Privacy Policy

Last updated: June 8, 2026

Applies to: semlr.com, slidexchange.com, and all related Semlr services

Your Privacy Matters to Us

Welcome! This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Semlr platform — including Semlr Studio (semlr.com) and slideXchange (slidexchange.com) — and any related services we provide (collectively, the "Services").

We are Semlr US Limited, a Delaware C corporation ("Semlr US," "we," "us," or "our"), a wholly owned subsidiary of Semlr Limited, a Bermuda corporation ("Semlr Limited," our "Parent Company"). Semlr US Limited is the primary contracting entity for users located in the United States. For users located outside the United States, Semlr Limited (Bermuda) is the relevant data controller. References to "Semlr" in this Policy include both entities where applicable.

By using the Services, you agree to the practices described in this Policy. If you have questions, our Privacy Officer is always happy to help — reach us at legal@semlr.com.

The short version — our commitments to you:

✓  We collect only what we need to run the Services.

✓  We never sell, rent, or trade your personal data or your content.

✓  We never use your content to train AI models.

✓  We keep your data secure using industry-standard protections.

✓  We are transparent about what we collect and why.

✓  We honour your privacy rights, wherever you live.

✓  We only share your data as described in this Policy or with your explicit permission.

1. Our Privacy Officer

Semlr has designated a Privacy Officer responsible for overseeing our compliance with applicable data protection laws and serving as your point of contact for privacy-related questions and complaints.

Privacy Officer: Akiva Elias, COO

Email: legal@semlr.com

Organisation: Semlr Limited, Bermuda (on behalf of both Semlr entities)

The Privacy Officer role satisfies the requirements of Bermuda's Personal Information Protection Act 2016 (PIPA) and acts as a single point of contact for all applicable privacy frameworks, including GDPR/UK GDPR and CCPA/CPRA.

2. What Information We Collect

We collect only what we genuinely need to provide, improve, and protect our Services. Here is what that includes:

Information You Give Us Directly

  • Account information: your name and email address when you sign up.

  • Organisational information: if your account is set up through an enterprise agreement, we may receive your contact details from your employer or institution.

  • Payment information: for paid subscriptions, payment details are collected and processed by our third-party payment provider. We do not store full card numbers on our own servers.

  • Communications: any information you include when you contact us for support, business enquiries, or partnership discussions.

Information We Collect Automatically

When you use our Services, we automatically collect certain technical and usage information to keep things running smoothly and to improve the platform ("Usage Data"), including:

  • your IP address and approximate location (country/city level);

  • browser type, version, and operating system;

  • pages you visit, links you click, and features you use;

  • date and time of your visits;

  • how you arrived at our site (e.g., from a search engine or a shared link);

  • device type and screen resolution; and

  • errors you encounter and page load times.

We collect this information using cookies and similar tracking technologies. See Section 7 for details on cookies and how to manage them.

Your Content

Our Services let you upload, store, share, and process presentations, documents, PDFs, and other materials ("Content"). We store your Content on your behalf solely to provide the Services. See Section 5 for our content commitments.

Information from Third Parties

If you connect a third-party service or sign in using a third-party account (such as Google or LinkedIn), we may receive basic profile information from that provider, subject to their own privacy policies. We request only the minimum permissions needed.

Sensitive Personal Information

We do not intentionally collect sensitive personal information (such as health data, financial account numbers, racial or ethnic origin, religious beliefs, or biometric data). Please do not upload content containing sensitive personal information of others unless it is strictly necessary for your use of the Services and you have appropriate consent or legal authority to do so.

3. How We Use Your Information

We use your information only for clear, legitimate purposes. We do not use it in ways you would not expect.

  • To provide and run the Services: your account information and content are needed to make the platform work, including sharing, collaboration, and analytics features.

  • To communicate with you: we may use your email address to send service updates, security notices, and policy changes. With your opt-in consent, we may also send product news and tips. You can unsubscribe at any time.

  • To improve our Services: we use Usage Data to understand how people use the platform so we can make it better for everyone.

  • To personalise your experience: we may surface features or suggestions that are more relevant to how you use the Services.

  • To detect and prevent fraud and abuse: we monitor for unauthorised access, policy violations, and illegal activity to protect you and other users.

