Privacy notice

"Sylure", "we", "us" and "our" refers to the entity operating the Sylure platform and this website (the "Company"). If you are using Sylure through your employer or another organisation, that organisation may be the data controller for personal data in customer uploads and DSAR workflows.

This notice covers: (a) visitors to our marketing website, (b) people who contact us for a demo or commercial discussions, and (c) users of the Sylure service (account holders). Where the Sylure service processes personal data contained in your organisation's uploaded bundles, Sylure typically acts as a processor on behalf of the customer (the controller).

• To provide and operate the Sylure service: upload intake, scanning, exposure mapping, DSAR workflows, reporting and audit exports.
• To respond to demo requests, enquiries and support tickets.
• To secure the platform and website, prevent misuse, and investigate incidents.
• To improve reliability and performance. Where we analyse usage, we aim to use aggregate-only data and avoid unnecessary access to customer content.

• Website enquiries and demos: legitimate interests and/or steps taken at your request prior to entering into a contract.
• Service account data: performance of a contract and legitimate interests (security and fraud prevention).
• Customer upload processing: performance of a contract with the customer and processing on the customer's documented instructions.

We share personal data with service providers who help us run the website and platform (for example, hosting and storage providers), strictly on a need-to-know basis and subject to contractual safeguards. For the Sylure service, uploads are stored in object storage and processed by our backend systems to generate results for your workspace.

We aim to host and process data in the UK or EEA where possible. If personal data is transferred outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses.

We retain personal data only for as long as necessary for the purposes described above, subject to legal and operational requirements.

When a customer deletes an upload bundle, we remove the underlying stored bundle and associated derived outputs in line with the retention and purge logic. Limited records may remain for audit and integrity purposes (for example, a deletion event), without the underlying content.

We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction. These include access controls and role-based permissions, audit logging, transport encryption, and evidence minimisation (masked by default) with hash-first indexing for matching.

Under UK GDPR you may have rights to access, rectify, erase, restrict or object to processing of your personal data, and the right to lodge a complaint with the Information Commissioner's Office (ICO).

If your personal data is contained in a customer upload processed by Sylure on behalf of an organisation, please contact that organisation (the controller) to exercise your rights.

For privacy questions or to exercise rights relating to website or account data, use the contact form on this site. If you require a data processing addendum (DPA) or sub-processor information for procurement, please include that in your message.

We may update this notice from time to time to reflect changes in our services, legal requirements or operational practices. We will post the updated version on this page with a revised "Last updated" date.