Privacy Policy

This policy explains what personal data diagnosly collects, why, who we share it with, and the rights you have over it. For the technical detail of how we secure data, see our Security page.

Last updated 2026-06-08

Who we are

diagnosly ("diagnosly", "we", "us") provides multi-tenant fleet diagnostics and an on-device AI diagnostic assistant for Windows. We are the data controller for the account and billing data described below, and a data processor for the device telemetry we handle on your behalf.

Questions, requests, or complaints: privacy@diagnosly.co.uk.

Data we collect

  • Account data (via sign-in). When you sign in with Google, we receive your email address, name, and Google account identifier from Google's OAuth service. We request only the openid, email, and profile scopes — we never request access to your Gmail, Drive, Calendar, or any other Google data. If you sign up with email and password, we store your email and a salted bcrypt hash of your password (never the password itself).
  • Device telemetry. The agent you install (observer-core) reads performance counters, Windows event logs, and ETW events from machines you manage. A PII scrubber removes usernames, hostnames, MAC/IP addresses, SIDs, emails, secrets, and BitLocker keys on the device before any payload is sent.
  • Diagnosis data. When you run an AI diagnosis, the (already-sanitised) telemetry and your prompt are processed by the LLM provider configured for your tenant in order to produce a result.
  • Billing data. Payments and credit top-ups are processed by Stripe. We do not store your full card number; Stripe returns a token plus limited metadata (last four digits, card brand, billing country) that we retain for receipts and fraud prevention.
  • Usage & session data. Authentication sessions, audit log entries (who did what, when), and basic technical logs.

How we use your data

  • To create and secure your account and authenticate you at sign-in.
  • To deliver the service — register devices, run diagnostics, and show results.
  • To process payments, track credit balances, and send receipts.
  • To maintain security, prevent abuse, and keep an audit trail.
  • To send essential service communications (e.g. verification, billing, security notices).

We do not sell your personal data, and we do not use your telemetry or diagnosis data to train shared AI models.

Google user data

diagnosly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use the email, name, and profile information received from Google solely to create and operate your diagnosly account. We do not transfer this information to third parties except as needed to provide the service, comply with the law, or as part of a merger or acquisition, and we do not use it for advertising.

Legal bases (UK GDPR / GDPR)

  • Contract — to provide the service you signed up for.
  • Legitimate interests — security, abuse prevention, and improving the service.
  • Legal obligation — tax, accounting, and lawful requests.
  • Consent — where required (you can withdraw it at any time).

Who we share data with (sub-processors)

We use a small set of vetted providers to run the service:

  • Google — sign-in (OAuth).
  • Stripe — payment processing.
  • Cloudflare — DNS, TLS, and edge networking.
  • Oracle Cloud — compute and the primary database.
  • Vercel — hosting for this marketing site.
  • Resend — transactional email.
  • Anthropic / OpenAI — LLM diagnosis (using the API key configured for your tenant).

A current sub-processor list and a Data Processing Agreement are available on request at legal@diagnosly.co.uk.

Data retention

We keep account and billing data for as long as your account is active and as required for legal and accounting purposes after closure. Audit logs are retained per your plan (90 days on Pro, longer on Enterprise). Telemetry is retained only as long as needed to provide diagnostics and case memory. You can request deletion at any time (see below).

Your rights

Subject to applicable law, you can request access to, correction of, or deletion of your personal data; object to or restrict certain processing; and request a portable copy. To exercise any of these, email privacy@diagnosly.co.uk. You also have the right to lodge a complaint with your local data protection authority (in the UK, the Information Commissioner's Office).

Security

Data is encrypted in transit (TLS 1.3) and sensitive fields are encrypted at rest. Full detail of our security controls is on the Security page. To report a vulnerability, email security@diagnosly.co.uk.

Children

diagnosly is a business and IT tool not directed at children. We do not knowingly collect personal data from anyone under 16.

Changes

We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above and, where appropriate, notified to you by email.

Contact

Privacy requests: privacy@diagnosly.co.uk
Legal & DPA: legal@diagnosly.co.uk
