Privacy Policy

1. Introduction

This Privacy Policy explains how Serval Systems Limited ("Serval", "we", "us", "our") collects, uses, shares, and protects personal data when you use the Serval platform (the "Service"), visit our websites, or otherwise interact with us.

Serval is a business-to-business sales CRM and growth platform. It is used by our customers ("Customers") — typically employers operating sales teams — to manage prospects, leads, calls, calendar bookings, and sales workflows.

Important: Personal data about prospects, leads, contacts, and end-customers that is uploaded into or generated within Serval by a Customer ("Customer Data") is processed by us on behalf of that Customer, who acts as the data controller. We act as a processor. If you are an end-prospect or contact and have questions about how your data is used in Serval, please contact the Customer who is using Serval to engage with you. This Policy explains both (a) our processing as a controller of Authorised User and website data, and (b) our role as a processor of Customer Data.

2. Who we are

Controller: Serval Systems Limited, a company registered in England and Wales under company number [NUMBER], with its registered office at 124-128 Kemp House, City Road, London EC1V 2NX.

Contact: [privacy@serval.example] | 124-128 Kemp House, City Road, London EC1V 2NX

Data Protection lead: [NAME OR ROLE] — [email]

We are registered with the UK Information Commissioner's Office (ICO) under registration number [INSERT ICO NUMBER].

3. Key terms

Personal data — any information relating to an identified or identifiable natural person, as defined in the UK GDPR.

Customer — the business that subscribes to Serval and uses the Service to manage its sales activity.

Authorised User — an individual (typically an employee or contractor of a Customer) authorised by the Customer to use the Service.

Customer Data — personal data uploaded, inputted into, or generated within the Service by or on behalf of a Customer, including contact records, lead data, call recordings, transcripts, notes, calendar entries, and message content.

Service Data — data we collect about the use and operation of the Service, including authentication events, usage telemetry, audit logs, and aggregated metrics.

4. Personal data we collect

4.1 Account and Authorised User data (we are controller)

Identity data: name, job title, employer, business email, business phone.
Authentication data: hashed password, session tokens, multi-factor enrolment, login timestamps and IP.
Profile data: avatar, role, sales team / group membership, working hours, daily lead cap.
Communications: support tickets, correspondence with our team, feedback you provide.
Productivity metrics: talk time, wrap-up time, admin time, outcomes recorded, calls completed, banding (green/amber/red), as part of the agent productivity scoring system.

4.2 Customer Data (we are processor)

Customers determine what data to load into the Service. Typical categories include:

Prospect / lead contact details (name, business, phone, email, address).
Call recordings and AI-generated transcripts of conversations between Authorised Users and prospects.
Disposition codes, outcomes, notes, and free-text added by Authorised Users.
Calendar slot bookings, including names, emails, phone numbers, and the time selected.
Message content for SMS confirmations, reminders, and email communications sent via the Service.
Where the Customer enables connected modules, additional data submitted into those workflows.

4.3 Telephony data

When telephony is enabled (via Aircall or Twilio), inbound and outbound calls made through the Service generate caller and called numbers, call duration, recording audio, voicemail audio, AI-generated transcripts, and conversation intelligence summaries.

4.4 Website and product telemetry

Device and connection information: IP address, browser type and version, operating system, referrer.
Product analytics: pages viewed, features used, error events, performance metrics.
Cookies and similar technologies (see section 12).

4.5 Billing and payment data

Where the Customer pays by card, billing is handled by our payment processor (Stripe). We receive limited card metadata (last four digits, expiry, card brand), billing contact, and invoice records. We do not store full card numbers.

5. How we use personal data

5.1 As controller

To provide and operate the Service (account management, authentication, support).
To bill Customers and collect payment.
To monitor, secure, debug, and improve the Service.
To communicate with Authorised Users about service notices, security alerts, and product updates.
To send marketing communications about Serval, where permitted and subject to your right to opt out.
To meet our legal, regulatory, and accounting obligations.
To investigate and prevent fraud, abuse, and violations of our Terms of Service.

5.2 As processor

We process Customer Data strictly on the documented instructions of the Customer for the purposes of providing the Service — including, where the Customer enables them: AI-powered call summarisation, suggested outcome codes, scheduled SMS and email reminders, calendar slot booking, productivity reporting, and lead allocation.

Where AI features are enabled, Customer Data may be passed to AI sub-processors solely to generate the output requested by the Customer (e.g. transcript summary, suggested outcome). AI sub-processors are contractually prohibited from using Customer Data to train their general models.

6. Legal bases for processing (UK GDPR Article 6)

Contract — to provide the Service to the Customer and to administer Authorised User accounts.
Legitimate interests — to secure the Service, prevent fraud, improve the product, and send service communications and limited business-to-business marketing where balanced against your rights.
Legal obligation — to meet tax, accounting, regulatory, and law-enforcement obligations.
Consent — for non-essential cookies and certain marketing where required.

For Customer Data, the legal basis is determined by the Customer as controller. Common bases relied on by Customers include legitimate interests for B2B prospecting and contract for engaging with their existing customers.

