Privacy Notice
Last updated: 15 April 2026
1. Who we are
Imagyze is operated by Signoi Ltd ("Signoi", "we", "us"), a company registered in England and Wales. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Signoi Ltd is the data controller for personal data processed through the Imagyze service.
Contact for data protection matters: privacy@signoi.com
We are registered with the Information Commissioner's Office (ICO). Our registration number will be displayed here once assigned.
2. What this notice covers
This notice explains what personal data we collect when you use Imagyze, why we collect it, how we use and share it, how long we keep it, and your rights. It should be read alongside our Terms of Service.
3. What we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address (encrypted at rest) | Sending you your analysis report; identifying your account; detecting re-registration | Performance of a contract (Article 6(1)(b)) |
| Name and company (optional) | Personalising correspondence; distinguishing business from personal users | Legitimate interest (Article 6(1)(f)) |
| SHA-256 hash of email | Pseudonymised identifier for all records; allows us to link your visits without retaining the plain address | Performance of a contract; legitimate interest |
| IP address, user agent, Accept-Language header, browser fingerprint | Abuse prevention, rate-limiting, detecting repeat registrations, approximate geolocation | Legitimate interest (Article 6(1)(f)) — protecting our service from fraud and abuse |
| Uploaded images | Producing the analysis you requested; internal research, development and improvement of the service; quality assurance; aggregated or anonymised statistical analysis (as set out in Section 4 of our Terms of Service) | Performance of a contract; legitimate interest |
| Analysis results (semiotic text, tags, archetype scores, colour/entropy metrics, emotional profile) | Delivering results to you; internal research and improvement | Performance of a contract; legitimate interest |
Session cookies and a blacklist cookie (_bl) |
Keeping you logged in for up to one hour; enforcing suspension of accounts that have uploaded prohibited content or supplied invalid email addresses | Strictly necessary (no consent required under PECR); legitimate interest |
4. Who we share your data with
We use a small number of trusted processors to deliver the service. In each case we have a data processing agreement in place and only the minimum necessary data is shared.
- Amazon Web Services, Inc. (AWS) — hosts our infrastructure and MongoDB database; sends email via Amazon SES when used. Data is processed in AWS UK/EU regions where reasonably possible. DPA available on request.
- Anthropic, PBC — runs the Claude large language model used for semiotic analysis and tag generation. Your uploaded image and the analysis prompts are transmitted to Anthropic's US infrastructure for processing. Anthropic does not train its public models on API data by default. DPA: anthropic.com/legal/dpa.
- SightEngine — runs automated content-moderation checks on uploaded images to detect prohibited content (as required by UK law and our Terms of Service). Your image is transmitted to SightEngine for this check.
- Google Workspace (Gmail SMTP) — used to deliver your analysis report email.
We do not sell your personal data, and we do not share it with any other third parties for marketing purposes.
5. International transfers
Some of our processors (notably Anthropic and, at times, AWS) are located in the United States. Where personal data is transferred outside the United Kingdom, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an adequacy decision where one applies, to ensure your data receives equivalent protection.
6. How long we keep your data
- Uploaded images and analysis results: retained indefinitely for internal research, development, and service improvement, in accordance with Section 4 of our Terms of Service. Images are held on our infrastructure and are not publicly distributed or sold.
- Account and visit records (hashed email, encrypted email, IP, fingerprint, timestamps): retained for so long as your account is active and for a reasonable period thereafter for abuse prevention.
- Session data: deleted automatically one hour after the last activity.
- Invalid-email records and blacklist flags: retained indefinitely to prevent abuse and repeat registrations with known-bad addresses.
You may request deletion of your personal data at any time under Section 7 below. We will delete it within one month unless a lawful reason to retain it applies (for example, to defend a legal claim or comply with a statutory obligation).
7. Your rights
Under UK GDPR you have the following rights in respect of your personal data:
- Access — to obtain a copy of the personal data we hold about you.
- Rectification — to have inaccurate data corrected.
- Erasure ("right to be forgotten") — to have your data deleted, subject to the limits described in Section 6.
- Restriction — to restrict further processing of your data in certain circumstances.
- Objection — to object to processing based on legitimate interest.
- Portability — to receive your data in a structured, machine-readable format.
- Complaint — to lodge a complaint with the ICO at ico.org.uk/make-a-complaint/ or call the ICO helpline on 0303 123 1113.
To exercise any of these rights, email privacy@signoi.com. We may ask you to verify your identity before acting on the request. We will respond within one month.
8. Security
We apply appropriate technical and organisational measures to protect your personal data, including: encryption of email addresses at rest; HTTPS for all communications; restricted database network access; login authentication and auditing on administrative interfaces; automated intrusion-prevention (fail2ban) on the host; and routine security patching.
9. Cookies
Imagyze uses the following cookies:
session— strictly necessary session identifier used to keep you logged in during a single session (expires after one hour)._bl— a persistent flag set when an account has been suspended for breaching our Terms (for example, uploading prohibited content or supplying an invalid email address). It contains no personal data beyond the suspension flag.
We do not use third-party advertising, analytics, or tracking cookies.
10. Changes to this notice
We may update this notice from time to time. The "Last updated" date at the top reflects the date of the most recent change. Where changes are material we will make reasonable efforts to inform users in advance.
11. Contact
Questions, requests, or complaints about how we handle your personal data: privacy@signoi.com.