Data Processing Notice
Last Updated: 25/09/2025
This Data Processing Notice explains how PalmFlow processes personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation.
Important: This notice is provided in addition to our Privacy Policy and Terms of Service. It contains specific information about data processing activities as required by data protection laws.
1. Data Controller Information
Data Controller: Digital Palm Limited
Address: 5 Brunswick Avenue, London, UK
Contact: data@digitalpalm.co.uk
2. Categories of Personal Data Processed
Advisor Data
- Identity Data: First name, last name, job title, employee ID
- Contact Data: Email address, phone number, work address
- Professional Data: Organization, department, role, qualifications
- Authentication Data: Login credentials, security tokens, access logs
- Usage Data: System interactions, timestamps, IP addresses, device information
Client Data (Processed on Behalf of Organizations)
- Assessment Data: Form responses, questionnaire answers
- Communication Data: Chat transcripts, conversation logs
- Generated Data: AI summaries, analysis results, reports
- Metadata: Form creation dates, status updates, reference numbers
3. Legal Basis for Processing
| Processing Activity | Legal Basis | Description |
| --- | --- | --- |
| User account management | Contract | Necessary for providing our services under the service agreement |
| Authentication and security | Legitimate Interest | Protecting our systems and users from unauthorized access |
| Client data processing | Consent / Contract | Based on consent obtained by the organization or contractual necessity |
| Service improvement | Legitimate Interest | Improving our services and user experience |
| Legal compliance | Legal Obligation | Complying with applicable laws and regulations |
| AI model training | Legitimate Interest | Improving AI capabilities (with appropriate safeguards) |
4. Data Processing Activities
Data Collection
Source: Directly from users and through automated systems
Method: Registration forms, login systems, usage tracking
Frequency: Continuous during service use
Data Storage
Location: UK
Security: Encrypted at rest and in transit
Backup: Regular encrypted backups maintained
Data Processing
AI Processing: Generate summaries and insights from form data
Analytics: Usage patterns and system performance analysis
Reporting: Generate reports for organizational use
Data Sharing
Within Organization: Shared with authorized personnel
Service Providers: Limited sharing with vetted third parties
Legal Requirements: Disclosure when legally required
5. Recipients of Personal Data
Internal Recipients
- Authorized employees with legitimate access needs
- Technical support and development teams
- Security and compliance personnel
External Recipients
- Cloud Service Providers: Vercel
- Authentication Services: Supabase (for user management)
- Hosting Providers: Vercel
- Legal and Regulatory Authorities: When required by law
Data Processing Agreements
All third-party processors are bound by data processing agreements that include:
- Strict confidentiality requirements
- Technical and organizational security measures
- Limitations on data use and retention
- Right to audit and monitor compliance
6. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries with adequate protection
- Standard Contractual Clauses: EU-approved contractual protections
- Binding Corporate Rules: Internal data protection standards
- Certification Schemes: Industry-recognized security certifications
7. Data Retention Periods
| Data Category | Retention Period | Justification |
| --- | --- | --- |
| User account data | Duration of service + 1 year | Account management and legal requirements |
| Authentication logs | 6 months | Security monitoring and incident response |
| Client assessment data | As required by organization policy | Professional and regulatory requirements |
| Usage analytics | 2 years | Service improvement and optimization |
| AI training data | 5 years (anonymized) | Model improvement and validation |
| Backup data | 30 days (rolling) | Data recovery and business continuity |
8. Data Subject Rights
Under applicable data protection laws, you have the following rights:
Right of Access (Article 15 GDPR)
- Request confirmation of whether we process your personal data
- Obtain a copy of your personal data
- Receive information about processing activities
Right to Rectification (Article 16 GDPR)
- Request correction of inaccurate personal data
- Request completion of incomplete personal data
Right to Erasure (Article 17 GDPR)
- Request deletion of personal data in certain circumstances
- Subject to legal obligations and legitimate interests
Right to Restrict Processing (Article 18 GDPR)
- Request limitation of processing in specific situations
- Data may be stored but not actively processed
Right to Data Portability (Article 20 GDPR)
- Receive personal data in a structured, machine-readable format
- Request direct transfer to another controller where possible
Right to Object (Article 21 GDPR)
- Object to processing based on legitimate interests
- Object to direct marketing (absolute right)
Right to Withdraw Consent
- Withdraw consent for consent-based processing
- Does not affect lawfulness of prior processing
9. Automated Decision Making and Profiling
Our Service uses automated processing in the following ways:
AI Summary Generation
- Purpose: Create summaries of client responses
- Logic: Natural language processing algorithms
- Impact: Assists advisors in understanding client needs
- Human Oversight: All AI outputs are reviewed by qualified advisors
Form Routing and Notifications
- Purpose: Direct forms to appropriate advisors
- Logic: Rule-based assignment algorithms
- Impact: Determines which advisor receives specific forms
- Override: Manual reassignment is always possible
Your Rights: You have the right to request human intervention, express your point of view, and contest any automated decision that significantly affects you.
10. Security Measures
We implement appropriate technical and organizational measures to ensure data security:
Technical Measures
- Encryption at rest and in transit (AES-256, TLS 1.3)
- Multi-factor authentication and access controls
- Regular security patches and updates
- Intrusion detection and monitoring systems
- Regular penetration testing and vulnerability assessments
Organizational Measures
- Staff training on data protection and security
- Access controls based on need-to-know principles
- Regular review of data processing activities
- Incident response and breach notification procedures
- Data protection impact assessments for high-risk processing
11. Data Breach Procedures
In the event of a data breach, we will:
- Assess the breach within 24 hours
- Notify supervisory authorities within 72 hours (if required)
- Notify affected individuals without undue delay (if high risk)
- Implement immediate containment measures
- Conduct a thorough investigation
- Review and update security measures as needed
12. Supervisory Authority
You have the right to lodge a complaint with the relevant supervisory authority:
Information Commissioner’s Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk
Phone: 0303 123 1113