Privacy Policy website is available for your personal use and viewing. The access and use of is featured in the Privacy Policy below.
Learn More
Giant yellow lock and 2 characters one with key to show privacy
Down arrow


Privacy Policy
Last Updated: 14/11/22

Section 1: Overview

What does this document do
This document sets out what information Graphium collects about people, what we use it for and who we share it with. It explains what legal rights individuals have in relation to their information and what to do if they have any concerns about how their information is being used.

We sometimes need to update this document, to reflect any changes to our business activities or to comply with new legal requirements. We will notify you of any important changes before they take effect.

If you have any questions about this document or the way Graphium uses information, please get in touch by emailing  

  • Visit our website at or interact with our corporate accounts on social media platforms
  • Are a key contact working for an existing or prospective customer of Graphium
  • Have been provided login credentials and access to our software-as-a-service (User)
  • Are a person identified in any file uploaded by a customer or their Users

Who should read this document
The information in this document will be relevant to you if you:

Who we are
We are Graphium Technologies Limited, a company registered in England and Wales under company number 13451839 whose registered office is at:

46/47 High Street,
Newport, Wales,
NP20 1GA

(Graphium, we, us, our)

What we do
Our customers are UK organisations that conduct or sponsor scientific studies and want to better understand trends and gaps in their research. Customers purchase our software-as-a-service, which allows users to upload multiple files (e.g. research reports) to a secure location for analysis. Our software analyses the files to identify and collate topics of scientific significance to convert unstructured data into a visual.  

Our customer contracts and user terms specify that no personal data (which is any information that can or could be used to identify a living person) should be uploaded for analysis. Our technology is intended to help our customers review topics of scientific significance, and not information about people. However, we can acknowledge that there may be occasions where personal data might inadvertently be uploaded (e.g. because a report cites an author).  

Black triangle with explanation mark to show warning

If you are a User who connects to the Graphum Service with your Microsoft credentials, Microsoft will separately collect and analyse information about how you use their products and services. You should read the Microsoft Privacy Statement if you would like further details.

Section 2: Information Graphium collects or receives

We have grouped together the different types of personal that we collect and where we receive it from below:

Personal Data

Received From

Identity data – first name, last name, job title, employer

  • Customer
  • You

Contact data – work email address, work telephone number, social media handle

  • Customer
  • You

Feedback and enquiry data – any responses you give when you rate our services or reply to a survey, any information you send when you contact us, submit an enquiry on our website or comment on our social media corporate accounts or content.

  • You
  • Customer
  • Third party feedback services
  • Social media platforms

Marketing data – your status as a marketing recipient (e.g. opted out), your preferred method of communication and how you have interacted with our communications

  • You (including via cookies and similar technologies)

Usage data – login credentials, access permissions, audit logs, clickstream to and on our website, download or upload errors, length of visit, page interaction

  • You (including via cookies and similar technologies)

Technical data – internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and type of device used to access Graphium website or software.

  • You (including via cookies and similar technologies)

We sometimes anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (such as the number of key personnel with similar role title or percentage of website visitors visiting a particular webpage on our website). Data protection law does not govern the use of aggregated data and the various rights described in Section 9 do not apply to it.

Whilst our customer contracts and user terms specify that files containing personal data should not be uploaded for analysis, Graphium cannot guarantee information within uploaded files are fully anonymised. Where Graphium becomes aware a file contains personal data, we promptly notify the User and our customer the breached our terms of use and request such file is deleted.

Section 3: How Graphium uses your information

UK data protection law requires controllers to identify a legal justification (also known as a lawful basis) to collect and use your personal data. There are six lawful basis which organisations can rely on to justify their collection and use of personal data.  Whenever Graphium acts as a controller for personal data (please see Section 1 for an explanation of when Graphium acts as a controller and when we act as a processor), we rely on the following lawful basis:

The table below provides more detail about the reasons Graphium may use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update this document and notify you.


Legal Justification

To onboard organisations as a customer

Legitimate interest – necessary to conclude contract and correspond with key contacts within the customer’s organisation

To provide our service to our customer

Legitimate interest – necessary to perform our obligations under the contract with our customer

To make it easier for Graphium users to connect their research data to the Graphium service (where they have authenticated with their Microsoft Account)

Legitimate interest – necessary to optimise our service and provide improved user experience)

To investigate and respond to complaints

Legitimate interest – necessary to remedy errors, improve service and protect our reputation

To respond to requests for technical support and other queries

Legitimate interest – necessary to perform our obligation under the contract with our customer and ensure our software, applications and website are functioning correctly

To process payments and recover any monies owed to us

Legitimate interest – necessary to recover debts due

To better understand how our website and services are used

Legitimate interest – necessary to improve our services and provide our customer with an overview of their Users’ engagement with the service

To provide and protect our services, websites and internal systems

Legitimate interest – necessary to provide our services and website, monitor and improve network security and prevent fraud

To lodge or respond to a legal claim

Legitimate interest – necessary to enforce our contractual or legal right or to effectively respond to a claim made against Graphium

To notify you about changes to this privacy notice

Legal obligation

To enable a person to exercise their legal rights

Legal obligation

To send marketing communications

Legitimate interest – necessary to promote and grow our business

Section 4: Marketing

Graphium only provides our services to organisations (which means we operate on a Business-to-Business basis, also known as B2B). We only ever send marketing communications to work contact details, and we always include a link in our emails so that you can unsubscribe at any time. We will also remove your details from our system if our customer informs us you no longer work for them.

