
Privacy Policy

Last updated: 11 April 2026 • Effective date: 14 January 2026

1. Introduction

This Privacy Policy explains how HEXYL LTD (trading as "Hexyl AI"), a company registered in Scotland (Company Number SC875134), with its registered office at 18 Woodside Place, 2nd Floor, Glasgow, Scotland, G3 7QL ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our platform at hexyl.ai and any associated services (the "Platform").

We are committed to protecting your privacy and ensuring that your personal data is handled in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

2. Data Controller

HEXYL LTD is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you can contact us at:

HEXYL LTD

18 Woodside Place, 2nd Floor

Glasgow, Scotland, G3 7QL

Email: privacy@hexyl.ai

Where our customers (tenants) use the Platform to manage their own customer data, they act as independent data controllers for their customer data, and we act as a data processor on their behalf.

3. Information We Collect

3.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, job title, and company name when you register for an account or sign up for a trial.
  • Billing Information: Payment card details, billing address, and transaction history (processed securely via Stripe and Global Payments).
  • Communication Data: Messages, emails, and correspondence you send to us, including support tickets and feedback.
  • Content Data: Information you upload, create, or manage through the Platform, including service descriptions, FAQs, articles, and other business content.

3.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on the Platform, click patterns, and navigation paths.
  • Device Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Log Data: Server logs including access times, error logs, and referring URLs.
  • Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 9.

3.3 Information from Third Parties

  • CRM Integrations: When you connect third-party CRM systems (such as Pabau, Dentally, or Cliniko), we may receive patient/client records, appointment data, and service information as directed by you.
  • Communication Providers: When you use integrated communication channels (Twilio, WhatsApp, SendGrid), we receive message delivery data and interaction logs.
  • Review Platforms: When you connect Google Business Profile or Trustpilot, we receive review data associated with your business.
  • Advertising Platforms: When you connect Google Ads or Meta Ads accounts, we receive campaign performance data.

3.4 AI and Conversational Data

  • Chat Conversations: Messages exchanged between your customers and our AI chatbot or human agents, including metadata such as timestamps, channels, and sentiment scores.
  • Voice Interactions: Call recordings, transcriptions, and call summaries when voice AI features are enabled. Call recordings are stored subject to your configured retention policy.
  • Training Data: Anonymised conversation data may be used to improve AI model accuracy for your specific tenant or industry model, subject to your consent and configuration.

4. How We Use Your Information

We use your personal data for the following purposes:

| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing and maintaining the Platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Sending service-related notifications | Performance of contract (Art. 6(1)(b)) |
| Customer support and communication | Legitimate interest (Art. 6(1)(f)) |
| Improving and developing the Platform | Legitimate interest (Art. 6(1)(f)) |
| AI model training and improvement | Consent (Art. 6(1)(a)) or Legitimate interest |
| Analytics and usage reporting | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with the following categories of recipients:

  • Service Providers: Third-party companies that help us operate the Platform, including hosting providers, payment processors (Stripe, Global Payments), email delivery services (SendGrid, Amazon SES), and communication providers (Twilio, Meta).
  • CRM Integrations: When you configure integrations with Pabau, Dentally, Cliniko, or other third-party services, data is shared as directed by your integration settings.
  • Professional Advisors: Lawyers, accountants, and auditors where necessary for the administration of our business.
  • Legal Requirements: When required by law, court order, or governmental authority, or to protect our rights, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, your data may be transferred as part of that transaction.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: Retained for the duration of your account and for up to 12 months after account closure.
  • Billing and Transaction Data: Retained for 7 years to comply with UK tax and accounting obligations.
  • Chat Conversation Data: Retained according to your tenant configuration settings.
  • Voice Call Recordings: Retained according to your configured retention policy, after which they are automatically purged.
  • Audit Logs: Retained for up to 24 months for security and compliance purposes.
  • Marketing Data: Retained until you withdraw consent or unsubscribe.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption: Data in transit is encrypted using TLS 1.2+. Sensitive data at rest is encrypted using AES-256.
  • Access Controls: Role-based access controls (RBAC) with the principle of least privilege.
  • Infrastructure: Hosted on secure, SOC 2 compliant infrastructure with regular security audits.
  • Database Isolation: Multi-tenant data isolation using PostgreSQL schema-level separation, ensuring complete data segregation between tenants.
  • Monitoring: Continuous security monitoring, intrusion detection, and automated threat response.
  • Incident Response: Documented incident response procedures with notification within 72 hours of a confirmed data breach as required by UK GDPR.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
  • Rights Related to Automated Decision-Making: Right not to be subject to decisions based solely on automated processing, including profiling.

To exercise any of these rights, please contact us at privacy@hexyl.ai. We will respond to your request within 30 days. For tenant customers, you may also exercise these rights through the Customer Portal's GDPR tools.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113

9. Cookies and Tracking Technologies

We use the following types of cookies:

  • Strictly Necessary Cookies: Essential for the Platform to function (e.g., session cookies, authentication tokens, CSRF protection). These cannot be disabled.
  • Functional Cookies: Remember your preferences, such as language settings, theme choices, and dashboard configurations.
  • Analytics Cookies: Help us understand how you use the Platform so we can improve it. We may use Google Analytics with IP anonymisation enabled.
  • Marketing Cookies: Used only with your consent to track advertising campaign effectiveness when you connect Google Ads or Meta Ads integrations.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality.

For full details on the specific cookies we use, their providers, purposes, and durations, please see our Cookie Policy.

10. International Data Transfers

Your data is primarily processed within the United Kingdom and European Economic Area (EEA). Where data is transferred outside the UK/EEA (for example, to service providers in the United States), we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the UK Secretary of State or European Commission
  • Binding Corporate Rules where applicable

11. AI and Automated Processing

Our Platform uses artificial intelligence and machine learning technologies:

  • Chatbot (RASA): Processes customer messages to understand intent and generate responses. This runs within our closed infrastructure — no customer data is sent to third-party AI providers by default.
  • Voice AI: Processes voice calls using speech-to-text (Whisper), language models, and text-to-speech (Piper), all running locally within our infrastructure.
  • Sentiment Analysis: Automated analysis of customer feedback and reviews to determine sentiment scores.
  • No-Show Prediction: Automated scoring of booking no-show risk based on historical patterns.
  • LLM Fallback: When configured, queries may be routed to external LLM providers (Groq, DeepSeek, OpenAI) for responses. This is configurable per tenant, and tenants can opt out of external LLM routing.

None of these automated processes make legally significant decisions about individuals without human oversight.

12. Children's Privacy

The Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@hexyl.ai and we will take steps to delete such information.

13. Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also send an email notification to registered users.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

HEXYL LTD

18 Woodside Place, 2nd Floor

Glasgow, Scotland, G3 7QL

Email: privacy@hexyl.ai

Website: hexyl.ai

© 2026 HEXYL LTD. All rights reserved. Company No. SC875134.