7. Who we share personal data with

We do not sell personal data. We share it only with:

Authorised Users within the Customer's account, in line with the Customer's access controls.
Sub-processors we engage to deliver the Service, listed below. Each is bound by a written data processing agreement and is contractually required to apply appropriate security and confidentiality measures.
Professional advisers (legal, accounting, insurance, audit) under duties of confidentiality.
Public authorities or regulators where we are legally required to disclose.
A successor entity in the event of a merger, acquisition, or sale of all or part of our business, subject to confidentiality protections.

7.1 Current sub-processors

An up-to-date list is maintained at [URL]. As of the effective date above:

Sub-processor	Purpose	Location
Aircall SAS	Cloud telephony, call recording, voicemail	EEA / UK
Anthropic, PBC	AI processing (call summarisation, content generation, suggested outcomes)	USA
Google LLC (Workspace APIs)	Calendar free/busy, event creation, Google Meet links	USA / EEA
HeyGen, Inc.	AI video generation (Video Studio feature)	USA
YouTube LLC	Video hosting and publishing (where Customer enables)	USA
Twilio Ireland Limited	SMS delivery, B2C telephony, inbound call routing	EEA / USA
SendGrid (Twilio)	Transactional email delivery	USA / EEA
Replit, Inc.	Application hosting and database infrastructure	USA
Stripe Payments Europe Ltd	Subscription billing and payment processing	Ireland / USA
HubSpot, Inc.	CRM escalation routing (where Customer enables)	USA / EEA

We notify Customers of changes to our sub-processor list in line with the Data Processing Agreement and give them the opportunity to object.

8. International transfers

Some of our sub-processors are located outside the UK and the EEA, principally in the United States. Where we transfer personal data outside the UK, we rely on one or more of the following safeguards:

UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
EU Standard Contractual Clauses (for EEA-originating data, where relevant).
Adequacy decisions issued by the UK government, including the UK–US Data Bridge where applicable.
Supplementary technical and organisational measures, including encryption in transit and at rest, access controls, and data minimisation.

Copies of the relevant transfer mechanisms are available on request at [privacy@serval.example].

9. How long we keep personal data

Account data: for the duration of the Customer's subscription, plus up to 12 months after termination to support reactivation and dispute resolution.
Customer Data: for the duration of the Customer's subscription. On termination, we delete or return Customer Data within 30 days, subject to legal retention obligations and Customer instructions.
Call recordings and transcripts: for the period configured by the Customer, defaulting to 12 months unless the Customer specifies otherwise.
Authentication and audit logs: up to 24 months for security and incident investigation.
Billing records: for 7 years to meet UK tax and accounting obligations.
Marketing data: until you unsubscribe or object, and for a short period thereafter to maintain suppression lists.

10. Your rights

If you are in the UK or the EEA you have the following rights, subject to legal exceptions:

Right	What it means
Access	Get a copy of the personal data we hold about you.
Rectification	Correct inaccurate or incomplete personal data.
Erasure	Ask us to delete personal data where we no longer have a lawful basis to hold it.
Restriction	Ask us to pause processing in certain circumstances.
Portability	Receive personal data you provided in a structured, machine-readable format.
Objection	Object to processing carried out on the basis of legitimate interests, including direct marketing.
Withdraw consent	Withdraw consent at any time where we rely on it (without affecting prior processing).
Automated decisions	Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights for account data we hold as controller, contact us at [privacy@serval.example]. If your data is held in Serval as Customer Data, please contact the Customer who controls that data; we will assist them in responding.

You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk). We would, however, appreciate the chance to address your concerns first.

11. Security

We apply technical and organisational measures designed to protect personal data, including:

Encryption of data in transit (TLS) and at rest.
Encryption of stored third-party credentials (tenant integration tokens).
Role-based access controls and least-privilege principles for our personnel.
Multi-tenant data isolation at the application and database layer.
Audit logging of authentication events and sensitive actions.
Regular review of dependencies, secrets, and configuration.
Background checks and confidentiality obligations for personnel with access to production systems.
Incident response procedures, including notification to affected Customers within 72 hours of becoming aware of a personal data breach where required by law.

No system is perfectly secure. We encourage Authorised Users to use strong, unique passwords and to enable multi-factor authentication where available.

12. Cookies and similar technologies

We use cookies and similar technologies to operate the Service and our websites. These include:

Strictly necessary cookies — for authentication, session continuity, and security. These cannot be disabled.
Functionality cookies — to remember preferences such as language and dismissed banners.
Analytics cookies — to understand how the Service and websites are used. Set only with consent where required.

You can manage cookies through our cookie banner and your browser settings. A full cookie list is available at [URL].

13. Children

Serval is a business-to-business product and is not intended for children. We do not knowingly collect personal data from anyone under 18. If you believe we hold data about a child, contact us and we will delete it.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified to Customers via the Service or by email. The "Last updated" date at the top of this Policy indicates when it was most recently revised.

15. How to contact us

Email: [privacy@serval.example]

Post: Serval Systems Limited, 124-128 Kemp House, City Road, London EC1V 2NX

Supervisory authority: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom — ico.org.uk