Privacy Notice
1. Data controller
Agent X Ltd. is the data controller for personal data processed through this service. You can reach our Data Protection Officer at dpo@agent-x.example or by post at Agent X Ltd, Privacy Office, 1 Compliance Way, London EC1A 1AA, United Kingdom.
2. What personal data we process
We process the following categories of personal data:
- Account data — name, email address, organisation, role
- Authentication data — hashed passwords, MFA factors, session metadata
- Usage data — IP address, browser fingerprint, page visits, audit events
- Communications — support tickets, feedback you choose to send us
3. Lawful basis for processing
We rely on the following lawful bases under Article 6(1) of the UK GDPR and EU GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide the platform you signed up for
- Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, and audit logging
- Legal obligation (Art. 6(1)(c)) — to retain records required by tax, accounting, and AI-governance regulation
- Consent (Art. 6(1)(a)) — for non-essential cookies and marketing communications
4. Retention periods
| Category | Retention |
| --- | --- |
| Account data | Lifetime of account + 30 days |
| Authentication logs | 13 months |
| Audit log entries | 7 years (regulatory requirement) |
| Cookie consent records | 2 years |
| Support tickets | 3 years |
5. Your rights
Under the UK Data Protection Act 2018, UK GDPR, EU GDPR, and the California Consumer Privacy Act, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Object to processing based on legitimate interests
- Receive your data in a structured, commonly used format (data portability)
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
To exercise any right, submit a request via our Privacy Request Form or email dpo@agent-x.example. We respond within 30 days.
6. International transfers
Personal data is stored in the United Kingdom (London, eu-west-2) by default. Where transfers outside the UK/EU are necessary, we rely on Standard Contractual Clauses (2021/914) and complete Transfer Impact Assessments as required by Schrems II.
7. Sub-processors
A current list of sub-processors is published at /sub-processors. We provide 30 days' advance notice of any new sub-processor via the RSS feed and email subscriber list.
8. Supervisory authority
You may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EU Data Protection Authority.
9. Changes to this notice
Material changes are announced at least 30 days in advance. Version history is published at /trust/changelog.