GraphAware Website Privacy Policy Notice

Who We Are and Scope

Graph Aware Limited, a UK-based international software company with entities in the EU (Italy and Czech Republic) and Australia, acts as the controller for personal data processed through our website, client services, recruitment activities, events, and related operations. This policy complies with UK GDPR and EU GDPR, covers customers, prospects, website users, job applicants, and candidates (not intended for children), and explains how personal data is collected, used, shared, protected, transferred, and what rights individuals have under applicable data protection laws; where relevant, specific controllers are identified at the point of collection. Our compliance team oversees data protection matters and can be contacted at gdpr@graphaware.com for all privacy-related queries, including requests to exercise data subject rights or obtain further information about this notice.

Personal Data We Collect

We may collect the following categories of personal data, depending on how you interact with us:

  1. Identity: name, username, title, date of birth, gender, pronouns.
  2. Contact: corporate/personal email address, phone number, postal address, company/employer details.
  3. Financial/transaction: payment details, invoicing information, transaction history in relation to our products and services.
  4. Technical: IP address, browser type and version, operating system, device identifiers, cookie identifiers, time zone, approximate location, and other information from server logs.
  5. Profile/usage: interests, interaction history with our website, services, and communications, feedback, employment details, job title, project information, education history, references, and communication preferences.
  6. Marketing data: marketing preferences, subscription and unsubscribe information, engagement metrics, and campaign interaction data.
  7. Special categories and criminal data (recruitment/compliance only): information relating to criminal convictions, security clearances, right-to-work documentation, and related vetting information where required by law or our legitimate interests in protecting our business (e.g., fraud and IP protection), subject to appropriate safeguards and data minimisation.

We also generate aggregated or anonymised statistics for analytics and reporting, which do not identify individuals; such data is not treated as personal data where irreversibly anonymised. No special category data is intentionally collected for general marketing purposes.

How We Collect Data

We collect personal data from a range of sources:

Directly from you:
Forms on our website or landing pages (including mandatory marketing consent checkboxes where required), emails and correspondence, business cards, event badge scans or attendee lists when you register for or attend our events, job applications (including CVs, cover letters, references), account registrations, support tickets, meetings, interviews, and calls (which may be recorded for training, quality, or evidential purposes).

Automatically:
Cookies and similar technologies (see Cookies below), server and application logs, usage data from our website and online services, and tracking pixels within emails or web pages that help measure engagement and performance.

Third parties:
Advertising and analytics providers (such as Google, LinkedIn, Microsoft Advertising and Reddit Advertising) for clicks, conversions, and campaign performance; partners; event organisers, through badge scans or attendee lists, when you register for or attend an event we have organised or participated in; public and professional sources (including prior employers and online professional profiles); regulators and public authorities where legally permitted or required; recruitment vendors and background-check providers (such as DBS and Access NI checks); processors used for HR, timesheets, CRM and marketing (including BambooHR, Harvest, HubSpot); and reputable marketing lists or data aggregators, always in line with applicable law and contractual assurances. In many cases, data from these sources is synchronised into HubSpot or other systems we use for centralised management and analysis.

Cookies

Cookies and similar technologies are used to support site functionality, analytics, marketing (including Microsoft Ads and Reddit Ads), and security. These technologies allow us to recognise your browser or device, understand how our services are used, improve the user experience, and measure the effectiveness of our communications. Cookie use is managed via a Cookiebot banner that enables granular consent by category (strictly necessary cookies are non-optional because they are required for core functionality). Cookie details are reviewed and updated periodically, and you can request further information by contacting gdpr@graphaware.com.

