Legal
Privacy Policy
Last updated: June 2026
1. Who we are
Insy8 ("we", "us", "our") provides an operations platform for merchant teams. This policy explains what personal data we collect, how we use it, who we share it with, and the rights available to you.
When we process personal data from systems a merchant connects to Insy8, the merchant is normally the controller and Insy8 acts as processor under our Terms of Service or other signed agreement.
2. Data we collect and why
Data from connected systems
If a merchant authorises an integration, Insy8 may receive data from third-party commerce, accounting, messaging, delivery, and operations systems. Depending on the connector enabled, this may include:
- Customer or contact details, such as name, email address, phone number, and billing or delivery address
- Order, invoice, fulfilment, and payment-related records
- Product, inventory, location, and delivery workflow data
- Workspace events, exceptions, approvals, comments, and audit history
We use this data only to provide, secure, maintain, and improve the service for the merchant that authorised the connection. We do not sell personal data and we do not use merchant customer data for advertising.
Data from merchants and team members
- Account information, such as name, email address, role, workspace membership, and hashed password
- Support and commercial communications with us
- Workspace activity, including actions taken, decisions made, comments, and configuration changes
Automatically collected data
- Operational logs, including IP address, browser or device metadata, request path, timestamps, and error details
- Security and audit records needed to protect accounts, investigate abuse, and maintain service integrity
3. Legal bases
Where Insy8 acts as controller, we rely on the following GDPR legal bases:
- Contract. To create accounts, provide workspaces, support authorised users, and deliver the service.
- Legitimate interests. To secure the platform, prevent misuse, debug issues, improve reliability, and communicate about the service.
- Legal obligation. To keep records required for tax, accounting, compliance, or lawful requests.
- Consent. Where we ask for consent for optional communications or optional processing.
Where we act as processor, we process personal data on the merchant's documented instructions.
4. How we store and protect data
- Application infrastructure runs on cloud infrastructure in the EU/EEA where available
- Primary application data is stored in a managed PostgreSQL database in the EU/EEA
- Background jobs and short-lived operational queues are processed through managed infrastructure
- Private export artifacts are encrypted, access-controlled, and expire automatically
- All data in transit is encrypted using TLS/HTTPS
- OAuth access tokens, API credentials, and application secrets are encrypted or stored in managed secret storage
- Access to production systems is restricted to authorised personnel who need it to operate or support the service
5. Sharing and sub-processors
We share personal data only where needed to provide, secure, support, or comply with legal obligations for the service. Recipient categories include:
- Cloud hosting, storage, and secrets-management providers
- Managed database and background processing providers
- Error monitoring, observability, and security tooling providers
- Email, SMS, and other messaging providers used to deliver authorised communications
- Third-party commerce, accounting, delivery, and operations services that a merchant authorises us to connect with
- Professional advisers, regulators, or authorities where required by law
Our sub-processors are required to protect personal data and process it only for the purposes we authorise.
6. International transfers
Some providers or authorised connectors may process data outside the EU/EEA. Where that happens, we use an appropriate transfer mechanism, such as an adequacy decision, Standard Contractual Clauses, or another lawful safeguard. Merchants are responsible for ensuring that the connectors they authorise are appropriate for their own compliance obligations.
7. Retention and deletion
We retain workspace data for as long as the workspace is active or as otherwise required to provide the service. Operational logs are retained for limited periods for security, debugging, and reliability. We may retain minimal records where required for legal, accounting, audit, or dispute-resolution purposes.
If a merchant disconnects an integration, terminates the service, or requests deletion, we delete or anonymise personal data in accordance with our agreement, legal obligations, and technical backup cycles.
Where a connected platform sends us a valid privacy deletion or access request, we process it according to that platform's requirements and our obligations to the merchant.
8. Automated processing
Insy8 does not make automated decisions about individuals that produce legal or similarly significant effects. The platform may organise work, surface exceptions, and record decisions, but human users remain responsible for business decisions made in the workspace.
9. Your rights
Depending on your location and our role, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data. You may also have the right to complain to your local data protection authority.
For data controlled by a merchant, please contact that merchant first. For data controlled by Insy8, send requests to info@insy8.com.
10. Changes to this policy
We may update this policy from time to time. We will update the date at the top of this page and, where changes are material, notify affected merchants by email or in-product notice.
11. Contact
For privacy questions or data requests, contact info@insy8.com.
This policy is in process and may be updated as our legal and compliance setup evolves.