Sey C Solution
Effective 1 May 2026 · Version 1.0

Privacy policy.

What we collect, why we collect it, how we look after it, and what control you have. Written to be readable, drafted to be defensible.

01

About us

Sey C Solution (“we,” “us,” “our,” or the “Studio”) is a sole proprietorship operated by Christian Dodin, based at Anse Boileau, Mahé, Republic of Seychelles. We design, develop, and ship websites, brand identities, AI systems, and search-led growth programmes for businesses across Seychelles, East Africa, and beyond. We also operate our own products — SeyFind (seyfind.com) and SeyTax (seytax.seycsolution.com).

This Privacy Policy explains how we collect, use, share, store, and protect personal data when you visit our marketing website at seycsolution.com, contact us, engage us for services, or subscribe to communications from us.

Sey C Solution is the data controller for the purposes of the Seychelles Data Protection Act, 2023, the EU General Data Protection Regulation (GDPR), the United Kingdom GDPR, and equivalent state-level privacy laws in the United States including the California Consumer Privacy Act and California Privacy Rights Act (CCPA / CPRA).

02

Scope

In short — This Policy covers visitors, prospective clients, active clients, and subscribers. If you’re using our products, see their own policies.

This Policy applies to all personal data we process about:

  • Visitors to our marketing website
  • Prospective clients who contact us about a potential engagement
  • Active and former clients with whom we have, or have had, a written services agreement
  • Subcontractors, suppliers, and partners we work with
  • Subscribers to our communications

It does not cover personal data processed within our products. SeyFind and SeyTax each maintain separate privacy policies tailored to their specific data handling. The controller remains Sey C Solution in all cases, but the specific processing activities are governed by those products’ own policies.

03

Data we collect

In short — The categories of data depend on how you interact with us. For most visitors: very little. For clients on an engagement: as much as the project legitimately requires.

3.1 Marketing website visitors

Collected automatically when you visit seycsolution.com:

  • IP address (for security, rate limiting, and abuse prevention)
  • User-agent string, browser, device type, and operating system
  • Pages visited and the referring URL
  • Date and time of access

We currently do not deploy third-party advertising trackers or marketing pixels on seycsolution.com. If we add analytics in the future, we will obtain consent where required and update this Policy.

3.2 People who contact us

When you submit our contact form, email us, or message us via WhatsApp or phone, we collect:

  • Name
  • Email address
  • Company or organisation name (optional)
  • Project type and budget range
  • Message content and any files or links you attach
  • Date and time of contact

3.3 Active clients (service engagements)

Once we begin a paid engagement under a written agreement, we may additionally process:

  • Billing and payment details (handled by our payment processors — we do not store full card data)
  • Access credentials and authorisation tokens you provide to client systems (CMS, hosting, analytics, cloud accounts) for the purpose of delivering services. These are held under appropriate access controls and revoked at the end of the engagement
  • Content provided for use in deliverables — text, images, brand assets, business data
  • Names and contact details of stakeholders authorised to give instructions on your behalf
  • Project-related correspondence

3.4 Subscribers

If you opt in to receive communications from us, we collect your email address, a consent record (date, time, and source of consent), and engagement signals (opens, clicks) used for measurement.

3.5 Special category data

We do not knowingly collect special category personal data under GDPR Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning sexual orientation). If you provide such data in a message to us, we will process it only to respond and will delete it as soon as is reasonably practicable.

04

Lawful bases (GDPR / UK GDPR)

In short — We always have a lawful reason to process your data. Here are the reasons we rely on.

We rely on the following lawful bases under Article 6 of the GDPR and the UK GDPR:

Responding to your enquiry
Pre-contractual measures (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f))
Delivering services under an agreement
Performance of a contract (Art. 6(1)(b))
Sending marketing or newsletter communications
Consent (Art. 6(1)(a))
Website security, fraud prevention, and abuse mitigation
Legitimate interests (Art. 6(1)(f))
Business records and meeting tax / accounting obligations
Legal obligation (Art. 6(1)(c))
Defending or pursuing legal claims
Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have conducted a balancing assessment and concluded that our interests do not override your rights and freedoms. You may object to legitimate-interests-based processing at any time (see Section 11).

05

How we use data

In short — Only to do what you asked, run our business legally, and keep things secure. We never sell your data.

