Privacy Policy

Last updated: 24 March 2026

1. Who we are and what this policy covers

Subphonic is an AI-powered communications intelligence platform. We believe that privacy and transparency are not just legal obligations — they are part of how we build products and earn trust.

This policy is published by aiphoria Limited, trading as subphonic ("subphonic", "we", "us", "our"). We are registered in England and Wales (company number 14968896), registered office at 30 St. Giles, Oxford, England, OX1 3LE. We are registered as a data controller with the UK Information Commissioner's Office (ICO registration number ZB810902).

This policy explains how we collect, use, and protect personal data when you:

  • visit or use our website at subphonic.ai or aiphoria.net;
  • register for or use our services, including the Focus portal and Transact platform (together, "the Services"); or
  • interact with us as a prospective, current, or former customer, partner, or supplier contact.

What this policy covers — and what it does not

This policy covers our activities as a data controller — where we determine the purpose and means of processing your personal data. This includes:

  • visitors to our website;
  • individuals who contact us with enquiries;
  • customer, partner, and supplier contacts; and
  • service users — individuals who hold a login to our Focus portal or Transact platform. For these individuals, we are the data controller of their account data, credentials, settings, and usage activity within the Services.

This policy does not cover personal data that our business customers upload to or capture through Focus or Transact — for example, call recordings, transcripts, and AI-generated outputs. In relation to that data we act as a data processor on behalf of our business customers, who are the data controllers. That processing is governed by the data processing agreements we hold with those customers. If you are an individual whose data appears in a customer's recordings or transcripts, please contact that customer directly.

Applicable law

This policy is designed to comply with UK GDPR and the Data Protection Act 2018. Where we offer services to EEA individuals, we also seek to comply with EU GDPR. If you are unsure which law applies to you, please contact us.

2. The personal data we collect

2.1 Contact data

Your name, email address, telephone number, postal address, and social media account identifiers. Source: you and/or your employer.

2.2 Account data

Account identifier, name, email address, business name, account creation and modification dates, service settings, role, and communication preferences.

2.3 Customer relationship data

Your name, employer, job title, contact details, CRM classification, and records of communications between us.

2.4 Communication data

Data relating to communications between us — website enquiries, emails, and support tickets — including content and associated metadata.

2.5 Service data

Data generated through your use of our Services as an account holder: usage logs, feature interaction records, search queries within the Focus portal, settings and configurations, and audit trail information. This does not include communications content processed on behalf of business customers, which is covered by separate data processing agreements.

2.6 Usage data

Data generated automatically when you visit our website or use our Services: IP address, browser type and version, device and OS, pages visited, links clicked, time on pages, referral URLs, and session identifiers. Typically collected via cookies — see Section 3.

2.7 A note on third-party data

Please do not supply us with another person's personal data unless we specifically prompt you to do so.

3. Cookies and similar technologies

We use cookies and similar tracking technologies on our website and within our Services. Where not strictly necessary, we will ask for your consent before placing them.

  • Strictly necessary — required for our website and Services to function. Cannot be disabled.
  • Functional — remember your preferences and settings.
  • Analytics — help us understand how visitors use our website so we can improve it.
  • Marketing — track campaign effectiveness. Only placed with your consent.

You can manage your cookie preferences at any time via our cookie settings tool. See our separate Cookie Policy for full details.

4. How and why we use your personal data

We only process personal data where we have a valid legal basis. The table below sets out our processing purposes and legal bases.

Purpose | Data used | Legal basis
Operating our website and Services — managing accounts, processing orders, invoices, support | Contact, account, service | Legitimate interests (administration of our website, Services and business)
Managing relationships and communications — enquiries, account management, complaint handling | Contact, account, customer relationship, communication | Legitimate interests (maintaining relationships, enabling use of our Services)
Personalisation — improving and tailoring your experience | Account, service, usage | Legitimate interests; consent where cookies are involved
Direct marketing — communications by email, SMS, post, or telephone | Contact, account, customer relationship | Legitimate interests (B2B); consent where required under PECR
Research and analytics — understanding how our website and Services are used | Usage, service | Legitimate interests (monitoring, improving and securing our Services)
Record keeping — maintaining business records and database back-ups | All relevant categories | Legitimate interests (efficient and accurate business administration)
Security and fraud prevention — protecting our website, Services, and users | All relevant categories | Legitimate interests (protecting our business, Services, and users)
Insurance and risk management — coverage, managing risk, professional advice | All relevant categories | Legitimate interests (proper protection of our business)
Legal claims — establishing, exercising, or defending legal claims | All relevant categories | Legitimate interests (protecting legal rights)
Legal compliance and vital interests — complying with legal obligations | All relevant categories | Legal obligation; vital interests

A note on legitimate interests

Where we rely on legitimate interests, we carry out a balancing assessment to ensure our interests do not override your rights. You may request a copy of our legitimate interests assessment by contacting us.

