Privacy Policy

Last updated: 11 February 2026 | UK GDPR Compliant

This Privacy Policy explains how Saiko Music Group Ltd ("Saiko", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the Saiko Intelligence platform ("Platform"). We are committed to protecting your privacy in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller responsible for your personal data is:

Saiko Music Group Ltd
Hamalworth House, 9 St. Clare Street
City Of London, England, EC3N 1LQ
Email: hello@saikointelligence.com

When we process data on behalf of our clients (e.g., campaign data, creator data), we act as a data processor. See our Data Processing Agreement for details.

2. What Data We Collect

2.1 Account Data

Data Type	Purpose	Legal Basis
Full name	Account identification, display in platform	Contract performance
Email address	Authentication, notifications, communication	Contract performance
Password (hashed)	Account security — stored as bcrypt hash, never in plaintext	Contract performance
Role and permissions	Access control within tenant	Contract performance
2FA secret (encrypted)	Two-factor authentication — Fernet-encrypted at rest	Legitimate interest (security)

2.2 Campaign and Business Data

Data Type	Purpose	Legal Basis
Campaign briefs and budgets	AI strategy generation, campaign management	Contract performance
TikTok creator usernames and analytics	Creator discovery, campaign matching, outreach	Legitimate interest
AI conversation histories	Providing AI strategy service, session continuity	Contract performance
AI memories (user-saved)	Personalised AI experience, preference retention	Contract performance
Outreach message logs	Communication tracking, campaign management	Contract performance

2.3 Technical and Security Data

Data Type	Purpose	Legal Basis
IP address	Login audit, security monitoring, abuse prevention	Legitimate interest (security)
User agent string	Login audit, security monitoring	Legitimate interest (security)
Login timestamps	Audit trail, failed attempt tracking	Legitimate interest (security)
API usage logs	Usage metering, billing, rate limiting	Contract performance

2.4 Data We Do NOT Collect

We do not collect payment card details directly — payments are processed by Stripe.
We do not use tracking cookies or third-party advertising trackers.
We do not collect sensitive personal data (racial/ethnic origin, political opinions, health data, etc.).

3. How We Use Your Data

We process your personal data for the following purposes:

Providing the Service — Operating the Platform, processing AI queries, managing campaigns, facilitating creator discovery and outreach.
Account Management — Authentication, authorisation, team management, invite processing.
Security — Monitoring for suspicious activity, enforcing rate limits, login audit, preventing abuse.
Communication — Service announcements, system notifications, responding to support requests.
Improvement — Analysing aggregate usage patterns to improve Platform features (no individual profiling).

4. Sub-processors and Data Sharing

We share personal data with the following categories of third-party service providers ("sub-processors") who process data on our behalf. See our full Sub-processor List for details.

Sub-processor	Purpose	Location
Anthropic	AI language model processing (campaign strategy, conversation)	United States
RapidAPI	TikTok creator data retrieval	United States
Hostinger	Server hosting and infrastructure	EU / United States
Backblaze B2	Encrypted database backups	United States
Stripe	Payment processing (future)	United States

4.1 International Transfers

Some of our sub-processors are located in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the ICO
Sub-processor compliance with applicable data protection frameworks
Data minimisation — only necessary data is transferred

4.2 No Sale of Data

We do not sell, rent, or trade your personal data to third parties for marketing or any other purpose.

5. Data Retention

Data Category	Retention Period
Active account data	Retained for the duration of your subscription
Account data after cancellation	30-day grace period, then deleted
Data after deletion request	Removed from live systems within 30 days
Backup data after deletion	Purged from all backups within 90 days
Login audit logs	Retained for 12 months for security purposes
API usage logs	Retained for 12 months for billing and analytics

6. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

6.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will respond within 30 days of receiving your request.

6.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most account information directly through the Platform.

6.3 Right to Erasure

You have the right to request deletion of your personal data. Upon request, we will delete your data subject to the retention periods described in Section 5. You may request either:

Standard deletion — 30-day grace period with option to reverse, followed by permanent deletion.
Immediate deletion — Processed without grace period upon explicit request.

6.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV). You can request a data export through the Platform or by contacting us.

6.5 Right to Object

You have the right to object to processing of your personal data based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.

6.6 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, such as while we verify the accuracy of your data or assess an objection.

6.7 Exercising Your Rights

To exercise any of these rights, contact us at hello@saikointelligence.com. We will respond within 30 days. If we need to extend this period, we will inform you within the initial 30-day window.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Passwords hashed with bcrypt (never stored in plaintext)
API keys and 2FA secrets encrypted at rest with Fernet encryption
Tenant data logically isolated — each client's data is separated
Daily encrypted database backups with off-site storage
Rate limiting to prevent brute-force attacks
Login audit with automatic account lockout after 5 failed attempts
HTTPS encryption for all data in transit
Role-based access control (viewer, manager, admin, owner)
30-minute session inactivity timeout

For more information, see our Security page.

8. Cookies

We use only essential session cookies required for authentication and platform functionality. We do not use tracking cookies or third-party advertising cookies. See our Cookie Policy for details.

9. Children's Privacy

The Platform is a business-to-business service not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Platform at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.

11. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

12. Contact

For any privacy-related questions or to exercise your data rights, contact us at:

Saiko Music Group Ltd
Hamalworth House, 9 St. Clare Street
City Of London, England, EC3N 1LQ
Email: hello@saikointelligence.com