Privacy Policy
Last updated: 9 July 2026
1. Who we are (the data controller)
Deniable is operated by Karakoram Consulting Limited (“we”, “us”), a company registered in England & Wales under company number 12863954, with its registered office at Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, United Kingdom. We operate the website deniable.io and the customer dashboard at app.deniable.io, and are the data controller for the personal data described in this policy; our processing is regulated by the UK Information Commissioner’s Office (ICO). You can reach us about privacy at privacy@deniable.io.
2. The personal data we collect
- Account data — your email address (used for passwordless sign-in), and your name if you provide it.
- Order & billing data — where you purchase a licence: name, email, phone, billing and shipping address. Card details are entered directly into Stripe and are never seen or stored by us.
- Licence data — your licence key(s) and the device aliases you assign.
- Contact / waitlist / demo data — the contact details and message you submit through our contact, waitlist, or book-a-demo forms.
- Usage & device data — with your consent, product-analytics events, approximate location derived from IP, browser and device type, and the campaign parameters of the ad or link that brought you here. We do not use session recording.
We practise data minimisation: activating a licence does not require an email, and we do not ask for identity documents. We do not intentionally collect special-category data.
3. Why we use it, and our legal basis
- To provide the service (accounts, licences, orders, support) — performance of a contract (Art. 6(1)(b)).
- To send transactional email (sign-in links, order confirmations) — contract, and legitimate interests for security.
- Product analytics (PostHog) and advertising measurement (Google Ads, Reddit) — consent (Art. 6(1)(a)), which you give or decline in our cookie banner and can withdraw at any time.
- Responding to enquiries (contact / demo / waitlist) — legitimate interests, or consent where you opted in.
- Fraud prevention, security, and legal compliance — legitimate interests and legal obligation.
4. Cookies and tracking
We set strictly-necessary cookies to run the site. Analytics and advertising cookies are set only after you consent — nothing non-essential loads beforehand, and we honour your browser’s Global Privacy Control / Do-Not-Track signal regardless. For the full list and to change your choice, see our Cookie Policy.
5. Who we share it with (processors and recipients)
We do not sell or rent your personal data. We share it only with the service providers who help us run Deniable:
- Stripe — payment processing.
- PostHog (EU-hosted) — product analytics (consent only).
- Google Ads and Reddit — advertising measurement (consent only).
- Airtable — storing contact / waitlist / demo enquiries.
- Email delivery (SendGrid) — sending sign-in links and confirmations.
- FedEx — shipping, where a physical item is ordered.
- Slack — internal notification of enquiries.
- Mapbox and Google Calendar — address autocomplete and demo scheduling, respectively.
6. International transfers
Some of these providers are based in the United States. Where personal data is transferred outside the EEA / UK, we rely on the EU-US / UK Data Privacy Framework where the provider is certified, and otherwise on the European Commission’s Standard Contractual Clauses, together with additional safeguards. You can request details of the mechanism for any specific provider.
7. How long we keep it
We keep account, licence, and order data for as long as your account is active and as long as we are legally required to (e.g. tax records). Contact and enquiry data is kept only as long as needed to handle your request. Consent-based analytics data is retained per our analytics configuration and deleted when you withdraw consent or exercise erasure. When data is no longer needed, we delete or anonymise it.
8. Your rights
Under the GDPR / UK GDPR you have the right to:
- access a copy of your personal data;
- have inaccurate data corrected (rectification);
- have your data deleted (erasure / “right to be forgotten”);
- restrict or object to processing, including an absolute right to object to direct marketing;
- receive your data in a portable, machine-readable format; and
- withdraw consent at any time, without affecting prior processing.
To exercise any of these, email privacy@deniable.io. We will respond within one month. You can also withdraw analytics/advertising consent instantly via cookie preferences.
9. Complaints
If you believe we have mishandled your data, you have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ICO, ico.org.uk); if you are in the EEA, your local data-protection authority. We would appreciate the chance to address your concern first — please contact us at privacy@deniable.io.
10. Data security
We apply appropriate technical and organisational measures — including encryption in transit, access controls, and data minimisation — to protect your data. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you and the relevant authority of any breach that legally requires it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be posted here with a new “last updated” date.
12. Contact
Questions about this policy or your data? Email privacy@deniable.io.