Privacy Policy

Last updated: 1 March 2026

1. Introduction

1.1 Polyglyph Analytica Limited, trading as "8pimax" ("Company", "we", "us", or "our"), is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website, use our platform, access our API, or otherwise interact with our services (collectively, the "Services").

1.2 This Privacy Policy should be read in conjunction with our Terms and Conditions, which are available at /terms. Capitalised terms used but not defined in this Privacy Policy have the meanings given to them in the Terms and Conditions.

1.3 By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not use our Services.

2. Data Controller

2.1 For the purposes of the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018, the data controller in respect of personal data collected directly from you (such as account registration data, billing information, and website usage data) is:

  • Company Name: Polyglyph Analytica Limited
  • Trading As: 8pimax
  • Registered Address: Montclare, Orpington Bypass, Badgers Mount TN14 7AG, United Kingdom
  • Email: privacy@8pimax.com

2.2 Where our customers ("Customers") use our Services to process personal data of their own end users ("End Users"), the Customer is the data controller and we act as a data processor on the Customer's behalf. In such circumstances, the Customer's privacy policy governs the processing of End User data, and End Users should refer to the relevant Customer's privacy policy for information about how their data is processed.

3. Data Protection Officer

3.1 We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing questions in relation to this Privacy Policy and our data protection practices. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:

  • Data Protection Officer: Sejuti Roy
  • Email: dpo@8pimax.com
  • Postal Address: Data Protection Officer, Polyglyph Analytica Limited, Montclare, Orpington Bypass, Badgers Mount TN14 7AG, United Kingdom

3.2 You have the right to make a complaint at any time to the Information Commissioner's Office ("ICO"), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

4. Information We Collect

We collect and process the following categories of personal data:

4.1 Account and Registration Data

When you create an account or register to use our Services, we collect:

  • Full name and job title;
  • Email address;
  • Company or organisation name;
  • Telephone number (if provided);
  • Billing address and country;
  • Password (stored in hashed form only); and
  • Authentication tokens from third-party identity providers (where you register via Google, GitHub, or similar services).

4.2 Payment and Billing Data

When you subscribe to a paid plan, we collect:

  • Payment card details (processed and stored exclusively by our payment processor, Stripe Payments UK Ltd — we do not store full card numbers on our systems);
  • Billing name and address;
  • VAT registration number (where applicable); and
  • Transaction history and invoice records.

4.3 Technical and Usage Data

When you access our website or use our Services, we automatically collect:

  • IP address and approximate geolocation;
  • Browser type and version, operating system, and device type;
  • Referring website URL and pages visited;
  • Date and time of access, session duration, and clickstream data;
  • API request metadata, including request timestamps, endpoints accessed, HTTP method, response status codes, and latency;
  • Error logs, including error codes, stack traces (server-side only), and related diagnostic information; and
  • SDK and integration version information.

4.4 Communication Data

When you contact us or we contact you, we collect:

  • The content of emails, support tickets, and other correspondence;
  • Your name and contact details provided in connection with such communications; and
  • Records and metadata of interactions with our support team.

4.5 Banking Data Provider Credentials

When you connect Banking Data Providers through our platform, we collect and securely store:

  • API keys and credentials for Banking Data Providers (encrypted at rest using AES-256);
  • Configuration settings for each connected provider; and
  • Provider-specific metadata necessary to maintain the connection.

4.6 Financial Data (Transient Processing Only)

Important: Our platform operates as a stateless data relay. When Customers use our API to access Financial Data (including account information, transaction data, balance data, and identity verification data), this data flows through our infrastructure in real time but is not persisted, cached, or stored by us beyond what is strictly necessary for the immediate processing and delivery of the API response. We do not retain copies of End User financial data after the API response has been delivered to the Customer.

5. Legal Basis for Processing

5.1 We only process your personal data where we have a valid legal basis for doing so under the UK GDPR. The legal bases we rely on are:

5.2 Performance of a Contract (Article 6(1)(b))

We process your account data, payment data, and usage data as necessary for the performance of the contract between you and us (i.e., our Terms and Conditions), including to:

  • Create and manage your account;
  • Provide, operate, and maintain the Services;
  • Process payments and manage billing;
  • Provide customer support; and
  • Communicate with you about your account and the Services.

5.3 Legitimate Interests (Article 6(1)(f))

We process certain personal data where it is necessary for our legitimate interests (or those of a third party) and where your interests and fundamental rights do not override those interests. Our legitimate interests include:

  • Improving, optimising, and developing our Services and platform;
  • Monitoring usage patterns and analysing trends to enhance user experience;
  • Detecting, preventing, and investigating fraud, security incidents, and abuse;
  • Enforcing our Terms and Conditions and protecting our legal rights;
  • Administering and protecting our business, including troubleshooting, system maintenance, data analysis, and testing; and
  • Sending non-marketing service communications (such as system updates, security alerts, and maintenance notifications).

