Privacy Policy
How we handle your data
Last updated: September 28, 2025
Who we are. Entropy Labs Ltd (company number 14885101), 107 Newsome Road, Huddersfield, HD4 6ND, UK ("Entropy Labs", "we", "us") operates Aftertone (the "Service"). Contact: support@aftertone.io.
Scope. This Policy explains how we collect, use, disclose and protect personal data when you visit aftertone.io, use our apps, or interact with us. It does not cover employee/applicant data (we publish a separate notice for those).
Age. The Service is for 18+ only. We do not knowingly collect data from minors. If you believe a minor has provided data, contact us and we'll delete it.
1. Roles and key definitions
- Service Data (Controller): account, billing, support, product telemetry, marketing preferences. For this, Entropy Labs Ltd is the controller.
- Customer Data (Processor): content you or your organisation submits to the Service (e.g., tasks, files, comments, prompts) that may contain personal data. For this, we act as processor to your organisation (the controller). Processing is governed by our Data Processing Addendum (DPA), available on request; for Customer Data, the DPA's controller/processor terms prevail over this Policy.
- Personal data / personal information: information that identifies or can reasonably be linked to a person.
- Sub-processor: a vendor we engage to process Customer Data on our behalf.
2. What we collect (Service Data)
We collect the minimum necessary for the stated purposes:
- Identifiers & account data: name, email, password hash, organisation, role, verification tokens.
- Commercial & payment data: plan, invoices, VAT details, partial card info via our payment processor (we do not store full card numbers).
- Usage & device data: app interactions, feature flags, crash/diagnostic logs, device/OS, IP-derived coarse location, timestamps, cookies/SDK telemetry.
- Support & communications: messages, attachments, call/chat recordings where applicable.
- Marketing preferences: opt-ins, unsubscribes, campaign events.
- Integration data: identifiers and tokens necessary to connect third-party services you choose to link (e.g., calendar, storage, SSO).
We do not intentionally collect special category data. Do not upload sensitive data unless your organisation's DPA explicitly allows it and you have a lawful basis.
Sources. Directly from you; your employer/organisation; our Service; third-party identity providers; publicly available sources (for fraud prevention and business contact validation).
3. Why we use data (Service Data) & legal bases (UK/EU)
- Provide the Service & fulfil contract (Art. 6(1)(b)): account creation, authentication, core features, support.
- Security, fraud and abuse prevention (legitimate interests Art. 6(1)(f); legal obligations Art. 6(1)(c)): logging, rate-limits, incident response.
- Product analytics & improvement (legitimate interests): telemetry, A/B tests, quality assurance—pseudonymised/aggregated where possible.
- Billing & tax (contract/legal obligation): invoicing, VAT compliance, audits.
- Marketing to existing users (legitimate interests/PECR soft opt-in for similar products) and marketing to new individuals (consent where required by PECR/ePrivacy).
- Compliance (legal obligations): responding to lawful requests, enforcing terms.
- Personalised pricing/offers (legitimate interests/consent where required): limited profiling using non-sensitive factors (region, tenure, usage). We do not profile on protected characteristics.
Where we rely on consent, you may withdraw it at any time (this won't affect prior processing).
4. What we do as processor (Customer Data)
We process Customer Data only: (i) on documented instructions (your settings and the DPA); (ii) to provide, secure, and support the Service; (iii) to comply with law. We do not sell Customer Data, use it for targeted advertising, or mine it to build standalone profiles. We may generate aggregated/de-identified insights that do not identify individuals or customers.
5. Cookies & similar technologies
We use:
- Essential cookies (authentication, security, load balancing),
- Functional/analytics (product analytics, diagnostics), and
- Optional cookies (if any) for marketing/attribution.
Where required, we obtain consent via a cookie banner and honour your preferences. You can manage settings in-product or via your browser. See our Cookie Notice for details.
6. Disclosures & recipients
We share data with:
- Sub-processors (hosting, databases, analytics, support tooling, email delivery, payments, logging). We publish a current list at aftertone.io/subprocessors.
- Third-party integrations you enable (e.g., identity providers, file storage). Their terms/privacy policies apply.
- Professional advisers & auditors (under confidentiality).
- Corporate transactions (merger, acquisition, financing) under appropriate safeguards.
- Legal/regulatory where required by law or to enforce rights, protect users, or prevent harm.
We do not "sell" personal information and we do not "share" it for cross-context behavioural advertising as defined by the CPRA. If this ever changes, we will update this Policy and provide required opt-outs.
7. International transfers
We host and process using reputable providers in the UK, EEA, and (where needed) other countries. When transferring personal data internationally we use lawful safeguards:
- EEA/UK → third countries: EU Standard Contractual Clauses (SCCs) and the UK Addendum/IDTA, plus transfer impact assessments.
