Privacy & Data Protection Notice

Our commitment to protecting your privacy and personal data.

Amivest Solutions Limited Privacy & Data Protection Notice

Last updated: 4 August 2025

This privacy and data protection notice tells you what to expect us to do with your personal information and outlines our comprehensive approach to data protection compliance.

Contact Details

Post: 54 Brantfell Road, BLACKBURN, BB1 8DL, GB

Email: info@reawoken.co.uk

Data Protection Officer: Mohammed Amir Elahi (info@reawoken.co.uk)

About Amivest Solutions Limited

Amivest Solutions Limited is a UK-based technology company specializing in the development of AI-integrated software solutions for businesses. Our primary focus is creating innovative tools that help organizations process and analyze data more efficiently while maintaining the highest standards of data protection and security.

Data Protection Policy Framework

Goals of Our Data Protection Approach

Our data protection objectives align with both legal requirements and our commitment to ethical data handling:

  • Transparency: Ensure clear communication about how we process personal data
  • Minimization: Collect and process only the data necessary for legitimate business purposes
  • Security: Implement robust technical and organizational measures to protect personal data
  • Accountability: Demonstrate compliance through comprehensive documentation and regular reviews
  • Individual Rights: Respect and facilitate the exercise of data subject rights
  • Continuous Improvement: Regularly assess and enhance our data protection practices

Security Policy and Responsibilities

Data Protection Leadership:

  • Mohammed Amir Elahi serves as Director and Data Protection Officer, with overall responsibility for data protection strategy and compliance
  • All employees receive regular data protection training through webinars and workshops
  • Commitment to continuous improvement of our data protection management system

Key Responsibilities:

  • Data Protection Officer: Oversees policy compliance, conducts annual reviews, and manages Data Protection Impact Assessments (DPIAs)
  • Engineering Team: Implements technical safeguards, maintains audit logs, and ensures secure data handling
  • All Staff: Undergo mandatory data protection training and follow established procedures

Legal Framework

Our data protection practices comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Relevant provisions of the Data (Use and Access) Act 2025
  • Industry best practices for AI and technology companies

What Information We Collect, Use, and Why

We collect or use the following information to provide AI-integrated software services and solutions:

  • Names and contact details
  • Addresses
  • Date of birth
  • Health information (including dietary requirements, allergies, and health conditions)
  • Health and safety information
  • Website user information (including user journeys and cookie tracking)

We also collect or use the following special category information to provide services and goods, including delivery. This information is subject to additional protection due to its sensitive nature:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Genetic information
  • Health information
  • Sex life information
  • Sexual orientation information

Lawful Bases and Data Protection Rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. Which lawful basis we rely on may affect your data protection rights.

Your Data Protection Rights

  • Your right of access - You have the right to ask us for copies of your personal information and request details about where we get personal information from and who we share it with
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete
  • Your right to erasure - You have the right to ask us to delete your personal information
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information
  • Your right to object to processing - You have the right to object to the processing of your personal data
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you
  • Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time

If you make a request, we must respond to you without undue delay and in any event within one month.

Our Lawful Bases

Consent - We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.

Legitimate Interests - We're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. Our legitimate interests include:

  • Providing efficient AI-integrated software solutions that accelerate business processes
  • Ensuring accurate and secure data processing through our technological infrastructure
  • Meeting our professional obligations to clients while maintaining data security
  • Improving our services through aggregated, anonymized analytics
  • Protecting against fraud and ensuring system security

Technical and Organizational Measures (TOM)

We implement comprehensive security measures based on Article 32 UK GDPR:

Technical Measures

Encryption and Pseudonymization:

  • End-to-end encryption for all data in transit and at rest
  • Encryption keys managed independently from stored data
  • Pseudonymization where technically feasible

Access and Authorization Controls:

  • Role-based access permissions with regular review
  • Multi-factor authentication for system access
  • Comprehensive audit logging of all operations including who performed what actions and when

Data Integrity and Availability:

  • Regular automated backups with encryption
  • Disaster recovery procedures with defined recovery time objectives
  • System monitoring and alerting for security incidents

Organizational Measures

Data Protection by Design and Default:

  • Zero caching by external providers unless specifically configured
  • Privacy-focused system architecture
  • Regular security assessments and updates

Training and Awareness:

  • Mandatory data protection training for all staff
  • Regular workshops and webinars on data protection best practices
  • Ongoing awareness campaigns about data protection responsibilities

Where We Get Personal Information From

  • Directly from you
  • Legal and judicial sector organisations
  • Business partners and clients (in the course of providing AI software solutions)

How Long We Keep Information

Retention Principles

We keep data only as long as one of the following continues to apply:

  • The business purpose for which it was collected remains valid
  • Legal or regulatory requirements mandate retention
  • Legitimate interests require continued processing
  • Contractual obligations necessitate retention

Retention Schedule

Record Type | Purpose | Maximum Retention | Rationale
Client Business Data | Service delivery | Duration of contract + 7 years | Business records requirements
Medical Records (Encrypted) | Legal analysis services | 90 days from upload | Technical processing window
System Audit Logs | Security monitoring | 2 years | Security incident investigation
Employee Training Records | Compliance demonstration | 7 years after employment ends | Regulatory requirements
Support Communications | Customer service | 18 months after resolution | Customer reference needs

Periodic reviews are conducted annually to ensure compliance with retention schedules.

Who We Share Information With

Data Processors

Amazon S3

Amazon Web Services provides cloud object storage. Data is transmitted over TLS, stored encrypted at rest, and kept only in our selected UK/EU AWS regions; access is controlled by our permissions and audit logs. AWS acts solely as an infrastructure provider without access to plaintext content.

Microsoft Azure Read OCR

Converts scanned documents into machine-readable text. Documents travel over HTTPS with TLS 1.2 encryption and are processed in UK regions only. Original images and extracted text are not retained after processing.

Google Cloud's Gemini

Processes text to generate structured summaries for our AI solutions. All data is encrypted in transit, with zero data retention configuration available. Google acts strictly as a processor without independent access rights.

Others We Share Information With

  • Health care providers (where relevant to service delivery)
  • Professional or legal advisors
  • Business partners (only where necessary for service delivery)

Data Subject Rights and Early Deletion

Data subjects may request erasure under Article 17 UK GDPR. Where the business purpose no longer exists, we will expedite secure deletion within 30 days while notifying all subprocessors.

Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for:

  • New AI processing activities involving personal data
  • Changes to existing processing that may increase privacy risks
  • High-risk processing activities as defined by UK GDPR

Incident Response Management

Our incident response procedures include:

  • Immediate containment and assessment
  • Risk evaluation and impact analysis
  • Notification to relevant authorities within 72 hours where required
  • Communication to affected individuals where high risk is identified
  • Post-incident review and system improvements

International Transfers

When we transfer personal data outside the UK, we ensure adequate protection through:

  • Adequacy decisions where available
  • Standard Contractual Clauses (SCCs)
  • Appropriate technical and organizational measures

How to Complain

If you have concerns about our use of your personal data, contact us using the details above.

If you remain unhappy after raising a complaint with us, you can complain to the ICO:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Policy Review and Updates

This notice is reviewed at least annually or sooner if:

  • Underlying law changes
  • New data types or processing activities are introduced
  • Audit findings or security incidents warrant revision
  • Significant changes to our business operations occur

Document Version: 2.0

Next Review Date: August 2026

Approved by: Mohammed Amir Elahi, Director & DPO

Questions About Our Privacy & Data Protection Notice?

If you have any questions or concerns about our privacy practices, please don't hesitate to contact us.