What does this document do
This document sets out what information Graphium collects about people, what we use it for and who we share it with. It explains what legal rights individuals have in relation to their information and what to do if they have any concerns about how their information is being used.
We sometimes need to update this document, to reflect any changes to our business activities or to comply with new legal requirements. We will notify you of any important changes before they take effect.
If you have any questions about this document or the way Graphium uses information, please get in touch by emailing info@graphium.ai.
Who should read this document
The information in this document will be relevant to you if you:
Who we are
We are Graphium Technologies Limited, a company registered in England and Wales under company number 13451839 whose registered office is at:
46/47 High Street,
Newport, Wales,
NP20 1GA
(Graphium, we, us, our)
Our legal status under UK data protection law
As a company located in the UK, Graphium is subject to UK data protection law and is regulated by the Information Commissioner’s Office (ICO), the regulator responsible for ensuring organisations comply with their data protection obligations. For all visitors to our website, Graphium is the controller for your personal data (which means we decide what information we collect and how it is used). If you are a key contact or a User, most of the time our customer is the controller and Graphium is their processor (which means we must follow the instructions they give us). In limited circumstances Graphium is the controller for your personal data, for example for any feedback you give us.
If you are identified or could be identified by any information included in a file that our customer or their User has uploaded, our customer is always the controller and Graphium is their processor. If you have any questions about how they have collected your personal data and what they use it for, you should read their privacy information or contact them directly.
What we do
Our customers are UK organisations that conduct or sponsor scientific studies and want to better understand trends and gaps in their research. Customers purchase our software-as-a-service, which allows users to upload multiple files (e.g. research reports) to a secure location for analysis. Our software analyses the files to identify and collate topics of scientific significance to convert unstructured data into a visual.
Our customer contracts and user terms specify that no personal data (which is any information that can or could be used to identify a living person) should be uploaded for analysis. Our technology is intended to help our customers review topics of scientific significance, and not information about people. However, we can acknowledge that there may be occasions where personal data might inadvertently be uploaded (e.g. because a report cites an author).
If you are a User who connects to the Graphum Service with your Microsoft credentials, Microsoft will separately collect and analyse information about how you use their products and services. You should read the Microsoft Privacy Statement if you would like further details.
We have grouped together the different types of personal that we collect and where we receive it from below:
Identity data – first name, last name, job title, employer
Contact data – work email address, work telephone number, social media handle
Feedback and enquiry data – any responses you give when you rate our services or reply to a survey, any information you send when you contact us, submit an enquiry on our website or comment on our social media corporate accounts or content.
Marketing data – your status as a marketing recipient (e.g. opted out), your preferred method of communication and how you have interacted with our communications
Usage data – login credentials, access permissions, audit logs, clickstream to and on our website, download or upload errors, length of visit, page interaction
Technical data – internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and type of device used to access Graphium website or software.
We sometimes anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (such as the number of key personnel with similar role title or percentage of website visitors visiting a particular webpage on our website). Data protection law does not govern the use of aggregated data and the various rights described in Section 9 do not apply to it.
Whilst our customer contracts and user terms specify that files containing personal data should not be uploaded for analysis, Graphium cannot guarantee information within uploaded files are fully anonymised. Where Graphium becomes aware a file contains personal data, we promptly notify the User and our customer the breached our terms of use and request such file is deleted.
UK data protection law requires controllers to identify a legal justification (also known as a lawful basis) to collect and use your personal data. There are six lawful basis which organisations can rely on to justify their collection and use of personal data. Whenever Graphium acts as a controller for personal data (please see Section 1 for an explanation of when Graphium acts as a controller and when we act as a processor), we rely on the following lawful basis:
The table below provides more detail about the reasons Graphium may use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update this document and notify you.