  • To comply with legal obligations: we process data where required by applicable law or regulation.

Legal Bases for Processing (GDPR / UK GDPR)

If you are in the European Economic Area (EEA) or the United Kingdom, we process your personal data under one of the following legal bases:

  • Contract performance: processing your account data to deliver the Services you signed up for.

  • Legitimate interests: processing Usage Data to improve our Services, prevent fraud, and maintain security — where our interests do not override your fundamental rights.

  • Legal obligation: processing data where required by applicable law.

  • Consent: for marketing emails and non-essential cookies — you can withdraw consent at any time.

4. Our Commitment: We Will Never Sell or Misuse Your Data

We want to say this plainly, because it matters:

  • We do not sell your personal information to anyone, for any price, ever.

  • We do not rent or trade your personal information.

  • We do not share your personal information with advertisers or data brokers.

  • We do not use your Content to train artificial intelligence or machine learning models — yours or anyone else's.

  • We do not use your Content for any purpose other than providing the Services to you.

This is a core commitment of ours. If that ever changes, we will give you meaningful notice and the opportunity to object before it takes effect.

5. Your Content and How We Handle It

You own your content. We hold it in trust.

When you upload Content to the platform, you retain full ownership of it. Nothing in this Policy or our Terms of Service transfers ownership of your content to Semlr.

We store and process your Content only to:

  • deliver the sharing, viewing, and analytics features of the platform;

  • allow you and your chosen recipients to access it;

  • comply with a legal obligation or lawful government or court order; or

  • respond to a genuine emergency involving a risk of serious harm to a person.

Additionally, we may process your Content using automated trust and safety screening tools (such as automated file or text scanning) solely to detect, prevent, and remediate violations of the Prohibited Content provisions in our Terms of Service.

We do not access your Content for any other reason without your explicit permission.

You are responsible for ensuring that your Content is lawful, that you have the rights to upload and share it, and that it complies with our Terms of Service.

Important note on financial and regulated records: our platform is not designed or certified for use as the primary repository for financial statements, accounting records, audit documentation, or any content subject to mandatory legal retention requirements. We do not retain user Content for the seven-year period typically required for financial records, unless a specific written enterprise agreement requires otherwise. Please use a purpose-built records management system for regulated content.

6. When We Share Your Information

We share only what is necessary, only with people we trust, and only as described here.

Service Providers

We work with carefully selected third-party vendors to help us operate the Services — for example, for cloud hosting, analytics, customer support, and email delivery. These providers:

  • process your data only on our behalf and under our documented instructions;

  • are contractually prohibited from using your data for their own purposes; and

  • are required to maintain security standards at least equivalent to ours. 

Our primary data infrastructure is hosted in the United Kingdom. Your data may also be processed in other countries where our service providers operate. We ensure appropriate safeguards are in place for all international transfers (see Section 10).

Legal Requirements

We may disclose your information when we genuinely and reasonably believe it is necessary to:

  • comply with applicable law, regulation, legal process, or a valid government request;

  • detect, investigate, or prevent fraud, unauthorised access, or security incidents;

  • enforce our Terms of Service; or

  • protect the rights, property, or safety of Semlr, our users, or the public.

Where permitted by law, we will notify you before disclosing your data in response to a legal request.

Business Transitions

If Semlr undergoes a merger, acquisition, or sale of all or a substantial part of its assets, your data may be transferred to the successor entity. Any such successor will be bound by this Privacy Policy or one providing equivalent or greater protection.

Semlr Group Companies

Semlr US Limited and Semlr Limited (Bermuda) may share data between them for internal operational purposes, security, and legal compliance. Such sharing is governed by an internal data sharing agreement providing equivalent protections to this Policy.

With Your Permission

Outside the situations above, we share your data only with your explicit prior consent.

7. Cookies and Tracking Technologies

What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us recognise you, remember your preferences, and understand how you use our Services.

What We Use Them For

  • Essential cookies: necessary for the site to function (e.g., keeping you logged in and maintaining your session). You cannot opt out of these without affecting how the Services work.

  • Analytics cookies: help us understand how visitors use the Services so we can improve them. This data is aggregated and not linked to identifiable individuals.

  • Preference cookies: remember your settings and preferences to make your experience smoother.