Cookie categories

Strictly Necessary
  Purpose: Security, load balancing, login, form submissions, captcha validation, and core performance
  Examples / Vendors: Cloudflare, Google reCAPTCHA, HubSpot (bot detection and forms), essential session cookies
  Typical Duration: Session to 1 year

Statistics/Performance
  Purpose: Usage analytics, service improvement, performance measurement, and video support
  Examples / Vendors: HubSpot tracking cookies, Google Analytics (aggregated reporting), Vimeo, Spotify (podcast embeds), YouTube
  Typical Duration: Up to 14 months (reset on visit)

Marketing
  Purpose: Measuring ads effectiveness, lead scoring and profiling (e.g., job title, email domain, country, engagement), campaign tracking, and personalisation
  Examples / Vendors: HubSpot (user tracking), YouTube, Google Analytics, Google Ads, Microsoft Ads, Reddit Ads
  Typical Duration: Until opt-out plus 30 days

Functional/Preferences
  Purpose: Remembering consent settings, preferences, and supporting embeds or widgets
  Examples / Vendors: Cookiebot, Breezy (job adverts), Microsoft Teams (webinar data)
  Typical Duration: Up to 12 months

Alongside cookies, we sometimes use similar technologies to understand how visitors interact with our email marketing.

  1. Tracking pixels – our newsletters, marketing emails and some individual sales emails contain a pixel-sized image known as a tracking pixel. When this image is ‘opened’ in an email, some information, including the time at which the newsletters/emails are opened by you, the email client you are using and the links you click in the email, is collected and used to help us evaluate the effectiveness of our communications and marketing campaigns.
  2. Personalised URLs – some emails you receive from us may contain personalised URLs. This means they contain a unique set of numbers and letters that tie your website behaviour to specific email campaigns, helping us to evaluate the effectiveness of our communications and marketing campaigns.

If you do not want your newsletters/emails to be tracked in this way, you can disable automated image loading in your email client.

You can manage non-essential cookies and similar technologies at any time through the Cookiebot preference centre on our site (including withdrawing consent). Email-based preferences can be managed via HubSpot unsubscribe links or by contacting gdpr@graphaware.com. We do not sell personal data and aim to comply with applicable PECR and UK/EU GDPR rules on consent and transparency. Marketing and ad-related data may be pseudonymised or aggregated, and is processed in line with data processing agreements concluded with our providers.

Purposes, Legal Bases, and Retention

The table below summarises the main purposes for which we process personal data, the categories of data involved, the corresponding legal bases under UK/EU GDPR, legitimate interests where applicable, and typical retention periods.

Provide and improve products and services
  Data Types: Identity, contact, financial/transaction, customer representative employment details where relevant, video call recordings, account data, product usage
  Legal Bases (UK/EU GDPR): Contract; Consent; Legal obligation (e.g., tax)
  Legitimate Interests (where applicable): Ensuring service quality, understanding usage, and responding to enquiries
  Retention Period: Contractual relationship plus 6 years (tax/legal)

Recruitment (applications, vetting, onboarding)
  Data Types: Identity, contact, CV and employment history, education, references, right-to-work documentation, criminal convictions and background-check data, National Insurance number, copies of ID
  Legal Bases (UK/EU GDPR): Contract; Legal obligation (employment, right-to-work); Consent where required for specific checks
  Legitimate Interests (where applicable): Conducting fair and effective recruitment, ensuring suitability/trustworthiness for high-risk roles, protecting IP and preventing fraud
  Retention Period: Up to 6 months after recruitment process closure for unsuccessful candidates (unspent criminal data only), or up to 6 years where needed for legal claims or record-keeping

Operate accounts; handle queries, complaints, and claims
  Data Types: Identity, contact, financial, purchase history, support and call data, location, communications
  Legal Bases (UK/EU GDPR): Contract; Legal obligation; Legitimate interests
  Legitimate Interests (where applicable): Maintaining accurate records, customer service operations, and resolving disputes
  Retention Period: As needed during relationship plus up to 6 years

Marketing, newsletters, and updates (including HubSpot sequences); process forms (demos, webinars, e-books, trials); analytics and lead scoring / profiling
  Data Types: Identity, contact, usage, marketing and preference data
  Legal Bases (UK/EU GDPR): Consent; Legitimate interests
  Legitimate Interests (where applicable): Business growth, informing customers about relevant products/services, and tailoring communications
  Retention Period: Until opt-out plus 30 days; disengaged/hard-bounce contacts are suppressed earlier where appropriate

Crime prevention, security, fraud/abuse detection
  Data Types: Identity, technical, location, profile and engagement data
  Legal Bases (UK/EU GDPR): Legitimate interests; Legal obligation
  Legitimate Interests (where applicable): Ensuring network and information security, protecting IP and confidential information, improving site performance, and assessing lead quality
  Retention Period: Analytics data (e.g., cookies) generally up to 14 months; profile and suppression lists retained as long as necessary for security and suppression purposes

