
Last updated: July 2026
This Privacy Policy describes how Llow Group Limited, trading as Serff.ai (“Serff.ai”, “we”, “us” or “our”), collects, stores, uses and discloses personal data regarding individuals who:
Please read this Privacy Policy carefully. You are not legally required to provide us with personal data, but without it we may be unable to provide the Serff.ai Services to you.
This Privacy Policy forms part of our Terms and Conditions. Capitalised terms not defined here have the meaning given in the Terms.
Serff.ai is the data controller for personal data described in this Policy, except where we act as data processor on behalf of a customer (see section 10).
Controller: Llow Group Limited (company no. 14334541), 3rd floor, 86–90 Paul Street, London EC2A 4NE, United Kingdom.
Data Protection Officer: Callum Rimmer, contact@llow.io.
ICO registration: we are registered with the UK Information Commissioner’s Office (registration C1340741).
2.1 Account and profile data — when you register, we collect your name, email address, workplace or company name, password (stored as a hash, not in clear), and, optionally, other profile details you provide. If you sign up via a federated identity provider (for example a magic-link email flow, or a social login), we receive the identifiers and profile details that provider passes to us.
2.2 Authentication and API-usage data — API keys, OAuth client IDs and secrets you issue, MCP session tokens, request logs (including timestamp, endpoint, tool name, response size, error status), IP address, user-agent string, and quota accounting data.
2.3 Content you submit — search queries, alert filters, webhook payload templates, custom prompts and any other data you enter into the Serff.ai Services.
2.4 Billing data — if you subscribe to a paid tier, our payment processor Stripe collects your payment-method details (card number, billing address, etc.) directly. We receive from Stripe a customer identifier, subscription status, invoice history and the last four digits of your card, but we do not store your full card details on our systems.
2.5 Automatically-collected data — connectivity, technical and aggregated usage data such as IP address and general location, device and browser attributes, session identifiers, cookie and tracking-technology data (as described in our Cookie Policy), timestamps of activity, and the pages you visit on the Sites.
2.6 Communications — records of correspondence with our support team, feedback you submit, and content of any calls with our team where we notify you that the call is being recorded.
2.7 Public filing content — the Serff.ai Services surface public regulatory filings sourced from the National Association of Insurance Commissioners’ SERFF system and US state insurance-department portals. These filings are not personal data of yours and are not subject to this Policy. They are public records.
We use personal data to:
a) provide, operate and secure the Serff.ai Services; b) authenticate you and enforce access controls and quotas; c) provide customer support and technical assistance; d) invoice, collect payment and administer subscriptions; e) send transactional communications you need to receive (billing notices, service updates, security alerts); f) with your consent where required, send marketing communications about new features and offerings, from which you can unsubscribe at any time; g) analyse and improve the Serff.ai Services (including via aggregated, anonymised or pseudonymised usage statistics); h) detect, investigate and prevent fraud, abuse and security incidents; and i) comply with our legal and regulatory obligations.
We do not sell your personal data.
We do not use your queries, prompts or content to train third-party large-language models. Requests we send to our AI sub-processors (Google Gemini, Anthropic Claude) are transmitted under contractual terms that prohibit those providers from using the data to train their public models.
Automated decision-making. The Serff.ai Services use machine-learning models (including large-language models, embedding models and retrieval-augmented generation) to rank, summarise and surface filings. These are informational tools and do not produce decisions that have a legal or similarly significant effect on you. You remain responsible for any decisions you take based on Serff.ai output.
For users in the United Kingdom or European Economic Area, our lawful basis under the UK GDPR / EU GDPR is:
The Serff.ai Services and all supporting infrastructure (application hosting, authentication, primary databases, backups and disaster-recovery snapshots) are located in the United States.