5.4 Consent (Article 6(1)(a))

Where we rely on your consent to process personal data, we will ask for your explicit consent at the time of collection. You have the right to withdraw your consent at any time by contacting us at privacy@8pimax.com. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. We rely on consent for:

  • Sending marketing communications and newsletters;
  • Placing non-essential cookies and similar tracking technologies; and
  • Any other processing activities where consent is the appropriate legal basis.

5.5 Legal Obligation (Article 6(1)(c))

We process personal data where it is necessary for compliance with a legal obligation to which we are subject, including tax reporting, regulatory compliance, and responding to lawful requests from public authorities.

6. How We Use Your Information

6.1 We use the personal data we collect for the following purposes:

  • Service delivery: To provide, maintain, and improve the Services, including processing API requests, managing connections to Banking Data Providers, and delivering webhook notifications;
  • Account management: To create, administer, and secure your account, authenticate your identity, and manage your subscription;
  • Billing and payments: To process transactions, issue invoices, manage subscriptions, and handle refunds;
  • Communication: To send you service-related communications, including technical notices, security alerts, system updates, support responses, and administrative messages;
  • Analytics and improvement: To analyse usage patterns, monitor performance, diagnose technical issues, and improve the functionality and user experience of the Services;
  • Security and fraud prevention: To detect, prevent, and respond to security incidents, fraud, abuse, and other harmful activities;
  • Legal compliance: To comply with applicable laws, regulations, legal processes, and governmental requests; and
  • Marketing: With your consent, to send you marketing communications about our products, services, and promotions.

7. Cookies and Tracking Technologies

7.1 We use cookies and similar tracking technologies to collect and store information when you visit our website and use our Services. Cookies are small text files placed on your device by a web server.

7.2 Types of Cookies We Use

  • Strictly necessary cookies: These are essential for the operation of our website and Services. They enable core functionality such as authentication, session management, and security. These cookies cannot be disabled.
  • Functional cookies: These allow us to remember choices you make (such as language preferences, locale settings, and display preferences) and provide enhanced, personalised features.
  • Analytics cookies: These help us understand how visitors interact with our website by collecting and reporting information. We use privacy-focused analytics to minimise the collection of personal data. These cookies are placed only with your consent.

7.3 You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website and Services. Most browsers allow you to refuse cookies or alert you when cookies are being sent. For more information on managing cookies, please visit www.allaboutcookies.org.

8. Data Sharing and Disclosure

8.1 We do not sell, rent, or trade your personal data to third parties. We may share your personal data only in the following circumstances:

8.2 Service Providers and Sub-processors

We share personal data with carefully selected third-party service providers who assist us in operating, maintaining, and improving our Services. These providers process personal data on our behalf and are contractually bound to process such data only as instructed by us and to maintain appropriate security measures. Our current categories of service providers include:

  • Cloud infrastructure: Google Cloud Platform (data hosting, computing, and storage);
  • Payment processing: Stripe Payments UK Ltd (payment card processing and billing);
  • Authentication: Firebase Authentication (identity management and authentication services);
  • Email services: Resend (transactional and service emails);
  • Analytics: Privacy-focused analytics providers (website usage analytics); and
  • Customer support: Support platform providers (helpdesk and ticket management).

8.3 Banking Data Providers

When you use our Services to connect to Banking Data Providers, your credentials and API requests are transmitted to the relevant provider. This transmission is necessary for the performance of the Services. Each Banking Data Provider is an independent data controller in respect of any personal data it processes.

8.4 Legal and Regulatory Disclosure

We may disclose your personal data where required to do so by law, regulation, or legal process, or where we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Services; (d) protect the personal safety of users of the Services or the public; or (e) protect against legal liability.

8.5 Business Transfers

If the Company is involved in a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

9. International Data Transfers

9.1 Your personal data may be transferred to, and processed in, countries outside the United Kingdom. Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place to protect your data in accordance with the UK GDPR. These safeguards include:

  • Transfers to countries that the UK Secretary of State has determined provide an adequate level of protection for personal data;
  • Use of the International Data Transfer Agreement ("IDTA") or the International Data Transfer Addendum to the EU Standard Contractual Clauses, as approved by the ICO;
  • Binding corporate rules; or
  • Other appropriate safeguards as permitted under Article 46 of the UK GDPR.