Research, product development, surveys, and events follow-up
  Data Types: Identity, contact, usage, profile information, feedback, survey responses
  Legal Bases (UK/EU GDPR): Consent; Legitimate interests
  Legitimate Interests (where applicable): Developing and improving products and services, understanding customer needs, and evaluating events
  Retention Period: Typically up to 12 months after the relevant event or project, unless longer retention is legally required

Retention periods may be extended where required by law (e.g., tax or accounting rules) or where necessary to establish, exercise, or defend legal claims. After the applicable period, data is securely deleted, anonymised, or archived in accordance with our retention schedule.

You can opt out of marketing at any time using unsubscribe links in our communications, updating your preferences, or contacting us directly. Sales emails are normally addressed to specific business contacts and respect applicable soft opt-in and objection rules.

Sharing Your Data

We share personal data only as necessary and proportionate for the purposes described above, subject to appropriate contractual and security safeguards.

Processors and affiliates acting under our instructions:

  1. CRM, marketing, and communication tools such as HubSpot for forms, email campaigns, tracking, lead scoring, and related processing.
  2. HR and people platforms such as BambooHR (HR and recruitment records), BreezyHR (recruitment workflows), and Harvest (time tracking and billing).
  3. Cloud infrastructure, analytics, and collaboration services such as Google (Analytics, Ads, reCAPTCHA, Google Workspace), LinkedIn, Slack, Microsoft Teams, Vimeo, Spotify, YouTube, Breezy, Cloudflare, Cookiebot, and Atlassian Confluence.
  4. Graph Aware Limited affiliates from Italy, Czech Republic, and Australia (Graph Aware S.R.L., Graph Aware s.r.o., GraphAware APAC Pty Ltd.) which may act as processors or sub-processors for group-wide services such as shared support, development, and coordinated recruitment, under binding instructions and appropriate safeguards.

Other recipients (typically independent controllers or joint recipients in a specific context):

  1. Group entities where they determine their own purposes and means.
  2. Professional advisers (legal, accounting, audit), insurers and insurance intermediaries, regulators, supervisory authorities, courts and tribunals, and law-enforcement agencies where necessary.
  3. Event partners, sponsors, and recruitment agencies/vendors involved in co-hosted events, referrals, or candidate placement.

We require service providers processing personal data on our behalf to enter into written data processing agreements that include confidentiality, security obligations, restrictions on sub-processing, and requirements to act only on our documented instructions. They may not use personal data for their own independent purposes without a separate lawful basis and appropriate transparency. For a current list of sub-processors, or details about particular recipients, you can contact us at gdpr@graphaware.com.

These recipients may act either as processors (following our instructions) or as independent controllers under their own privacy notices. In each case, we aim to ensure GDPR-compliant contracts are in place, including appropriate security measures, limits on sub-processing without our approval, and safeguards for international transfers.

International Transfers

Because GraphAware operates internationally, personal data may be transferred and accessed across borders as necessary to provide services and run group operations.

Transfers within the EEA/UK:
Transfers between the UK and EEA (for example to entities in Ireland or other EU Member States, and vice versa) take place under the UK adequacy regulations and the EU–UK adequacy decision, meaning that an essentially equivalent level of protection is recognised between these jurisdictions.

Transfers to other countries (e.g., US and Australia):
Where personal data is transferred to countries that do not benefit from an adequacy decision, we rely on appropriate safeguards under UK GDPR and EU GDPR Chapter V. These typically include:

  1. UK International Data Transfer Agreements (IDTAs) or Addenda;
  2. Standard Contractual Clauses (SCCs) adopted by the European Commission;
  3. Binding Corporate Rules (BCRs) where applicable; and
  4. Supplementary technical and organisational measures, guided by transfer impact assessments (TIAs), to address local legal risks and ensure equivalent protection.

Recipients include certain service providers (e.g., HubSpot, Google, Microsoft, and other cloud or SaaS vendors) and affiliates providing support from outside the UK/EEA.