To onboard organisations as a customer
Legitimate interest – necessary to conclude contract and correspond with key contacts within the customer’s organisation
To provide our service to our customer
Legitimate interest – necessary to perform our obligations under the contract with our customer
To make it easier for Graphium users to connect their research data to the Graphium service (where they have authenticated with their Microsoft Account)
Legitimate interest – necessary to optimise our service and provide improved user experience)
To investigate and respond to complaints
Legitimate interest – necessary to remedy errors, improve service and protect our reputation
To respond to requests for technical support and other queries
Legitimate interest – necessary to perform our obligation under the contract with our customer and ensure our software, applications and website are functioning correctly
To process payments and recover any monies owed to us
Legitimate interest – necessary to recover debts due
To better understand how our website and services are used
Legitimate interest – necessary to improve our services and provide our customer with an overview of their Users’ engagement with the service
To provide and protect our services, websites and internal systems
Legitimate interest – necessary to provide our services and website, monitor and improve network security and prevent fraud
To lodge or respond to a legal claim
Legitimate interest – necessary to enforce our contractual or legal right or to effectively respond to a claim made against Graphium
To notify you about changes to this privacy notice
Legal obligation
To enable a person to exercise their legal rights
Legal obligation
To send marketing communications
Legitimate interest – necessary to promote and grow our business
Graphium only provides our services to organisations (which means we operate on a Business-to-Business basis, also known as B2B). We only ever send marketing communications to work contact details, and we always include a link in our emails so that you can unsubscribe at any time. We will also remove your details from our system if our customer informs us you no longer work for them.
Graphium uses Close CRM and HubSpot to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which help us understand what content that recipient appears to be interested in and allow us to personalise the content of future of our messages.
Pixels (which are a similar technology to cookies) within those emails enable us to see:
We share (or may share) your personal data with:
Our staff: Graphium employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
Our customers (existing and prospective): where we correspond or administer our services. Our customer is the controller for the information they receive from us (which means they make their own decisions about how they use that information). If you have any questions about how they use the information they receive, you should ask to see their privacy information.
Users: the personal data that a User can view, access, edit, download or delete varies depending on their account permissions. Our customer is responsible for deciding which of its Users have which level of permission. Users must accept the Graphium user terms before they can access our services (which contain terms that set out what they can and cannot do).
Our supply chain: other organisations we engage to help us provide our services and website. We ensure these organisations only have access to the information required to provide the support we use them and have a contract with them that contains confidentiality and data protection obligations.
Regulatory authorities: such as HM Revenue & Customs.
Our professional advisers: such as our accountants or legal advisors where we require specialist advice to help us conduct our business.
Any actual or potential buyer of our business.
If Graphium were asked to provide personal data in response to a court order or legal request, we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. Where Graphium acts as processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).
Graphium will only transfer personal data outside the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located, e.g. by only sending it to territories approved by or under contracts approved by UK Secretary of State). We use cloud servers for our infrastructure with servers located in the UK.
If you have been registered by our customer as a User or access our service whilst abroad then your personal data may be stored on services located in the same country that our customer or you are.
We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.
If you notice any unusual activity when browsing our website or using our services, or receive any suspicious correspondence that purports to be sent by Graphium, please let us know as soon as possible by emailing info@graphium.ai.
When our customer ends their contract with us, Graphium deletes information associated with their User accounts and which has been uploaded by Users from our live systems with 30 days of the contract end date. Our back-ups are made every 24 hours so it can take longer for personal data to be completely removed from our systems.
Where we are the controller, we usually keep information for 7 years from the date our contract with our customer ends before we convert it into anonymised information. Sometimes we need to keep it longer to investigate complicated errors or defend ourselves from legal claims. We keep information about prospective customers’ key personnel indefinitely, or until we receive replacement details or a request to remove that person’s details from our mailing list.
The longest we keep information about how visitors browse and interact with our website is 2 years.
If you have asked for information from us or you have subscribed to our mailing list, we keep your details for a reasonable time or until you ask us to stop contacting you.
Under UK law, you have specific rights in relation to your personal data. If you want to exercise any of these rights, please email info@graphium.ai. We do not respond directly to requests which relate to personal data where Graphium is the processor. In this situation, we forward your request to our customer and await their instruction before we take any action.
UK data protection law grants the following rights:
There are some limited exemptions to these rights, so they may not apply in every scenario and Graphium may decline your request (but we would explain our decision in writing if this was the case). Graphium will also not action a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive.