We do not use advertising or cross-site tracking cookies.

Managing Your Cookie Preferences

You can control and delete cookies through your browser settings. Most browsers allow you to block or delete specific types of cookies. Disabling essential cookies may affect the functionality of our Services.

For users in the EEA or UK, we present a cookie consent banner that allows you to accept or decline non-essential cookies. You can change your preferences at any time.

We honour Global Privacy Control (GPC) signals from your browser as an opt-out of data sharing for California residents under CPRA.

8. How Long We Keep Your Data

We keep your data only as long as necessary to provide the Services and meet our legal obligations. Our standard retention periods are:

  • Account data (name, email, login history): retained until you delete your account, plus 30 days to allow account recovery.

  • User Content (uploaded files and presentations): retained until you delete your account. Files you delete are held in a soft-delete state for 30 days (to allow recovery), then permanently deleted.

  • Usage and analytics data: retained for the life of the business to support longitudinal analysis of user growth, platform usage trends, and service improvement. This data is aggregated or anonymised where possible.

  • Support and legal correspondence: retained for up to 3 years after the matter is resolved, or as required by law.

  • Payment records: retained for 7 years to comply with financial record-keeping requirements.

If you would like to request deletion of your data before these periods expire, see Section 9 for how to exercise your rights.

Note: we are not a long-term archive. Please maintain your own backups of any content you need to keep.

9. Your Privacy Rights

Wherever you live, you have meaningful rights over your personal information. We want exercising them to be easy.

Rights Available to All Users

  • Access: ask us what personal information we hold about you.

  • Correction: ask us to correct inaccurate or incomplete information.

  • Deletion: ask us to delete your personal information, subject to legal exceptions.

  • Data portability: request a copy of your personal data in a common, machine-readable format.

  • Opt out of marketing: unsubscribe from marketing emails at any time via the unsubscribe link in any email or by contacting us at legal@semlr.com.

EEA and UK Residents (GDPR / UK GDPR)

You also have the right to:

  • object to processing based on legitimate interests;

  • restrict our processing of your data in certain circumstances;

  • withdraw consent at any time, where processing is consent-based; and

  • lodge a complaint with your local data protection authority.

UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk. EEA users may contact their national supervisory authority.

Bermuda Residents (PIPA)

You have rights under Bermuda's Personal Information Protection Act 2016, including the right to access, correct, and request deletion of your personal information. Complaints may be directed to our Privacy Officer at legal@semlr.com or to Bermuda's Office of the Privacy Commissioner at privacy.bm.

California Residents (CCPA / CPRA)

As a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you.

  • Right to delete: request deletion of personal information we hold about you, subject to certain exceptions.

  • Right to correct: request correction of inaccurate personal information.

  • Right to opt out of sale or sharing: we do not sell or share your personal information. We will honour any opt-out request, including via Global Privacy Control (GPC) signals.

  • Right to limit use of sensitive personal information: we do not collect sensitive personal information beyond what is necessary for the Services.

  • Right to non-discrimination: we will never treat you differently for exercising your privacy rights.

To submit a California privacy request, email legal@semlr.com with the subject line "California Privacy Request."

How to Exercise Your Rights

Contact our Privacy Officer at legal@semlr.com with your request. We will respond within 30 days (or the timeframe required by applicable law). We may need to verify your identity before processing your request. There is no fee for making a request.

10. International Data Transfers

Semlr serves users around the world, so your data may be transferred to and processed in countries other than the one where you live, including the United Kingdom, the United States, and other countries where our service providers operate.

For transfers of personal data from the EEA or UK to countries without an adequacy decision, we rely on approved safeguards including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission; and

  • the UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs, as applicable.

For transfers from Bermuda to overseas recipients, Semlr ensures that those parties provide a comparable level of protection to that required under PIPA, typically through contractual mechanisms or reliance on recognised adequacy standards.

Questions about international transfers? Contact our Privacy Officer at legal@semlr.com.

11. How We Protect Your Data

We take security seriously and apply the principle of least privilege — only people who genuinely need access to your data have it. Our safeguards include:

  • encryption of data in transit using TLS;

  • encryption of Content at rest;

  • role-based access controls limiting internal access to personal data;

  • regular security reviews and vulnerability assessments;

  • dedicated server infrastructure for Semlr data at our third-party hosting provider; and

  • incident response procedures to detect, contain, and remediate security events.

