Kupaly — Privacy Policy
Version: 2026-06-07
Effective date: 7 June 2026
This Privacy Policy explains how Neirfeno Limited (trading as Kupaly, company number SC514019) collects, uses, stores, and shares personal data when you use the Kupaly service (Service).
It should be read with our Terms and Conditions. The Terms govern your use of the Service; this policy governs personal data.
1. Who we are and how to contact us
| Data controller | Neirfeno Limited (t/a Kupaly) |
| Registered office | 7 Thorter Way, Dundee, Scotland, DD1 3DF |
| Support & privacy enquiries | support@kupaly.com |
| ICO registration | ZB673603 |
For data protection enquiries, email support@kupaly.com with the subject line Privacy.
You may also complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
2. Who this policy applies to
The Service is a business-to-business (B2B) workforce-management platform. Personal data is processed about:
| Person | Typical role |
|---|---|
| Business owners and managers | Set up and administer a business on the Service |
| Staff members | Use the Service as part of their employment or engagement with a customer business |
| Support correspondents | Contact us by email |
Depending on the data, we act as data controller, data processor, or both — see section 3.
3. Controller and processor roles
3.1 When we are the data controller
We are the data controller for personal data we process to run Kupaly as a product, including:
- user account and authentication data;
- app profile data (for example display name and device tokens for push notifications);
- terms acceptance records;
- support correspondence with us;
- operational logs and security records relating to the Service.
If you are an individual User, contact us to exercise your rights in respect of this data (section 12).
3.2 When we are the data processor
When a business customer (Customer) uses the Service, the Customer is the data controller for personal data about its workforce and operations processed through the Service — for example:
- staff names, roles, and membership details;
- rotas, shifts, availability, and time-off records;
- chat messages and AI interactions in a business context;
- notifications and workforce actions.
We process that data only on the Customer's instructions (through their use of the Service and our Terms) to provide, secure, and improve the Service.
If you are a staff member or manager, and your query relates to workforce data your employer controls, contact your employer (the Customer) first. We will assist the Customer as required by law and our Terms.
4. Personal data we collect
We collect only what we need to provide and improve the Service. Categories include:
4.1 Account and identity
| Data | Source | Purpose |
|---|---|---|
| Email address and authentication identifiers | Sign-in (Firebase Authentication) | Account access and security |
| Display name | You or your sign-in provider | Shown in the app |
| Client platform (iOS, Android, web) | Your device | Support, terms acceptance, compatibility |
We do not store email on the main app profile document; identity fields are held in our authentication provider.
4.2 Membership and workforce (Customer-controlled)
| Data | Examples |
|---|---|
| Membership profile | Name, role (staff/manager/owner), status, tags, assigned locations |
| Optional HR fields | Date of birth (where provided — used for young-worker scheduling checks), contracted hours, leave balances |
| Preferences | Per-category notification opt-ins |
4.3 Chat and AI interactions
| Data | Notes |
|---|---|
| Chat messages | User messages (up to 4,000 characters) and assistant replies shown in the membership chat |
| Server-side processing context | Tool calls, model prompts, and responses used to operate the assistant (not all shown in chat) |
| Usage metadata | Token counts, model identifiers, retry counts, timestamps — exported to our analytics store for operations and improvement |
Chat may contain information you or your colleagues choose to type, including details about schedules, availability, time off, and other workplace matters.
4.4 Workforce records (outcomes)
When the assistant or system performs actions, we store structured records — for example rotas, shift assignments, time-off requests, swap requests, and approvals. These records may be retained after chat text is deleted (section 9).
4.5 Device and notifications
| Data | Purpose |
|---|---|
| FCM push tokens and installation identifiers | Deliver push notifications to your devices |
| In-app notification rows | Show and dismiss notifications in the app |
4.6 Terms and compliance
| Data | Purpose |
|---|---|
| Terms version accepted, acceptance time, platform | Demonstrate you agreed to the current Terms |
4.7 Support and communications
If you email support@kupaly.com, we process your email address, message content, and any information you include.
5. How we use personal data
We use personal data to:
| Purpose | Examples |
|---|---|
| Provide the Service | Authentication, chat, rota views, notifications, workforce actions |
| Operate AI features | Route requests, generate responses, execute approved tools |
| Improve the Service | Analyse interactions, evaluate models, fix errors, develop features — see section 6 |
| Enforce terms and security | Fair-usage limits, abuse detection, incident investigation |
| Comply with law | Respond to lawful requests from authorities |
| Support customers | Answer enquiries and handle complaints |
We do not sell personal data.
6. AI processing and product improvement
The Service uses third-party AI providers (currently Amazon Web Services Bedrock) to process chat and related requests. Message content and context are transmitted to those providers in the UK or EEA (section 8) for inference.
6.1 Identifiable data in improvement activities
Because of how large language models work, activities to train, evaluate, tune, and improve AI features may involve identifiable personal data contained in chat and interaction logs — not only anonymised or aggregated data. We use such data to:
- improve accuracy and safety of the assistant;
- monitor token usage and quality of service;
- debug failures and develop new capabilities.
This processing is described in our Terms and is part of providing and improving the Service during the preview programme.
6.2 Analytics export
We export message context and usage metrics (including message text, model outputs where available, token counts, business and membership identifiers, and message identifiers) to Google BigQuery for operational analytics. Access is restricted to authorised personnel and systems.
