Privacy Policy
1. Introduction
Subcontext Ltd ("we", "us", or "our"), a company registered in England and Wales (Company No. 17019645) with its registered office at 124 City Road, London, EC1V 2NX, and registered with the Information Commissioner's Office under reference ZC098511, is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use the Subcontext platform and services ("Service"). It covers data relating to our customers ("Customers"), their authorised users, and the individuals with whom Customers communicate through the Service ("Contacts").
This Privacy Policy should be read alongside our Terms of Service, Cookie Policy, and Acceptable Use Policy.
2. Data Controller and Data Processor Roles
2.1 Subcontext as Data Controller
Subcontext is the data controller for personal data relating to Customers and their authorised users — that is, data collected for the purpose of providing, managing, and billing the Service (Account information, payment data, usage data, security data).
2.2 Subcontext as Data Processor
Subcontext acts as a data processor on behalf of Customers for personal data relating to Contacts. Customers are the data controllers for Contact data and are responsible for establishing a lawful basis for processing, providing privacy notices to Contacts, and responding to Contact data subject requests.
The specific terms governing our data processor obligations are set out in our Data Processing Agreement ("DPA"), which is available upon request and forms part of our Terms of Service.
2.3 Contact Information
For all data protection enquiries, including exercising your rights:
Subcontext Ltd — Data Protection 124 City Road, London, EC1V 2NX Email: hello@subcontext.com
3. Data We Collect
3.1 Customer Account Data
When you register for and use the Service, we collect:
- Identity data: first name, last name, display name, company name
- Contact data: email address
- Credential data: encrypted password, two-factor authentication secrets, backup codes
- Organisation data: organisation name, slug, settings, feature flags, compliance profile
- Membership data: role, status, and organisational associations
3.2 Billing and Payment Data
- Subscription information: plan selection, billing cycle
- Payment transactions: processed securely by Stripe, Inc. We do not store payment card numbers. Stripe's privacy policy governs the handling of card data.
- Transaction records: payment amounts, dates, status, invoice references
3.3 Conversation and Messaging Data
When Customers use the Service to communicate with Contacts, we process:
- Message content: the full text of messages exchanged between Agents and Contacts in web chat sessions (including via the embeddable web chat widget)
- AI-generated responses: content generated by AI Agents in response to Contact messages
- Conversation metadata: direction, status, timestamps, read status, escalation status
- Contact identifiers: name, email address, phone number, external identifiers, and custom attributes as provided by Customers
- Consent records: opt-in/opt-out status, consent timestamps, opt-out method
3.4 AI Processing Data
The Service processes data through third-party large language model ("LLM") providers to power AI Agents. This includes:
- Conversation inputs: Contact messages, conversation history, and context provided to AI models for response generation
- Knowledge base content: documents and other materials configured by Customer as Agent knowledge sources
- Policy and safety screening data: message content submitted to AI models for content screening, escalation detection, and guardrail evaluation
3.5 Tool Execution Data
When an Agent invokes a configured Tool:
- Tool inputs and outputs: the parameters supplied to each Tool call and the responses returned, including any HTTP requests and responses exchanged with external services
- Audit metadata: the identity of the Tool invoked, timestamps, and the outcome of each call
3.6 Technical and Usage Data
- Device data: IP address, browser type and version, operating system, device identifiers, time zone
- Usage data: pages visited, features used, API calls made, session duration
- Audit logs: a record of all significant actions taken within the Service, including user identity, action type, target, IP address, user agent, and timestamp
- LLM API call logs: AI model provider, model name, input/output token counts, processing duration, and associated costs
- Security data: sign-in attempts (successful and failed), account lockouts, session tokens, two-factor authentication events
- Error and performance data: application errors, response times, and diagnostic information
3.7 Embedded Widget Data
The Service may be embedded on third-party websites via the web chat widget. When a visitor interacts with the embedded widget, we collect:
- Conversation data: as described in Section 3.3
- Technical data: IP address, browser type, referring page URL
- No additional tracking: embedded widgets do not set advertising or analytics cookies
3.8 Cookies
We use strictly necessary cookies to operate the Service. We do not use advertising or behavioural tracking cookies. For full details, please see our Cookie Policy.
4. Lawful Basis for Processing
4.1 Customer Data (Subcontext as Controller)
We process Customer personal data on the following lawful bases under Article 6 of the UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Providing and managing the Service | Contract (Article 6(1)(b)) |
| Processing payments and billing | Contract (Article 6(1)(b)) |
| Account security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Service improvement and analytics | Legitimate interests (Article 6(1)(f)) |
| Legal and regulatory compliance | Legal obligation (Article 6(1)(c)) |
| Marketing communications (where applicable) | Consent (Article 6(1)(a)) |
4.2 Contact Data (Subcontext as Processor)
We process Contact data on Customer's instructions as a data processor. The lawful basis for processing Contact data is determined by the Customer as data controller. Customers are responsible for ensuring they have established a valid lawful basis before processing Contact data through the Service.
5. AI Processing and Automated Decision-Making
5.1 How AI Processes Personal Data
The Service uses AI to generate conversational responses, screen content for policy compliance, detect escalation triggers, and execute tool-based actions. This processing involves transmitting personal data (including conversation content and Contact information) to third-party LLM providers.
5.2 Automated Decision-Making
The Service performs automated decision-making in the following contexts:
- Content screening: AI-powered evaluation of message content against configured policies, which may result in messages being blocked or flagged
- Escalation detection: AI-powered detection of situations requiring human intervention, which may trigger automatic escalation
- Tool execution governance: automated approval or denial of Agent tool actions based on configured policies
These automated decisions may affect how Contacts are communicated with but do not produce legal effects or similarly significant effects on Contacts without human involvement. Where Customers deploy Agents in contexts where automated decisions could have significant effects on individuals, Customers are responsible for implementing appropriate human oversight and informing Contacts of their rights under Article 22 of the UK GDPR.
