Privacy Policy

Last updated: 19 June 2026

This Privacy Policy explains how Excite Foundry Ltd (registered in England and Wales, registered office at 85 Great Portland Street, London, W1W 7LT) collects, uses, and protects personal information when you use RetentionIQ ("the Service") at retention-iq.com.

1. Information we collect

• Account information — your name, email address, and company affiliation, provided when you sign up or sign in.
• Authentication tokens — secure access tokens (e.g. Klaviyo API keys, Shopify access tokens) issued by the platforms you connect, used to access only the accounts you have explicitly authorized.
• Connected account data — from your Klaviyo and Shopify accounts: email and SMS campaign and flow data, engagement and deliverability metrics, audience and segment configurations, subscriber and customer profiles, order and product-catalog data, and account metadata.
• Service-generated content — predictions, scores, segments, analyses, summaries, drafted copy, and recommendations the Service produces from the data above.
• Usage data — pages visited, features used, session duration, and interaction patterns within the Service.

2. How we use information

We use the information we collect to:

• Provide retention analytics, predictions (churn, lifetime value, dormancy), and recommendations across email, SMS, and other channels.
• Power features such as copy generation, subject-line and promotion recommendations, segmentation, and AI-assisted insights.
• Execute only the changes you explicitly approve on your connected platforms — every action is previewed, approved by you, and reversible.
• Operate, debug, secure, and improve the Service.
• Communicate with you about your account, billing, security, and Service updates.

We do not sell your data, we do not use it to deliver advertising to you or anyone else, and we do not use it to train general-purpose AI models.

3. Legal basis for processing (UK GDPR / EU GDPR)

Excite Foundry Ltd processes personal data under the following lawful bases set out in Article 6 of the UK GDPR and EU GDPR:

• Contract (Art. 6(1)(b)) — processing necessary to deliver RetentionIQ to you under our Terms of Service, including authentication, account management, billing, and the core retention-analytics and execution features you have subscribed to.
• Legitimate Interests (Art. 6(1)(f)) — processing necessary to operate, secure, debug, and improve the Service, to detect and prevent fraud or abuse, to maintain audit logs, and to send service-related notices. We balance these interests against your rights and have determined they do not override your fundamental rights and freedoms.
• Consent (Art. 6(1)(a)) — where you explicitly authorise us to connect a third-party account (Klaviyo, Shopify) on your behalf. You may withdraw this consent at any time by revoking the connection in your RetentionIQ account or directly with the third-party platform.
• Legal Obligation (Art. 6(1)(c)) — where processing is required to comply with applicable law, including tax, accounting, and regulatory record-keeping obligations in the United Kingdom.

Where we process your subscribers' and customers' personal data, we do so as your processor; you are the controller of that data and are responsible for the lawful basis on which you collected it. Where we rely on Legitimate Interests for our own processing, you have the right to object; contact privacy@retention-iq.com.

4. Third-party services & sub-processors

RetentionIQ integrates with third-party services to deliver its functionality. Your use of each integration is governed by the respective provider's terms and privacy policy. Our current sub-processors are:

• Klaviyo — your connected email/SMS marketing platform: the source of engagement data and the destination where approved changes are written.
• Shopify — your connected commerce platform, for order, customer, and product-catalog data.
• Google Cloud Platform — hosting, databases, storage, and secret management (United States).
• Anthropic (Claude) and Google (Gemini) — for natural-language analysis and content generation. Per their API terms, content sent for processing is not used to train their foundation models.
• SendGrid — transactional email (sign-in links, notifications).
• Stripe — payment processing for paid subscriptions, where applicable.
• Google OAuth — optional sign-in.

Each sub-processor is bound by contractual obligations consistent with this Policy and applicable data-protection law. We do not authorise any sub-processor to use your data for its own purposes.

5. Data storage and security

Your data is stored on Google Cloud Platform infrastructure in the United States. We use industry-standard security practices including encryption in transit (TLS 1.2+), encryption at rest (AES-256), encrypted storage of access tokens and API credentials (Google Cloud Secret Manager / KMS), role-based access controls, multi-tenant isolation by organisation, and audit logging of state-changing actions.

RetentionIQ is designed so that no change is ever written to your connected platforms without your explicit approval. Proposed changes are previewed, queued for one-click approval, recorded in an audit log, and reversible.

6. Security incident and breach notification

In the event of a confirmed or reasonably suspected security incident affecting personal data under our control, we will:

• Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach where it is likely to result in a risk to the rights and freedoms of data subjects, as required by Article 33 of the UK GDPR.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the UK GDPR.
• Notify affected customers of any incident materially affecting their data or their connected third-party accounts.

7. Sharing

We do not sell your personal information. We share data only:

• With the sub-processors listed above, and only as necessary to provide the Service you have requested.
• With service providers acting on our behalf under written confidentiality obligations.
• If required by law or valid legal process, or to protect our or our users' legal rights.
• In connection with a corporate transaction (merger, acquisition, restructuring), in which case the acquiring entity will be bound by this Policy.

8. Your rights

You have the right to access, correct, or request deletion of your personal data; to export your content and data; and to revoke any third-party integration at any time through your account settings or the relevant platform's permissions page. To exercise any of these rights, email privacy@retention-iq.com. We will respond within 30 days.

9. California resident rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the following rights in addition to those described above:

• Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete — request deletion of personal information we have collected from you, subject to exceptions permitted by law.
• Right to Correct — request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing — Excite Foundry Ltd does not sell personal information and does not share personal information for cross-context behavioural advertising as those terms are defined under the CPRA.
• Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email privacy@retention-iq.com from the email address associated with your account. We will verify your request and respond within 45 days.

10. Data retention

We retain your data for as long as your account is active. If you delete your account, we will remove your personal data and the customer data we process on your behalf from our active systems within 30 days, except where retention is required by law (e.g., billing records). Residual backup copies expire on our standard backup-retention schedule (no longer than 90 days). Aggregated, anonymized analytics may be retained for Service improvement.

11. International transfers

Excite Foundry Ltd is established in the United Kingdom, and our infrastructure is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. Where applicable, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or equivalent safeguards.

If you are located in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR and EU GDPR, including the right to lodge a complaint with a supervisory authority. The UK supervisory authority is the Information Commissioner's Office at ico.org.uk.

12. Children's privacy

RetentionIQ is a business-to-business service intended for professional marketers. It is not directed to children, and we do not knowingly collect personal information from individuals under the age of 16.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before they take effect. Continued use after changes take effect constitutes acceptance of the updated Policy.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@retention-iq.com.