Privacy Policy
← Legal
DANTE
Privacy Policy
Operator Knoesis Technologies Limited Last updated March 2026 Framework UK GDPR  ·  DPA 2018 Platform DANTE Political Intelligence
This Privacy Policy explains how Knoesis Technologies Limited collects, uses, stores, and protects personal data in connection with the DANTE Platform. Please read this document carefully.

PRIVACY POLICY

Knoesis Technologies Limited | DANTE Platform | Last Updated: 03/2026

1. INTRODUCTION AND SCOPE

This Privacy Policy ("Privacy Policy" or "Policy") describes how Knoesis Technologies Limited, a company incorporated and registered in England and Wales under Company Number 16019207, collects, uses, processes, stores, and protects information in connection with the DANTE Platform ("Platform").

This Privacy Policy applies to all customers ("Customers" or "you") who create an Account, access, or use the Platform. This Privacy Policy should be read in conjunction with our Terms and Conditions of Service ("Terms"), which govern your use of the Platform. Capitalised terms not defined in this Privacy Policy have the meanings assigned to them in the Terms.

By creating an Account, accessing the Platform, or using our services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy and the Terms. If you do not agree with this Privacy Policy, you must not access or use the Platform.

This Privacy Policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection laws and regulations in force in the United Kingdom.

2. KEY DEFINITIONS AND DATA PROTECTION ROLES

2.1 Data Protection Terminology

Personal Data means any information relating to an identified or identifiable natural person (a "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

Anonymisation means the process of rendering data permanently and irreversibly unable to identify an individual, either alone or in combination with other data, such that the data is no longer considered personal data under UK GDPR.

2.2 Our Data Protection Roles

Knoesis acts in different data protection roles depending on the type of data being processed:

(a) Data Processor for User Data: With respect to User Data (personal data of your Authorised Users and candidates), you are the data controller and Knoesis is the data processor. We process User Data solely on your documented instructions as set forth in the Terms and the Data Processing Addendum (Schedule A to the Terms). Our role as processor is governed by Schedule A, which sets forth detailed processor obligations, security measures, and data subject rights procedures.

(b) No Personal Data in Campaign Data: Campaign Data (as defined in the Terms) consists solely of aggregated, anonymised, non-personal data and contains no personal data of individual voters or members of the public. You warrant that all Campaign Data has been properly aggregated and anonymised prior to provision to Knoesis. Because Campaign Data contains no personal data, UK GDPR controller/processor obligations do not apply to Campaign Data processing.

(c) Data Controller for Operational Data: Knoesis acts as an independent data controller for operational data we collect directly in connection with Platform operation, including Account information, payment and billing data, technical and usage data, and cookies and similar technologies. We determine the purposes and means of processing such operational data as described in this Privacy Policy.

(d) Data Controller for Calibration Data: Knoesis acts as an independent data controller for Calibration Data. Calibration Data is derived from Campaign Data, anonymised User Data, and public election outcomes through anonymisation and aggregation processes that render the data permanently incapable of identifying individuals or specific campaigns. Knoesis retains perpetual, irrevocable rights to use Calibration Data for Platform improvement, model training, and related purposes as set forth in Clause 5.3 of the Terms. Because Calibration Data is properly anonymised, it is not personal data under UK GDPR.

3. INFORMATION WE COLLECT

3.1 Account Information

When you request creation of an Account, we collect:

(a) Organisation information: organisation name, registered address, company registration number, VAT registration number (if applicable), and primary contact details;

(b) Contact person information: name, email address, telephone number, and job title of the individual authorised to bind your organisation and act as primary point of contact;

(c) Subscription configuration: requested Subscription Tier, number of Contracted Wards, ward identification codes, number of Authorised User seats, and support level;

(d) Electoral campaign information: campaign name, electoral contest details, territory, and election date.

Legal Basis: We process Account information based on our legitimate interests in operating our business, managing customer relationships, and providing the Platform services you have requested (Article 6(1)(f) UK GDPR), and as necessary to perform our contract with you (Article 6(1)(b) UK GDPR).

Data Minimization: We collect only the Account information that is necessary to create and manage your Account, verify your organisation's identity, configure your subscription, communicate with you regarding the Platform and billing matters, and fulfill our contract with you. We do not collect excessive or unnecessary information.

