DATAPHER AI

Website Privacy Policy

Datapher ai (Datapher AI Limited)

Version: 28.10.2024

We, Datapher AI Limited, a company incorporated and existing under the laws of England and Wales, with registration number 15532682, with its registered office at 25 Eccleston Place Victoria, London SW1W 9NF, England, represented by Roma Singhal, Chief Business Officer (“Company”, “we”, “our” or “us”) take your privacy very seriously. Please read this Privacy Policy carefully as it contains important information on how and why we collect, store, use and share any personal data relating to you in connection with your use of our services. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

We collect, use and are responsible for certain personal data about you. We are the controller of personal data obtained when you register on our website, place an order, subscribe to our newsletter, respond to a survey, or fill out a form, meaning we are the organisation legally responsible for deciding how and for what purposes it is used.

When we do so we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer in the European Economic Area (EEA).

This Privacy Policy is divided into the following sections:

Introduction;
Definitions;
Scope (What this policy applies to);
Data protection principles;
Basis for processing personal data;
Personal data we collect about you;
How your personal data is collected;
How and why we use your personal data;
Marketing;
Who we share your personal data with;
Where Will We Store the Data;
How long your personal data will be kept;
Cookies;
Documentation and records;
Data subject (individual) rights;
Data subject (individual) obligations;
Information security;
Data breaches;
International transfers;
Training;
Consequences of failing to comply;
Changes to this Privacy Policy;
How to complain.

1. Introduction

1.1. The Company obtains, keeps and uses personal data (also referred to as personal information) for a number of specific lawful purposes, as set out in this Privacy Policy concerning various data subjects.

1.2. This Privacy Policy sets out how we comply with our data protection obligations and seek to protect personal data relating to our workforce. Its purpose is also to ensure that our staff and our clients understand and comply with the rules governing the collection, use and deletion of personal data to which they may have access in the course of their work.

1.3. We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal data relating to our workforce, and how (and when) we delete that data once it is no longer required.

2. Definitions

3. Scope (What this policy applies to)

This Privacy Policy applies to the personal data of individuals who interact with our website, including but not limited to website visitors, individuals who contact the Company through any communication channels, and those who subscribe to our updates or services.

4. Data protection principles

4.1. The Company will comply with the following data protection principles when processing personal data:

4.1.1. we will process personal data lawfully, fairly and in a transparent manner;

4.1.2. we will collect personal data for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;

4.1.3. we will only process the personal data that is adequate, relevant and necessary for the relevant purposes;

4.1.4. we will keep accurate and up to date personal data, and take reasonable steps to ensure that inaccurate personal data are deleted or corrected without delay;

4.1.5. we will keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and

4.1.6. we will take appropriate technical and organisational measures to ensure that personal data are kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

5. Basis for processing personal data

5.1. In relation to any processing activity we will, before the processing starts for the first time, and then regularly while it continues:

5.1.1. review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing, i.e.:

(a) that the data subject has consented to the processing;

(b) that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(d) that the processing is necessary for the protection of the vital interests of the data subject or another natural person;

(e) that the processing is necessary for the purposes of legitimate interests of the Company or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the data subject – see paragraph 5.2 below.

5.1.2. except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e., that there is no other reasonable way to achieve that purpose);

5.1.3. document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;

5.1.4. include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);

5.1.5. where 'special category data is processed, also identify a lawful special condition for processing that data (see paragraph 6.3.2 below), and document it; and

5.1.6. where criminal records data is processed, also identify a lawful condition for processing that data, and document it.

5.2. When determining whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will:

5.2.1. conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that we can justify our decision;

5.2.2. if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);

5.2.3. keep the LIA under review, and repeat it if circumstances change; and

5.2.4. include information about our legitimate interests in our relevant privacy notice(s).

6. Personal data we collect about you

6.1. The personal data we collect about you depends on the particular activities carried out through our website. We will collect and use the following personal data about you:

title;
first name;
last name;
e-mail address;
mailing address;
information to check and verify your identity, e.g., date of birth;
your gender, if you choose to give this to us;
phone number;
your billing information, transaction and payment card or other payment method information;
bank account and payment details;
details of any information, feedback or other matters you give to us by phone, email, post or via social media;
your use of our services;
information about the services we provide to you;
information about how you use our website and technology systems; your responses to surveys, competitions and promotions.

