Data Protection
Last updated on 16 July 2025.
1. Introduction
Anomify.ai is a UK-based B2B technology platform committed to protecting the privacy and security of the personal data we process. This Data Protection Policy outlines our approach to data governance, ensuring compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and other relevant data protection legislation across all jurisdictions where our clients operate. While we are currently registered with the Information Commissioner’s Office (ICO) in the UK, we strive to adhere to the highest international standards of data protection, acknowledging our global client base. This policy details how we collect, use, store, share, and protect data, including specific considerations for data storage, processing, and retention.
2. Scope
This policy applies to all personal data and client data processed by Anomify.ai, regardless of the format or location, and covers all employees, contractors, and third parties acting on behalf of Anomify.ai. It encompasses data received from clients, generated by our platform, and collected for our own operational purposes.
3. Key Data Protection Principles (UK GDPR Aligned)
Anomify.ai adheres to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Data is accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage Limitation: Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality (Security): Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Accountability: Anomify.ai is responsible for, and able to demonstrate compliance with, the above principles.
4. Types of Data Processed
Anomify.ai distinguishes between two primary categories of data:
- Client Data (Processed Data): This refers to the data that our clients upload or connect to our platform for analysis. For this data, Anomify.ai acts as a Data Processor on behalf of our clients (who are the Data Controllers). This data typically includes operational metrics, performance indicators, and other business data, which may or may not contain personal data depending on the client’s use case and data structure.
- Operational Data (Controller Data): This refers to data collected directly by Anomify.ai for its own business operations. For this data, Anomify.ai acts as a Data Controller. This includes:
  - Client Contact Information: Names, email addresses, phone numbers, job titles of client representatives.
  - Billing and Payment Information: Financial details necessary for invoicing and payments.
  - Usage Data: Information about how clients interact with our platform (e.g., login times, features used, IP addresses, browser types) to improve service and identify issues.
  - Employee/Contractor Data: Information required for employment or contract purposes.
5. Roles and Responsibilities
- Anomify.ai as Data Processor: For Client Data, we process data strictly in accordance with documented instructions from our clients, as outlined in our service agreements and Data Processing Agreements (DPAs). We implement appropriate technical and organisational measures to ensure data security.
- Anomify.ai as Data Controller: For Operational Data, we determine the purposes and means of processing. We are directly responsible for ensuring compliance with all applicable data protection laws for this data.
- Data Protection Officer (DPO): While not legally mandated for all organisations under UK GDPR, Anomify.ai may appoint or designate an individual responsible for overseeing data protection strategy and implementation, ensuring compliance with UK GDPR requirements. This role will provide guidance, monitor internal compliance, and act as a contact point for supervisory authorities and data subjects.
6. Data Processing Activities
6.1. Collection of Data
- Client Data: Collected directly from clients via secure integrations, APIs, or manual uploads to the Anomify.ai platform.
- Operational Data: Collected through direct interactions (e.g., contract signing, support requests), automated means (e.g., website analytics, platform usage tracking), and third-party services necessary for our business operations.
6.2. Legal Basis for Processing
- Contractual Necessity: Processing data for the performance of a contract with our clients (e.g., providing anomaly detection services).
- Legitimate Interests: Processing data for our legitimate business interests, provided these do not override the fundamental rights and freedoms of data subjects (e.g., improving services, marketing to existing clients, ensuring platform security).
- Consent: Obtaining explicit consent where required for specific processing activities (e.g., marketing communications to prospective clients).
- Legal Obligation: Processing data to comply with a legal obligation (e.g., tax, anti-money laundering regulations).
6.3. Purposes of Processing
- Providing Services: Delivering the Anomify.ai platform’s core anomaly detection, monitoring, and reporting functionalities.
- Service Improvement: Analysing usage patterns to enhance platform features, performance, and user experience.
- Customer Support: Responding to inquiries, troubleshooting issues, and providing technical assistance.
- Billing and Administration: Managing client accounts, processing payments, and fulfilling contractual obligations.
- Security: Detecting and preventing fraudulent activity, unauthorised access, and other security incidents.
- Compliance: Meeting legal and regulatory requirements.
7. Data Storage
Anomify.ai commits to storing data securely and efficiently.
- Storage Locations: Our primary data storage facilities are located within the European Economic Area (EEA) or countries deemed to have an adequate level of data protection by the UK Government (e.g., UK, EU member states). We utilise reputable cloud service providers (e.g., AWS, Google Cloud, Azure) that offer robust security certifications and infrastructure.
- Separation of Data: Client Data is logically separated and secured within the multi-tenant architecture of our platform to prevent unauthorised access between clients.
- Redundancy and Backup: Data is subject to regular backup procedures and stored with appropriate redundancy measures to ensure availability and prevent data loss. Backups are encrypted and securely stored.