3.2 User Data (Processed as Data Processor)

User Data consists of personal data of Authorised Users and candidates that you provide to us for Platform access and functionality. We process User Data solely as a data processor on your behalf and on your documented instructions. User Data includes:

(a) Authorised User information: names, email addresses, user credentials (usernames and hashed passwords), job titles, telephone numbers, and account permissions;

(b) Candidate psychometric data: psychometric assessment results and personality profiles voluntarily provided by candidates for ward-matching analysis functionality. Provision of psychometric data is entirely voluntary and not required for Platform use. Candidates who do not provide psychometric data can still access all other Platform features;

(c) Authentication and access data: login timestamps, IP addresses used to access the Platform, session identifiers, multi-factor authentication settings, and access logs.

Psychometric data does not impact or affect the core underlying operation of the Platform. All Platform features and analytical capabilities function fully without psychometric data. Provision of psychometric data enables optional ward-matching analysis functionality only. Candidates who do not provide psychometric data can access and use all other Platform features without limitation or disadvantage.

Psychometric data constitutes special category data under Article 9 UK GDPR. Customer, as data controller for User Data including psychometric data, is solely responsible for establishing and documenting an appropriate lawful basis for processing special category data under Article 9 UK GDPR. This includes obtaining explicit consent from candidates where required, or establishing another lawful basis such as processing being necessary for reasons of substantial public interest. Knoesis, as data processor, relies entirely on Customer's determination that an adequate lawful basis exists under Article 9 UK GDPR. Knoesis does not independently assess or verify the lawfulness of Customer's processing of special category data. Customer warrants that it has established and documented an appropriate Article 9 lawful basis before providing psychometric data to Knoesis.

You are the data controller for all User Data. You are responsible for:

Our obligations as data processor for User Data are set forth in detail in Schedule A (Data Processing Addendum) to the Terms, including:

Legal Basis: As data processor, we do not determine the legal basis for User Data processing. You, as data controller, are responsible for establishing and documenting the appropriate legal basis under Article 6 UK GDPR (and, where applicable, Article 9 UK GDPR for special category data).

3.3 Campaign Data (No Personal Data)

Campaign Data consists of aggregated, anonymised, non-personal data that you provide to the Platform for analysis and generation of Outputs. Campaign Data includes:

(a) Ward identification codes and geographic parameters;

(b) Campaign budget constraints and resource allocation parameters;

(c) Aggregated survey data and aggregated polling information;

(d) Policy positions, messaging content, and strategic choices;

(e) Campaign performance metrics and field operation results;

(f) Images submitted for visual content analysis through the vision system (subject to Image Credit availability).

You represent, warrant, and covenant that Campaign Data:

Because Campaign Data contains no personal data, UK GDPR controller/processor obligations do not apply to Campaign Data processing. You remain solely responsible for ensuring compliance with UK GDPR and all other applicable data protection laws in your own collection, processing, and aggregation of any personal data before such data is aggregated and provided to Knoesis as Campaign Data.

Use of Campaign Data: We use Campaign Data to generate Outputs for you, to operate and improve the Platform, and to create Calibration Data as described in Clause 4.5 below.

(d) Accidental Personal Data in Campaign Data: If, despite the prohibitions and warranties set forth in Clause 3.3, personal data is inadvertently included in Campaign Data by Customer, we shall treat such personal data as User Data and process it in accordance with Schedule A (Data Processing Addendum) to the Terms. Customer shall promptly notify us upon discovering that personal data has been included in Campaign Data. Customer shall indemnify, defend, and hold harmless Knoesis from all claims, liabilities, damages, costs, and expenses (including regulatory fines, penalties, and legal fees) arising from or relating to the inclusion of personal data in Campaign Data in violation of Customer's warranties, including any investigation, enforcement action, or penalty imposed by the Information Commissioner's Office or any other supervisory authority.

3.4 Payment and Billing Information

We collect payment and billing information to process the Setup Fee, recurring Subscription Fees, and fees for Image Credit Packages. Payment processing is handled by Stripe, Inc. ("Stripe"), our third-party payment processor. We do not directly collect, process, or store full credit card or debit card numbers.

Information collected includes:

(a) Billing contact information: name, email address, billing address, and telephone number;

(b) Payment Method details: the last four digits of the card number, card brand (Visa, Mastercard, etc.), expiry date, and cardholder name, as provided by Stripe;

(c) Transaction information: transaction IDs, payment amounts, payment dates, invoice numbers, VAT amounts, and payment status (successful, failed, pending);

(d) Stripe customer ID and Stripe subscription ID linking your Account to Stripe's systems.

