Privacy · stonifi.co.uk

Privacy Policy.

Last updated 26 April 2026

Stonifi Ltd ("Stonifi", "we") respects your privacy. This policy explains what we collect, why, how we use it, and the rights you have under UK GDPR, the UK Data Protection Act 2018, and the Saudi Personal Data Protection Law (PDPL). It applies to stonifi.co.uk and to anyone who interacts with us — visitors, prospects, customers, and partners.

Who we are

Stonifi Ltd is a company registered in England and Wales (company number TBD). Registered office: TBD, United Kingdom. Our products (Stonifi CX Platform, Stonifi Mail Hub, Stonifi Studio) are delivered from the UK with engineering teams in Saudi Arabia and the UAE.

What we collect

Marketing site (stonifi.co.uk):

• Information you submit through the contact form: name, work email, company, area of interest, free-text message.
• Cookies and analytics — see our Cookies Policy.
• Server logs (IP address, user agent, request URL) retained for up to 30 days for security and abuse prevention.

Products (stonifi.cloud, stonifi.online):

• Account information (name, email, role, tenant) provided when you sign up or are invited.
• Operational data you put into the product (sales, inventory, mail content, audit events) — processed on your behalf as a data processor.
• Technical telemetry (errors, performance traces) used to keep the service reliable.

Why we collect it (lawful basis)

• Contract: we need your account information to provide the product.
• Legitimate interests: improving the product, preventing abuse, marketing communications you have opted into.
• Consent: optional analytics cookies, optional newsletter sign-up.
• Legal obligation: tax, accounting, regulatory record-keeping, KYC for Saudi-based customers.

How we share it

We do not sell personal data. We share it only with:

• Sub-processors who help us deliver the service (cloud hosting, email delivery, payment processing, analytics, AI providers like Anthropic for product features). A current list is available on request.
• Authorities, when legally required and only after reviewing the order.
• A successor entity in the event of a merger or acquisition — you will be notified before any change in controller.

Where it lives

UK customers: data resides in UK regions. KSA + UAE customers: data resides in GCC regions when offered. Mail Hub is self-hosted on your infrastructure — your data never reaches our servers. Cross-border transfers, when needed, rely on UK IDTA / EU SCCs and equivalent KSA mechanisms.

How long we keep it

• Marketing leads: deleted 24 months after the last interaction.
• Customer account data: retained for the life of the contract plus 6 years for tax and audit defence (or until you request deletion within legal limits).
• Server logs: 30 days.
• Audit events in products: configurable per tenant — defaults are described in the product documentation.

Your rights

Under UK GDPR / UK DPA 2018 / KSA PDPL you have the right to access, correct, delete, restrict, port, and object to the processing of your personal data — and to withdraw consent at any time. To exercise any of these, email privacy@stonifi.co.uk. We respond within 30 days. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or the Saudi Data and AI Authority (sdaia.gov.sa).

Security

We use TLS 1.2+ everywhere, Postgres with Row-Level Security, Vault Transit envelope encryption for credentials, and TOTP-based MFA for staff access. ISO 27001 certification is in progress; SOC 2 Type II follows. Our security practices are summarised at /security.

Changes

We will update this policy as the product evolves. Material changes will be announced on stonifi.co.uk and sent to active customers by email at least 14 days before they take effect.

Contact

Questions about this policy: privacy@stonifi.co.uk. Data Protection Lead: TBD. UK Representative: Stonifi Ltd, [registered address].