Privacy Notice
This notice describes how Amaea Ltd ("Amaea", "we", "us", "our") processes personal data, in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). It is structured to mirror the ICO's "what information must I provide" checklist.
1. Who we are
Amaea Ltd: the data controller for personal data of firm users and website visitors, and the data processor for the personal data of clients of firms using the Amaea platform.
- Registered office, company number, and ICO registration: pending UK incorporation ahead of public launch (September 2028). Current details available on request to privacy@amaea.co.uk.
- General contact: hello@amaea.co.uk
- Privacy queries: privacy@amaea.co.uk
We have not appointed a statutory Data Protection Officer (DPO), as the appointment is not required for our current scope, but privacy is overseen by Hasna Sahul Hameed (Co-Founder & CEO).
2. When Amaea is a controller vs a processor
Our role depends on whose data we're processing:
- Controller: for personal data of firm users (name, work email, role, login history, MFA enrolment) and website visitors (form submissions, analytics). We decide why and how this data is processed.
- Processor: for personal data of your firm's clients. We process it only on your firm's documented instructions, governed by the Data Processing Agreement (DPA) every customer signs at onboarding.
3. What personal data we process
| Category | Examples | Special category? |
|---|---|---|
| Firm user account | Name, work email, role, password hash, MFA factor metadata | No |
| Firm record | Firm name, FCA reference, subscription tier, billing contact | No |
| Client records (processor) | Names, references, adviser, attitude to risk, suitability documents, complaint records, financial figures | Some (see below) |
| Vulnerability indicators | Health, life-event, financial-resilience, or capability drivers as recorded by the firm under FG21/1 | Yes: Article 9 health data where applicable |
| Usage & access logs | Request timestamps, route, status, request ID; IP address truncated to the /24 (final octet dropped) | No |
| AI usage telemetry | Token counts, latency, query length (not query content) | No |
| Marketing | Waitlist / demo / newsletter form submissions | No |
4. Purposes and lawful basis
| Purpose | Lawful basis (UK GDPR Art. 6) | Art. 9 condition (if special) |
|---|---|---|
| Provide the platform to subscribing firms | Contract (6(1)(b)) | N/A |
| Process client data on the firm's instructions | Performed under DPA; the firm chooses lawful basis as controller | Firm chooses; commonly 9(2)(g) substantial public interest (FCA-regulated activity) or 9(2)(a) explicit consent |
| Security, audit logging, fraud prevention | Legitimate interests (6(1)(f)): running a secure platform | N/A |
| Service emails (onboarding, billing, security alerts) | Contract (6(1)(b)) | N/A |
| Marketing emails / newsletter | Consent (6(1)(a)): opt-in, withdrawable at any time | N/A |
| Legal & regulatory record-keeping (incl. the SYSC 9 seven-year retention requirement) | Legal obligation (6(1)(c)) | N/A |
5. Recipients and sub-processors
We share personal data only with sub-processors strictly necessary to provide the platform. Each is contractually bound to UK GDPR-equivalent obligations. The current list:
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Supabase (Postgres, Storage, Auth) | Database, file storage, authentication | EU-West (Ireland) |
| Vercel | Application hosting, edge runtime, observability | EU & US (UK IDTA in place) |
| Anthropic | Claude API for the AI Compliance Assistant + document extraction | US (UK IDTA in place; zero-data-retention being enabled pre-launch) |
| Voyage AI | Embedding generation for AI retrieval | US (UK IDTA in place) |
| Resend | Transactional email delivery | US (UK IDTA in place) |
| Sentry (Functional Software, Inc.) | Error tracking (PII-scrubbed before send) | EU (Frankfurt ingest) |
| Cloudflare | CDN, DDoS mitigation, bot management | Global anycast (UK IDTA in place) |
| Upstash | Rate-limit counter store (Redis); no PII processed | EU-West (Frankfurt) |
We notify customers at least 30 days before adding or replacing a sub-processor. The current list is maintained at amaea.co.uk/security.
6. International transfers
Some sub-processors are based outside the UK. Where transfers occur, we rely on the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, plus supplementary measures (encryption in transit and at rest, PII scrubbing, zero-data-retention where available). A copy of the transfer agreements is available on request.
