Privacy Policy

1. Introduction

This Privacy Policy explains how Sax AI Limited ("we," "our," or "us") collects, uses, shares, and protects personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

We provide Know Your Business (KYB) services to investment banks in the United Kingdom ("Clients"). In providing these services, we act as a data processor under GDPR, processing personal data on behalf of our Clients, who are the data controllers.

2. Contact Information

Data Controller (for our corporate website and business operations): Sax AI Limited. 76 Wynford Road, London, N1 9SN, UK. Email: dpo@hiresax.com

Data Protection Officer: Santiago Aldonondo Email: dpo@hiresax.com

3. Personal Data We Process

As part of our KYB services, we may process the following personal data on behalf of our Clients:

• Identity Information: Full names, dates of birth, nationality, ID document details (passport, driving license, etc.)
• Contact Information: Addresses, email addresses, phone numbers
• Financial Information: Source of wealth and funds, employment details
• Business Relationship Information: Role within the company (officer, Ultimate Beneficial Owner, signatory)
• Authentication Information: User credentials for our platform
• Technical Information: IP addresses, browser information, device information

4. How We Collect Personal Data

We do not collect personal data directly from individuals. Instead, we receive personal data from our Clients or from users authorized by our Clients who upload data through our application.

5. Purpose and Legal Basis for Processing

We process personal data for the following purposes:

• To provide KYB verification and automation services to our Clients
• To validate the identity and address of individuals involved in business relationships
• To assist our Clients in meeting their regulatory obligations
• To maintain the security of our services
• To improve our services

The legal basis for our processing is:

• Contractual Necessity: We process data according to the contractual terms established with our Clients (the data controllers)

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.

Personal data will be retained for a maximum of 7 years from the date of collection, after which it will be securely deleted or anonymized unless a longer retention period is required by law.

We will delete or anonymize personal data when:

• There is no longer a business need for the data
• The contract with our Client expires
• A valid erasure request is approved by the data controller
• The maximum retention period of 7 years has been reached

7. Data Sharing and International Transfers

We may share personal data with:

Our third-party service providers who process data on our behalf, including:

• Amazon Web Services (AWS)
• Google Workspace
• Auth0
• Microsoft Azure
• Google Cloud Platform
• Sentry
• Slack

Personal data may be transferred to:

• The United Kingdom (outside the EEA but covered by an adequacy decision)
• Services that process data outside the EEA (e.g., Microsoft Bing Search API)

For any international transfers not covered by adequacy decisions, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs).

8. Data Security

We maintain appropriate technical and organizational measures to protect personal data, including:

• ISO 27001 certified information security management system
• Encryption of personal data
• Regular security assessments
• Access controls
• Staff training on data protection

9. Your Rights

As we primarily act as a data processor, individuals should direct requests regarding their rights to our Clients (the data controllers). However, we will assist our Clients in fulfilling such requests.

These rights include:

• Right to access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making and profiling

Subject Request Handling Process and Timelines

When we receive a data subject request directly:

• We will acknowledge receipt within 3 business days
• We will forward the request to the relevant Client (data controller) within 5 business days
• We will provide all necessary assistance to our Client to fulfill the request

When our Client forwards a data subject request to us:

• We will acknowledge receipt within 2 business days
• We will provide the requested information or complete the requested action within 14 calendar days

In accordance with GDPR requirements:

• Our Clients must respond to data subject requests without undue delay and at the latest within one month (30 calendar days) of receipt
• This period may be extended by up to two additional months when necessary, considering the complexity and number of requests
• We are committed to providing timely assistance to enable our Clients to meet these obligations

10. Automated Decision Making

Our KYB services involve automated processing to verify identity and business information. This may include some elements of profiling and automated decision-making as part of the KYB process. However, our Clients are responsible for implementing appropriate measures to safeguard individuals' rights, such as providing information about the logic involved and ensuring human intervention where necessary.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The most current version will be posted on our website with the effective date.

12. How to Complain

If you have concerns about our data processing activities, please contact our Data Protection Officer at dpo@hiresax.com.

You also have the right to lodge a complaint with a supervisory authority. The UK supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/