When you provide payment information, you are providing it directly to Stripe, which processes and stores full payment card details in accordance with Payment Card Industry Data Security Standard (PCI DSS) requirements. Stripe's processing of your payment information is governed by Stripe's Privacy Policy, available at https://stripe.com/privacy. We receive only tokenised payment references and limited payment metadata from Stripe, not full card details.

Stripe may be located in the United States or other jurisdictions outside the United Kingdom and European Economic Area. International transfers of payment data to Stripe are subject to appropriate safeguards including Stripe's adherence to Standard Contractual Clauses and the EU-US Data Privacy Framework. Further information about Stripe's data protection practices is available in Stripe's Privacy Policy.

Legal Basis: We process payment and billing information as necessary to perform our contract with you (Article 6(1)(b) UK GDPR) and based on our legitimate interests in receiving payment for services provided and maintaining accurate financial records (Article 6(1)(f) UK GDPR).

3.5 Technical and Usage Data

We automatically collect technical and usage data when you access and use the Platform. This data helps us operate, maintain, improve, and secure the Platform. Technical and usage data includes:

(a) Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language settings;

(b) Access logs: dates and times of Platform access, pages and features accessed, actions performed, navigation paths, and referrer URLs;

(c) Feature utilisation: which Platform features and modules are used, frequency of use, duration of sessions, and feature-specific interaction patterns;

(d) Image Credit usage: number of images processed, Image Credit consumption rate, dates and times of image processing, and Image Credit Package purchases;

(e) API usage: API endpoints accessed, request and response data (excluding Campaign Data payloads), API call frequency, and error messages;

(f) Performance metrics: page load times, response times, error rates, system availability, and performance benchmarks;

(g) Security and monitoring data: security events, failed login attempts, unauthorised access attempts, rate limiting triggers, suspicious activity patterns, and security incident logs.

We use technical and usage data to:

Legal Basis: We process technical and usage data based on our legitimate interests in operating, securing, improving, and developing the Platform, preventing fraud and abuse, and understanding how our services are used (Article 6(1)(f) UK GDPR).

Legitimate Interests Assessment: We have conducted a Legitimate Interests Assessment (LIA) in accordance with UK GDPR to balance our legitimate interests against your rights and freedoms. We have determined that our processing of technical and usage data for the purposes described in Clause 4.3 is necessary for our legitimate interests in operating, securing, and improving the Platform, that such processing would be reasonably expected by users, that the processing does not override your interests or fundamental rights and freedoms, and that appropriate safeguards are in place. Documentation of our Legitimate Interests Assessment is available upon request by contacting us at the details in Clause 12.

3.6 Cookies and Similar Technologies

We use cookies and similar tracking technologies to provide, operate, and improve the Platform. A cookie is a small text file stored on your device that enables certain Platform functionality and allows us to recognise your browser across visits.

Types of cookies we use:

(a) Essential Cookies (Strictly Necessary): These cookies are necessary for the Platform to function and cannot be disabled. They include authentication cookies that maintain your login session, session state cookies that remember your actions within a session, security cookies that detect authentication abuse and protect your Account, and CSRF (Cross-Site Request Forgery) prevention tokens.

(b) Functional Cookies: These cookies enable enhanced functionality and personalisation, such as remembering your preferences (language, display settings, dashboard configuration), storing your recently accessed Contracted Wards for quick navigation, and maintaining user interface customisation settings.

(c) Analytics Cookies: These cookies help us understand how customers use the Platform by collecting information about which features are used, how often features are accessed, which pages are visited, navigation patterns, and time spent on different Platform areas. Analytics data is aggregated and anonymised such that it cannot identify individual users.

We do not use advertising cookies, marketing cookies, or third-party tracking cookies for purposes unrelated to Platform operation. We do not share cookie data with third parties for their own advertising or marketing purposes.

Cookie Duration:

Managing Cookies: You may refuse or delete cookies through your browser settings. Most browsers allow you to view, manage, and delete cookies, and to block cookies from being set. However, please note that disabling essential cookies will prevent you from using the Platform, and disabling functional or analytics cookies may impair Platform functionality or your user experience. Instructions for managing cookies in common browsers:

Legal Basis: Essential cookies are used because they are strictly necessary for providing the Platform services you have requested (Article 6(1)(b) UK GDPR). Functional and analytics cookies are used based on our legitimate interests in improving the Platform and understanding how it is used (Article 6(1)(f) UK GDPR) and, where required by law, based on your consent.