6.2. Sometimes you can choose if you want to give us your personal data and let us use it. Where that is the case, we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on use of our services.

6.3. Special category data. Special category data is sometimes referred to as ‘sensitive personal data’ or ‘sensitive personal information’. We may from time to time need to process special category data. We will only process special category data if:

6.3.1. we have a lawful basis for doing so as set out in paragraph 5.1.1 above, e.g., it is necessary for the performance of the contract or to comply with our legal obligations; and

6.3.2. one of the special conditions for processing special category data applies, e.g.:

(a) the data subject has given explicit consent;

(b) the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable (c) of giving consent;

(d) processing relates to personal data which are manifestly made public by the data subject;

(e) the processing is necessary for the establishment, exercise or defense of legal claims; or

(f) the processing is necessary for reasons of substantial public interest.

6.4. Special category data will not be processed until:

6.4.1. the assessment referred to in paragraph 6.3 has taken place; and

6.4.2. the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

7. How your personal data is collected

7.1. We collect personal data from you:

directly, when you enter or send us information, such as when you fill in the contact form on our website, communicate with us, contact us (including via email), send us feedback, purchase services via our website, post material to our website and complete customer surveys, and
indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in the section ‘Cookies’ below and Website Cookie Policy as may be amended from time to time.

8. How and why we use your personal data

8.1. Under data protection law, we can only use your personal data if we have a proper reason, e.g.:

where you have given consent;
to comply with our legal and regulatory obligations;
for the performance of a contract with you or to take steps at your request before entering into a contract; or
for our legitimate interests or those of a third party.

8.2. A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see section ‘How to contact us’ below).

8.3. The table below explains what we use your personal data for and why.

9. Marketing

9.1. We will use your personal data to send you updates (by email, text message, telephone or post) about our services, including exclusive offers, promotions or information on new products and/or services.

9.2. We have a legitimate interest in using your personal data for marketing purposes (see section ‘How and why we use your personal data’ above). This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

9.3. You have the right to opt out of receiving marketing communications at any time by:

9.4. contacting us at info@datapher.ai;

9.5. using the ‘unsubscribe’ link in emails; or

9.6. updating your marketing preferences on our website.

9.7. We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.

9.8. For more information on your right to object at any time to your personal data being used for marketing purposes, see section ‘Data subject (individual) rights’ below.

10. Who we share your personal data with

10.1. We routinely share or are planning to share personal data with:

payment service providers;

other third parties we use to help us run our business, e.g., website hosts and website analytics providers;

10.2. online services, online media and social media platforms and similar organisations where we might run our marketing campaigns. We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data.

10.3. We or the third parties mentioned above occasionally also share personal data with:

our and their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations.

11. Where Will We Store the Data?

11.1. Personal data (and special category data) will be kept securely in accordance with this Privacy Policy.

11.2. Personal data (and special category data) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.

11.3. We store all our customer and lead data using the following trusted services:

Google Cloud;
Snowflake; and
MongoDB.

11.4. These storage providers are selected for their commitment to data security and compliance with data protection regulations. While we rely on these reputable services to handle your data, we do not directly control their security measures.

12. How long your personal data will be kept

12.1. Personal data (and special category data) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal data was obtained.

12.2. Different retention periods apply for different types of personal data. All data retention practices will comply with GDPR and UK GDPR requirements.

13. Cookies

13.1. A cookie is a small text file which is placed onto your device (e.g., computer, smartphone or other electronic device) when you use our website. We use cookies on our website.

13.2. We use cookies to help us remember and process the items in your shopping cart, understand and save your preferences for future visits and compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

13.3. For more detailed information about the cookies used on our platform and how they function, please refer to our Website Cookie Policy.

14. Documentation and records

14.1. We will keep written records of processing activities which are high risk, i.e., which may result in a risk to individuals’ rights and freedoms or involve special category data or criminal records data, including:

14.1.1. the purposes of the processing;

14.1.2. a description of the categories of individuals and categories of personal data;

14.1.3. categories of recipients of personal data;

14.1.4. where possible, retention schedules; and

14.1.5. where possible, a description of technical and organisational security measures.

