GreyX Group's Data Protection Policy

At GreyAI, we are committed to protecting the privacy and security of the data entrusted to us. This Data Privacy and Protection Policy outlines our practices and procedures for handling, storing, and protecting data in compliance with the laws and regulations set forth by the UK and other relevant jurisdictions. As a company, we understand the importance of data privacy and take all necessary measures to safeguard the personal and sensitive information we collect.

Scope

This policy applies to all data collected, processed, and stored by GreyAI, including data from our clients, partners, employees, and any other individuals or entities who interact with our services.

Data Collection and Processing

3.1. Lawful Basis: We collect and process data based on lawful grounds, such as consent, contract performance, legal obligations, and legitimate interests.

3.2. Data Minimization: We only collect and retain data that is necessary for the intended purpose and specified in our data collection notices.

3.3. Data Accuracy: We strive to ensure that the data we collect and process is accurate, up-to-date, and relevant. Individuals have the right to request corrections to their personal information.

3.4. Purpose Limitation: We collect and process data for specific, explicit, and legitimate purposes and do not use the data for any other purposes without obtaining additional consent, if required.

Data Security

4.1. Safeguarding Measures: We implement appropriate technical and organizational measures to protect data from unauthorized access, disclosure, alteration, or destruction. These measures include but are not limited to encryption, access controls, secure storage, and regular security assessments.

4.2. Employee Access: Access to personal data is restricted to authorized employees who have a legitimate need to access such information for business purposes. All employees undergo comprehensive training on data privacy and protection.

4.3. Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law. Upon expiration of the retention period, data is securely deleted or anonymized.

Data Transfers

5.1. International Transfers: In certain cases, data may be transferred to countries outside of the UK or the European Economic Area (EEA). We ensure that appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions, to protect the data when it is transferred to such countries.

5.2. Subprocessors: We engage reputable subprocessors who adhere to similar data privacy and protection standards to process data on our behalf. We maintain contracts with these subprocessors that include appropriate data protection obligations.

Individual Rights

6.1. Right to Access: Individuals have the right to request access to their personal data and information about how it is being processed.

6.2. Right to Rectification: Individuals can request the correction of inaccurate or incomplete data.

6.3. Right to Erasure: Individuals have the right to request the erasure of their personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or processed.

6.4. Right to Restriction: Individuals can request the restriction of processing their personal data in certain situations, such as when the accuracy of the data is contested.

6.5. Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another data controller.

6.6. Right to Object: Individuals can object to the processing of their personal data in certain circumstances, such as when the processing is based on legitimate interests.

6.7. Right to Withdraw Consent: Where the processing of personal data is based on consent, individuals have the right to withdraw their consent at any time.

Compliance and Accountability

7.1. Data Protection Officer (DPO): GreyAI has appointed a Data Protection Officer responsible for overseeing the implementation of this policy and ensuring compliance with applicable data protection laws.

7.2. Data Breach Notification: In the event of a data breach that poses a risk to individuals' rights and freedoms, we will promptly notify the affected individuals and relevant authorities in accordance with applicable legal requirements.

7.3. Internal Policies and Procedures: We have established internal policies, procedures, and controls to ensure ongoing compliance with data protection laws, including regular reviews and assessments of our data privacy practices.

This Data Privacy and Protection Policy serves as a foundation for our commitment to protecting the privacy and security of the data we handle. We regularly review and update this policy to ensure its effectiveness and compliance with applicable laws and regulations. For any questions, concerns, or requests related to data privacy, please contact our Data Protection Officer at [email address].

Handling of Clients' Sensitive Data for AI Training

8.1. Consent and Purpose: We obtain explicit consent from clients before using their sensitive data for AI training purposes. The purpose of using this data is to improve the accuracy and effectiveness of our AI models, ensuring better learning outcomes for our users.

8.2. Anonymization and Pseudonymization: We take utmost care to anonymize or pseudonymize sensitive data before using it for AI training, whenever feasible. This ensures that the data cannot be directly attributed to any individual or organization.

8.3. Restricted Access: Access to clients' sensitive data is strictly limited to authorized personnel who require it for AI training purposes. We maintain rigorous access controls and regularly review access privileges to ensure data confidentiality and security.

8.4. Data Retention: We retain clients' sensitive data only for the duration necessary to achieve the specified AI training objectives. Once the training process is complete, we securely dispose of or anonymize the data, in compliance with applicable laws and regulations.

8.5. Data Security: We employ robust technical and organizational measures to safeguard clients' sensitive data during its handling, storage, and transfer. These measures include encryption, access controls, secure storage, and regular security audits.

8.6. Data Confidentiality: We uphold strict confidentiality agreements with our employees and contractors involved in AI training activities, requiring them to adhere to stringent data protection obligations and maintain the highest standards of confidentiality.

8.7. Third-Party Providers: In some instances, we may engage third-party service providers for AI training purposes. Before engaging any such provider, we perform due diligence to ensure their adherence to stringent data privacy and protection standards.

To read more about how our security is processing your data, visit the link Security.