Privacy Policy
Effective 31 March 2026
Spikefrost Limited (Company Number 16978632)
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Contact: privacy@spikefrost.com
1. Introduction
Spikefrost is a software platform operated by Spikefrost Limited, a company registered in England and Wales (Company Number 16978632). This Privacy Policy describes how personal data is collected, used, stored, and protected when you access or use Spikefrost's websites, applications, and services.
By using Spikefrost, you acknowledge and agree to the practices described in this policy.
2. Legal Entity and Scope
2.1 Data Controller
Spikefrost Limited
Company Number: 16978632
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Where this policy refers to "Spikefrost", "we", "us", or "our", it refers to Spikefrost Limited.
2.2 Data Protection Contact
- Email: privacy@spikefrost.com
- Designated Data Protection Contact: Hikmet Reha Gunduz
- Website: https://www.spikefrost.com
3. Information We Collect
We collect information necessary to operate, secure, and improve the platform.
3.1 Information You Provide
- Account details (name, email, company information)
- Authentication credentials
- Payment information (processed by Stripe)
- Communications and support requests
- Project configurations, agent settings, and workflow data
- Any other information you choose to provide
3.2 Information Generated Through Use
- Platform usage data, logs, timestamps, and interaction events
- Configuration data (agents, workflows, projects)
- Technical data (IP address, browser type, device information, operating system)
- Performance metrics and error logs
- Cookies and similar tracking technologies (see Section 12)
3.3 Information from Third-Party Sources
Where you authenticate using third-party services (Google, GitHub, other OAuth providers), we receive:
- Basic profile information (name, email address)
- Authentication tokens
- Profile identifiers
We will inform you of the specific data collected at the point of authentication.
3.4 Special Categories of Personal Data
We do not intentionally collect special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) unless voluntarily provided by you. If such data is provided, it will only be processed where legally permitted under UK GDPR.
4. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 of the UK GDPR:
4.1 Contract Performance (Article 6(1)(b))
Processing necessary to:
- Provide and operate Spikefrost services under our Terms of Service
- Manage your account and authenticate access
- Process payments and provide customer support
- Deliver requested features and functionality
4.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, including:
- Improving platform performance, reliability, and user experience
- Maintaining security and preventing fraud
- Conducting analytics
- Developing new features
- Communicating service-related updates
- Enforcing our Terms of Service
We have conducted a legitimate interest's assessment to ensure that our interests do not override your fundamental rights and freedoms.
4.3 Legal Obligation (Article 6(1)(c))
- Tax and accounting requirements
- Regulatory compliance and reporting
- Responding to lawful requests from law enforcement
- Compliance with court orders
4.4 Consent (Article 6(1)(a))
- Marketing communications
- Non-essential cookies
- Any other processing where consent is the appropriate legal basis
You have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing based on consent before withdrawal. To withdraw consent, contact privacy@spikefrost.com or use the unsubscribe mechanism provided in marketing communications.
5. How We Use Information
We use collected data for the following purposes:
5.1 Service Provision
- Provide, operate, and maintain Spikefrost
- Authenticate users and manage accounts
- Enable creation and management of AI agents, workflows, and projects
- Process and execute user instructions and commands
5.2 Platform Improvement
- Analyse usage patterns
- Develop new features, products, and services
- Conduct research and testing
5.3 Security and Fraud Prevention
- Maintain security and prevent misuse
- Detect, investigate, and prevent fraud
- Monitor for security breaches
5.4 Communications
- Send service-related updates, security alerts, and administrative messages
- Respond to support requests
- Provide customer support and troubleshooting
5.5 Legal and Compliance
- Comply with legal obligations
- Establish, exercise, or defend legal claims
- Enforce our Terms of Service
5.6 Marketing
Send information about new features, products, and services (where you have opted in or where we have a legitimate interest).
We do not sell personal data to third parties.
6. AI Processing and Model Providers
6.1 AI-Powered Features
Spikefrost enables interaction with AI-powered agents through third-party AI model providers. User inputs and outputs may be processed by these providers solely to deliver requested functionality.
6.2 AI Model Providers
- User prompts are transmitted to third-party providers using a system-generated identifier
- We do not include your name, email, or other personal information in prompts
- We recommend you avoid including personal data in prompts
- Data is routed through EEA-based infrastructure
- All providers act as data processors under Article 28 UK GDPR
- Sub-processor list available on request
6.3 Data Processed by AI Providers
- User prompts, instructions, and inputs
- Generated outputs and responses
- Configuration data and agent settings
- Usage metadata (timestamps, model selection)
6.4 Training Data
Your data is NOT used to train proprietary or third-party AI models unless you provide explicit written consent. We have contractual safeguards in place with our AI providers prohibiting the use of customer data for model training purposes. Enterprise customers may have additional controls.