7. Legal bases (UK GDPR)
We rely on different legal bases depending on our role and the processing:
| Basis | When it applies |
|---|---|
| Contract | Processing necessary to provide the Service you or your employer signed up for |
| Legitimate interests | Security, fraud prevention, service improvement, analytics, and communicating about the Service — balanced against your rights |
| Legal obligation | Compliance with law, regulatory requests, and record-keeping |
| Consent | Where we ask for explicit consent (for example when we introduce optional processing that requires it). You may withdraw consent without affecting lawfulness of prior processing |
When we process workforce data on behalf of a Customer, the Customer determines the appropriate legal basis for its workforce. We process on the Customer's instructions.
8. Where data is stored
We process and store personal data in the UK and EEA only, using:
| Provider | Role |
|---|---|
| Google Cloud / Firebase | Application hosting, authentication, database |
| Google BigQuery | Analytics and message-context logging |
| Amazon Web Services (Bedrock) | AI inference |
| Google Workspace | Support and business email |
We do not deliberately transfer personal data outside the UK/EEA. If this changes, we will update this policy and ensure appropriate safeguards required by UK law.
9. How long we keep data
Retention depends on data type and whether a business account is active.
9.1 While you use the Service
We retain data for as long as needed to provide the Service and as described below.
9.2 After business deactivation or end of service
| Data | Retention |
|---|---|
| Chat message content | Deleted one year after the business is deactivated (or earlier if required by law) |
| Action records (time off, swaps, rotas, approvals, and similar structured outcomes) | Up to seven years for legal compliance, dispute defence, and audit |
| Account, terms acceptance, and related compliance records | Up to seven years where required by law |
| Support emails | As long as needed to resolve the enquiry and for a reasonable period thereafter |
After chat deletion, we may still know who performed which action but not what was said in chat to cause it.
Customers are responsible for exporting data they need before deactivation.
9.3 Backups
Deleted data may persist in encrypted backups for a limited period before being overwritten.
10. Sharing personal data
We share personal data only as needed:
| Recipient | Why |
|---|---|
| Sub-processors (section 8) | Deliver hosting, AI, analytics, and email |
| The Customer (employer) | Managers and owners access workforce data through the Service according to business policies |
| Law enforcement and regulators | Where we are legally compelled or have a lawful basis to report illegal activity |
| Professional advisers | Lawyers, accountants, or insurers under confidentiality, when necessary |
We require sub-processors to protect personal data and process it only on our instructions.
11. Security
We implement technical and organisational measures appropriate to the risk, including access controls, encryption in transit, and separation of customer data by business tenant.
No system is perfectly secure. If we become aware of a personal data breach affecting data we control, we will notify affected parties and regulators as required by law. Customers are responsible for notifying their staff where they are the controller.
12. Your rights
Under UK data protection law, individuals have rights including:
| Right | Summary |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate data |
| Erasure | Request deletion in certain circumstances |
| Restriction | Limit processing in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Portability | Receive data you provided in a structured, machine-readable format where applicable |
| Withdraw consent | Where processing is based on consent |
To exercise rights over account data we control, email support@kupaly.com. We may need to verify your identity.
To exercise rights over workforce data your employer controls, contact your employer first. We will assist them as processor.
We respond within one month, extendable where law permits. You may complain to the ICO (section 1).
Some rights are limited — for example where we must retain data for legal compliance or defence of claims.
13. Illegal content and law enforcement
You must not use the Service unlawfully. If we identify illegal content or activity, we may:
- investigate and take action under our Terms (including suspension);
- report matters to appropriate authorities; and
- disclose records (including chat records, where they still exist) when legally compelled or otherwise required by law.
14. Children
The Service is not intended for anyone under 16. We do not knowingly collect personal data from children under 16. If you believe we have, contact us and we will delete it.
15. Cookies and similar technologies
The web and mobile clients use essential technologies to keep you signed in, protect the Service, and remember necessary preferences. These include authentication session mechanisms operated through Firebase and local device storage.
We do not use advertising or third-party marketing cookies in the Service. If we introduce non-essential cookies or similar technologies, we will update this policy and, where required, ask for consent before use.
16. Automated decision-making
The Service uses AI to interpret requests and may perform actions on your behalf (for example drafting rota changes or recording a time-off request). Employment decisions remain with the Customer and its managers — the Service does not replace human review where your employer requires it.
We do not make solely automated decisions producing legal or similarly significant effects about individuals without human involvement by the Customer.
17. Changes to this policy
We may update this policy from time to time. When we do:
- we will publish a new version with an updated version id (
YYYY-MM-DD); - we will notify business owners by email or in-app notice where changes are material;
- material changes to how we process data may require explicit re-acceptance of updated Terms before continued use of certain features.
18. Summary table
| Topic | Answer |
|---|---|
| Controller | Neirfeno Limited for account/product data; your employer for workforce data |
| ICO number | ZB673603 |
| Location | UK and EEA only |
| AI providers | Third-party (currently AWS Bedrock) — see section 8 |
| Improvement uses identifiable data? | Yes — section 6 |
| Chat retention after deactivation | 1 year, then deleted |
| Action records | Up to 7 years |
| Contact | support@kupaly.com |
Document version 2026-06-07. Cross-reference version 2026-06-07 of the Terms and Conditions.