Draft for review

Privacy Notice

This notice explains how Buddico Ltd handles personal data as a company, including company administration, contracts, service support, security, compliance and legal obligations.

Owner: Amy Cox, Director and Data Protection Lead / designated DPO

Supporting owner: Dr Anjan Chakraborty, Director, SIRO and IT Lead

Version: 0.1, draft for review

Intended public location: https://buddico.com/privacy

1. Who We Are

Buddico Ltd provides technology and support services, including services supplied to health and care organisations.

Buddico Ltd is registered with the Information Commissioner's Office under registration number ZC101141.

Data protection contact

  • Amy Cox, Director and Data Protection Lead / designated DPO
  • Email: [email protected]
  • Postal address: 38 Halstead Gardens, London N21 3DX

2. When This Notice Applies

This notice explains how Buddico Ltd handles personal data as a company.

It applies where Buddico processes personal data for its own company purposes, such as company administration, contracts, supplier management, website enquiries, service support, security, compliance and legal obligations.

Where Buddico provides systems or services to a customer and processes personal data on that customer's behalf, the customer is normally the controller and Buddico acts as processor. In that situation, the customer's own privacy information will usually explain the main purpose and lawful basis for the processing, and Buddico will support the customer under its contract.

Supplementary service privacy information may be provided where a particular Buddico service needs more specific information.

3. Personal Data We Process

Buddico may process the following categories of personal data:

  • names, roles, organisations and business contact details;
  • customer, supplier, contractor and professional contact records;
  • contract, support, service, meeting and correspondence records;
  • system user identity, access role, authentication and audit log records;
  • security, incident, risk, action and assurance records;
  • training, policy acknowledgement and access review records;
  • website enquiry and communication records;
  • customer/controller data processed through Buddico systems and services, where Buddico acts as processor.

Customer/controller data may include records supplied by or entered by authorised customer users. Buddico does not decide the purposes of that controller data unless a separate agreement or legal obligation says otherwise.

4. How We Collect Personal Data

Buddico may collect personal data:

  • directly from you;
  • from your employer or organisation;
  • from customer/controller systems or authorised users;
  • through contracts, support requests, meetings and email;
  • through Buddico systems, security controls and audit logs;
  • from suppliers, professional advisers, public sources or regulators where relevant.

5. Why We Use Personal Data

Buddico uses personal data to:

  • provide, manage and support Buddico systems and services;
  • manage customer, supplier and professional relationships;
  • respond to enquiries and support requests;
  • operate contracts and service arrangements;
  • maintain security, access control, audit logs and incident records;
  • manage company governance, assurance, training, risk and DSPT compliance;
  • meet legal, accounting, tax, regulatory and contractual obligations;
  • investigate incidents, complaints, security concerns and service issues;
  • protect Buddico's systems, customers and business.

6. Lawful Bases

Buddico relies on one or more of the following lawful bases:

  • contract performance, where processing is needed to enter into or perform a contract;
  • legal obligation, where processing is needed to comply with law or regulation;
  • legitimate interests, where processing is necessary for business administration, service operation, security, quality improvement, governance, audit, support, fraud prevention or legal protection and those interests are not overridden by individual rights;
  • consent, where consent is appropriate and you have a genuine choice.

Where Buddico acts as processor for a customer/controller, the customer/controller is responsible for identifying the lawful basis for its own processing.

7. Special Category Data

Buddico does not seek to collect special category data for its own company administration unless it is necessary and lawful.

Where customer/controller records include health-related or other special category data, the customer/controller determines the applicable Article 9 condition and Buddico processes that data only on documented instructions unless required by law.

Users of Buddico systems should not submit unnecessary patient-identifiable, clinical or special category data.

9. Who We Share Personal Data With

Buddico may share personal data with:

  • authorised Buddico directors, staff and contractors;
  • the customer/controller responsible for the data;
  • suppliers and sub-processors that support Buddico systems, hosting, email, security, source control, support, administration or professional services;
  • professional advisers, auditors, insurers and legal advisers;
  • regulators, law enforcement or public authorities where required by law;
  • another organisation where required to protect systems, investigate an incident, perform a contract or comply with legal obligations.

Buddico requires suppliers and sub-processors to provide appropriate data protection and security commitments where they process personal data.

Current and planned suppliers/sub-processors or supporting services include:

  • Synology NAS hosting/storage;
  • Microsoft Azure as the expected future hosting platform;
  • Microsoft Office / Microsoft 365 email, including [email protected];
  • DNS/domain services for buddico.com, buddico.ai and buddico.co.uk;
  • Git/GitHub for source control;
  • AI providers Anthropic, OpenAI and Google, where AI-supported services are used.

10. International Transfers

Some suppliers may process personal data outside the UK.

Where this occurs, Buddico will use appropriate safeguards required by UK data protection law, such as adequacy regulations, standard contractual safeguards, the UK International Data Transfer Agreement or UK Addendum, or another lawful transfer mechanism.

Buddico currently has no confirmed personal data processing outside the UK. Buddico relies on supplier data processing agreements and international transfer safeguards in supplier terms, including the UK Addendum to EU Standard Contractual Clauses or the UK International Data Transfer Agreement where applicable.

11. How Long We Keep Personal Data

Buddico keeps personal data only for as long as needed for the purpose for which it was collected, unless a longer period is required by contract, law, audit, dispute management, security, compliance or controller instruction.

Current retention evidence includes:

  • service feedback records: 3 years where applicable;
  • governance, learning, incident and action records: 6 years where applicable;
  • audit logs: at least 12 months where technically available;
  • security, supplier, compliance and DSPT evidence records: retained as needed to evidence compliance and manage contractual obligations.

Where Buddico acts as processor, customer/controller data is returned, deleted, exported or retained according to the contract and documented controller instructions.

12. Your Rights

Depending on the circumstances, you may have the right to:

  • be informed about how your personal data is used;
  • access your personal data;
  • correct inaccurate personal data;
  • ask for personal data to be erased;
  • ask for processing to be restricted;
  • object to certain processing;
  • receive certain personal data in a portable format;
  • withdraw consent where processing is based on consent;
  • challenge decisions based solely on automated processing where this applies.

Buddico does not currently make solely automated decisions with legal or similarly significant effects.

To exercise your rights, contact [email protected].

If your request relates to data for which a Buddico customer is the controller, Buddico may need to pass the request to that customer and support them in responding.

13. Complaints

Please contact Buddico first at [email protected] so the issue can be reviewed.

You also have the right to complain to the Information Commissioner's Office.

14. Security

Buddico uses technical and organisational measures to protect personal data, including access controls, least privilege, MFA where supported, approved devices, encryption where applicable, audit logging where available, supplier review, backup controls, incident response and staff training.

No system can be guaranteed completely secure. Buddico keeps controls under review and records improvement actions through its risk register and action log.

15. Changes to This Notice

Buddico reviews this notice at least annually and sooner after material changes to processing, systems, suppliers, hosting, incidents, legislation or DSPT requirements.

The current approved version should be published at https://buddico.com/privacy.