Privacy Policy

  1. Introduction

This Privacy Notice explains how Didymos Limited ("Didymos", "we", "our", "us") collects, uses, shares and secures personal data when you visit our websites, create an account, or use our platform (the "Service").

  1. Who we are

Didymos Limited is a private company registered in England & Wales (Company No. 12345678). Our registered office is Didymos Limited, 13b Kings Grove, London, England, SE15 2LY. We are the controller of the personal data described in this Notice (except where Section 6 states we act as a processor).

Contact us at Didymos customer support for any privacy‑related questions. If you request that your account be deleted, Didymos will delete all retained information about you, in line with the deletion policies outlined below. Didymos will not directly or indirectly transfer any data for any monetization-related service.

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time (www.ico.org.uk) or your local supervisory authority in the EEA.

  1. Scope of this Notice

This Notice applies to:

  • Visitors to didymos.ai and any sub‑domains;

  • Users who use our Service to create and run synthetic user testing.

It does not apply to third‑party websites or services that integrate with Didymos; their privacy practices are governed by their own policies.

  1. How and why we collect data

In the course of using Didymos, engaging with Didymos’ websites, or corresponding with the team at Didymos, you provide us with or we collect various pieces of personal data.

We collect and use the data outlined below to provide a contracted service to you or to further operate and develop our business.

Your personal data will not be sold, distributed, or leased to any third parties. We only share your personal data in cases in which it is necessary for us to provide our services.

We do not collect information regarding your race, ethnicity, religious or philosophical beliefs, political beliefs, sexual orientation, genetic information, or information about your health.

We will not discriminate against you should you exercise any of the rights described in our privacy policy.

  1. Other relevant policies and terms

This Privacy Notice should be read alongside:

  • Website Terms of Service

  • Terms of Use

  • Cookie Policy

  • Service Providers & Subprocessors

  1. The data we collect

| Category | Examples | Source | Legal basis* |
| --- | --- | --- | --- |
| Account Data | Name, email, job title, organisation, password hash, authentication tokens | You | Contract |
| Test Content | Prompts, scenario descriptions, GUI screenshots, audio/video of sessions (which may contain personal data) | You | Contract; legitimate interests (product improvement) |
| Audience Definition Data | Interview transcripts, support tickets, customer research and analytics data | You | Contract; legitimate interests (product improvement) |
| Usage & Log Data | IP address, browser type, device IDs, access timestamps, feature usage events | Automated collection | Legitimate interests (security & analytics) |
| Marketing Data | Newsletter preferences, content engagement metrics | You / cookies | Consent |

*Additional lawful bases listed in Section 5.

We use Stripe to manage billing and never store your full payment‑card details. Stripe is a PCI‑DSS Level 1 provider.

We never deliberately collect special‑category data (race, health, etc.).

  1. How and why we use personal data

| Purpose | Details | Lawful basis |
| --- | --- | --- |
| Provide & secure the Service | Create accounts, authenticate users, process tests, store results, prevent fraud | Contract; legitimate interests (security) |
| Improve & develop features | Analyse aggregated usage, train proprietary evaluation models, conduct A/B tests | Legitimate interests; consent for non‑essential cookies |
| Customer support | Respond to tickets, troubleshoot, reproduce issues | Contract |
| Marketing | Send product updates, event invites, newsletters | Consent; soft opt‑in for existing UK/EU customers |
| Legal & compliance | Tax, accounting, respond to lawful requests | Legal obligation; legitimate interests |

  1. Automated processing & AI output

We use large‑language models (currently GPT‑4.1 mini) and other third‑party AI systems to generate synthetic user feedback. We do not make solely automated decisions that produce legal or similarly significant effects on individuals. You may request human review of any decision that affects you (see Section 10).

  1. Cookies & similar technologies

We use first‑ and third‑party cookies and JSON Web Tokens (JWT) to:

  • keep you signed in;

  • remember preferences;

  • measure site performance.