  • Service delivery — responding to enquiries, scoping and delivering projects, billing, and support
  • Communication — replies, project updates, contract management, and notifications about material changes
  • Security & integrity — preventing fraud, abuse, denial-of-service, and spam; investigating incidents
  • Improvement — internal analytics about how our website and service workflows perform
  • Marketing (with consent) — newsletters, occasional updates, and event invitations
  • Legal — complying with tax, accounting, regulatory, and recordkeeping obligations; protecting our rights
  • Business operations — recordkeeping; due diligence in connection with a merger, acquisition, or business transfer (with notice to you)

We do not:

  • Sell, rent, or trade personal data
  • Use personal data for automated decision-making with legal or similarly significant effects without explicit human oversight (GDPR Article 22)
  • Use personal data submitted to us to train third-party AI models without your consent
06

AI and automated processing

In short — We use AI in our own workflows and some deliverables. We don’t let third parties train on your data, and a human reviews everything we deliver.

We use artificial intelligence (including large language models from third parties such as Anthropic and OpenAI) in our internal workflows and in some service deliverables. When we do:

  • We configure provider integrations to ensure your data is not used to train third-party AI models, where the provider supports this control (Anthropic and OpenAI both offer enterprise / API contracts that exclude training on inputs).
  • We minimise the personal data sent to AI providers — we redact, summarise, or aggregate where possible.
  • AI outputs in deliverables are reviewed by a human before they reach you.
  • We do not use AI to make automated decisions with legal or similarly significant effects about you.

If a specific engagement involves substantial AI processing of your data, we will describe it in the engagement letter and obtain your explicit instructions before proceeding.

07

Cookies and similar technologies

In short — Only essential cookies on the marketing site. No advertising trackers, no fingerprinting. If we ever add analytics, we’ll show you a banner first.

The marketing site uses only essential cookies and similar storage necessary for it to function:

  • Security and rate-limiting tokens (Cloudflare) — set to protect against abuse of the contact form and other endpoints. Expires when no longer needed.
  • Session / state tokens for any in-page functionality you opt into.

We do not currently use analytics, marketing, or advertising cookies on this website. If we add analytics or marketing trackers, we will display a cookie consent banner meeting EU ePrivacy Directive and Seychelles DPA standards, and we will not load non-essential cookies until you consent.

You can control cookies through your browser settings. Disabling essential cookies may prevent parts of the site from functioning.

08

Third parties who process data

In short — A small set of trusted providers. Each is contractually bound to confidentiality and to processing only on our instructions.

Cloudflare, Inc. (US)
Edge hosting, CDN, DDoS protection, rate limiting
Bunny.net / BunnyWay d.o.o. (Slovenia)
Image and asset CDN
Resend, Inc. (US)
Transactional email delivery (contact-form replies, project communications)
Supabase, Inc. (US; data hosted in Mumbai, India)
Database hosting for product back-ends
GitHub, Inc. (Microsoft) (US)
Source code hosting and project tracking
Anthropic, PBC (US)
AI processing (Claude API) for select internal workflows and approved client deliverables
Google LLC (US / EU)
Google Workspace (email, calendar, documents) where used in our operations

We update this list when our processors change. If you would like a current copy of our processor list (a GDPR Article 30 record), contact us.

09

International data transfers

In short — Some of your data may leave Seychelles. We rely on standard contractual clauses and additional safeguards to keep it protected.

Sey C Solution is based in Seychelles. Data we process may be transferred to and stored in other jurisdictions, including:

  • India (Supabase database hosting)
  • United States (multiple service providers above)
  • European Union and United Kingdom (some Google Workspace data)
  • Globally distributed CDN locations

For transfers from the EU / EEA / UK to jurisdictions without an adequacy decision (including the US), we rely on:

  • The European Commission’s Standard Contractual Clauses (SCCs) and the UK Addendum
  • The provider’s own approved transfer mechanisms (for example, the EU–US Data Privacy Framework where the provider is certified)
  • Supplementary measures including encryption in transit and at rest and role-based access controls

For transfers from Seychelles, we ensure recipient jurisdictions provide a comparable level of protection as required by the Seychelles Data Protection Act, 2023, or we obtain your consent.

10

Data retention

In short — We keep data only as long as we need to, and no longer. Periods are set out below.

Contact-form submissions and pre-engagement correspondence
24 months from last contact, unless the engagement converts
Active engagement files and client correspondence
Duration of engagement + 7 years (Seychelles tax / accounting requirements)
Billing and tax records
7 years (Seychelles statutory requirement)
Subscriber lists
Until you unsubscribe + reasonable record of consent
Server logs and security events
Up to 12 months
Closed product accounts (SeyFind / SeyTax)
90 days then deleted (see product policies)

After retention periods elapse, we securely delete or irreversibly anonymise data.

11

Your rights

In short — You have meaningful control over your data. Email us and we’ll respond within 30 days — usually within a week.