8. Data Retention
Anomify.ai retains personal data and client data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- Client Data:
  - Retained for the duration of the client’s subscription or contractual agreement with Anomify.ai.
  - Upon termination of the agreement, Client Data will be securely deleted or anonymised within a period specified in the Data Processing Agreement (typically 30-90 days, unless a longer period is required by law or contractual obligation).
  - Clients may have options within the platform to manage their own data retention settings for their specific data.
- Operational Data:
  - Client Contact & Billing Data: Retained for the duration of the business relationship and for a period of up to seven (7) years thereafter to comply with tax, accounting, and legal obligations.
  - Usage Data: Anonymised or aggregated usage data may be retained indefinitely for analytical purposes to improve our services, but personal identifiers are removed.
  - Support Communications: Retained for up to two (2) years to maintain a record of interactions and improve customer service, unless a specific legal requirement necessitates longer retention.
- Deletion and Anonymisation: When data is no longer required, it is securely deleted from all active systems, backups, and archives, or anonymised such that it can no longer be associated with an identifiable individual.
9. Data Security
Anomify.ai implements comprehensive technical and organisational security measures to protect data from unauthorised access, disclosure, alteration, and destruction. These measures include:
- Encryption: Data at rest and in transit is encrypted using industry-standard protocols (e.g., TLS 1.2+, AES-256).
- Access Control: Strict role-based access controls (RBAC) ensure that only authorised personnel can access data on a “need-to-know” basis. Multi-factor authentication (MFA) is enforced for all internal systems.
- Network Security: Firewalls, intrusion detection/prevention systems, and regular network vulnerability scanning are employed.
- Vulnerability Management: Regular security audits, penetration testing, and vulnerability assessments are conducted by independent third parties.
- Incident Response Plan: A documented incident response plan is in place to quickly detect, respond to, and mitigate data breaches.
- Employee Training: All employees receive mandatory data protection and security awareness training upon hiring and annually thereafter.
- Physical Security: Data centres used by our cloud providers adhere to stringent physical security standards.
10. International Data Transfers
As Anomify.ai serves clients globally, data may be transferred to and processed in countries outside the UK or European Economic Area (EEA). When such transfers occur, Anomify.ai ensures that appropriate safeguards are in place to protect the data, including:
- Adequacy Decisions: Transferring data to countries deemed to provide an adequate level of data protection by the UK Government.
- Standard Contractual Clauses (SCCs): Implementing UK ICO-approved Standard Contractual Clauses for transfers between controllers and processors, or processor to sub-processor, where an adequacy decision is not in place.
- Binding Corporate Rules (BCRs): If applicable in the future, for intra-group international transfers.
- Consent: Obtaining explicit consent from data subjects for specific transfers, where no other legal basis or safeguard applies.
- We conduct Transfer Impact Assessments (TIAs) to evaluate the risks associated with international data transfers and implement supplementary measures where necessary.
11. Data Subject Rights (UK GDPR)
Individuals have specific rights regarding their personal data, which Anomify.ai respects and facilitates for Operational Data. For Client Data, clients are responsible for responding to data subject rights requests, and Anomify.ai will provide reasonable assistance as a processor. The rights include:
- Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data.
- Right of Access: The right to obtain confirmation that their data is being processed and to access that personal data.
- Right to Rectification: The right to have inaccurate personal data rectified or completed if it is incomplete.
- Right to Erasure (“Right to be Forgotten”): The right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Right to Restrict Processing: The right to ‘block’ or suppress the processing of personal data.
- Right to Data Portability: The right to obtain and reuse their personal data for their own purposes across different services.
- Right to Object: The right to object to processing based on legitimate interests or direct marketing.
- Rights in Relation to Automated Decision Making and Profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
To exercise these rights regarding Operational Data, individuals should contact Anomify.ai using the contact details provided below. We will respond to all legitimate requests within one month.
12. Data Breach Notification
In the event of a personal data breach affecting Operational Data, Anomify.ai has procedures in place to assess the risk to individuals’ rights and freedoms. If a breach is likely to result in a high risk, we will notify the ICO and affected data subjects without undue delay, and within 72 hours of becoming aware of the breach where required. For Client Data, Anomify.ai will notify the relevant client (Data Controller) of any breach concerning their data without undue delay, enabling them to fulfil their own notification obligations.
13. Policy Review and Updates
This Data Protection Policy will be reviewed at least annually, or more frequently if there are significant changes in legislation, our processing activities, or technological advancements. Any updates will be published on our website or communicated directly to clients where appropriate.
14. Contact Information
For any questions regarding this Data Protection Policy or Anomify.ai’s data protection practices, please contact:
Anomify.ai Data Protection Team
hello@anomify.ai
Anomify, 77 Stokes Croft, Bristol, BS1 3RD, United Kingdom
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).