This Privacy Policy explains how d5s Ltd ("d5s", "we", "us") collects, uses, and shares personal data when you visit our website, create an account, or use our AI agent workspace (the "Services"). We are the data controller for personal data processed about our website visitors, waitlist signups, and individual account holders. When you use the Services as part of an organisation account, that organisation is typically the data controller for the content and user data it submits, and d5s acts as its processor under a separate Data Processing Addendum.
1. Personal data we collect
We collect personal data in the following categories:
- Account and contact data, such as your name, email address, company, role, and password hash.
- Waitlist data, such as the answers you provide on our waitlist form (region, use case, team size).
- Usage data, such as the pages and features you use, IP address, browser and device identifiers, and approximate location derived from IP.
- Customer Content you submit to the Services, such as prompts, code, files, and other material. Treat any message to an agent as personal data if it identifies a person.
- Support and communications data, such as emails, chat logs, and meeting notes from conversations you have with us.
- Cookies and similar technologies, limited to strictly necessary cookies for authentication and to a privacy friendly analytics cookie. We do not run advertising cookies on our website.
We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@d5s.tech and we will delete it.
2. How we use personal data and legal bases
Under the UK GDPR and the EU GDPR, we rely on the following legal bases:
- Performance of a contract, to create and operate your account, provide the Services, and communicate with you about the Services.
- Legitimate interests, to secure the Services, prevent fraud and abuse, debug and improve the product based on aggregated usage data, and contact business users about relevant product updates. Where we rely on legitimate interests, we have assessed that our interests are not outweighed by your rights.
- Consent, for optional analytics, for marketing emails sent to individual (non business) subscribers, and for any processing for which consent is the only available lawful basis. You can withdraw consent at any time.
- Legal obligation, to comply with accounting, tax, and regulatory obligations, and to respond to lawful requests from public authorities.
We do not use Customer Content to train foundation models. Our AI model providers are contractually prohibited from training on Customer Content we send them.
3. How we share personal data
We share personal data with the following categories of recipients:
- Sub processors that host or process data on our behalf. See section 4 for the current list.
- Organisation administrators, if you are a member of an organisation account. Administrators can see membership, usage metrics, and projects inside the organisation workspace.
- Professional advisers, such as lawyers, accountants, and auditors, under duties of confidentiality.
- Acquirers, in connection with a corporate transaction such as a merger, acquisition, or sale of assets. We will notify you of any change in control that affects your data.
- Public authorities, where disclosure is required by law or to protect our rights, users, or the public.
We do not sell personal data, and we do not share personal data for cross context behavioural advertising.
4. Sub processors
The following sub processors help us deliver the Services. We maintain written contracts with each, including GDPR Article 28 terms and Standard Contractual Clauses where the recipient is outside the UK or EEA.
- Amazon Web Services (AWS), Inc. Cloud hosting and storage. Primary region: eu-central-1 (Frankfurt, Germany).
- WorkOS, Inc. Authentication, SSO, and directory sync.
- Anthropic, PBC. AI model inference for selected agent features. Provider is contractually prohibited from training on our data.
- OpenAI, L.L.C. AI model inference for selected agent features. Provider is contractually prohibited from training on our data.
- Vercel Inc. (Vercel AI Gateway). Routing of inference requests to the providers above.
We will update this list when we add, remove, or replace a sub processor. Material changes will be announced at least 30 days in advance where possible, so that organisation customers can object.
5. International transfers
Our primary infrastructure is hosted in the European Union. Some sub processors (including those above) may process data in the United States or other jurisdictions. Where we transfer personal data outside the UK or EEA, we rely on an adequacy decision where one exists, or on the UK International Data Transfer Agreement or EU Standard Contractual Clauses, supplemented by additional technical measures such as encryption in transit and at rest.
6. How long we keep personal data
- Account data: for the life of the account, and up to 90 days after deletion to allow recovery and to meet our own audit requirements.
- Customer Content: for as long as the organisation or individual keeps it in the workspace. When the account is deleted, content is removed from primary storage within 30 days and from backups within 90 days.
- Waitlist data: until the waitlist is closed, or up to 24 months, whichever is shorter.
- Billing and tax records: retained for at least 6 years after the transaction, as required by UK law.
- Security logs: retained for 13 months.
7. How we protect personal data
We apply technical and organisational measures appropriate to the risk of processing, including encryption in transit (TLS 1.2 or higher) and at rest, role based access controls, audit logging, least privilege policies, secret management through encrypted stores, and regular review of sub processors. No system is perfectly secure. We cannot guarantee absolute security and ask that you notify us promptly at security@d5s.tech if you suspect your account has been compromised.
8. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- request erasure of personal data, where we do not have a legitimate reason to retain it;
- restrict or object to processing based on legitimate interests;
- receive your data in a portable, machine readable format, and ask us to send it to another controller where technically feasible;
- withdraw consent for any processing based on consent;
- lodge a complaint with a data protection authority, in particular the UK Information Commissioner's Office (ico.org.uk) or the supervisory authority in your EU or EEA country of residence.
To exercise any of these rights, write to privacy@d5s.tech. We will respond within one month, or explain why we need longer.
9. Cookies
Our website uses a small number of strictly necessary cookies for authentication and session management, and a privacy friendly analytics cookie to measure aggregate usage. We do not use cookies for advertising or cross site tracking. You can control cookies through your browser settings. A full cookie notice will be published alongside our cookie banner at public launch.
10. California and Nevada residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know the categories of personal information we collect, the right to request deletion, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. If you are a Nevada resident, you can opt out of the sale of personal information by contacting us at the address below; we do not currently sell personal information.
11. Changes to this Policy
We will post updates to this Privacy Policy on this page and update the effective date at the top. If the change is material, we will give at least 30 days notice by email to registered users, or by an in product notice, before it takes effect.
12. Contact
d5s Ltd (in formation)
Registered office: to be confirmed following Companies House registration.
Email: privacy@d5s.tech
For security issues, please write to security@d5s.tech.