Serpyn ("we", "our", or "the platform") is a multi-tenant business management SaaS operated by Serpyn Inc. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. By using Serpyn, you agree to the practices described here.
1. Who This Policy Applies To
This policy applies to all users of the Serpyn platform at app.serpyn.com, visitors to serpyn.com, and companies ("organisations") that subscribe to Serpyn's services. If you are an employee or team member accessing Serpyn through your company's account, your organisation is the primary data controller for company data; Serpyn acts as data processor on their behalf.
2. Data We Collect
2.1 Account Data
When you register or are invited to Serpyn, we collect your name, work email address, job title, and a hashed password. We never store plaintext passwords.
2.2 Company & Business Data
Organisations upload and create business records through the platform, including HR data (candidate CVs, interview transcripts, employee profiles), sales orders, financial records, inventory data, procurement requests, and support tickets. This data is owned by the organisation and stored in isolation per company: no company can access another company's data.
2.3 Usage & Technical Data
We collect standard server logs: IP address, browser type, pages visited, timestamps, and HTTP response codes. This data is used for security, debugging, and uptime monitoring. We do not use third-party analytics trackers (no Google Analytics, no Meta Pixel) on the main application.
2.4 AI Interaction Data
When you use Serpyn's AI features (Smart Interview evaluation, CV parsing, AI Bot queries, report generation), the relevant content is sent to our AI provider (OpenAI) solely to generate a response. We do not permit OpenAI to train its models on your data under our API agreement. AI query logs are retained in our audit trail for 90 days for security and compliance review.
2.5 Telegram Bot Data
If you connect a Telegram bot to your company account, we store: your Telegram user ID (numeric), your Telegram @username (if public), and a binding to your Serpyn account. Message text sent to the bot is processed in real time and logged in our audit trail for 90 days. We do not read or store Telegram messages outside the audit trail.
3. Google API Data — Limited Use Disclosure
Serpyn's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you authorise Serpyn to connect your Google account, we may request access to the following scopes depending on the features you enable:
- Email address & profile — to identify your account and display your name and email in the dashboard.
- Google Drive (app files only) — to create and manage files that Serpyn generates on your behalf, such as ActivePieces-automated reports and exports. We do not access pre-existing files in your Drive.
- Google Calendar Events — to allow the AI Bot to view your upcoming events and create meeting invitations when instructed by you.
- YouTube (read-only & analytics) — to allow the AI Bot and marketing module to retrieve your channel data and performance metrics.
- YouTube Upload — to allow ActivePieces automation workflows to upload video content to your YouTube channel on your behalf.
Google data accessed through these scopes is used only to provide the feature you explicitly invoked. It is:
- Not shared with third parties other than our AI provider (OpenAI) for in-context processing.
- Not used to train or improve any AI model.
- Not used for advertising or profiling.
- Not stored beyond what is necessary for the immediate response, except as part of the 90-day security audit log.
You can revoke Serpyn's access to your Google account at any time from Google Account Permissions or from the Connections page in your Serpyn dashboard.
4. Meta (Facebook & Instagram) and X.com Data
If you connect a Facebook Page, Instagram account, or X.com (Twitter) account to Serpyn, we store an OAuth access token encrypted in our database using AES-256-CBC. These tokens are used only when you explicitly trigger a social media feature (e.g., fetching page engagement metrics, posting on your behalf via the AI Bot). Tokens can be revoked at any time from the Connections page in your dashboard, or directly from Meta's App Settings / X.com's Connected Apps.
5. How We Use Your Data
- To provide and operate the Serpyn platform and its features.
- To authenticate your identity and enforce role-based access control.
- To generate AI-powered insights, reports, and bot responses within your company account.
- To detect and prevent fraud, abuse, and security threats (including prompt injection attacks).
- To send transactional emails (account invitations, password resets, rate-limit alerts).
- To comply with legal obligations.
We do not sell your personal data. We do not use your data for advertising.
6. Data Storage & Security
All data is stored on servers hosted at our cloud infrastructure provider. Sensitive tokens (Telegram bot tokens, OAuth access tokens) are encrypted at rest using AES-256-CBC with a per-deployment encryption key. Passwords are hashed using bcrypt. All data in transit is protected by TLS 1.2+.
Access to production data is restricted to authorised engineering personnel only, requires multi-factor authentication, and is logged.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure on request.
- Company business data: Retained while the company subscription is active. Exported and deleted within 60 days of subscription termination.
- AI query audit logs: 90 days.
- Server access logs: 30 days.
- OAuth tokens: Deleted immediately when you revoke the connection.
8. Third-Party Services
We use the following sub-processors:
- OpenAI — AI language model inference. Data sent under a zero-data-retention API agreement. OpenAI Privacy Policy
- Telegram — Bot messaging API. Telegram Privacy Policy
- Google — OAuth, Gmail, Drive, Calendar, YouTube APIs. Google Privacy Policy
- Meta — Facebook/Instagram Graph API. Meta Privacy Policy
- X Corp (Twitter) — X API v2. X Privacy Policy
- DuckDuckGo & Jina Reader — Web search and URL fetching for the AI Bot's web search feature. No personal data is sent to these providers.
9. Cookies
Serpyn uses only a single session cookie (serpyn_session) to maintain your login state. We do not use tracking cookies, advertising cookies, or third-party cookies. The session cookie is strictly necessary for the application to function and is exempt from cookie consent requirements under GDPR.
10. Your Rights (GDPR)
If you are in the European Economic Area, United Kingdom, or another jurisdiction with comparable data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — revoke any OAuth connection at any time without affecting your Serpyn account.
To exercise any of these rights, email us at privacy@serpyn.com. We will respond within 30 days.
11. Children's Privacy
Serpyn is a B2B enterprise platform intended for use by adults in a professional capacity. We do not knowingly collect personal data from anyone under 18 years of age.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, if you are a registered user, notify you by email at least 14 days before the change takes effect. Continued use of Serpyn after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions, data requests, or to report a concern:
Email: privacy@serpyn.com
Website: serpyn.com