3.7 Communications Data

We collect information related to our communications with you, including:

(a) Support and service communications: the content of support requests, questions, feedback, and our responses, along with associated metadata such as timestamps and communication channels used;

(b) Transactional emails: email open rates, click-through rates, and delivery status for transaction-related emails such as invoices, payment confirmations, subscription updates, and Account notifications;

(c) Policy update notifications: delivery status and receipt confirmation for notifications regarding updates to the Terms, this Privacy Policy, or other legal notices.

Legal Basis: We process communications data as necessary to perform our contract with you (Article 6(1)(b) UK GDPR), to respond to your requests and provide customer support (Article 6(1)(b) UK GDPR), and based on our legitimate interests in improving our services and maintaining records of customer interactions (Article 6(1)(f) UK GDPR).

4. HOW WE USE INFORMATION

4.1 Providing the Platform

We use the information described in Clause 3 to provide, operate, and maintain the Platform, including:

4.2 Billing and Payment Processing

We use payment and billing information to:

4.3 Platform Operation, Maintenance, and Security

We use technical and usage data, security logs, and other operational information to:

4.4 Platform Improvement and Development

We use aggregated and anonymised usage data, performance metrics, and analytics to:

This usage of aggregated, anonymised data does not identify individual customers or individual users.

4.5 Calibration Data: Model Training and Platform Enhancement

As set forth in Clause 5.3 of the Terms, you grant Knoesis an explicit, irrevocable, perpetual, worldwide, royalty-free, fully paid-up, transferable, sublicensable licence to use Calibration Data for improving, calibrating, validating, testing, developing, training, enhancing, and refining the Platform's analytical models, algorithms, machine learning models, predictive capabilities, and related functionality.

Calibration Data is derived from:

(a) Campaign Data (which contains no personal data) after further aggregation and anonymisation;

(b) User Data after anonymisation and removal of all personally identifiable information (e.g., anonymised psychometric data patterns that cannot be linked to specific individuals);

(c) Campaign resource allocation decisions, strategic choices, and performance metrics after anonymisation;

(d) Election Outcome Data from official public sources.

Calibration Data is processed, stored, and maintained in accordance with strict anonymisation standards such that:

Because Calibration Data is properly anonymised, it is not personal data under UK GDPR. Knoesis acts as an independent data controller for Calibration Data and retains perpetual ownership and rights to use Calibration Data indefinitely, including after termination or cancellation of your subscription.

We use Calibration Data to:

You acknowledge that the accuracy, predictive power, analytical capabilities, and effectiveness of the Platform depend fundamentally upon Knoesis's ability to calibrate, validate, and train its models using real-world campaign data and election outcomes, and that the perpetual licence granted under Clause 5.3 of the Terms is essential to Platform development and Knoesis's competitive positioning.

Right to Withdraw and Object: Because the licence to use Calibration Data granted under Clause 5.3 of the Terms is explicit, irrevocable, and perpetual, and because Calibration Data has been anonymised such that it is no longer personal data under UK GDPR, you cannot withdraw consent to, object to, or restrict the use of Calibration Data after it has been created from your Campaign Data or anonymised User Data. This limitation is disclosed to you before you provide any data to the Platform and before Calibration Data is created. By using the Platform and providing Campaign Data and User Data, you acknowledge and accept that Calibration Data will be created and used by Knoesis indefinitely in accordance with Clause 5.3 of the Terms, and you waive any right to withdraw consent to or object to such use. If you do not agree to the creation and perpetual use of Calibration Data, you must not use the Platform.

4.6 Legal Compliance and Protection

We may use and disclose information as necessary to:

5. INFORMATION SHARING AND DISCLOSURE

We do not sell, rent, or trade personal data to third parties for their own marketing purposes. We share information only in the limited circumstances described below.

5.1 Service Providers and Sub-Processors

We engage third-party service providers and sub-processors to assist with Platform operation and data processing. These service providers have access to information only as necessary to perform their functions and are contractually obligated to maintain confidentiality and security, process data only on our instructions, and comply with applicable data protection laws.

Our key service providers and sub-processors include:

(a) Firebase / Google Cloud Platform (Google LLC): We use Firebase, a service provided by Google LLC (a company organised under the laws of Delaware, United States), for User Data storage, authentication services, and cloud infrastructure. Firebase processes and stores User Data on our behalf as a sub-processor. Firebase may process data in the United States and other jurisdictions outside the United Kingdom and European Economic Area. International transfers to Firebase are subject to appropriate safeguards including Google's adherence to Standard Contractual Clauses approved by the UK Information Commissioner's Office and the EU-US Data Privacy Framework. Firebase's data protection practices are described in Google's Privacy Policy, available at https://policies.google.com/privacy.

