Who we are
ISAAK LTD (“ISAAK”, “we”, “us” or “our”) is a company registered in England & Wales under company number 14504923. Our registered office is 9 Prince Of Wales Terrace, London W8 5PG, England. We operate the website isaiak.com and the ISAAK Home Architect product (the “Service”).
For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), ISAAK is the controller of the personal data described in this policy. Questions, requests, and complaints can be sent to support@isaiak.com.
Data we collect
We collect only what we need to provide and improve the Service. Specifically:
- Account data — your email address, optionally your name, the password hash, and the dates you signed up, signed in, and last changed your password.
- Content you create or upload — floor plans, briefs, notes, and any images or PDFs you drop into the Service. This content is yours; we process it to produce the drawings and reports you ask for.
- Billing data — if you buy a paid plan, our payment processor (Stripe) collects your payment details. We receive a token, the last four digits of the card, the country, and the billing amount. We never receive or store the full card number.
- Usage data — pages viewed, features used, device type, browser, approximate location (from IP, at country/region level), and error traces. We use this to keep the Service running and to understand what to improve.
- Support correspondence — any emails, form submissions, or phone records you send us.
How we use your data
We use your personal data for the following purposes:
- Running the Service — accounts, sign-in, generating plans, analysing plans, storing your saved work.
- Customer support — answering your questions and resolving issues.
- Product improvement — understanding which features work, fixing bugs, training our own internal heuristics (never on the raw content you upload unless you explicitly opt in).
- Security & fraud prevention — detecting abuse, protecting accounts, keeping the infrastructure up.
- Legal & regulatory — complying with UK law, responding to lawful requests, keeping accounting records.
- Marketing — sending product updates and the fortnightly Guides letter, only to addresses that have opted in. Every email contains a one-click unsubscribe.
Legal bases
We rely on the following lawful bases under Article 6 UK GDPR:
- Contract — to deliver the Service you have signed up for.
- Legitimate interests — to keep the Service secure, to analyse usage at an aggregate level, and to send transactional emails related to your account. You can object at any time.
- Consent — for optional marketing emails and for non-essential cookies. Consent can be withdrawn at any time.
- Legal obligation — to keep VAT, accounting, and regulatory records where we are required to do so.
Sharing & processors
We do not sell personal data. We share it only with the following categories of service providers (data processors), bound by written contracts:
- Hosting & infrastructure — our application and database are hosted on providers located in the UK, EU, and the United States.
- Payment processing — Stripe Payments UK Ltd, for card and subscription handling.
- Email delivery — a transactional email provider for sign-in links, receipts, and the Guides newsletter.
- Product analytics & error monitoring — privacy-respecting providers, configured to anonymise IPs and to avoid cross-site tracking.
- AI model providers — when you ask ISAAK to generate or analyse a plan, your brief and the plan are processed by one or more large-language-model providers contracted to delete inputs and outputs within 30 days and never train on your content.
- Professional advisers — lawyers, accountants, auditors, under their own confidentiality duties.
- Authorities — where required by a valid legal order.
A current list of named processors is available on request to support@isaiak.com.
International transfers
Some of our processors are located outside the UK, including in the United States. Where personal data leaves the UK, we rely on one of the following safeguards recognised under Article 46 UK GDPR:
- A UK adequacy regulation, where one exists for the destination country.
- The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with any supplementary measures that a transfer risk assessment requires.
- The UK extension to the EU-US Data Privacy Framework, where the US recipient is self-certified.
A copy of the relevant transfer mechanism is available on request.
Retention
We keep personal data only as long as we need it. Specifically:
- Account data — while your account is open, plus 30 days after deletion for backup rotation, after which it is purged.
- Plans and briefs — while you keep them in your account, or for 90 days after an anonymous demo use.
- Billing records — six years from the end of the tax year in which the transaction occurred, as required by HMRC.
- Support correspondence — up to three years from the last contact, unless a longer period is needed to defend a legal claim.
- Server logs — 30 days, then aggregated or deleted.
Your rights
Under UK data protection law you have the following rights, exercisable free of charge in most cases:
- Access — a copy of the personal data we hold about you.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion, where no overriding legal basis requires us to keep the data.
- Restriction — asking us to pause processing while a query is resolved.
- Portability — a machine-readable export of data you provided to us.
- Objection — to processing based on legitimate interests, and to direct marketing at any time.
- Withdrawal of consent — at any time, without affecting earlier lawful processing.
- Complaint to a regulator — the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority in the EEA.
To exercise any of these rights, email support@isaiak.com. We respond within one calendar month.
Cookies
We use a small set of cookies. Essential cookies (session, CSRF protection, load balancing) are set without consent because the Service would not work without them. Analytics and preference cookies are only set if you accept them from our cookie banner, and can be revoked at any time from the banner or from your browser settings.
We do not use advertising cookies and we do not share cookie data with advertising networks.
Security
We apply layered technical and organisational measures proportionate to the sensitivity of the data we process: TLS in transit, encryption at rest for databases and object storage, hashed passwords, role-based access, audit logging, least-privilege operational access, and regular backups with restore testing. No system is perfectly secure; if an incident occurs that affects your data, we notify the ICO within 72 hours where required, and we notify you without undue delay where the incident is likely to result in a high risk to your rights and freedoms.
Children
The Service is intended for adults. We do not knowingly collect personal data from people under 16. If you believe a child's data has been provided to us, please contact support@isaiak.com and we will delete it.
Changes to this policy
We may update this policy from time to time. Material changes will be announced by email to registered users and posted on this page at least 14 days before they take effect. The date at the top of the policy always reflects the current version.
Contact us
For any data-protection question, including access and deletion requests:
- Email: support@isaiak.com
- Post: ISAAK LTD, 9 Prince Of Wales Terrace, London W8 5PG, England
- Phone: +44 7477 487845