Privacy Policy

Last updated: 27 April 2026 · UK GDPR compliant · Governed by English law

This Privacy Policy explains what personal data SamtHQ collects, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

SamtHQ is operated by Faras Enoon, a sole trader based in the United Kingdom. For the purposes of the UK GDPR, Faras Enoon is the data controller for personal data processed through samthq.com.

Data Controller: Faras Enoon
Email: samthq10@gmail.com
Jurisdiction: England and Wales

2. What Data We Collect

2.1 Account Data

  • Full name
  • Email address
  • Password (stored as a cryptographic hash — we never see your plain-text password)
  • Company name (optional)

2.2 Usage and Analysis Data

  • Content you upload for analysis (text, images, video, audio)
  • Analysis results, scores, findings, and recommendations
  • Context Brief information (target audience, platform, goal, geographic market, brand tone)
  • Feature usage patterns
  • Number of analyses run and remaining quota

2.3 Billing Data

Billing is handled by Stripe Inc. We receive subscription plan, status, and Stripe identifiers only. We do not receive or store your full payment card number, CVV, or bank account details.

2.4 Waitlist Data

If you join our waitlist, we collect your email address and selected role, used solely to notify you when access is available.

2.5 Technical Data

IP address (for rate limiting — not stored permanently), browser type, device type, pages visited, and referring URL.

3. How We Use Your Data

Purpose | Legal Basis | Data Used
Providing the Service | Contract performance | Account data, content, results
Processing payments | Contract performance | Account data, billing data
Transactional emails | Contract performance | Email address
Fraud prevention and limit enforcement | Legitimate interests | Account data, IP address, usage data
Improving the Service | Legitimate interests | Anonymised usage patterns only
Support requests | Legitimate interests | Communications data
Legal compliance | Legal obligation | As required by law
Marketing communications | Consent | Email — only where opted in

Important: We do not use your uploaded Content to train AI models or build datasets. Your Content is processed solely to generate your analysis.

4. How Your Content is Processed

To generate analyses, your Content is transmitted to third-party AI providers under API agreements that restrict use for model training.

Anthropic, Inc. (Claude) — text analysis and formula detection

OpenAI, LLC (GPT-4o) — visual analysis and attention mapping

5. Data Sharing

5.1 Third-Party Providers

Provider | Purpose | Location
Supabase Inc. | Database, authentication, file storage | EU (AWS)
Vercel Inc. | Platform hosting | US/EU
Stripe Inc. | Payment processing | US/EU
Anthropic, Inc. | AI text analysis | US
OpenAI, LLC | AI visual analysis | US
Resend Inc. | Transactional email | US

5.2 We Do Not Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing or any commercial purpose.

6. Data Retention

Data Type | Retention Period
Account data | Duration of account + 30 days after closure
Uploaded Content | Duration of account; free inactive accounts: 12 months
Analysis results | Duration of account + 30 days after closure
Billing records | 7 years from transaction date (HMRC requirement)
Support correspondence | 3 years from last contact
Waitlist data | Until unsubscribe or 24 months from collection
IP address logs | 30 days

7. Your Rights Under UK GDPR

Contact samthq10@gmail.com to exercise any right. We respond within one calendar month.

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion where data is no longer necessary or you withdraw consent.

Right to Restriction

Request restricted processing in certain circumstances.

Right to Data Portability

Receive your data in a structured, machine-readable format where processing is consent or contract based.

Right to Object

Object to processing based on legitimate interests.

Right to Complain

Lodge a complaint with the ICO at ico.org.uk or call 0303 123 1113.

8. Cookies

We use only strictly necessary cookies. No advertising, tracking, or cross-site profiling cookies are used.

Cookie | Purpose | Duration
Authentication (Supabase) | Maintaining your logged-in session | Session / 7 days
CSRF token | Preventing cross-site request forgery | Session

9. Security

Security measures include:

  • TLS encryption for all data in transit
  • Cryptographic password hashing — plain-text passwords are never stored
  • Row Level Security (RLS) ensuring users can only access their own data
  • Server-side API key handling — secrets never exposed in client-side code
  • Signed URLs and access controls on file uploads

In the event of a breach likely to risk your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.

10. Children's Privacy

SamtHQ is not directed at individuals under 18. We do not knowingly collect personal data from children. Contact samthq10@gmail.com if you believe we have done so inadvertently.

11. Changes to This Policy

We will notify you of material changes at least 14 days before they take effect. Continued use after changes take effect constitutes acceptance.

12. Contact

SamtHQ
Data Controller: Faras Enoon (Sole Trader)
Email: samthq10@gmail.com
We respond to all privacy enquiries within 5 business days.