6.5 AI Limitations
AI outputs may be inaccurate, incomplete, or biased. You are responsible for:
- Reviewing and validating all outputs
- Ensuring compliance with applicable laws and regulations
- Making informed decisions based on AI outputs
7. Data Sharing and Disclosure
We may share personal data only in the following circumstances:
7.1 Service Providers (Data Processors)
- Cloud hosting providers
- AI model providers (see Section 6)
- Payment processors (Stripe)
- Analytics and monitoring services
- Customer support tools
- Email and communication services
All service providers are bound by Article 28 UK GDPR data processing agreements requiring them to:
- Process data only on our documented instructions
- Implement appropriate security measures
- Maintain confidentiality
- Assist with data subject rights requests
- Delete or return data upon termination
7.2 Legal Requirements
We may disclose personal data in response to:
- Court orders or subpoenas
- Law enforcement requests
- Legal claims
- Protection of rights, property, or safety
7.3 Business Transfers
In the event of a merger, acquisition, asset sale, or bankruptcy, personal data may be transferred. We will provide notice and inform you of your choices.
7.4 With Your Consent
We may share your data with third parties where you have given explicit consent.
7.5 Aggregated and Anonymised Data
We may share aggregated or anonymised data that does not constitute personal data under UK GDPR.
8. Data Storage and Security
8.1 Security Measures
Technical Measures:
- TLS 1.3+ encryption in transit
- AES-256 encryption at rest
- Multi-factor authentication
- Regular security testing
- Intrusion detection systems
- Secure development practices
Organisational Measures:
- Role-based access controls
- Staff training on data protection
- Confidentiality agreements
- Incident response procedures
- Regular security audits
- Documented security policies
No system is completely secure. Data transmission over the internet carries inherent risks.
8.2 Data Storage Locations
Primary data storage is within the European Economic Area (EEA), specifically Ireland and the Netherlands. Third-party providers may process data outside the UK/EEA, subject to the safeguards described in Section 9.
9. International Data Transfers
9.1 Transfers Outside the UK
- EEA (Ireland, Netherlands): Primary infrastructure, covered by adequacy decision
- United States: Payment processing, analytics, and error monitoring, subject to Section 9.2 safeguards
- Other jurisdictions: As required by service providers
9.2 Transfer Safeguards
Where personal data is transferred outside the UK, we ensure the following safeguards are in place:
- EU-UK Adequacy Decision
- ICO International Data Transfer Agreement (IDTA)
- ICO Addendum to EU Standard Contractual Clauses (SCCs)
- Transfer Risk Assessments (TRAs) evaluating local data protection laws, government access to data, onward transfer restrictions, and enforceability of data subject rights
9.3 Copies of Safeguards
Copies of the relevant transfer safeguards are available on request at privacy@spikefrost.com.
10. Data Retention
10.1 Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of active account + 6 years | Legal obligations, contract enforcement |
| Usage logs | 12 months | Security, performance, troubleshooting |
| Support communications | 3 years after case closure | Customer service, dispute resolution |
| Financial records | 7 years | UK tax and accounting requirements |
| Marketing consent records | Until consent withdrawn + 3 years | Compliance demonstration |
| Security logs | 3 years | Security monitoring, legal defence |
| AI inputs/outputs | Duration of active project, deleted on user request | Service provision, troubleshooting |
| Analytics/cookie data | Per provider default (14-26 months) | Performance, improvement |
| Backup copies | Up to 90 days | Disaster recovery |
10.2 Early Deletion
You may request earlier deletion of your data. We may retain data where required by law, necessary for legal claims, or contained in backup systems subject to automated deletion schedules.
10.3 Anonymisation
Where possible, we will anonymise or pseudonymise personal data after the applicable retention period expires.
11. Your Rights Under UK GDPR
11.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether your personal data is being processed, access to that data, and information about how it is used. To submit a Subject Access Request (SAR), contact privacy@spikefrost.com.
11.2 Right to Rectification (Article 16)
You have the right to have inaccurate or incomplete personal data corrected. You can update most information directly through your account settings.
11.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data where:
- It is no longer necessary for the purposes it was collected
- You withdraw consent and there is no other legal basis
- You object to processing based on legitimate interests
- Data has been unlawfully processed
- Deletion is required by legal obligation
Limitations may apply where retention is necessary for compliance with legal obligations, legal claims, or archiving purposes.
