Last updated: Monday 20th April 2026 · Version 1.0
This Privacy Policy explains how Digitonic Ltd ("Digitonic", "we", "us", or "our") collects, uses, discloses, and safeguards personal data when you visit our website, create an account, or use the FAQSIR platform (the "Service"). FAQSIR is a software-as-a-service application that helps investor relations teams publish AI-generated FAQs, summaries, news articles, and videos derived from company announcements and knowledge documents.
We act as a data controller for personal data we collect about our account holders, prospects, and website visitors. Where our customers upload their own investor or stakeholder data to the Service, we act as a data processor on their behalf, and our customer is the controller.
At a glance. We collect the data required to create and secure your account, process payments, deliver AI-generated investor relations content, and comply with law. We never sell personal data. You have rights over your data under UK GDPR, EU GDPR, and applicable US state laws.
The data controller is Digitonic Ltd, a company registered in the United Kingdom under company number SC397173, with its registered office at 5 Renfield Street, Glasgow G2 5EZ.
You can reach our privacy team at support@faqsir.com
Account data: full name, work email address, password (stored as a salted hash), and any profile information you add.
Authentication data: two-factor authentication secrets, recovery codes, email verification status, password reset tokens, and "remember me" tokens.
Site & tenant data: the name, description, branding, team members, roles (Owner, Admin, Client), and invitation records for each investor relations workspace ("Site") you create.
Billing data: billing name and address, VAT/tax identifiers, Stripe customer ID, subscription ID and status, plan, trial dates, invoice history, payment method brand and last four digits. We do not store full card numbers — these are held by Stripe.
Knowledge content: documents, URLs, announcements, scripts, prompts, Q&A records, and other materials you upload or enter so that the Service can generate FAQs, news articles, summaries, and videos.
Third-party credentials: OAuth tokens, refresh tokens, and channel identifiers that you authorise us to store (for example, YouTube publishing credentials).
Support communications: messages, screenshots, and attachments you send to our support team.
Log & device data: IP address, browser type and version, operating system, referring URL, pages viewed, session identifiers, user agent strings, and timestamps.
Usage data: feature interactions, credit consumption, generation counts, API calls, error events, and performance traces.
Cookies & similar technologies: session cookies, authentication cookies, CSRF tokens, and analytics identifiers. See Section 12.
Payment status from Stripe (success, failure, dispute, refund).
Email delivery events from Postmark, Resend, Mailgun, or Amazon SES (delivered, bounced, complained, opened where applicable).
AI provider metadata (job status, output identifiers, usage tokens).
Publicly available information scraped via Zyte where you direct us to a URL for content extraction.
| Purpose | Data used | Legal basis (UK/EU) |
|---|---|---|
| Create and secure your account, authenticate users, enforce 2FA, prevent abuse | Account, authentication, log, device | Contract; legitimate interests (security) |
| Provide the Service — generate FAQs, summaries, news articles, videos, and publish content | Knowledge content, site data, OAuth credentials | Contract |
| Process subscriptions, credits, trials, invoices, and tax | Billing data | Contract; legal obligation (accounting) |
| Communicate service messages (receipts, security, product updates, policy changes) | Account, billing | Contract; legal obligation |
| Send marketing emails and newsletters | Account, usage | Consent (or soft opt-in where permitted) |
| Monitor performance, debug, and resolve errors | Log, device, usage, error traces | Legitimate interests (reliability) |
| Analyse aggregated usage to improve the Service | Usage, log | Legitimate interests (product improvement) |
| Prevent fraud, abuse, and violations of our Terms | All categories | Legitimate interests; legal obligation |
| Comply with legal requests, court orders, and regulatory duties | As required | Legal obligation |
We rely on the following legal bases in Article 6(1) UK/EU GDPR:
Performance of a contract — to provide the Service you have signed up for.
Legitimate interests — to secure, improve, and operate the Service, provided those interests are not overridden by your rights.
Consent — for non-essential cookies, marketing to new contacts, and certain optional integrations. You can withdraw consent at any time.
Legal obligation — to keep accounting records, respond to lawful requests, and comply with tax and financial crime rules.
The Service uses large language models and generative video models to produce investor relations content from the material you upload. The following applies:
Prompts, reference documents, and generated outputs are transmitted to these providers over TLS and processed subject to the providers' enterprise terms.
We have configured the Service so that customer content is not used to train the underlying foundation models where the provider offers such a setting.
