HomeAbout UsServices — Revenue & Operational Automation — Private AI Infrastructure InsightsContact Book Free AI Audit
Legal

GDPR Statement

Last updated: March 2026

Our Commitment

AiSynapse is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement sets out our obligations and approach as both a data controller and, where applicable, a data processor for our clients.

1. Our Role Under UK GDPR

AiSynapse operates in two distinct capacities depending on the context:

  • Data Controller: When we collect and process personal data of website visitors, enquirers, and our own clients through aisynapse.co.uk and our business operations.
  • Data Processor: When we process personal data on behalf of our clients as part of delivering our AI automation and infrastructure services. In this capacity, we act strictly on the documented instructions of our clients.

2. Lawful Basis for Processing

AiSynapse relies on the following lawful bases for processing personal data:

  • Legitimate interests — for processing enquiry and contact data to respond to potential clients
  • Contract performance — for processing data necessary to deliver our contracted services
  • Legal obligation — where processing is required to comply with applicable law
  • Consent — where explicitly obtained, for specific processing activities

3. Data Processing Agreements

Where AiSynapse processes personal data on behalf of a client (acting as a data processor), we enter into a Data Processing Agreement (DPA) with that client as required by UK GDPR Article 28. Our DPA sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data processed, and the obligations and rights of both parties. Clients may request our standard DPA at any time via our contact page.

4. Division II — Private AI Infrastructure and Data Sovereignty

AiSynapse's Division II Private AI Infrastructure services are specifically designed for organisations with elevated data protection requirements. Key features relevant to GDPR compliance include:

  • All AI processing occurs on hardware physically located within the client's own premises or a dedicated environment under their control
  • No personal data is transmitted to AiSynapse servers, third-party cloud providers, or external AI APIs during normal operation
  • No cross-border data transfers are involved in the processing of client data
  • The client retains full data sovereignty — all data remains within their physical and legal control at all times
  • AiSynapse provides a written deployment statement confirming the data architecture as part of all Division II implementations

This architecture is specifically suitable for organisations regulated by the FCA, SRA, ICO, and other bodies with specific data residency or handling requirements.

5. Sub-Processors

Where AiSynapse uses third-party sub-processors in the delivery of Division I services (such as CRM platforms and automation tools), we ensure that appropriate data processing agreements are in place with those sub-processors. A current list of sub-processors is available upon request. Clients will be notified of any material changes to our sub-processor list.

6. Data Subject Rights

AiSynapse respects and upholds all data subject rights under UK GDPR, including the right to:

  • Access personal data we hold
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten") where applicable
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interests

Requests should be submitted via our contact page. We will respond within 30 days in accordance with UK GDPR requirements.

7. Data Security

AiSynapse implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These measures include encrypted communications, access controls, regular security reviews, and — for Division II deployments — locally encrypted storage with no external network access required for AI processing.

8. Data Breach Notification

In the event of a personal data breach, AiSynapse will notify the relevant supervisory authority (the ICO) within 72 hours where required under UK GDPR Article 33. Where we are acting as a data processor, we will notify the relevant data controller without undue delay upon becoming aware of a breach, in accordance with our contractual obligations and UK GDPR Article 33(2).

9. International Transfers

AiSynapse does not routinely transfer personal data outside the United Kingdom. Where any transfer is necessary, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V, including adequacy decisions or standard contractual clauses as applicable.

10. Contact and Supervisory Authority

For any data protection queries or to exercise your rights, please contact us via our contact page.

You also have the right to lodge a complaint with the UK's supervisory authority: the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.