This policy explains how Qyli Ltd ("Qyli", "we") collects and uses personal data when you use Qyli Cyber. We are the data controller for account and website data. Where we process data about your team members on your behalf, you are the controller and we act as your processor — see our Data Processing page.
Data we collect
- Account data — your name, email address and authentication details when you sign up.
- Billing data — handled by Stripe; we store your plan, subscription status and a Stripe customer reference, not your card details.
- Usage data — how you interact with the app, for security and to improve the service.
- Customer-provided data — the names, email addresses and training results of the people you invite to scenarios or phishing simulations. We process this on your behalf.
Why we use it
To provide and secure the service (performance of our contract with you), to take payment, and to improve Qyli Cyber (our legitimate interests). We do not sell personal data or use it for advertising.
Sub-processors
We rely on a small number of trusted providers to run the service:
- Supabase — database and authentication.
- Cloudflare — hosting and content delivery.
- Stripe — payment processing.
- Resend — transactional and invitation email.
- Anthropic — AI used to configure training scenarios.
Retention
We keep account and training data for as long as your account is active, and delete or anonymise it within a reasonable period after closure, unless we must keep it for legal or accounting reasons.
Your rights
Under UK GDPR you can request access to, correction of, or deletion of your personal data, and object to certain processing. Email us to exercise these rights. You may also complain to the Information Commissioner's Office (ICO) at ico.org.uk.