7. Retention
| Data category | Retention |
|---|---|
| Firm user account, firm record | Duration of subscription + 90 days, then deleted unless required for active legal proceedings |
| Client compliance records (processor) | As instructed by the firm. Default 7 years from last activity to align with SYSC 9 retention; 10 years for pension-transfer cases |
| Compliance audit log (compliance_events) | 7 years (SYSC 9). When a firm is deleted, its audit rows are preserved with the firm link set to NULL. |
| Access logs, usage telemetry | 90 days for general logs; 12 months for security-relevant events |
| Marketing form submissions | Until consent is withdrawn or 24 months of inactivity, whichever is sooner |
| Newsletter subscribers | Until consent is withdrawn |
8. Your rights
Under UK GDPR you have the following rights, exercisable free of charge unless requests are manifestly unfounded or excessive:
- Right of access: obtain a copy of the personal data we hold about you (UK GDPR Art. 15).
- Right to rectification: have inaccurate data corrected or incomplete data completed (Art. 16).
- Right to erasure (the "right to be forgotten"): subject to our legal-retention obligations (Art. 17).
- Right to restrict processing: require us to pause processing in defined circumstances (Art. 18).
- Right to data portability: receive your data in a machine-readable format (Art. 20). Firm admins have self-service export at Settings → Data Export inside the app.
- Right to object: object to processing based on legitimate interests or direct marketing (Art. 21).
- Rights related to automated decision-making: see section 9 below (Art. 22).
- Right to withdraw consent: where processing is based on consent, withdrawable at any time without affecting prior lawfulness (Art. 7(3)).
To exercise any right, contact privacy@amaea.co.uk. We will respond within one month of a verifiable request (extendable by a further two months for complex cases, with an explanation). If you are the client of a firm using Amaea, contact your firm first: it is the controller, and any request you send to us will be passed to it.
9. Automated decision-making and AI
The Amaea platform includes an AI Compliance Assistant (the "AI") and AI-driven document extraction. These features:
- Produce analysis, recommendations, and draft text for human review by qualified compliance staff at the firm.
- Do not make decisions that produce legal effects or similarly significant effects on individuals without human review. The qualified compliance officer remains the decision-maker.
- Are explicitly framed in-product as decision support, not regulated advice (FSMA s.19). Every AI surface displays this caveat adjacent to its output.
As such, Article 22 does not currently apply. We will treat any future feature that crosses into solely automated decisions with legal or similarly significant effects (e.g. automatic policy enforcement) as Article 22 processing and establish the appropriate basis and safeguards before launch.
10. Cookies and similar technologies
See our Cookie Policy for the specific cookies set on this site. We do not use third-party advertising cookies, cross-site tracking, or behavioural analytics by default. Functional and analytics cookies require explicit opt-in via the cookie banner.
11. Security
We implement appropriate technical and organisational measures including: TLS 1.3 in transit, AES-256 at rest, Row Level Security tenant isolation enforced server-side, multi-factor authentication for app users, audit logging for every sensitive operation, regular dependency-vulnerability scanning, and PII scrubbing in error-tracking pipelines. Full posture is published at amaea.co.uk/security.
12. Source of personal data not collected directly
When Amaea processes personal data of clients of subscribing firms, that data is provided to us by the firm (either uploaded directly or synced via integrations such as Intelliflo and SharePoint). The firm is the controller and the source of the data. We do not enrich it from external sources.
13. How to complain
We hope you will raise concerns with us first at privacy@amaea.co.uk. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113
- Online: ico.org.uk/make-a-complaint
14. Changes to this notice
We will update this notice when our processing changes materially: new sub-processors, new categories of data, new purposes. Material changes are communicated to firm administrators by email at least 30 days in advance. The current version's date is shown at the top of this page.
| Version | Date | Change |
|---|---|---|
| 2.0 | 19 May 2026 | Full rewrite to the ICO UK GDPR template: controller/processor distinction, lawful basis per purpose, sub-processor inventory, international transfers, full data subject rights, automated decision-making, ICO complaint route. |
| 1.0 | May 2026 | Initial draft. |
This notice has been drafted to meet ICO and UK GDPR transparency requirements. We recommend customers and prospective customers also review our Security page and request a copy of our Data Processing Agreement before onboarding. For any clarification, contact privacy@amaea.co.uk.