Privacy Policy


Effective Date: February 1, 2026


This Privacy Policy describes how Tylly Ltd (“Tylly”, “we”, “our”, or “us”) collects, uses, and protects personal information when you visit our website at tylly.ai (the “Site”) or engage with our services.


We take privacy seriously. This document is written to be clear, accurate, and aligned with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.



1. Who We Are


Tylly Ltd is a private limited company registered in England and Wales.


Company name: Tylly Ltd
Company number: 16997695
Registered office: Vanburgh Court, 40 Stoke Road, Slough, England, SL2 5XQ
Contact email: contact@tylly.ai


Tylly also operates a representational office in Paris, France through a France-based associate. All legal, contractual, and data protection responsibilities remain with the UK entity.


For the purposes of UK GDPR and EU GDPR, Tylly Ltd acts as the Data Controller for personal information collected through this Site and through our commercial activities.



2. Information We Collect


We collect personal information in three contexts: when you submit our contact form, when we deliver services to you as a client, and when you browse the Site.


2.1 Information you provide via our contact form


When you fill out our consultation form, we collect:


  • First name and last name

  • Professional email address

  • Company name

  • Your role within the company

  • Service category you are interested in (AI agents, automation, IT services, etc.)

  • Country of your business


2.2 Information we infer through commercial enrichment


When you submit your company name through our form, we use third-party APIs to enrich the lead with publicly available business information (such as company registration data, sector, and size). This enrichment is limited to UK and France-based companies and is performed solely to qualify the relevance of the engagement.


2.3 Information collected through service delivery


When you become a client, we collect additional information necessary to deliver the engagement, which may include:


  • Business contact details of stakeholders involved in the project

  • Operational data shared with us during scoping and discovery

  • Credentials and access tokens required to build the agreed system (handled securely and destroyed or transferred at the end of the engagement)

  • Project-related communications and documents


We never train AI models on client data. We never share client data across engagements.


2.4 Information collected automatically when you browse the Site


We use limited analytics and functional cookies. See Section 7 (Cookies) for details.



3. How We Use Your Information


We use the personal information we collect for the following purposes:


PurposeLegal Basis (UK GDPR)Responding to your consultation requestLegitimate interests (Article 6(1)(f)) — to engage with prospects in a B2B contextQualifying lead relevance through enrichment APIsLegitimate interests (Article 6(1)(f)) — to assess fit before engagementDelivering services under contractPerformance of contract (Article 6(1)(b))Sending operational and project updatesPerformance of contract (Article 6(1)(b))Maintaining business records and accountingLegal obligation (Article 6(1)©)Improving the Site and servicesLegitimate interests (Article 6(1)(f))Publishing testimonials with your name, role, photo, and quoteConsent (Article 6(1)(a)) — collected in writing before publication


We do not use personal data for automated decision-making that produces legal or similarly significant effects on you.



4. How We Share Your Information


We do not sell personal data. We share personal information only with the following categories of recipients, and only to the extent necessary:


4.1 Service providers (Data Processors)


The following third-party tools process personal data on our behalf:


  • Framer (website hosting) — Site visit data

  • Google Workspace (email, productivity) — Email correspondence and contact records

  • Airtable (CRM) — Lead and client records

  • n8n (automation orchestration) — Workflow execution and webhook data

  • OpenAI API (AI processing, where applicable) — Content processed during automated workflows

  • Anthropic API (AI processing, where applicable) — Content processed during automated workflows

  • Stripe (payment processing, when applicable) — Billing and payment data

  • WhatsApp Business (client communication, when applicable) — Message content


Each provider is bound by its own data protection obligations. Where required, we maintain Data Processing Agreements with these providers.


4.2 Professional advisors


We may share data with our accountants, lawyers, and insurers when necessary to operate the business or comply with legal obligations.


4.3 Legal authorities


We may disclose personal data when required by law, court order, or to protect the legitimate interests of Tylly Ltd, its clients, or third parties.


4.4 Business transfers


If Tylly is involved in a merger, acquisition, or asset sale, personal data may be transferred. Affected individuals will be notified prior to the transfer.



5. International Data Transfers


Some of our service providers (notably those based in the United States) may process personal data outside the United Kingdom and the European Economic Area.


When such transfers occur, we rely on appropriate safeguards as required by UK GDPR and EU GDPR, including:


  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • The UK International Data Transfer Agreement (IDTA)

  • The EU-US Data Privacy Framework (DPF) where the receiving organisation is certified


You may request a copy of the safeguards in place by contacting us.



6. How Long We Keep Your Information


We retain personal data only for as long as necessary for the purposes for which it was collected.


Data categoryRetention periodLead data (non-converted prospects)24 months from last contactActive client recordsDuration of the engagement plus 6 years (UK accounting and tax obligations)Project deliverables and configurationsDuration of maintenance subscription, then transferred or destroyedEmail correspondence6 years (UK statutory limitation period for contract claims)Marketing consent recordsUntil consent is withdrawnSite analytics data14 months maximum


When data is no longer needed, we delete it securely or anonymise it for analytical purposes.



7. Cookies and Tracking


Our Site uses cookies and similar technologies. We use:


  • Strictly necessary cookies — required for the Site to function. These do not require consent.

  • Analytics cookies — help us understand how visitors interact with the Site. These require your consent.


We display a cookie consent banner on your first visit and on subsequent visits where consent has been withdrawn or expired. You can review and update your preferences at any time using the cookie settings link in the Site footer.


We do not currently use marketing or advertising cookies. If we introduce them in the future, this Policy will be updated and consent will be re-requested.



8. Your Rights


Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:


  • Right of access — You may request a copy of the personal data we hold about you.

  • Right to rectification — You may request correction of inaccurate or incomplete data.

  • Right to erasure (“right to be forgotten”) — You may request deletion of your data, subject to our legal obligations to retain it.

  • Right to restrict processing — You may request that we limit how we use your data.

  • Right to data portability — You may request your data in a structured, machine-readable format.

  • Right to object — You may object to processing based on legitimate interests.

  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.


To exercise any of these rights, contact us at contact@tylly.ai. We will respond within one calendar month, which may be extended by two further months for complex requests.


If you are not satisfied with our response, you have the right to lodge a complaint with:


  • UK residents — The Information Commissioner’s Office (ICO), ico.org.uk

  • EU residents — Your local data protection authority (e.g., the CNIL in France: cnil.fr)



9. Security


We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. These include:


  • Encrypted data transmission (HTTPS, TLS)

  • Access control and authentication on internal systems

  • Limited access to personal data on a need-to-know basis

  • Secure handling and rotation of client credentials

  • Regular review of third-party providers’ security postures


Despite these measures, no system is fully secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by law.



10. Children


Our Site and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected such data, we will delete it promptly.



11. Changes to This Policy


We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The “Effective Date” at the top of this document indicates when the current version came into force.


For material changes, we will notify affected individuals through our Site or by email where appropriate. Continued use of the Site after changes constitutes acknowledgement of the updated Policy.



12. Contact


For any question, concern, or request related to this Privacy Policy or your personal data, please contact:


Tylly Ltd
Vanburgh Court, 40 Stoke Road, Slough, England, SL2 5XQ
Email: contact@tylly.ai


We aim to respond to all enquiries within 5 business days.