(b) Stripe, Inc.: We use Stripe, Inc. (a company organised under the laws of Delaware, United States) for payment processing services. Stripe processes payment and billing information as described in Clause 3.4. Stripe acts as an independent data controller for payment data and processes such data in accordance with its own Privacy Policy, available at https://stripe.com/privacy. Stripe may process payment data in the United States and other jurisdictions. International transfers to Stripe are subject to appropriate safeguards including Stripe's adherence to Standard Contractual Clauses and the EU-US Data Privacy Framework.

(c) Cloud Infrastructure and Hosting Providers: We may use additional cloud infrastructure providers for backup, disaster recovery, content delivery, and other technical services. All such providers are subject to written data processing agreements imposing confidentiality and security obligations at least as protective as those in this Privacy Policy and the Terms.

(d) Security and Monitoring Services: We may engage third-party security providers for threat detection, intrusion prevention, security monitoring, and incident response services.

We maintain an up-to-date list of sub-processors, which is available to customers upon request. We provide at least thirty (30) days' advance notice before engaging new sub-processors or making changes to existing sub-processors, as set forth in Schedule A to the Terms. You may object to sub-processor engagement in accordance with the procedures specified in Schedule A.

5.2 Legal Requirements and Protection

We may disclose information if required to do so by law or if we believe in good faith that such disclosure is necessary to:

(a) Comply with legal obligations, court orders, subpoenas, warrants, or other legal process;

(b) Respond to claims or legal proceedings, including responding to lawsuits, regulatory investigations, or governmental inquiries;

(c) Enforce the Terms, including investigating suspected violations and taking appropriate enforcement action;

(d) Detect, prevent, and address fraud, security threats, technical issues, and illegal activity;

(e) Protect the rights, property, or safety of Knoesis, our customers, or the public, to the extent permitted or required by law.

Where permitted by law, we will provide you with advance notice of legal demands for information unless such notice is prohibited by law, court order, or would undermine the purpose of the legal process.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, sale of assets, bankruptcy, or other business transaction involving Knoesis, information collected under this Privacy Policy may be transferred to the acquiring or successor entity. In such event, we will provide notice to you (via email to your Account email address or via prominent notice on the Platform) before your information is transferred and becomes subject to a different privacy policy. The acquiring entity will be required to continue to honour the commitments we have made in this Privacy Policy or obtain your consent to any material changes.

5.4 With Your Consent

We may share information with third parties if you provide explicit consent for such sharing. We will clearly describe the nature of the sharing and the recipient before obtaining your consent.

6. DATA SECURITY

6.1 Technical and Organisational Security Measures

We implement comprehensive technical and organisational security measures designed to protect information from unauthorised access, loss, misuse, alteration, and destruction. Our security measures are described in detail in Schedule A (Data Processing Addendum) to the Terms and include:

(a) Encryption: Data is encrypted in transit using Transport Layer Security (TLS) version 1.3 or higher, and data at rest is encrypted using AES-256 encryption or equivalent industry-standard encryption;

(b) Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access, principle of least privilege, and regular access reviews to ensure only authorised personnel have access to systems and data;

(c) Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), network segmentation, and DDoS protection;

(d) Monitoring and Logging: Comprehensive audit logs, security event monitoring, real-time alerting for suspicious activity, and regular log reviews;

(e) Incident Response: Documented incident response procedures, incident response team, regular incident response testing and drills, and personal data breach notification protocols as set forth in Clause 6.4;

(f) Personnel Security: Background checks where legally permitted, mandatory security awareness training, confidentiality agreements binding all personnel, and regular security training updates;

(g) Physical Security: Secure data centre facilities operated by reputable cloud infrastructure providers with physical access controls, environmental protections (fire suppression, climate control), and 24/7 surveillance;

(h) Business Continuity: Regular data backups, disaster recovery planning, tested recovery procedures, and redundancy measures to ensure Platform availability and data integrity;

(i) Vulnerability Management: Regular security assessments, penetration testing, vulnerability scanning, timely security patching, and security updates;

(j) Third-Party Security: All sub-processors and service providers are subject to written agreements imposing security obligations at least as protective as those described herein, and we regularly assess sub-processor security practices.

6.2 Firebase Security

User Data is stored via Firebase (Google Cloud Platform), which implements industry-leading security measures including encryption at rest and in transit, access controls, security monitoring, compliance certifications (ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3), and regular security audits. Firebase's security practices are described in Google's Security Whitepaper and Privacy Policy, available at https://cloud.google.com/security and https://policies.google.com/privacy.