Where personal data is transferred out of the United Kingdom or European Economic Area (for example to our US-based service providers), we rely on the following transfer safeguards as applicable:
We may engage selected third-party companies and individuals to perform services complementary to our own. Such service providers include hosting and server co-location services, communications and content delivery networks (CDNs), data and cyber-security services, billing and payment processing services, fraud detection and prevention services, web analytics, e-mail distribution, marketing and monitoring services, session or activity recording services, remote access services, data optimisation and enrichment services, AI-model inference providers, social and advertising networks, content providers, e-mail, voicemails, support and customer relation management systems, and our legal, compliance and financial advisers (collectively, “Service Providers”).
These Service Providers may have access to your Personal Data, depending on each of their specific roles and purposes in facilitating and enhancing the Serff.ai Services, and may only use it for such limited purposes as determined in our agreements with them.
Our Service Providers shall be deemed ‘data processors’ in circumstances where Serff.ai assumes the role of ‘data controller’; and where Serff.ai acts as ‘data processor’ for our customer, the Service Provider shall be deemed our ‘sub-processor’ (as further explained in section 10).
We retain personal data for as long as necessary to provide the Serff.ai Services, comply with our legal and contractual obligations (including tax and accounting record-keeping), and defend legal claims.
Account data: for the life of your account and for 6 years after account closure, in line with UK tax record-keeping rules.
API request logs: 90 days for hot storage, 12 months for aggregated / anonymised analytics.
Billing records: 6 years, as required by UK tax law.
Marketing consent records: for as long as consent is active plus a reasonable audit period after withdrawal.
We may retain personal data for longer where required by law or in connection with an active dispute.
We apply industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+), encryption at rest, role-based access control, secret management, audit logging, and least-privilege operating practices. We do not guarantee absolute security; no online service can.
If we become aware of a personal data breach affecting your personal data we will notify you and the applicable supervisory authority within the timeframes required by law.
If UK or EU GDPR applies to you, you have the right to: request access to, rectification or erasure of your personal data; restrict or object to our processing; port your data to another controller; and, where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, email contact@llow.io. We may need to verify your identity before we can act on your request.
If we process personal data about you on behalf of a customer organisation (see section 10), please raise your request with that customer’s administrator; they are the data controller for that data.
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) on 0303 123 1113 or at ico.org.uk, or with your local supervisory authority in the EEA.
In respect of visitors, individual account holders and administrators, Serff.ai acts as the data controller.
Where a customer organisation subscribes to the Serff.ai Services on behalf of its employees or contractors and controls the account, that customer is the data controller and Serff.ai acts as data processor on the customer’s behalf under the terms of our Data Processing Agreement (available on request via contact@llow.io). Our sub-processors act as sub-processors in that context.
If you are an individual whose data is being processed by us on behalf of such a customer, please contact the customer’s administrator directly for any requests or queries.
The Sites use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies are only set with your consent. The api.serff.ai/mcp endpoint does not use cookies — it authenticates via bearer tokens only.
We may contact you with transactional messages you need to receive (billing, service outages, security notifications, password resets). You cannot opt out of these while your account is active.
We may also send you marketing communications about new features and offerings, but only where you have consented (in the UK/EEA) or where the “soft opt-in” applies. You can unsubscribe from marketing at any time via the link in each email, or by emailing contact@llow.io.
The Serff.ai Services are not directed at, or intended for use by, individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have, we will delete it.
The Sites contain links to third-party websites, including public regulatory portals (SERFF, state DOI sites) that host original filing content. We are not responsible for the privacy practices of those sites. Please review their privacy policies before providing them with any personal data.
We may update this Privacy Policy from time to time. When we make material changes we will provide notice through the Sites or by email. Continued use of the Serff.ai Services after an update takes effect constitutes acceptance of the update.
For any question, request or complaint relating to this Privacy Policy or your personal data:
Llow Group Limited (trading as Serff.ai)
Attn: Data Protection Officer
3rd floor, 86–90 Paul Street
London EC2A 4NE
United Kingdom
Email: contact@llow.io