11.1 Under the Seychelles DPA 2023, GDPR, and UK GDPR

  • Access — receive confirmation of what data we hold about you and a copy of it
  • Rectification — correct inaccurate or incomplete data
  • Erasure (“right to be forgotten”) — request deletion subject to legal and legitimate-interest exceptions
  • Restriction — limit how we process your data in specific circumstances
  • Portability — receive a structured, commonly used, machine-readable copy of data you provided to us
  • Objection — object to processing based on legitimate interests, including profiling and direct marketing
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing
  • Not be subject to solely automated decisions producing legal or similarly significant effects
  • Lodge a complaint with a supervisory authority (see Section 17)

11.2 Additionally, under the CCPA / CPRA (California residents)

  • The right to know what personal information is collected, used, shared, or sold
  • The right to delete personal information held about you
  • The right to opt out of the sale or sharing of personal information (we do not engage in either)
  • The right to correct inaccurate personal information
  • The right to limit use of sensitive personal information
  • The right to non-discrimination for exercising your rights

We do not “sell” personal information as that term is defined under the CCPA / CPRA, and we do not share personal information for cross-context behavioural advertising.

11.3 How to exercise your rights

Email support@seycsolution.com with the heading “Privacy Request” and a description of what you would like to do. We will respond within 30 days (often within 7 business days). If we cannot grant a request in whole or in part, we will explain why and inform you of your right to complain.

We may need to verify your identity before acting on a request.

12

Security

In short — Industry-standard technical and organisational safeguards. Not perfect; nothing is. Contact us immediately if you suspect anything is off.

  • Encryption — TLS 1.2+ for data in transit; AES-256 at rest where supported by our providers
  • Access controls — role-based access; least privilege; multi-factor authentication on all administrative accounts
  • Network protection — Cloudflare WAF, DDoS mitigation, IP rate limiting
  • Secrets handling — credentials stored in encrypted secret managers, never in source code
  • Backups — automated daily encrypted backups with tested recovery procedures (for product databases)
  • Monitoring — log review and anomaly detection
  • Vendor management — Data Processing Agreements with all processors; periodic review
  • Training — Christian and any contractors are briefed on data handling before engagement

No system is perfectly secure. If you suspect unauthorised access to data we hold about you, contact us immediately at support@seycsolution.com.

13

Data breach notification

If a personal data breach is likely to result in a risk to the rights and freedoms of affected individuals, we will:

  • Notify the relevant supervisory authority (the Seychelles Information Commissioner, and others as required) within 72 hours of becoming aware of the breach, as required by the Seychelles DPA 2023 and GDPR Article 33
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)

Notifications will include the nature of the breach, likely consequences, measures taken or proposed, and a contact point for further information.

14

Children’s privacy

This website and our services are not directed at children. We do not knowingly collect personal data from:

  • Children under 16 in the European Union (or the relevant lower age set by an EU / EEA Member State)
  • Children under 13 in the United States (under the Children’s Online Privacy Protection Act, COPPA)
  • Children under 18 in Seychelles, who cannot lawfully enter binding contracts

If you believe we have inadvertently collected personal data from a child, contact us immediately at support@seycsolution.com and we will delete it without undue delay.

15

Aggregated and anonymised data

We may aggregate or anonymise personal data so that it can no longer be associated with you. Once data is irreversibly anonymised, it is no longer “personal data” and we may use it for any lawful purpose, including improving our services, internal analytics and benchmarking, publishing case studies and statistics (without identifying you), and training internal models on patterns — never on identifiable client data without consent.

16

External links

Our website links to third-party sites (including our own products’ marketing pages, client work, and informational resources). We are not responsible for the privacy practices or content of external sites. We recommend reviewing their policies before providing personal data.

17

Supervisory authorities

In short — If you’re ever unhappy with how we’ve handled your data, talk to us first. If we can’t resolve it together, here’s where to escalate.

Seychelles
Seychelles Information Commissioner, Victoria, Mahé
European Union / EEA
Your national data protection authority (a directory is at edpb.europa.eu)
United Kingdom
Information Commissioner’s Office, ico.org.uk
California, USA
California Privacy Protection Agency, cppa.ca.gov

We encourage you to contact us first at support@seycsolution.com so we can try to resolve any concern directly.

18

Changes to this policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the “Last updated” date at the top
  • For material changes, we will provide notice through the website and, where we have your email, by direct notification at least 30 days in advance of the change taking effect
  • Continued use of our website or services after a change takes effect constitutes acceptance of the updated Policy

Previous versions are available on request.

19

Contact

Sey C Solution
Christian Dodin, Proprietor
Anse Boileau, Mahé, Republic of Seychelles

Privacy enquiries: support@seycsolution.com
General: support@seycsolution.com
WhatsApp: +248 281 7224

We respond to most privacy requests within 7 business days, and always within the 30-day statutory window.

Effective 1 May 2026 · Last updated 26 May 2026 · Version 1.0
© 2026 Sey C Solution. All rights reserved.