Privacy Policy 

Last Updated: 17 May 2026

This Privacy Policy explains how Cyridium Ltd (“Cyridium”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you use our multi-tenant SaaS content management system and related services (“Service”).

We are committed to protecting your privacy and complying with the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), and other applicable laws.

1. Information We Collect

We collect the following categories of personal data:

  • Account & Contact Information: Name, email address, phone number, company name, billing address, and login credentials.

  • Billing & Payment Information: Details necessary to process payments (handled by our payment providers — we do not store full card details).

  • Usage & Technical Data: IP address, browser type, device information, pages visited, usage patterns, and interaction data.

  • Client Content: Content, files, and data you upload or create through the Service (processed but not used for our own marketing).

  • Support & Communication Data: Information provided when contacting us or using support features.

  • Cookies & Similar Technologies: See the dedicated Cookies section below.

We do not knowingly collect data from children under 16.

2. How We Use Your Information & Lawful Bases

We process personal data on the following lawful bases (primarily under UK GDPR Article 6):

  • Performance of a contract — to provide the Service, process payments, manage subscriptions, and deliver support.

  • Legitimate interests — to improve the Service, ensure security, prevent fraud/abuse, conduct internal analytics, and communicate important updates.

  • Legal obligations — to comply with tax, accounting, anti-money laundering, or other regulatory requirements.

  • Consent — where required (e.g., for certain non-essential cookies or optional marketing). You can withdraw consent at any time.

Specific purposes include: providing and improving the Service (including multi-tenant isolation), processing payments and subscriptions, security/fraud prevention, customer support, analytics, and legal compliance.

3. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Strictly necessary functions (authentication, security, basic site operation).

  • Analytics and performance (our own internal tools, hosted on our infrastructure — no third-party analytics unless disclosed).

  • Functional preferences (e.g., language, theme).

Under the DUAA and PECR, strictly necessary cookies do not require consent. For analytics and other non-essential cookies, we rely on legitimate interests or obtain consent via a cookie banner. You can manage preferences through your browser or our banner.

We do not use cross-site tracking cookies for behavioural advertising.

See our separate Cookie Policy for full details.

4. Sharing and Disclosure of Information

We do not sell personal data. We share data only as described:

  • Service Providers & Processors (bound by DPAs):

    • Payment Processors: Stripe (for card payments) and TrueLayer (for open banking/pay-by-bank). They process billing and transaction data as necessary. See Stripe Privacy Policy and TrueLayer Privacy Notice for their practices.

    • Hosting, cloud infrastructure, email delivery, and support tools.

  • Third-Party Integrations: When you (as a Client) add tools like Google Analytics, Meta Pixel, or advertising networks, your site visitors’ data is processed by those third parties. You are responsible for their compliance.

  • Legal & Compliance: Where required by law, court order, or to protect rights/safety.

  • Corporate Transactions: In mergers, acquisitions, etc.

  • Tenant Isolation: Client data and content remain segregated. We do not access it except as needed for service delivery, support, or legal reasons.

5. International Data Transfers

Our primary processing is in the UK. Where data is transferred outside the UK (e.g., to US-based sub-processors like certain Stripe entities), we use appropriate safeguards such as the UK International Data Transfer Agreement/Addendum, Standard Contractual Clauses, or (where applicable) the UK Extension to the EU-U.S. Data Privacy Framework. Stripe complies with the DPF.

6. Data Security and Retention

We use reasonable technical and organisational measures (encryption, access controls, etc.). No system is 100% secure.

We retain personal data only as long as necessary:

  • Account/billing data: for the duration of the relationship plus up to 7 years for tax/legal purposes.

  • Usage data: shorter periods (e.g., 12–24 months) for analytics.

  • Upon termination, we enable data export for a reasonable period (e.g., 30 days) before potential deletion (subject to backups and legal holds).

7. Your Rights

Under UK GDPR (and equivalent rights elsewhere), you may have rights to: access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.

For automated decision-making (if any, e.g., basic fraud scoring), you can request human intervention.

Contact us to exercise rights. We respond within one month (extendable where permitted). UK residents may also complain to the ICO.

8. Changes to This Policy

We may update this policy. We will post the new version with a revised date. Material changes will be notified via email or in-app notice where appropriate. Continued use constitutes acceptance.

9. Contact Us

For privacy questions or to exercise your rights:
Email: compliance@cyridium.co.uk
Post: Cyridium LTD, 19 Brambles Crescent, Blythe Valley, Solihull, B90 8DJ, United Kingdom

We are registered with the UK's Information Commissioner's Office (ICO) as a data controller.

Our registration number is ZC135949. You can verify our registration here.


© 2026 Cyridium Ltd. All rights reserved.