Shortdesk Privacy Policy
Last updated
This Privacy Policy explains how Shortdesk collects, uses, and protects personal data. It applies to visitors to our website (shortdesk.io), prospective customers, customers (referred to here as "you" or "Clients"), and recipients of email or messages sent through our services.
This policy works alongside our Terms of Service. Where we process personal data on behalf of a Client (for example, the personal data of their prospects, candidates, or contacts) we do so as a processor; that processing is governed by a separate Data Processing Agreement (DPA), summarised in Section 4 below.
Shortdesk Ltd is registered in Scotland at 20 Margaret Thomson Crescent, Edinburgh, EH6 7FD. Company number SC888902. We are the data controller for personal data we collect about you directly.
We are registered with the Information Commissioner's Office (ICO) under registration number ZC157499.
Contact for any privacy enquiry, data subject request, or data protection concern:
We collect the following categories of personal data:
Contact data — name, email address, postal address, phone number, job title, company name. Collected when you fill out a form on our website, book a discovery call, sign up for a service, or otherwise contact us.
Account data — login credentials (hashed), account preferences, tier and subscription details, configuration choices you make during onboarding.
Communication data — content of emails, chats, support messages, and call notes you send to us or that we send to you.
Billing data — payment card details (processed by Stripe; we do not store full card numbers), billing address, VAT number, transaction history.
Usage data — pages visited, features used, timestamps, IP address, browser type, device information, referring URL.
Marketing data — your preferences for receiving marketing communications, responses to campaigns.
Cookies and similar technologies — see Section 13.
We do not knowingly collect special category data (health, race, religion, etc.) or data relating to children under 16.
When you are a Client, you may send personal data through Shortdesk workflows — for example, names and email addresses of sales prospects, CVs of job candidates, recipient details for outbound campaigns.
For this data:
You may request a separate DPA — recommended for clients moving non-trivial volumes of personal data. Contact privacy@shortdesk.io.
| Purpose | Data used | Lawful basis (UK GDPR Article 6) |
|---|---|---|
| Provide our website and services to you | Account, contact, usage data | Contract performance |
| Process your subscription and bill you | Billing, contact, account data | Contract performance |
| Communicate about your account (transactional emails, support, service updates) | Contact, account, communication data | Contract performance; legitimate interest |
| Provide customer support | Communication, account, usage data | Contract performance; legitimate interest |
| Marketing communications (newsletters, product updates) | Contact, marketing data | Consent (you can withdraw at any time); legitimate interest for B2B prospects |
| Analyse and improve our services | Usage data (often aggregated and pseudonymised) | Legitimate interest |
| Detect fraud, abuse, and security incidents | All categories as needed | Legitimate interest; legal obligation |
| Comply with legal and regulatory obligations | All categories as needed | Legal obligation |
Where we rely on legitimate interest, we have assessed that our interest does not override your fundamental rights and freedoms. You can object at any time (see Section 12).
We use a small number of third-party service providers to deliver our services. Each is contractually bound to appropriate data protection terms. Current sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Airtable | Structured data storage for client configuration and operational data | USA (with SCCs + UK Addendum) |
| Anthropic | AI inference (Claude API) for drafting, scoring, and classification | USA (with SCCs + UK Addendum). Anthropic confirms data sent via the API is not used to train models. |
| Stripe | Payment processing and subscription billing | USA / Ireland (Stripe Payments Europe) |
| Google (Workspace + OAuth) | Email delivery for our own outbound; OAuth provider for Clients who choose to connect Gmail | USA (with SCCs + UK Addendum + Data Privacy Framework) |
| Microsoft (Azure / Microsoft 365) | OAuth provider for Clients who choose to connect Outlook | USA / Ireland (with SCCs + UK Addendum + Data Privacy Framework) |
| Vercel | Hosting for shortdesk.io | USA (with SCCs + UK Addendum) |
| Cloudflare | Tunnel and DNS for our self-hosted automation infrastructure | USA (with SCCs + UK Addendum) |
| Twilio | SMS, WhatsApp, and similar messaging delivery (only used where Clients explicitly opt in) | USA / Ireland (with SCCs + UK Addendum) |
| Slack | Internal communication and Client notifications where the Client uses Slack | USA (with SCCs + UK Addendum) |
Our automation engine (n8n) runs on infrastructure under our direct control, located in the United Kingdom.
This list may change. We will give reasonable notice of any new sub-processor that processes Client data. The current authoritative list is available on request and will be maintained at shortdesk.io/sub-processors when published.
Shortdesk's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
You may revoke our access to your Gmail at any time via your Google Account security settings.
We use Anthropic's Claude API for AI-powered features (drafting emails, scoring CVs, summarising messages, generating briefings). When data is sent to Anthropic via the API:
We do not use any other AI provider for generative processing.
Our self-hosted automation infrastructure is in the United Kingdom. Some of our sub-processors are located outside the UK, primarily in the United States and Ireland.
Where we transfer personal data outside the UK, we rely on:
We retain personal data only as long as necessary for the purposes set out in Section 5:
When data is no longer needed, we securely delete or anonymise it.
We implement appropriate technical and organisational measures to protect personal data:
No system is 100% secure. We will notify the ICO and affected individuals as required by law if a breach occurs that is likely to result in a risk to rights and freedoms.
You have the following rights regarding your personal data:
To exercise any of these rights, email privacy@shortdesk.io. We will respond within one month (extendable by two further months for complex requests, in which case we will tell you).
You can also complain to the ICO directly at ico.org.uk or 0303 123 1113. We would, of course, appreciate the chance to address your concerns first.
We use a minimal set of cookies on shortdesk.io:
We do not use cookies for advertising or cross-site tracking. If we add additional cookies, we will publish a Cookie Notice and update this policy.
Our services are intended for business users and are not designed for individuals under the age of 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact privacy@shortdesk.io and we will delete it.
We may update this policy as our services or legal obligations evolve. Material changes will be notified to active Clients by email at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.
For any privacy-related question, request, or complaint:
For general enquiries, contact team@shortdesk.io.