14.2. As part of our record of processing activities we document, or link to documentation, on:

14.2.1. information required for privacy notices;

14.2.2. records of consent;

14.2.3. controller-processor contracts;

14.2.4. the location of personal data;

14.2.5. DPIAs; and

14.2.6. records of data breaches.

14.3. If we process special category data or criminal records data, we will keep written records of:

14.3.1. the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;

14.3.2. the lawful basis for our processing; and

14.3.3. whether we retain and erase the personal data in accordance with our policy document and, if not, the reasons for not following our policy.

14.4. We will conduct regular reviews of the personal data we process and update our documentation accordingly.

15. Data subject (individual) rights

15.1. You (in common with other data subjects) have the following rights in relation to your personal data:

15.1.1. to be informed about how, why and on what basis that data is processed;

15.1.2. to obtain confirmation that your data is being processed and to obtain access to it and certain other information, by making a data subject access request;

15.1.3. to have data corrected if it is inaccurate or incomplete;

15.1.4. to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’);

15.1.5. to restrict the processing of personal data where the accuracy of the data is contested, or the processing is unlawful (but you do not want the data to be erased), or where the employer no longer needs the personal data but you require the data to establish, exercise or defend a legal claim; and

15.1.6. to restrict the processing of personal data temporarily where you do not think it is accurate (and the employer is verifying whether it is accurate), or where you have objected to the processing (and the employer is considering whether the organisation’s legitimate grounds override your interests).

15.2. If you wish to exercise any of the rights in paragraphs 8.1.3 to 8.1.6. please contact Roma Singhal, Chief Business Officer at info@datapher.ai.

16. Data subject (individual) obligations

16.1. Individuals are responsible for helping the Company keep their personal data up to date. You should let us know if the data you have provided to the Company changes.

16.2. You may have access to the personal data of other members of staff and suppliers of the Company in the course of your engagement. If so, the Company expects you to help meet its data protection obligations to those individuals. For example, you should be aware that they may also enjoy the rights set out in paragraph 15.1above.

16.3. If you have access to personal data, you must:

16.3.1. only access the personal data that you have authority to access, and only for authorised purposes;

16.3.2. only allow other Company staff to access personal data if they have appropriate authorisation;

16.3.3. only allow individuals who are not Company staff to access personal data if you have specific authority to do so from Roma Singhal, Chief Business Officer;

16.3.4. keep personal data secure (e.g., by complying with rules on access to premises, computer access, password protection and secure file storage and destruction;

16.3.5. not remove personal data, or devices containing personal data (or which can be used to access it), from the Company’s premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the data and the device; and

16.3.6. not store personal data on local drives or on personal devices that are used for work purposes.
16.4. You should contact Roma Singhal, Chief Business Officer if you are concerned or suspect that one of the following has taken place (or is taking place or likely to take place):

16.4.1. processing of personal data without a lawful basis for its processing or, in the case of special category data, without one of the conditions in paragraph 6.3.2 being met;

16.4.2. any data breach as set out in this Privacy Policy and applicable laws;

16.4.3. access to personal data without the proper authorisation;

16.4.4. personal data not kept or deleted securely;

16.4.5. removal of personal data, or devices containing personal data (or which can be used to access it), from the Company’s premises without appropriate security measures being in place;

16.4.6. any other breach of this policy or of any of the data protection principles set out in paragraph 4.1 above.

17. Information security

17.1. The Company will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:

17.1.1.making sure that, where possible, personal data is pseudonymised or encrypted;

17.1.2.ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

17.1.3.ensuring that, in the event of a physical or technical incident, availability and access to personal data can be restored in a timely manner; and

17.1.4.a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

17.1.5.pseudonymisation and encryption of personal data;

17.1.6.ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

17.1.7.ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

17.1.8.ensuring protection of personal data during transmission;

17.1.9.ensuring protection of personal data during storage;

17.1.10.ensuring physical security of locations at which personal data are processed;

17.1.11.ensuring access controls, including role-based access and least privilege principles;

17.1.12.ensuring secure disposal of personal data and equipment used to process personal data;

17.1.13.conducting personnel training and awareness programs on data protection and security;