AI output is probabilistic and may contain inaccuracies. We therefore display disclaimers and recommend human review before publication. See our separate Disclaimer.
Generated videos and files may be temporarily cached by the provider and are also stored on our own Amazon S3 buckets for delivery.
We share personal data only with the categories of recipients below, and only to the extent necessary. We do not sell or rent personal data.
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) — EC2, S3, RDS | Hosting, database, and file storage | [AWS REGION] |
| Stripe | Payment processing, subscription billing, invoicing | US/IE |
| OpenAI | Generative text (FAQs, articles, summaries) | US |
| HeyGen | AI video generation | US |
| Zyte | Web content extraction on your instruction | IE |
| Postmark / Resend / Mailgun / Amazon SES | Transactional and marketing email delivery | US/EU |
| Sentry | Error monitoring and performance tracing | US/EU |
| Google (Tag Manager, Analytics, YouTube OAuth) | Tagging, analytics, and authorised video publishing | US/EU |
We may also disclose personal data to professional advisers (lawyers, auditors, accountants), to prospective buyers in a corporate transaction, and to authorities where required by law.
Some of our processors are located outside the UK and the European Economic Area, including the United States. Where we transfer personal data internationally we rely on appropriate safeguards, including:
The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
The European Commission's Standard Contractual Clauses (2021/914).
The EU–US Data Privacy Framework and its UK Extension where the recipient is certified.
Adequacy decisions where available.
You can request a copy of the safeguards in place for a specific transfer by emailing support@faqsir.com.
| Category | Retention period |
|---|---|
| Account and profile data | For the life of the account, then deleted or anonymised within 90 days of closure (except where we must retain it for legal reasons). |
| Knowledge documents, generated content, videos | Until you delete them or your account is closed, subject to a grace period for recovery. |
| Billing records and invoices | [6–7] years to comply with tax and accounting law. |
| Security, audit, and access logs | Up to 12 months (longer where required to investigate an incident). |
| Support communications | Up to 3 years. |
| Marketing contacts | Until you unsubscribe, then suppressed to honour your opt-out. |
We implement appropriate technical and organisational measures to protect personal data, including: TLS encryption in transit; encryption at rest for the database and S3 buckets; hashed passwords (bcrypt/argon2); optional and enforced two-factor authentication; role-based access control and tenant isolation; least-privilege IAM; audit logging; regular backups; vulnerability scanning; and staff confidentiality obligations. No system is completely secure, and we cannot guarantee absolute security.
If we become aware of a personal data breach that is likely to affect your rights, we will notify the relevant supervisory authority and, where required, affected users without undue delay.
If you are in the UK or the EEA, you have the following rights under UK GDPR and EU GDPR:
Access — to a copy of the personal data we hold about you.
Rectification — to correct inaccurate or incomplete data.
Erasure — to ask us to delete personal data in certain circumstances.
Restriction — to limit how we process your data while a concern is resolved.
Portability — to receive data you provided in a structured, machine-readable format.
Objection — to object to processing based on legitimate interests or direct marketing.
Withdraw consent — at any time where consent is the legal basis.
Complain — to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
Automated decisions — we do not make decisions that produce legal or similarly significant effects about you using automated processing alone.
To exercise any right, email support@faqsir.com. We will respond within one month and may ask for proof of identity.
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another US state with a comprehensive privacy law, you may have the right to know what personal information we collect, to request deletion or correction, to opt out of targeted advertising, sale, or profiling with legal effects, and to appeal a refused request. We do not sell personal information or share it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. You can exercise these rights by emailing support@faqsir.com. We will not discriminate against you for exercising a privacy right.
We use a small number of cookies to operate the Service:
Strictly necessary: session, authentication, and CSRF cookies that keep you signed in and protect against cross-site request forgery.
Functional: preferences such as tenant selection and UI state.
Analytics: Google Tag Manager / Google Analytics to measure aggregate usage, subject to your consent where required.
You can manage cookies through your browser or, where shown, our cookie banner. Blocking strictly necessary cookies will break authentication.
The Service is intended for business use by investor relations professionals and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
We may update this Policy from time to time. If changes are material we will notify account holders by email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the current version. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
Questions, requests, or complaints about privacy should be directed to:
Digitonic Limited — Privacy Team
4th Floor, The Forsyth Building, 5 Renfield Street, Glasgow, G2 5EZ
Email: support@faqsir.com