6.3 No Absolute Security Guarantee

While we implement comprehensive security measures and follow industry best practices, no system can be completely secure. We cannot and do not guarantee absolute security or warrant that information will never be accessed, disclosed, altered, or destroyed by breach of our security measures. Security threats including hacking, phishing, malware, ransomware, insider threats, and other attack vectors exist and evolve constantly.

In the event of a security incident affecting your information, our liability is limited as set forth in Clause 12 of the Terms. Specifically, our aggregate liability for all claims is capped at twenty per cent (20%) of Net Fees paid, subject to the exceptions set forth in Clause 12.3 of the Terms. This limitation applies to security incidents except in cases of fraud, fraudulent misrepresentation, wilful misconduct, or gross negligence in handling User Data resulting in material data protection breaches caused directly by our failure to implement the security measures specified in Schedule A to the Terms.

You acknowledge and accept the inherent security risks of using online platforms and internet-based services, and you agree that we shall not be liable for security incidents except to the extent set forth in the Terms.

6.4 Personal Data Breach Notification

In the event of a personal data breach affecting User Data (personal data for which we act as data processor on your behalf), we shall notify you without undue delay and in no case later than seventy-two (72) hours after becoming aware of the breach, unless legally prohibited from doing so or unless notification would compromise an ongoing law enforcement investigation. Our breach notification shall include the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, measures taken to address the breach, contact information for further inquiries, and recommendations regarding your own breach notification obligations under UK GDPR. You, as data controller for User Data, are responsible for determining whether you must notify affected individuals and the Information Commissioner's Office (ICO) and for conducting such notifications in accordance with UK GDPR. We shall provide reasonable cooperation and assistance with your breach response and regulatory notifications.

7. DATA RETENTION

7.1 Retention During Active Subscription

We retain information for as long as necessary to provide the Platform, fulfil the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce the Terms.

During your active subscription:

7.2 Retention Following Termination or Cancellation

Upon termination or cancellation of your Account in accordance with Clause 11 of the Terms:

(a) Campaign Data and User Data: Within thirty (30) calendar days following termination, we shall, at your written election communicated to us within seven (7) calendar days following termination: (i) return Campaign Data and User Data to you in a commonly used electronic format (such as CSV or JSON) reasonably specified by you; or (ii) permanently and securely delete all Campaign Data and User Data from our production systems, databases, and active storage, and provide written certification of such deletion signed by an authorised officer.

(b) Backup Retention: Campaign Data and User Data may remain in backup systems, disaster recovery systems, and archived storage for up to ninety (90) calendar days following deletion from production systems. Data in backup systems is maintained with the same security protections as operational data and is not accessible for operational use. Following the ninety (90) day backup retention period, such data is permanently and securely deleted in accordance with our data destruction procedures.

(c) Calibration Data: Notwithstanding the foregoing, WE EXPRESSLY RETAIN ALL RIGHTS TO CALIBRATION DATA PURSUANT TO THE IRREVOCABLE, PERPETUAL LICENCE GRANTED UNDER CLAUSE 5.3 OF THE TERMS. CALIBRATION DATA IS NOT SUBJECT TO RETURN OR DELETION OBLIGATIONS AND IS RETAINED INDEFINITELY. Calibration Data is derived from Campaign Data and User Data through anonymisation and aggregation processes that render it permanently incapable of identifying individuals or specific campaigns. Because Calibration Data is properly anonymised, it is not personal data under UK GDPR and is not subject to data subject rights or deletion obligations.

(d) Legal and Compliance Retention: We may retain any information, including Campaign Data, User Data, Account information, payment records, and communications, to the extent and for the duration required or permitted by applicable law, legal process, court orders, regulatory requirements, or legitimate business needs including record retention for audit purposes, compliance with tax and accounting obligations, investigation and defence of legal claims, and enforcement of the Terms. We shall notify you of legal retention requirements to the extent permitted by law.

7.3 Aggregated and Anonymised Data

We may retain aggregated, anonymised data indefinitely for analytics, research, Platform improvement, and other business purposes. Aggregated and anonymised data does not identify you, your organisation, your campaign, or any individual, and is not subject to deletion requests or data subject rights because it is not personal data under UK GDPR.

8. INTERNATIONAL DATA TRANSFERS

8.1 General Principles

Knoesis is located in the United Kingdom. However, some of our service providers and sub-processors are located outside the United Kingdom and European Economic Area (EEA), particularly in the United States. This means that information we collect may be transferred to, stored in, and processed in countries outside the UK and EEA that may have different data protection standards than UK GDPR.

Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place to protect your information and ensure it receives an adequate level of protection in accordance with UK GDPR Chapter V. These safeguards include Standard Contractual Clauses approved by the UK Information Commissioner's Office, adequacy decisions by the UK government, and other transfer mechanisms recognised under UK GDPR.

Note on UK GDPR and EU GDPR: Following the United Kingdom's departure from the European Union, UK GDPR and EU GDPR are separate but substantively similar legal frameworks as of the Last Updated date of this Privacy Policy. The UK has been granted an adequacy decision by the European Commission, and the EU has been granted adequacy by the UK government, enabling data to flow freely between the UK and EU. We monitor legal developments in both jurisdictions and maintain compliance with both UK GDPR and EU GDPR where applicable.

8.2 Firebase / Google Cloud Platform (United States)

User Data is stored and processed via Firebase, a service provided by Google LLC, a company organised under the laws of Delaware, United States. Firebase infrastructure may involve data storage and processing in the United States and other countries outside the UK and EEA.

Transfers of User Data to Firebase/Google are subject to the following safeguards:

(a) Standard Contractual Clauses: Google has executed Standard Contractual Clauses approved by the UK Information Commissioner's Office for international data transfers, ensuring that User Data transferred to Google receives adequate protection equivalent to UK GDPR;

(b) EU-US Data Privacy Framework: Google LLC adheres to the EU-US Data Privacy Framework principles and is certified under the Data Privacy Framework, providing an additional adequacy mechanism for data transfers to the United States;

(c) Technical Safeguards: As described in Clause 6 and Schedule A to the Terms, User Data is encrypted in transit (TLS 1.3 or higher) and at rest (AES-256), providing strong technical protection regardless of storage location;

(d) Contractual Obligations: Our agreement with Google imposes data processing, security, confidentiality, and compliance obligations on Google as our sub-processor, as detailed in Schedule A to the Terms.

Further information about Google's data protection practices, international data transfers, and compliance certifications is available in Google's Privacy Policy at https://policies.google.com/privacy and Google Cloud's Security and Compliance documentation at https://cloud.google.com/security/compliance.

8.3 Stripe Payment Processing (United States)

Payment and billing information is processed by Stripe, Inc., a company organised under the laws of Delaware, United States. Stripe processes payment data in the United States and may process such data in other jurisdictions as necessary to provide payment processing services.

Stripe acts as an independent data controller for payment data and processes such data in accordance with its own Privacy Policy, available at https://stripe.com/privacy. Transfers of payment data to Stripe are subject to appropriate safeguards including:

(a) Standard Contractual Clauses between Stripe and its customers and partners;

(b) Stripe's adherence to the EU-US Data Privacy Framework;

(c) Stripe's PCI DSS Level 1 Service Provider certification, the highest level of payment security certification;

(d) Strong encryption and security measures implemented by Stripe in accordance with payment card industry requirements.

8.4 Changes to International Transfer Mechanisms

We monitor legal and regulatory developments affecting international data transfers, including court decisions, regulatory guidance from the Information Commissioner's Office, and changes to adequacy mechanisms. In the event that the legal basis for international transfers changes or is invalidated by court decision or regulatory action, we shall promptly notify you and shall work with you and our sub-processors to implement alternative transfer mechanisms, relocate data processing to the UK or EEA, or, if necessary, enable you to terminate your subscription in accordance with the Regulatory Change provision in Clause 14 of the Terms without penalty.

9. YOUR RIGHTS UNDER UK GDPR

9.1 Scope of UK GDPR Rights

UK GDPR grants individuals (data subjects) certain rights with respect to their personal data. However, these rights apply only to personal data, not to data that has been properly anonymised or to data that does not relate to identified or identifiable individuals.

As described throughout this Privacy Policy:

9.2 Rights Relating to User Data (You as Controller)

For User Data (personal data of Authorised Users and candidates), you are the data controller and are responsible for responding to data subject rights requests. Authorised Users and candidates should direct their requests to you, not to Knoesis.

