shortdesk.IO
Legal

Shortdesk Privacy Policy

Last updated

1. About this policy

This Privacy Policy explains how Shortdesk collects, uses, and protects personal data. It applies to visitors to our website (shortdesk.io), prospective customers, customers (referred to here as "you" or "Clients"), and recipients of email or messages sent through our services.

This policy works alongside our Terms of Service. Where we process personal data on behalf of a Client (for example, the personal data of their prospects, candidates, or contacts) we do so as a processor; that processing is governed by a separate Data Processing Agreement (DPA), summarised in Section 4 below.

2. Who we are

Shortdesk Ltd is registered in Scotland at 20 Margaret Thomson Crescent, Edinburgh, EH6 7FD. Company number SC888902. We are the data controller for personal data we collect about you directly.

We are registered with the Information Commissioner's Office (ICO) under registration number ZC157499.

Contact for any privacy enquiry, data subject request, or data protection concern:

3. The data we collect

We collect the following categories of personal data:

Contact data — name, email address, postal address, phone number, job title, company name. Collected when you fill out a form on our website, book a discovery call, sign up for a service, or otherwise contact us.

Account data — login credentials (hashed), account preferences, tier and subscription details, configuration choices you make during onboarding.

Communication data — content of emails, chats, support messages, and call notes you send to us or that we send to you.

Billing data — payment card details (processed by Stripe; we do not store full card numbers), billing address, VAT number, transaction history.

Usage data — pages visited, features used, timestamps, IP address, browser type, device information, referring URL.

Marketing data — your preferences for receiving marketing communications, responses to campaigns.

Cookies and similar technologies — see Section 13.

We do not knowingly collect special category data (health, race, religion, etc.) or data relating to children under 16.

4. Personal data Clients send through our services

When you are a Client, you may send personal data through Shortdesk workflows — for example, names and email addresses of sales prospects, CVs of job candidates, recipient details for outbound campaigns.

For this data:

  • You are the controller. You determine the purpose and lawful basis for processing.
  • Shortdesk is the processor. We process the data strictly on your instructions, as set out in your Terms of Service and any DPA we have in place.
  • You warrant in the Terms of Service that you have an appropriate lawful basis (consent, legitimate interest, contract, etc.) for putting that personal data into our service, and that you comply with PECR, UK GDPR, CAN-SPAM, and any other applicable laws when sending outbound communications.

You may request a separate DPA — recommended for clients moving non-trivial volumes of personal data. Contact privacy@shortdesk.io.

5. How and why we use your personal data

PurposeData usedLawful basis (UK GDPR Article 6)
Provide our website and services to youAccount, contact, usage dataContract performance
Process your subscription and bill youBilling, contact, account dataContract performance
Communicate about your account (transactional emails, support, service updates)Contact, account, communication dataContract performance; legitimate interest
Provide customer supportCommunication, account, usage dataContract performance; legitimate interest
Marketing communications (newsletters, product updates)Contact, marketing dataConsent (you can withdraw at any time); legitimate interest for B2B prospects
Analyse and improve our servicesUsage data (often aggregated and pseudonymised)Legitimate interest
Detect fraud, abuse, and security incidentsAll categories as neededLegitimate interest; legal obligation
Comply with legal and regulatory obligationsAll categories as neededLegal obligation

Where we rely on legitimate interest, we have assessed that our interest does not override your fundamental rights and freedoms. You can object at any time (see Section 12).

6. Sub-processors

We use a small number of third-party service providers to deliver our services. Each is contractually bound to appropriate data protection terms. Current sub-processors:

ProviderPurposeLocation
AirtableStructured data storage for client configuration and operational dataUSA (with SCCs + UK Addendum)
AnthropicAI inference (Claude API) for drafting, scoring, and classificationUSA (with SCCs + UK Addendum). Anthropic confirms data sent via the API is not used to train models.
StripePayment processing and subscription billingUSA / Ireland (Stripe Payments Europe)
Google (Workspace + OAuth)Email delivery for our own outbound; OAuth provider for Clients who choose to connect GmailUSA (with SCCs + UK Addendum + Data Privacy Framework)
Microsoft (Azure / Microsoft 365)OAuth provider for Clients who choose to connect OutlookUSA / Ireland (with SCCs + UK Addendum + Data Privacy Framework)
VercelHosting for shortdesk.ioUSA (with SCCs + UK Addendum)
CloudflareTunnel and DNS for our self-hosted automation infrastructureUSA (with SCCs + UK Addendum)
TwilioSMS, WhatsApp, and similar messaging delivery (only used where Clients explicitly opt in)USA / Ireland (with SCCs + UK Addendum)
SlackInternal communication and Client notifications where the Client uses SlackUSA (with SCCs + UK Addendum)

Our automation engine (n8n) runs on infrastructure under our direct control, located in the United Kingdom.