Graphium uses Close CRM and HubSpot to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which help us understand what content that recipient appears to be interested in and allow us to personalise the content of future of our messages.

Pixels (which are a similar technology to cookies) within those emails enable us to see:

Section 5: Who Graphium shares your information with

We share (or may share) your personal data with:

Our staff: Graphium employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.  

Our customers (existing and prospective): where we correspond or administer our services. Our customer is the controller for the information they receive from us (which means they make their own decisions about how they use that information). If you have any questions about how they use the information they receive, you should ask to see their privacy information.  

Users: the personal data that a User can view, access, edit, download or delete varies depending on their account permissions. Our customer is responsible for deciding which of its Users have which level of permission. Users must accept the Graphium user terms before they can access our services (which contain terms that set out what they can and cannot do).

Our supply chain: other organisations we engage to help us provide our services and website. We ensure these organisations only have access to the information required to provide the support we use them and have a contract with them that contains confidentiality and data protection obligations.

Regulatory authorities: such as HM Revenue & Customs.

Our professional advisers: such as our accountants or legal advisors where we require specialist advice to help us conduct our business.

Any actual or potential buyer of our business.

If Graphium were asked to provide personal data in response to a court order or legal request, we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. Where Graphium acts as processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).

Section 6: Where your information is located or transferred to

Graphium will only transfer personal data outside the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located, e.g. by only sending it to territories approved by or under contracts approved by UK Secretary of State). We use cloud servers for our infrastructure with servers located in the UK.  

If you have been registered by our customer as a User or access our service whilst abroad then your personal data may be stored on services located in the same country that our customer or you are.

Section 7: How Graphium keeps your information safe

We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:

If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).  Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

If you notice any unusual activity when browsing our website or using our services, or receive any suspicious correspondence that purports to be sent by Graphium, please let us know as soon as possible by emailing  

Section 8: How long Graphium keeps your information

When our customer ends their contract with us, Graphium deletes information associated with their User accounts and which has been uploaded by Users from our live systems with 30 days of the contract end date. Our back-ups are made every 24 hours so it can take longer for personal data to be completely removed from our systems.

Where we are the controller, we usually keep information for 7 years from the date our contract with our customer ends before we convert it into anonymised information. Sometimes we need to keep it longer to investigate complicated errors or defend ourselves from legal claims. We keep information about prospective customers’ key personnel indefinitely, or until we receive replacement details or a request to remove that person’s details from our mailing list.

The longest we keep information about how visitors browse and interact with our website is 2 years.

If you have asked for information from us or you have subscribed to our mailing list, we keep your details for a reasonable time or until you ask us to stop contacting you.

Section 9: Your legal rights under UK data protection law

Under UK law, you have specific rights in relation to your personal data. If you want to exercise any of these rights, please email We do not respond directly to requests which relate to personal data where Graphium is the processor. In this situation, we forward your request to our customer and await their instruction before we take any action.

UK data protection law grants the following rights:

There are some limited exemptions to these rights, so they may not apply in every scenario and Graphium may decline your request (but we would explain our decision in writing if this was the case). Graphium will also not action a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive.

Section 10: Cookies and similar technologies

Our website and software uses cookies and similar technologies. Cookies are small text files that are downloaded to your device. Cookies contain uniquely generated references which are used to distinguish you from other users. They allow information gathered on one webpage to be stored until it is needed for use on another, allowing our website to provide you with a personalised experience (like remembering your favourites) and provide us with statistics about how you interact with our website.

Cookies are not harmful to your devices (like a virus or malicious code) but some individuals prefer not to share their information (for example, to avoid targeted advertising).

Different types of cookies

Session vs. persistent cookies: cookies have a limited lifespan. Cookies which only last a short time or end when you close your browser are called session cookies. Cookies which remain on your device for longer are called persistent cookies (these are the type of cookies allow websites to remember your details when you log back onto them).

First party vs third party cookies: cookies placed on your device by the website owner are called first party cookies. When the website owner uses other businesses’ technology to help them manage and monitor their website, the cookies added by the other business are called third party cookies.

Categories of cookies: cookies can be grouped by what they help the website or website owner do (the Purpose).

What does Graphium use cookies for?

On the website we use cookies to:  

The cookies we use are: 

Personal Data



What it does




Graphium uses Vimeo to host demo and informational videos, these are then embedded in the Graphium website and makes use of these essential cookies

This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.  

1 day



Graphium uses Vimeo to host demo and informational videos, these are then embedded in the Graphium website and makes use of these essential cookies  

Collects data on the user's visits to the website, such as which pages have been read.

2 years


Graphium enables recaptcha on its forms to prevent unwanted form submissions from bot  

reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis

End of session



Cookie to provide load balancing functionality

This cookie is used by Graphium’s AWS infrastructure to determine when more resource needs to be automatically provisioned

End of session



Cookie to provide load balancing functionality

This cookie is used by Graphium’s AWS infrastructure to determine when more resource needs to be automatically provisioned

End of session



Security token in Graphium web application to prevent Cross-Site Request Forgery attacks

This cookie is necessary to ensure that requests across the Graphium application are only coming from inside the application itself and not a malicious third party  

End of session  



Session token to determine the current user's login status

This cookie is necessary for the Graphium application to verify the current logged in user

End of session  

We can only use cookies with your permission (you will be prompted by a message when you first visit our Website, also known as a cookie banner, where you can choose to accept or decline our cookies).  

You can update your cookie settings on our website by selecting ‘Accept’ or ‘Reject’ on the cookie banner.  Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.