No system is completely immune to attack. We work hard to protect your data, but we cannot guarantee absolute security. You are responsible for keeping your own account credentials secure — please use a strong, unique password and enable multi-factor authentication where available.

If you suspect your account has been compromised, contact us immediately at support@semlr.com.

Data Breach Notification

If we become aware of a security breach that is likely to affect your personal data, we will notify you and applicable regulators as required by law — including within 72 hours under GDPR and as soon as reasonably practicable under PIPA and applicable U.S. state laws. We will also take immediate steps to contain and remediate the issue and keep you informed.

12. Children's Privacy

Our Services are not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a child, please contact our Privacy Officer at legal@semlr.com and we will delete it promptly. We comply with the Children's Online Privacy Protection Act (COPPA) and equivalent laws in other jurisdictions.

13. Third-Party Services and Links

Our website and Services may contain links to third-party websites or integrate with third-party tools and platforms (such as Google or LinkedIn). This Privacy Policy applies only to our Services. Once you leave our platform or interact with a third-party service, that third party's privacy policy governs. We encourage you to review those policies before sharing any personal information.

We store your Content with reputable third-party cloud hosting providers whose infrastructure is contractually bound to maintain appropriate security and confidentiality standards. We review our hosting partners' security practices regularly.

14. Enterprise Customers and Data Processing Agreements

If your organisation uses our Services under an enterprise or business agreement, a separate Data Processing Agreement (DPA) may govern the processing of personal data on your behalf. In the event of any conflict between this Privacy Policy and a signed DPA, the DPA controls with respect to that enterprise relationship.

Enterprise DPAs may include custom data retention terms, expanded data portability rights, additional security commitments, and other terms tailored to your organisation's compliance requirements (including GDPR Article 28, CCPA service provider agreements, or PIPA data sharing provisions).

If your organisation requires a DPA, contact our Privacy Officer at legal@semlr.com.

15. Dispute Resolution

If you have a privacy concern or complaint that we have not resolved to your satisfaction, you have the right to contact your applicable data protection authority (see Section 9 for details by region).

Any dispute arising out of this Privacy Policy that is not resolved informally is subject to the dispute resolution provisions of our Terms of Service, including mandatory binding individual arbitration seated in Wilmington, Delaware, under the laws of the State of Delaware.

This Policy does not create rights beyond those required by applicable privacy law. The limitation of liability and indemnification provisions in our Terms of Service apply to claims arising under this Privacy Policy to the maximum extent permitted by applicable law.

16. Our Commitment as a Corporate Citizen

‘`We believe that good privacy practice and good business practice go hand in hand. Here is how we try to live that out:

  • Privacy by design: we consider privacy implications when we build new features, before we build them, not as an afterthought.

  • Data minimisation: we collect only the personal data we actually need. If we don't need it to run the Services, we don't collect it.

  • Transparency: we write our policies in plain language. If you can't understand what we do with your data, we haven't done our job.

  • Accountability: our Privacy Officer and leadership team are personally responsible for our privacy programme.

  • Vendor diligence: we vet the privacy and security practices of our third-party providers before we work with them and monitor them on an ongoing basis.

  • No dark patterns: we do not use manipulative design or confusing interfaces to trick you into sharing more data than you intend to.

We are a global company and we take our obligations to users and to the broader world seriously. We will continue to improve our privacy practices as laws, technology, and expectations evolve.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page. For significant changes — such as changes to what data we collect, how we use it, or whom we share it with — we will provide reasonable advance notice via email or an in-platform notification before the change takes effect.

Your continued use of the Services after the effective date of any revised Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, please stop using the Services and contact us at legal@semlr.com to request deletion of your data.

18. Contact Us

We love hearing from our users — especially on something as important as privacy. If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, please get in touch:

Privacy Officer: Akiva Elias, COO

Email: legal@semlr.com

Support: support@semlr.com

Websites: semlr.com  |  slidexchange.com

We will respond to all privacy-related requests within 30 days, or within the timeframe required by applicable law. Thank you for trusting us with your data — we do not take that trust lightly.