- US recipients: where applicable, we may rely on the EU-US Data Privacy Framework and the UK Extension (Data Bridge) for certified vendors; otherwise SCCs/UK Addendum.
- Adequacy decisions (where applicable) are used preferentially.
8. Security
We apply appropriate technical and organisational measures: encryption in transit, access controls, least privilege, MFA for admin access, audit logging, vulnerability management, and regular backups. No system is 100% secure. If we become aware of a personal-data breach affecting Customer Data, we will notify the relevant controller without undue delay; where a breach is likely to result in a risk to individuals, we will also notify the relevant authorities and affected individuals as required by law.
9. Retention
We keep personal data only as long as necessary for the purposes collected, including to comply with legal, accounting, or reporting obligations.
Indicative periods (may vary by customer plan/region):
- Account & billing records: life of account + up to 6 years (tax/contract limitation).
- Product telemetry & logs: 12–24 months.
- Support tickets: 3 years.
- Backups: typically 30–90 days rolling.
- Marketing preferences: until you opt out or the list is refreshed/culled.
We may retain aggregated/de-identified data indefinitely.
10. Your rights
UK/EU/EEA (UK GDPR/EU GDPR). You can access, rectify, erase, restrict, port, and object to processing (including for direct marketing). Where processing is based on consent, you can withdraw consent. Lodge complaints with the ICO (ico.org.uk) or your local EEA authority.
United States (CPRA, VCDPA, CPA, CTDPA, UCPA, others). You can access, delete, correct, obtain a portable copy, and opt out of targeted advertising, sale, and certain profiling. We currently do not sell or share personal information or engage in targeted advertising; if that changes, we will provide opt-out mechanisms (including a "Do Not Sell or Share" link). You have a right to non-discrimination for exercising rights.
Brazil (LGPD). Rights to confirm, access, correct, anonymise/block/delete unnecessary or excessive data, portability, information on sharing, withdraw consent, and review of automated decisions.
Canada (PIPEDA/Quebec Law 25). Rights to access, rectify, and information on automated decisions; withdraw consent where applicable.
Japan (APPI), Singapore (PDPA), Australia, South Africa (POPIA). Broadly similar access/correction and consent/legitimate-purposes frameworks; you may request access, correction, and withdrawal of consent where applicable.
How to exercise. Email support@aftertone.io with the subject "Privacy Request". We must verify your identity and, where you act as an agent (US), your authority. We will respond within 1 month (UK/EU) or 45 days (US), extendable where permitted. For Customer Data where we are processor, contact your organisation's admin; we will assist them.
Appeals (US states that require it). If we decline your request, you may appeal by replying to our decision email; we will review within required timelines.
11. Automated decision-making & profiling
We do not make decisions producing legal or similarly significant effects solely by automated means. We use limited profiling (e.g., fraud detection, abuse prevention, non-sensitive pricing/promotion personalisation). In the UK/EEA you may object; if we ever introduce impactful automated decisions, we will provide required notices and human review options.
12. Marketing
- Emails/SMS. We send service emails (transactional) and, where permitted, marketing communications. Individuals can opt out at any time via the unsubscribe link or by emailing us. We follow PECR/ePrivacy for electronic marketing (soft opt-in for existing customers; consent for new individuals where required; B2B marketing permitted with an easy opt-out).
- Third-party marketing. We do not share your personal data with third parties for their own marketing.
13. Sub-processors & third parties
We maintain a current list of sub-processors at aftertone.io/subprocessors describing their function, location, and the safeguards we apply. We use due diligence, contracts, and audits where appropriate. You can subscribe to change notifications where offered.
14. Organisation (enterprise) controls
If you use the Service under an organisation account:
- Your admins may access, monitor, export, or control your account and content.
- We may disclose usage, security, and billing information to admins.
- If your association ends, admins may suspend or reassign your access.
15. Regional information & contacts
- Controller (global): Entropy Labs Ltd, 107 Newsome Road, Huddersfield, HD4 6ND, UK; support@aftertone.io.
- Supervisory authority (UK): Information Commissioner's Office, ico.org.uk.
- EU Representative (Art. 27 GDPR): If and where required, we appoint an EU representative; current details are published on our site and available on request at support@aftertone.io.
- Data Protection Officer: We are not legally required to appoint a DPO at this time. We have designated a privacy lead reachable at support@aftertone.io. If that changes, we will update this Policy.
16. Data portability & export
You can export your data via in-product tools (where available) or by request. For Customer Data, administrators control export.
17. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (e.g., email or in-product). Continued use after the effective date means you accept the changes.
18. How to contact us
Questions, requests, or complaints: support@aftertone.io (subject: Privacy). We will respond within applicable legal timelines.