Z
Zyph

Privacy Policy

Last updated: 13 February 2026

Zyph ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Zyph platform ("Service").

1. Data Controller

Zyph is the data controller for the personal data processed through the Service. You can contact us at privacy@zyph.co.uk.

2. Data We Collect

2.1 Account Data

When you register, we collect:

  • Name
  • Email address
  • Password (stored as a bcrypt hash; we never store plaintext passwords)
  • Optional: avatar URL

2.2 Workspace and Content Data

We store data you create through the Service, including:

  • Short links and their destination URLs
  • Bio pages and their content
  • Tags, experiments, and routing rules
  • Webhook configurations
  • Custom domain settings

2.3 Analytics Data

When someone clicks a Short Link, we collect:

  • IP address (hashed with a per-workspace salt for privacy)
  • User agent string (browser and operating system)
  • Referrer URL
  • Geographic location (country level, derived from IP by Cloudflare)
  • Timestamp
  • Bot detection classification

2.4 Technical Data

We automatically collect:

  • Browser type and version
  • Device type
  • Request metadata (method, path, response time)
  • Error logs (via Sentry, for debugging and reliability)

3. How We Use Your Data

We process your data for the following purposes:

  • Service delivery: To create and manage your account, links, and workspaces.
  • Analytics: To provide click analytics, campaign tracking, and performance insights.
  • Security: To detect abuse, prevent fraud, enforce rate limits, and protect the Service.
  • Communication: To send account-related emails (verification, password reset, security alerts).
  • Improvement: To monitor performance, fix bugs, and improve the Service.

4. Legal Basis for Processing (UK GDPR)

We process your data based on:

  • Contract: Processing necessary to provide the Service you signed up for (Article 6(1)(b)).
  • Legitimate interests: Security monitoring, abuse prevention, and service improvement (Article 6(1)(f)).
  • Consent: Where you have given explicit consent, such as for optional analytics cookies (Article 6(1)(a)).
  • Legal obligation: Where required by law (Article 6(1)(c)).

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Infrastructure providers: Cloudflare (CDN and edge computing), our hosting provider (server infrastructure), and database services — all under data processing agreements.
  • Error tracking: Sentry (for error monitoring and debugging).
  • Email delivery: Our email service provider (for transactional emails).
  • Legal compliance: When required by law, court order, or to protect our legal rights.

6. Data Retention

  • Account data: Retained while your account is active and for 30 days after deletion to allow recovery.
  • Analytics data: Subject to your workspace's data retention setting (default: 90 days). This is configurable per workspace and enforced automatically.
  • Audit logs: Retained for the duration of your subscription plan's analytics retention period.
  • Server logs: Retained for up to 30 days for debugging and security purposes.

7. Data Security

We implement appropriate technical and organisational measures, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Password hashing with bcrypt (cost factor 12)
  • IP address hashing with per-workspace salts
  • Two-factor authentication (TOTP)
  • Rate limiting and brute-force protection
  • CSRF protection, Content Security Policy, and security headers
  • Regular automated backups
  • Role-based access control within workspaces

8. International Transfers

Your data may be processed in the European Economic Area (EEA) and the United Kingdom. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

9. Your Rights

Under the UK GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Request that we limit processing of your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw at any time.

To exercise these rights, contact us at privacy@zyph.co.uk. We will respond within 30 days.

10. Cookies

We use cookies and similar technologies as described in our Cookie Policy.

11. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service. The "Last updated" date at the top indicates the most recent revision.

13. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

14. Contact

For privacy-related enquiries, contact us at privacy@zyph.co.uk.