Data Protection Policy

1. Introduction

Datapher AI Limited ("the Company") is committed to protecting the personal data of its customers, clients, employees, and all other stakeholders in compliance with the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This policy outlines how the Company collects, uses, stores, and protects personal data.

2. Purpose

The purpose of this policy is to ensure that the Company processes personal data fairly, lawfully, and transparently. It also ensures that the Company upholds the rights of data subjects and complies with all applicable data protection laws.

3. Scope

This policy applies to all employees, contractors, and third parties who handle personal data on behalf of the Company. It covers all personal data processed by the Company, whether in electronic or paper form.

4. Data Protection Principles

The Company adheres to the following principles when processing personal data:

  1. Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.

  2. Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  3. Data Minimization: Personal data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

  4. Accuracy: Personal data will be accurate and, where necessary, kept up to date. Inaccurate personal data will be corrected or deleted without delay.

  5. Storage Limitation: Personal data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.

  6. Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

 

5. Legal Basis for Processing

The Company will only process personal data where there is a lawful basis to do so, including:

  • The data subject has given consent.

  • Processing is necessary for the performance of a contract.

  • Processing is necessary to comply with a legal obligation.

  • Processing is necessary to protect the vital interests of the data subject or another person.

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

  • Processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

 

6. Data Subject Rights

The Company recognizes and upholds the rights of data subjects, including:

  • Right to be informed: Data subjects have the right to be informed about the collection and use of their personal data.

  • Right of access: Data subjects have the right to access their personal data and obtain information about how it is being processed.

  • Right to rectification: Data subjects have the right to have inaccurate personal data corrected or completed if it is incomplete.

  • Right to erasure: Data subjects have the right to request the deletion of their personal data in certain circumstances.

  • Right to restrict processing: Data subjects have the right to request the restriction or suppression of their personal data in certain circumstances.

  • Right to data portability: Data subjects have the right to obtain and reuse their personal data across different services.

  • Right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances.

  • Rights related to automated decision-making and profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them.

 

7. Data Collection and Use

The Company will only collect personal data that is necessary for the purposes specified in this policy or as otherwise required by law. The types of personal data collected may include, but are not limited to:

  • Contact information (e.g., name, email address, phone number)

  • Financial information (e.g., bank details, transaction history)

  • Identification information (e.g., passport number, national insurance number)

  • Usage data (e.g., IP address, browser type, interaction with our software)

Personal data will be used solely for the purposes for which it was collected, and the Company will ensure that all data processing activities are lawful.

 

8. Data Security

The Company will implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage. These measures include:

  • Encryption of personal data at rest and in transit.

  • Access controls to limit access to personal data to authorized personnel only.

  • Regular security assessments and audits.

  • Secure storage solutions for physical and electronic data.

  • Regular employee training on data protection and security practices.

9. Data Retention and Deletion

Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Once personal data is no longer needed, it will be securely deleted or anonymized.

 

10. Data Breach Response

In the event of a data breach, the Company will promptly assess the situation and take appropriate actions to mitigate the impact. This includes:

  • Containing and managing the breach.

  • Investigating the cause of the breach and preventing recurrence.

  • Notifying affected individuals and the Information Commissioner’s Office (ICO) within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals.

 

11. Third-Party Data Processing

The Company may engage third-party service providers to process personal data on its behalf. These third parties will be required to comply with the Company’s data protection policies and ensure the security of personal data. The Company will enter into Data Processing Agreements (DPAs) with all third-party processors.

 

12. International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), the Company will ensure that appropriate safeguards are in place to protect the data in accordance with GDPR requirements. This may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Binding Corporate Rules (BCRs).

  • Certification under an approved certification mechanism (e.g., the EU-U.S. Privacy Shield, if applicable).

 

13. Compliance and Monitoring

The Company will regularly review and update this policy to ensure compliance with data protection laws and best practices. Compliance will be monitored through regular audits, and any non-compliance will be addressed promptly.

 

14. Roles and Responsibilities

  • Data Protection Officer (DPO): The Company will appoint a Data Protection Officer (if applicable) to oversee compliance with this policy and data protection laws.

  • Employees: All employees are responsible for adhering to this policy and protecting personal data within their control.

  • Third-Party Processors: Third parties processing data on behalf of the Company are required to comply with this policy and applicable data protection laws.

 

15. Review and Updates

This policy will be reviewed annually or as required to reflect changes in legal or regulatory requirements, business practices, or technological advancements.

 

16. Contact Information

For any questions or concerns regarding this policy or the Company’s data protection practices, please contact:

info@datapher.ai