11.4 Right to Restriction (Article 18)
You have the right to restrict processing where:
- The accuracy of data is contested
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification
11.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
11.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interest grounds. You have an absolute right to object to processing for direct marketing purposes.
11.7 Right to Withdraw Consent
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. Contact privacy@spikefrost.com or use the unsubscribe link in marketing communications.
11.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
11.9 Exercising Your Rights
To exercise any of the above rights:
- Email: privacy@spikefrost.com
- Subject line: "Data Subject Rights Request - [Type of Request]"
- Include your name, email address, and details of your specific request
We will respond within one calendar month (extendable by two additional months for complex requests). We may verify your identity before processing. Requests are generally free of charge; we may charge a reasonable fee for manifestly unfounded or excessive requests.
12. Cookies and Tracking Technologies
12.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website or use our services.
12.2 Types of Cookies We Use
Essential Cookies (no consent required):
- Session management
- Security tokens
- Load balancing
- User preferences
Performance and Analytics Cookies (consent required):
- Usage analytics
- Error tracking
- A/B testing
Functional Cookies (consent required):
- Preferences and personalisation
- Chat functionality
Marketing Cookies (consent required):
- Campaign tracking
- Attribution
- Retargeting
12.3 Third-Party Cookies
Some cookies are set by third-party providers including analytics, payment processing, error monitoring, and marketing services. Contact privacy@spikefrost.com for the current list of third-party cookie providers.
12.4 Managing Cookie Preferences
You can manage cookies through:
- Browser settings: Chrome, Firefox, Safari, and Edge all provide cookie management controls
- Cookie Preference Centre: Available on first visit, through account settings, or by contacting us
Impact of refusing cookies:
- Essential cookies: refusing may prevent core functionality
- Performance/analytics cookies: does not affect core service
- Marketing cookies: does not affect functionality
12.5 Do Not Track
We do not currently respond to Do Not Track (DNT) browser signals.
13. Automated Decision-Making and Profiling
13.1 Automated Decision-Making
Spikefrost does not use automated decision-making that produces legal or similarly significant effects on individuals without human intervention.
13.2 Profiling
We do not currently use profiling as defined under UK GDPR. If this changes, we will update this policy and obtain your consent where required. You have the right to object to profiling as described in Section 11.6.
14. Children's Privacy
Spikefrost is not intended for use by individuals under the age of 13. We do not knowingly collect personal data from children under 13. If you believe that a child's personal data has been collected, please contact privacy@spikefrost.com immediately.
For users under 18, we recommend reviewing this policy with a parent or guardian.
15. Data Breach Notification
15.1 Our Obligations
In the event of a personal data breach, we will:
- Notify the ICO within 72 hours where required under Article 33 UK GDPR
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to rights and freedoms (Article 34), including the nature and categories of data affected, likely consequences, measures taken or proposed, and contact details for further information
15.2 Exceptions
Direct notification to individuals may not be required where encryption has been applied rendering data unintelligible, subsequent measures have ensured the high risk is no longer likely, or it would involve disproportionate effort (in which case a public communication will be made).
15.3 Your Responsibility
If you become aware of any unauthorised access to your account, please notify us immediately at security@spikefrost.com.
16. Third-Party Links and Services
Spikefrost is not responsible for the privacy practices of third-party websites or services linked from our platform. We encourage you to review the privacy policies of any third-party services you access.
Where you connect third-party integrations (such as GitHub, Slack, or cloud providers), data shared with those services is governed by this Privacy Policy, the third party's own privacy policy, and any integration-specific consent you provide.
17. Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred. We will:
- Provide notice of any such transfer
- Ensure any successor entity is bound by privacy commitments equivalent to this policy
- Inform you of your choices regarding your personal data
18. Changes to This Privacy Policy
18.1 When We May Update
We may update this Privacy Policy to reflect changes in our practices, legal or regulatory requirements, technical developments, or industry best practices.
18.2 How We Will Notify You
Material changes: We will notify you via email at least 30 days before changes take effect, provide a clear explanation of the changes, and obtain consent where required by law.
Non-material changes: We will update the "Last updated" date and post the revised policy on this page.
18.3 Continued Use
Continued use of Spikefrost after changes take effect constitutes acceptance of the updated policy. If you do not agree, you may close your account by contacting support@spikefrost.com.
19. Contact Information
Data Protection Contact
Email: privacy@spikefrost.com
Designated Data Protection Contact: Hikmet Reha Gunduz
General Enquiries
Website: https://www.spikefrost.com
Email: support@spikefrost.com
Postal Address
Spikefrost Limited
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Supervisory Authority
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
20. Legal Framework
This Privacy Policy is governed by and construed in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
- Other applicable UK data protection legislation