6. Data Sharing and Sub-Processors
6.1 We Do Not Sell Personal Data
We do not sell, rent, or trade personal data to third parties for their marketing purposes.
6.2 Sub-Processors
We share personal data with the following categories of sub-processors to provide the Service:
| Category | Providers | Data Shared | Purpose |
|---|---|---|---|
| Cloud hosting | Amazon Web Services (AWS) | All Service data | Infrastructure hosting, storage, compute |
| AI model providers | AWS Bedrock in EU (Anthropic, Meta models) | Conversation content, knowledge base content, screening inputs | AI response generation, content analysis |
| SMS verification | Twilio | Contact phone numbers, verification codes | Platform contact-method verification (SMS / WhatsApp verification codes) |
| Email delivery | Amazon SES | User email addresses, notification content | Platform notification email (account alerts, password reset, invite emails) |
| Payment processing | Stripe | Customer billing data, payment amounts | Payment collection and processing |
All sub-processors are bound by data processing agreements requiring them to process data only on our instructions and to implement appropriate security measures. A current list of sub-processors is available upon request.
6.3 Other Disclosures
We may also share personal data with:
- Professional advisers: lawyers, auditors, and insurers where necessary
- Law enforcement and regulators: where required by law, regulation, or valid legal process, or where we reasonably believe disclosure is necessary to protect rights, safety, or the public interest
- Business transfers: in connection with a merger, acquisition, reorganisation, or sale of assets. We will notify affected parties of any such transfer.
7. International Transfers
Personal data may be transferred to, and processed in, countries outside the United Kingdom. AI model inference is performed via AWS Bedrock in the EU (Ireland). Some supporting infrastructure providers (notably Stripe for payments and Twilio for verification codes) are based in the United States.
Where we transfer data outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:
- Transfers to countries recognised by the UK Secretary of State as providing an adequate level of data protection
- The UK International Data Transfer Agreement (IDTA)
- The EU Standard Contractual Clauses with the UK Addendum, as approved by the Information Commissioner's Office (ICO)
- Additional technical and organisational measures where appropriate (such as encryption in transit and at rest)
Details of the specific transfer mechanisms used for each sub-processor are available upon request.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:
| Data Category | Retention Period |
|---|---|
| Customer account data | Duration of Account plus 12 months after closure |
| Conversation content and messages | Duration of Account plus 90 days after closure |
| Contact data and consent records | Duration of Account plus 90 days after closure |
| Audit logs | 24 months from creation |
| LLM API call logs | 12 months from creation |
| Payment and billing records | 7 years (HMRC requirement) |
| Security logs (sign-in attempts, lockouts) | 12 months from creation |
| Usage and analytics data | 24 months from creation |
| Escalation records | Duration of Account plus 90 days |
Upon Account termination, we delete Customer data within 90 days, except where retention is required by law or where data is contained in backups that are rotated in the ordinary course.
Data sent to third-party LLM providers for inference is subject to those providers' data retention policies. We select providers that do not retain input data beyond the duration of the API request, but we cannot guarantee the data handling practices of third-party providers.
9. Data Security
We implement technical and organisational measures to protect personal data, including:
- Encryption: TLS encryption for data in transit; AES-256 encryption at rest for sensitive data including authentication secrets
- Access controls: role-based access with organisation-level data isolation; two-factor authentication support
- Session management: secure session handling with revocation, expiry, and activity tracking
- Audit trail: comprehensive logging of all significant actions for security monitoring and incident investigation
- Infrastructure security: hosted on AWS with industry-standard security certifications
- Incident response: documented procedures for identifying, containing, and remediating data breaches, including notification obligations under the UK GDPR
No method of transmission or storage is completely secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security.
10. Your Rights
10.1 Customer Rights (Subcontext as Controller)
Under the UK GDPR, Customers and their authorised users have the following rights:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate or incomplete data
- Erasure: request deletion of your data in certain circumstances
- Restriction: request that we restrict processing of your data in certain circumstances
- Portability: request a copy of your data in a structured, commonly used, machine-readable format
- Objection: object to processing based on legitimate interests or for direct marketing
- Automated decision-making: not be subject to a decision based solely on automated processing that produces legal effects
To exercise these rights, contact us at hello@subcontext.com. We will respond within one month. We may extend this by up to two further months for complex requests, in which case we will inform you within the initial month.
10.2 Contact Rights
If you are a Contact (an individual who has interacted with an AI Agent or received communications through the Service), your data is controlled by the Customer who operates the Agent or initiated the communication. Please direct data subject requests to that organisation in the first instance.
If you are unable to identify or contact the relevant Customer, or if the Customer is unresponsive, you may contact us at hello@subcontext.com and we will use reasonable efforts to assist.
10.3 Right to Complain
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed:
Information Commissioner's Office ico.org.uk Helpline: 0303 123 1113
11. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. Where Customers process data of individuals under 18 through the Service, Customers are responsible for compliance with the Age Appropriate Design Code (Children's Code) and obtaining appropriate parental consent.
If we become aware that personal data of a child under 18 has been collected without appropriate consent, we will take steps to delete it promptly.
12. Third-Party Links and Embedded Content
The Service may contain links to third-party websites or embed third-party content. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party service you interact with.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify Customers by email or by posting a prominent notice within the Service at least 30 days before the changes take effect.
The version number and publication date displayed with this document indicate the current version.
14. Contact
For all privacy and data protection enquiries:
Subcontext Ltd Registered in England and Wales, No. 17019645 ICO registration No. ZC098511 124 City Road, London, EC1V 2NX Email: hello@subcontext.com