9.2 You may request a copy of the relevant safeguards by contacting us at privacy@8pimax.com.

10. Data Retention

10.1 We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. The specific retention periods we apply are as follows:

  • Account data: Retained for the duration of your account and for a period of twelve (12) months following account closure or termination, unless a longer retention period is required by law;
  • Payment and billing data: Retained for a minimum of seven (7) years in accordance with UK tax and accounting requirements;
  • API usage logs and metadata: Retained for thirty (30) to ninety (90) days depending on your subscription plan, after which they are automatically purged;
  • Error and diagnostic logs: Retained for up to ninety (90) days for debugging and performance monitoring purposes;
  • Support correspondence: Retained for twenty-four (24) months following the resolution of the relevant enquiry;
  • Marketing consent records: Retained for as long as the consent is valid and for a period of twenty-four (24) months following the withdrawal of consent; and
  • Financial Data (End User data): Not retained. Financial Data transits our platform in real time and is not persisted.

10.2 When personal data is no longer required, we will securely delete or anonymise it. Anonymised data (from which you can no longer be identified) may be retained indefinitely for statistical and analytical purposes.

11. Data Security

11.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, but are not limited to:

  • Encryption: All data in transit is protected using TLS 1.3 encryption. All data at rest, including stored credentials and account information, is encrypted using AES-256;
  • Access controls: Strict role-based access controls, multi-factor authentication for administrative access, and the principle of least privilege;
  • Infrastructure security: Hosting on SOC 2 Type II certified cloud infrastructure with network segmentation, firewalls, and intrusion detection systems;
  • Monitoring and logging: Continuous monitoring of systems and access logs for suspicious activity;
  • Security testing: Regular penetration testing, vulnerability scanning, and security audits conducted by qualified professionals;
  • Incident response: Documented incident response procedures for detecting, reporting, and managing personal data breaches; and
  • Employee training: Regular data protection and information security training for all employees and contractors with access to personal data.

11.2 While we take all reasonable precautions to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.

11.3 In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, we will notify the ICO without undue delay and in any event not later than 72 hours after becoming aware of the breach, and will notify affected individuals where required by the UK GDPR.

12. Your Rights Under the UK GDPR

12.1 Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and are subject to certain conditions and exemptions:

  • Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, together with information about how and why we process it. We will provide this information free of charge, although we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
  • Right to rectification (Article 16): You have the right to request that we correct any personal data that is inaccurate or incomplete. We will respond to such requests without undue delay.
  • Right to erasure (Article 17): You have the right to request that we delete your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other legal basis for processing), or where the data has been unlawfully processed.
  • Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where the processing is unlawful but you do not wish us to erase it, or where we no longer need the data but you require it for the establishment, exercise, or defence of legal claims.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have that data transmitted to another data controller without hindrance, where the processing is based on consent or the performance of a contract and is carried out by automated means.
  • Right to object (Article 21): You have the right to object to the processing of your personal data where we are relying on legitimate interests as the legal basis for processing, and where there is something about your particular situation which makes you want to object. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes.
  • Right to withdraw consent: Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

12.2 To exercise any of your rights, please contact us at privacy@8pimax.com or write to the Data Protection Officer at the address set out in clause 3. We will respond to your request within one (1) month of receipt. This period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one (1) month of receipt of the request.

12.3 We may request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

13. Automated Decision-Making and Profiling

13.1 We may use automated systems for the following purposes:

  • Fraud detection: Automated monitoring of API usage patterns to detect potentially fraudulent or abusive activity;
  • Rate limiting: Automated enforcement of usage limits based on your subscription plan; and
  • Security monitoring: Automated analysis of access patterns to detect potential security threats.

13.2 These automated processes do not produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 of the UK GDPR. Where any automated decision may have a significant effect on you, we will ensure that appropriate safeguards are in place, including the right to obtain human intervention, to express your point of view, and to contest the decision.

14. Children's Privacy

14.1 Our Services are not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If you are under 18, you must not use our Services or provide any personal data to us.

14.2 If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information as quickly as possible. If you believe we have collected personal data from a child under 18, please contact us at privacy@8pimax.com.

15. Third-Party Links and Services

Our website and Services may contain links to third-party websites, applications, or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We strongly advise you to review the privacy policy of every site you visit. A link to a third-party website does not imply endorsement of that website, its content, or the organisation that operates it.

16. Changes to This Privacy Policy

16.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this Privacy Policy;
  • Notify you by email to the address associated with your account; and
  • Where appropriate, seek your consent to the changes.

16.2 We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of such changes.

17. Complaints

17.1 If you are unhappy with the way we have handled your personal data or any privacy-related request, you have the right to lodge a complaint with the ICO:

  • Information Commissioner's Office
  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Telephone: 0303 123 1113
  • Website: www.ico.org.uk

17.2 We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact our Data Protection Officer at dpo@8pimax.com in the first instance.

18. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

  • Company: Polyglyph Analytica Limited (trading as 8pimax)
  • Registered Address: Montclare, Orpington Bypass, Badgers Mount TN14 7AG, United Kingdom
  • General Privacy Enquiries: privacy@8pimax.com
  • Data Protection Officer: Sejuti Roy — dpo@8pimax.com