17.1.14.ensuring third-party compliance with data protection standards when personal data is shared or processed by subcontractors;

17.1.15.encryption of backups and their secure storage;

17.1.16.monitoring and responding to unauthorized access attempts and anomalies in data processing;

17.1.17.implementing data minimization principles, ensuring only necessary data is collected and processed;

17.1.18.maintaining up-to-date software and applying security patches promptly; 17.1.19.securing endpoints, including laptops, mobile devices, and other portable media;

17.1.20.ensuring network security, including firewalls, intrusion detection/prevention systems, and secure network architecture;

17.1.21.segregation of duties to prevent conflicts of interest and reduce the risk of unauthorized access;

17.1.22.ensuring secure configuration and management of cloud services used to process personal data;

17.2. Where the Company uses external organisations to process personal data on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal data. In particular, contracts with external organisations must provide that:

17.2.1.the organisation may act only on the written instructions of the Company;

17.2.2.those processing the data are subject to a duty of confidence;

17.2.3.appropriate measures are taken to ensure the security of processing;

17.2.4.sub-contractors are only engaged with the prior consent of the Company and under a written contract;

17.2.5.the organisation will assist the Company in providing subject access and allowing individuals to exercise their rights in relation to data protection;

17.2.6.the organisation will assist the Company in meeting its obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;

17.2.7.the organisation will delete or return all personal data to the Company as requested at the end of the contract; and

17.2.8.the organisation will submit to audits and inspections, provide the Company with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Company immediately if it is asked to do something infringing data protection law.

18. Data breaches

18.1. A data breach may take many different forms, for example:

18.1.1.loss or theft of data or equipment on which personal data is stored;

18.1.2.unauthorised access to or use of personal data either by a member of staff or third party;

18.1.3.loss of data resulting from an equipment or systems (including hardware and software) failure;

18.1.4.human error, such as accidental deletion or alteration of data; 18.1.5.unforeseen circumstances, such as a fire or flood;

18.1.6.deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and

18.1.7.‘blagging’ offences, where data is obtained by deceiving the organisation which holds it.

18.2. The Company will:

18.2.1.make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and

18.2.2.notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.

19. International transfers

19.1. The Company may transfer personal data outside the UK on the basis that that country, territory or organisation is designated as having an adequate level of protection or that the organisation receiving the data has provided adequate safeguards by way of binding corporate rules, standard data protection clauses, or of compliance with an approved code of conduct.

20. Training

20.1. The Company will ensure that staff are adequately trained regarding their data protection responsibilities. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

21. Consequences of failing to comply

21.1. The Company takes compliance with this policy very seriously. Failure to comply with the policy:

21.1.1.puts at risk the individuals whose personal data is being processed; and

21.1.2.carries the risk of significant civil and criminal sanctions for the individual and the Company; and

21.1.3.may, in some circumstances, amount to a criminal offence by the individual.

21.2. Because of the importance of this policy, an employee’s failure to comply with any requirement of it may lead to disciplinary action under our procedures, and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.

21.3. If you have any questions or concerns about anything in this policy, do not hesitate to contact Roma Singhal, Chief Business Officer.

22. Changes to this Privacy Policy

22.1. We may change this Privacy Policy from time to time at our sole and absolute discretion. The up-to-date version will be available on our website, and the date of the version will be included in the notice at the beginning of the Privacy Policy published on the website.

23. How to contact us and how to complain

23.1. Roma Singhal, Chief Business Officer is responsible for data protection compliance within the Company. If you have any questions or comments about the content of this policy or if you need further information, you should contact us via tinfo@datapher.ai.

23.2. You also have the right to lodge a complaint with the Information Commissioner in the UK and/or a relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA.

23.3. The UK’s Information Commissioner may be contacted using the details at https://ico.org.uk/ make-a-complaint or by telephone: 0303 123 1113.

23.4. For a list of EEA data protection supervisory authorities and their contact details see here.

24. Consent

2By accessing or using our website(s), you agree to the terms outlined in this Privacy Policy. Your use of our website(s) signifies your acceptance of the policies and practices described herein. If you do not agree with any part of this Privacy Policy, please discontinue use of the website(s). Your continued use of the website constitutes your acceptance of any changes or updates to the Privacy Policy.