai customer), please direct your data rights requests to that organisation in the first instance. We will assist our customers in fulfilling such requests.
10. Cookies
We use cookies and similar technologies on our Website and Platform. Full details of the cookies we use and how to manage them are set out in our Cookie Policy.
11. Children's Data
Our Platform is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16.
Our customers may process data about minors as part of their legitimate activities (for example, churches managing youth group memberships). In such cases, the customer is the data controller and is responsible for ensuring appropriate consent and safeguards.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest
- Row-level security on database tables
- Access controls and authentication requirements
- Regular security monitoring via Sentry and Axiom
- Incident response procedures
- Professional indemnity and cyber insurance coverage (Hiscox)
- Sub-processor security assessments
No method of transmission or storage is 100% secure. If you become aware of any security incident, contact support@sendifai.com immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by prominent notice on our Website. The "Last updated" date at the top indicates when this Policy was last revised.
14. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to address your concerns first. Please contact legal@sendifai.com.
15. Contact Us
Sendifai Limited
Suite 111, 60 Tottenham Court Road, London, W1T 2EW, United Kingdom
- Data protection enquiries: legal@sendifai.com
- Support: support@sendifai.com
- Website: www.sendifai.com