As data processor for User Data, we shall assist you in facilitating the following data subject rights:

(a) Right of Access: Upon your written request, we shall provide you with a copy of User Data we hold, in a commonly used electronic format, to enable you to respond to data subject access requests;

(b) Right to Rectification: Upon your written instruction, we shall correct or update inaccurate or incomplete User Data;

(c) Right to Erasure: Upon your written instruction, we shall delete User Data, subject to our retention obligations under Clause 7 and our perpetual rights to Calibration Data under Clause 5.3 of the Terms;

(d) Right to Data Portability: Upon your written request, we shall provide User Data in a structured, commonly used, machine-readable format (such as CSV or JSON) to enable you to respond to data portability requests;

(e) Right to Restriction of Processing: Upon your written instruction and where legally required, we shall restrict processing of User Data;

(f) Right to Object: Upon your written instruction and where legally required, we shall cease processing User Data, subject to our overriding legitimate interests or legal obligations.

We shall respond to your requests to facilitate data subject rights within thirty (30) calendar days of receipt, or such longer period as permitted or required by UK GDPR. Detailed procedures for facilitating data subject rights are set forth in Schedule A (Data Processing Addendum) to the Terms.

9.3 Your Rights Relating to Operational Data (We as Controller)

For operational data for which we are the data controller (Account information, payment and billing data, technical and usage data, communications data, and cookies), you have the following rights under UK GDPR:

(a) Right of Access: You have the right to request a copy of the personal data we hold about you. To request access, contact us at the details provided in Clause 12;

(b) Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data. You can update much of your Account information directly through the Platform interface, or contact us for assistance;

(c) Right to Erasure: You have the right to request deletion of your personal data in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (if consent was the lawful basis), or where you object to processing and there are no overriding legitimate grounds. Note that we may be required to retain certain information for legal, accounting, or regulatory compliance purposes, and deletion of certain data may prevent us from providing the Platform services;

(d) Right to Data Portability: Where we process your personal data based on consent or for performance of a contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit such data to another controller;

(e) Right to Restriction of Processing: You have the right to request restriction of processing in certain circumstances, such as where you contest the accuracy of personal data, where processing is unlawful but you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of our legitimate grounds;

(f) Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. We do not use personal data for direct marketing. Where you object to processing based on legitimate interests, we shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for establishment, exercise, or defence of legal claims;

(g) Right to Withdraw Consent: Where we process personal data based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal. Note that most of our processing is based on performance of a contract or legitimate interests, not consent;

(h) Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. The Platform uses automated processing and algorithms to generate Outputs, but such processing does not produce legal effects or similarly significantly affect individuals because Outputs are recommendations for campaign planning, and final campaign decisions remain your responsibility.

To exercise any of these rights, contact us using the details in Clause 12. We shall respond to your request within one (1) month of receipt, or such longer period as permitted by UK GDPR where requests are complex or numerous. We may request additional information to verify your identity before responding to requests. We do not charge a fee for processing requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.

9.4 Limitations on Rights

Data subject rights under UK GDPR are not absolute and are subject to limitations and exceptions. We may refuse or limit requests where:

10. CHILDREN'S PRIVACY

The Platform is not directed at, marketed to, or intended for use by children under the age of sixteen (16) years. We do not knowingly collect personal data from children under 16. The Terms expressly prohibit provision of children's data to the Platform. If we become aware that we have inadvertently collected personal data from a child under 16, we shall take steps to delete such data as soon as reasonably practicable. If you believe we have collected personal data from a child under 16, please contact us immediately at the details provided in Clause 12.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, applicable laws, or for other operational, legal, or regulatory reasons. When we make material changes to this Privacy Policy, we shall notify you by sending an email to the primary contact email address associated with your Account and/or by posting a prominent notice on the Platform. The notice shall specify the nature of the changes and the effective date of the updated Privacy Policy. Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must cease using the Platform and may cancel your Account in accordance with Clause 11.2 of the Terms. We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised.

12. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy, data protection, data subject rights, or our processing of your information, please contact us at:

Knoesis Technologies Limited
Email: [email protected]
Telephone: 07851069078
Company Number: 16019207

Data Protection Contact

We have appointed a data protection lead responsible for overseeing compliance with UK GDPR and applicable data protection laws. For any data protection enquiries, please contact:

Email: [email protected]

13. COMPLAINTS TO THE INFORMATION COMMISSIONER'S OFFICE

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates UK GDPR or other applicable data protection laws. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk
Email: [email protected]

We encourage you to contact us first at the details provided in Clause 12 so that we can address your concerns directly. However, you have the right to lodge a complaint with the ICO at any time.

14. GOVERNING LAW AND JURISDICTION

This Privacy Policy and any disputes or claims arising out of or in connection with it or its subject matter shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Privacy Policy.

END OF PRIVACY POLICY

By using the DANTE Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy.