Our commitment to protecting personal data of UK residents in accordance with the UK General Data Protection Regulation.
Last updated: January 1, 2025
Maddie AI is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 for all personal data of UK residents.
This policy outlines our specific commitments and procedures for processing personal data of individuals in the United Kingdom.
We have appointed a Data Protection Officer (DPO) who oversees our UK GDPR compliance program and serves as the point of contact for data protection matters.
We process personal data only when we have a lawful basis under UK GDPR Article 6, including consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests.
For special category health data, we rely on additional conditions under UK GDPR Article 9, including explicit consent, medical purposes, or public health interests.
We maintain records of our processing activities and the lawful basis for each type of processing in accordance with UK GDPR requirements.
UK residents have the right to be informed about how their personal data is processed, including the purposes, legal basis, and retention periods.
You have the right to access your personal data and receive a copy of the information we hold about you, free of charge in most cases.
You may request rectification of inaccurate personal data or completion of incomplete data that we hold about you.
In certain circumstances, you have the right to erasure ('right to be forgotten'), to restriction of processing, or to object to processing.
You have the right to data portability, allowing you to obtain and reuse your personal data for your own purposes across different services.
When transferring personal data outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR.
We rely on adequacy decisions by the UK government, standard contractual clauses approved by the ICO, or other approved transfer mechanisms.
All international transfers are documented and regularly reviewed to ensure ongoing compliance with UK data protection requirements.
We implement the principles of data protection by design and by default in all our systems and processes.
Technical and organizational measures are in place to ensure that only personal data which is necessary for each specific purpose is processed.
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by UK GDPR.
Regular reviews and updates of our data protection measures ensure ongoing compliance with evolving requirements.
We have procedures in place to detect, report, and investigate personal data breaches in accordance with UK GDPR requirements.
Personal data breaches likely to result in a risk to individuals' rights and freedoms will be reported to the ICO within 72 hours of becoming aware of the breach.
Individuals will be notified directly of breaches that are likely to result in a high risk to their rights and freedoms.
We maintain detailed records of all personal data breaches, including their effects and remedial action taken.
For UK GDPR-related inquiries or to exercise your rights, please contact our UK Data Protection Officer.
Contact us:
uk-dpo@maddie-ai.com