This list may change. We will give reasonable notice of any new sub-processor that processes Client data. The current authoritative list is available on request and will be maintained at shortdesk.io/sub-processors when published.

7. Google API Services User Data Policy

Shortdesk's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide and improve the functionality that you have explicitly configured (for example, drafting and sending outbound emails, reading replies in your inbox).
  • We do not use Google user data to develop, improve, or train generalised AI or machine learning models.
  • We do not transfer Google user data to third parties except as needed to provide the service (e.g., Anthropic for AI processing), to comply with applicable law, or as part of a merger, acquisition, or sale with appropriate notice.
  • We do not allow humans to read Google user data, except: (a) with your explicit consent, (b) for security purposes, (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in accordance with Google's policy.

You may revoke our access to your Gmail at any time via your Google Account security settings.

8. AI processing disclosure

We use Anthropic's Claude API for AI-powered features (drafting emails, scoring CVs, summarising messages, generating briefings). When data is sent to Anthropic via the API:

  • It is not used to train Anthropic's foundation models, per Anthropic's commercial terms.
  • It is retained by Anthropic for a limited period for service operation and abuse monitoring, then deleted.
  • Sensitive credentials (OAuth refresh tokens, passwords) are never included in prompts.

We do not use any other AI provider for generative processing.

9. International transfers

Our self-hosted automation infrastructure is in the United Kingdom. Some of our sub-processors are located outside the UK, primarily in the United States and Ireland.

Where we transfer personal data outside the UK, we rely on:

  • Adequacy decisions where they exist
  • Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum
  • Data Privacy Framework for US sub-processors that have certified
  • Your explicit consent where another mechanism does not apply

10. How long we keep your data

We retain personal data only as long as necessary for the purposes set out in Section 5:

  • Account and contact data — duration of your subscription plus 7 years (UK tax and accounting record-keeping requirements)
  • Billing data — 7 years (HMRC requirements)
  • Communication data — typically 2 years, longer if needed to defend a legal claim
  • Usage data — 13 months for analytics
  • Marketing data — until you unsubscribe, with a suppression list maintained indefinitely to honour your preference
  • Personal data processed for Clients — for the duration of your subscription plus a 30-day export window after termination, then deleted

When data is no longer needed, we securely delete or anonymise it.

11. Security

We implement appropriate technical and organisational measures to protect personal data:

  • Encryption in transit (TLS 1.2 or higher) for all data flowing between systems
  • Encryption at rest for data stored in our sub-processors' platforms
  • Access control: only the founder has admin access to systems; all access is via multi-factor authentication
  • Sub-processor selection based on security posture, certifications (SOC 2, ISO 27001 where available), and contractual data protection commitments
  • Self-hosted automation infrastructure behind a Cloudflare Tunnel with no public IP exposure
  • Sensitive credentials (OAuth refresh tokens, API keys) stored encrypted and access-controlled
  • Regular review of access logs and security advisories

No system is 100% secure. We will notify the ICO and affected individuals as required by law if a breach occurs that is likely to result in a risk to rights and freedoms.

12. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right to access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion in certain circumstances
  • Right to restriction — request we limit how we process your data
  • Right to data portability — request your data in a structured, commonly used format
  • Right to object — to processing based on legitimate interest (including direct marketing)
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time
  • Right to lodge a complaint — with the Information Commissioner's Office (ICO), the UK supervisory authority

To exercise any of these rights, email privacy@shortdesk.io. We will respond within one month (extendable by two further months for complex requests, in which case we will tell you).

You can also complain to the ICO directly at ico.org.uk or 0303 123 1113. We would, of course, appreciate the chance to address your concerns first.

13. Cookies

We use a minimal set of cookies on shortdesk.io:

  • Strictly necessary cookies for site functionality (session, security)
  • Analytics cookies to understand site usage (anonymised where possible)

We do not use cookies for advertising or cross-site tracking. If we add additional cookies, we will publish a Cookie Notice and update this policy.

14. Children

Our services are intended for business users and are not designed for individuals under the age of 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact privacy@shortdesk.io and we will delete it.

15. Changes to this policy

We may update this policy as our services or legal obligations evolve. Material changes will be notified to active Clients by email at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

16. Contact

For any privacy-related question, request, or complaint:

For general enquiries, contact team@shortdesk.io.