Full details are in our separate Cookie Policy, which includes your choices to accept or reject non‑essential cookies.

  1. When we act as a processor

Where a customer uploads personal data (e.g., customer interview transcripts) into the Service, Didymos processes that data solely on the customer’s instructions. Our Data Processing Addendum (DPA) sets out the obligations required by Article 28 UK/EU GDPR, including Standard Contractual Clauses for international transfers.

  1. Sharing your personal data

We share personal data only as necessary with:

  1. Service providers – cloud hosting, compute, email delivery, payment processing, analytics; all under written contracts and assessed for security.

  2. AI model vendors – currently OpenAI (USA) for GPT‑4 inference. Prompt content and generated output are transmitted under SCCs + UK Addendum.

  3. Professional advisers – lawyers, auditors, insurers.

  4. Authorities – where required by law or to protect rights, property or safety.

  5. Successors – in connection with a merger, acquisition or sale (with notice to you where required).

We never sell or rent personal data.

  1. International transfers

Didymos is UK‑based but uses providers in the United States and EEA. When we transfer personal data outside the UK/EEA we rely on:

  • UK International Data Transfer Agreement (IDTA)

  • EU Standard Contractual Clauses (2021/914) plus UK Addendum

  • Adequacy regulations (where available)

  1. Data retention

| Data type | Retention period |
| --- | --- |
| Account & billing records | 7 years after account closure (tax & audit) |
| Test content & outputs | Until you choose to delete them |
| Logs & analytics | 12 months (aggregated thereafter) |
| Marketing preferences | Until you withdraw consent |

  1. Your rights

Under UK GDPR / EU GDPR you can:

  • Access your personal data

  • Correct inaccuracies

  • Erase data (“right to be forgotten”)

  • Restrict or object to processing

  • Data portability

  • Withdraw consent at any time

To exercise any right, email hello@didymos.ai. We may need to verify your identity, and we will respond within one month.

California residents

If you reside in California, the Supplemental CCPA/CPRA Notice in Appendix A explains additional rights, including the right to opt‑out of the sale/share of personal information and the right to limit use of sensitive personal information.

  1. Security

All personal data is hosted on Supabase (Frankfurt, DE). Supabase maintains SOC 2 Type II and HIPAA reports and provides the following controls:

  • End‑to‑end encryption – TLS 1.3 in transit; AES‑256 encryption at rest for all databases and object storage.

  • Role‑based access control (RBAC) and least‑privilege IAM policies.

  • Isolated production network with automated OS and container patching.

  • Continuous vulnerability scanning & dependency monitoring (Snyk, Dependabot).

  • Annual third‑party penetration tests – summary reports available on request under NDA.

  • 24 × 7 logging and alerting to detect and respond to suspicious activity.

A live list of sub‑processors, their locations, and change‑notification history is available in our Service Providers & Subprocessors policy.

  1. Children

Our Service is intended for business users aged 18+. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us to have it deleted.

  1. Changes to this notice

We may update this Notice from time to time. We will post any changes on this page and, for material changes, provide a prominent notice (e.g., email or in‑app alert). The “Last updated” date at the top indicates when it was most recently revised.

Appendix A – California Privacy Notice (CPRA)

This Appendix applies only to “consumers” as defined by the California Consumer Privacy Act (as amended by the California Privacy Rights Act).

Categories collected

See Section 4 above for the categories of personal information we collect.

Purposes, sharing and retention

See Sections 5, 8 and 10.

Your CPRA rights

You may:

  1. Know the categories and specific pieces of personal information we hold.

  2. Delete personal information (subject to statutory exceptions).

  3. Correct inaccurate personal information.

  4. Opt‑out of the sale or sharing of personal information.

  5. Limit the use of sensitive personal information.

  6. Not be discriminated against for exercising any CPRA right.

Submit requests via hello@didymos.ai. We will verify your request using the information associated with your account and respond within 45 days (90 days for complex requests).



Last Updated: 8th of June, 2025

No more second guessing.
Try Didymos today.