What we do not do

We do not sell your personal data. We do not use personal data from our website or your account to train AI models without your explicit consent. We do not make solely automated decisions that produce legal or similarly significant effects about you without human review.

5. Sharing your personal data

5.1 Group companies

We may share your personal data with other members of the aiphoria group of companies where reasonably necessary for the purposes in this policy.

5.2 Professional advisers and insurers

We may share personal data with insurers, lawyers, accountants, and other professional advisers where necessary.

5.3 Service providers and sub-processors

We share personal data with trusted third-party suppliers subject to written data processing agreements. Categories include:

  • Cloud infrastructure and hosting providers
  • Customer relationship management (CRM) platforms
  • Accounting, billing, and invoicing platforms
  • Email and communication platforms
  • Marketing service providers
  • Analytics providers
  • Information security providers

An up-to-date sub-processor list is available on request or at the Trust Center.

5.4 Legal and regulatory requirements

We may disclose personal data where required by law, court order, or regulation, or to protect vital interests.

5.5 Business transfers

In the event of a merger or acquisition, personal data may transfer to the relevant third party. We will notify you if this affects your data.

6. International transfers

  • UK to EEA / EEA to UK — transfers made in reliance on applicable adequacy decisions.
  • Other countries — we use UK IDTAs, EU Standard Contractual Clauses, the EU-US Data Privacy Framework, and/or the UK-US Data Bridge mechanism as applicable.

For further information contact our DPO at dpo@aiphoria.co.uk.

7. How long we keep your data

  • Account data — for the duration of your account and a reasonable period afterwards.
  • Customer relationship data — up to six years after the end of the business relationship.
  • Marketing data — until you object or withdraw consent, or the data is no longer relevant.
  • Website usage data — typically in aggregated or anonymised form after 26 months.

Our full retention schedule is available on request. We may retain data beyond these periods where required by law or for legal claims.

8. How we protect your data

  • Encryption — data encrypted in transit (TLS) and at rest (256-bit AES).
  • Access controls — role-based permissions and two-factor authentication.
  • Security standards — ISO 27001 and, where applicable, BS10008.
  • Audit logging — access to personal data is logged and audited.
  • Supplier security — key suppliers are required to maintain appropriate security standards.

You are responsible for keeping your account password confidential. We will never ask you for it.

9. Your rights

Under data protection law, you have the following rights:

Right | What it means
Access | You can ask for a copy of the personal data we hold about you.
Rectification | You can ask us to correct inaccurate or complete incomplete personal data.
Erasure | You can ask us to delete your personal data in certain circumstances.
Restriction | You can ask us to restrict our processing of your personal data in certain circumstances.
Objection | You can object to processing based on legitimate interests, and to direct marketing at any time.
Portability | You can ask us to provide your personal data in a structured, machine-readable format.
Withdraw consent | Where we rely on consent, you can withdraw it at any time without affecting prior lawful processing.
Complain | You have the right to lodge a complaint with a supervisory authority.

To exercise any right, contact us in writing using the details in Section 12. We will respond within one calendar month.

Supervisory authorities

UK: Information Commissioner's Office — ico.org.uk | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF | 0303 123 1113.

EEA: your local data protection authority — see edpb.europa.eu for a full list.

10. Automated processing and AI

We use AI-based technologies within our Services but do not make solely automated decisions about you that produce legal or similarly significant effects without human involvement. You retain the right to object to any profiling in connection with your account.

11. Keeping your information up to date

Account holders can update certain information within account settings. For other updates, contact us using the details in Section 12.

12. Our details and how to contact us

Company: aiphoria Limited, trading as Subphonic
Registered address: 30 St. Giles, Oxford, England, OX1 3LE
Company number: 14968896
ICO registration number: ZB810902

Contact us by post at the address above, via subphonic.ai/contact, or by telephone (see our website).

Data Protection Officer: dpo@aiphoria.co.uk

13. Our role as a data processor

When business customers use Focus or Transact to process communications, we act as a data processor — not a data controller. This policy does not apply to that processing.

For information about our Data Processing Agreement or security and compliance posture, visit the Trust Center or contact dpo@aiphoria.co.uk.

14. Changes to this policy

We may update this policy from time to time. We will update the "last updated" date at the top and, where changes are material, notify you by email or via a notice in the Services.

This policy was last updated on 24 March 2026.