Privacy Policy
This policy describes how Xegen Ltd (“we”, “us”) collects and uses personal information when you visit our website or use SupportLayer (the “Service”). We process personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
The data controller for the website and Service is Xegen Ltd, registered in Scotland (company number SC745778). For privacy enquiries, contact us at hello@supportlayer.app.
What data we collect
Depending on how you use SupportLayer, we may process:
- Account & profile data: name, email address, organization name, role, authentication factors (e.g. MFA enrollment metadata), and similar details you provide when registering or administering a workspace.
- Service content: tickets, messages, attachments, internal notes, tags, and other content you or your users submit to the Service (which may include personal data about your customers or colleagues).
- Technical & usage data: IP address, device and browser type, approximate location derived from IP, timestamps, diagnostic logs, and security-related events needed to operate and protect the Service.
- Support & contact data: information you send via our contact form or email, including your name, email, and message content.
- Billing data: where you purchase a paid plan, payment-related information processed by our payment provider (we typically do not store full card numbers on our systems).
Why we use it & legal bases
We only use personal data where we have a valid legal basis under UK GDPR. These include:
- Performance of a contract (Art. 6(1)(b)): to provide the Service, authenticate users, deliver features you request, and communicate about your account or subscription.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, improve reliability, analyze aggregated usage, and operate our business—balanced against your rights. You may object to certain processing as described below.
- Legal obligation (Art. 6(1)(c)): to comply with applicable law, regulation, or lawful requests from public authorities.
- Consent (Art. 6(1)(a)): where we rely on consent (for example, non-essential cookies or certain marketing communications), we will ask separately and you may withdraw consent at any time.
Sharing & subprocessors
We use trusted third parties to host infrastructure, send email, process payments, monitor errors, and similar functions. They may process personal data only on our instructions and under appropriate contractual safeguards. A current list of categories of subprocessors is available on request at hello@supportlayer.app.
We do not sell your personal data. We may disclose information if required by law, to protect rights and safety, or in connection with a merger or asset sale subject to appropriate confidentiality.
International transfers
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards apply—such as the UK International Data Transfer Agreement / Addendum, standard contractual clauses approved for UK use, or transfers to countries covered by UK adequacy regulations—unless a specific derogation applies.
Retention
We retain personal data only as long as necessary for the purposes above, including legal, accounting, and dispute-resolution needs. Account data is generally kept for the life of the workspace plus a reasonable period thereafter unless you ask us to delete it sooner and we have no overriding obligation to retain it. Technical logs may be kept for shorter rolling periods. Backup copies may persist for a limited time after deletion.
Security
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. No method of transmission over the Internet is completely secure; we encourage strong passwords and MFA where available.
Your rights (GDPR)
If UK GDPR applies to our processing of your personal data, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data or complete incomplete data (Art. 16).
- Erasure (“right to be forgotten”) in certain circumstances (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Data portability for data you provided, where processing is based on consent or contract and automated (Art. 20).
- Object to processing based on legitimate interests or for direct marketing (Art. 21).
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal, where we rely on consent.
- Lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.
To exercise these rights, contact hello@supportlayer.app. We will respond within one month where required by law (extensions may apply for complex requests). We may need to verify your identity before acting on a request.
If you are an end user of a customer’s SupportLayer workspace, that customer is often the controller of your data; we may direct privacy requests to them where appropriate, but we will assist as required by law.
Cookies & similar technologies
We use cookies and similar technologies that are strictly necessary for the Service (for example, session and security cookies) based on our legitimate interests and/or contract. Where we use optional analytics or marketing cookies, we will obtain consent where required. You can control cookies through your browser settings.
Children
The Service is not directed at children under 16, and we do not knowingly collect their personal data. If you believe we have done so, contact us and we will take steps to delete the information.
Changes
We may update this policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be communicated by email or in-product notice where appropriate.
Contact
Questions about this policy or our use of personal data: hello@supportlayer.app. You may also use our contact form.
This policy is provided for transparency and does not constitute legal advice. For contractual terms governing use of the Service, see our Terms of Service.