We periodically review transfer arrangements and safeguards in light of evolving legal requirements and guidance. You can request further details about specific international transfers, or copies of relevant safeguards (subject to redactions for security and confidentiality), by contacting gdpr@graphaware.com.

Data Security

We take the security of personal data seriously and implement appropriate technical and organisational measures designed to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Security measures

Depending on the systems and data involved, these measures may include:

  1. Encryption of data in transit (e.g., TLS) and at rest where appropriate.
  2. Role-based access controls and least-privilege principles, with need-to-know access, multi-factor authentication, and centralised identity management.
  3. Network and application security measures, including firewalls, intrusion detection/prevention, DDoS mitigation (e.g., through Cloudflare), and secure software development practices.
  4. Endpoint security measures applied to company-managed laptops and mobile devices.
  5. Regular monitoring, logging, and review of access and activity.
  6. Vendor due diligence and contractual security obligations for third-party service providers.
  7. Employee and contractor training on data protection, confidentiality, and information security policies.
  8. Incident and breach response plans, including procedures for investigation, containment, and remediation.

If a personal data breach occurs that is likely to result in a risk to individuals’ rights and freedoms, we will assess the incident promptly and, where required, notify competent supervisory authorities (such as the ICO) within the applicable time limits and, in high-risk cases, inform affected individuals without undue delay.

Your Rights

Data subjects have the following rights under UK GDPR and EU GDPR (Articles 15-22), which can be exercised free of charge (unless requests are manifestly unfounded or excessive) with identity verification.

Below is a summary of these rights and how to exercise them.

Right of Access (SAR)

You can confirm whether we process your data, access a copy, and get processing details (purposes, categories, recipients, retention, safeguards). Email a written request to gdpr@graphaware.com.

Rectification, Erasure, Restriction, Portability

  • Rectification: ask us to correct inaccurate data, or add information where our data is incomplete.
  • Erasure (“right to be forgotten”): instruct us to delete personal data that is no longer needed for our purposes, if you withdraw your consent (and we have no other legal basis to keep it), if you successfully object to our processing, or if we’ve processed it unlawfully.
  • Restriction: we’ll pause processing your personal data if you contest its accuracy (while we verify it), if processing is unlawful but you don’t want it deleted, if we need it to defend or pursue legal claims, or while we’re reviewing your objection.
  • Portability: obtain your data in a structured, commonly used, machine-readable format.

Right to Object

You can object at any time to processing based on our legitimate interests, profiling, or direct marketing. We’ll stop unless we have compelling reasons that override your rights, or we need the data for legal claims. Objections to marketing will always be honoured. To opt out, use the unsubscribe links in our emails, adjust your preferences in Cookiebot, or contact us at gdpr@graphaware.com.

Right to Withdraw Consent

You can withdraw your consent at any time. This will not affect the lawfulness of processing carried out before you withdrew consent. To update your cookie preferences, use Cookiebot; to stop marketing emails, use the unsubscribe link in our emails; or contact us at gdpr@graphaware.com.

Automated Decisions and Profiling

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Limited profiling does occur, for example lead scoring based on job title, email domain, country and engagement as described under Cookies; you can object to this profiling as set out under Right to Object.

How we handle requests

  1. Requests can be made free of charge, unless manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request, as permitted by law).
  2. We may ask for additional information to verify your identity before responding, particularly where sensitive data or large volumes of data are involved.
  3. We aim to respond within one month of receipt. For particularly complex or numerous requests, this period may be extended by up to two further months; if so, we will inform you of the extension and reasons.
  4. Some rights may not apply in particular contexts (for example, where retention is required by law, or where disclosure would adversely affect others’ rights). In such cases, we will explain the legal basis relied upon.

To exercise any of these rights or raise questions about our handling of personal data, contact gdpr@graphaware.com.

Complaints and Changes

If you have concerns about how we handle personal data, you are encouraged to contact our compliance team at gdpr@graphaware.com in the first instance so that we can seek to resolve the issue. You also have the right to lodge a complaint with your local supervisory authority; for the UK, this is the Information Commissioner’s Office (ICO), which can be contacted at:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint

This privacy notice may be updated periodically to reflect changes in our processing activities, technologies, services, or legal requirements. The effective date will be indicated at the top of the notice. Where changes are material, we will take reasonable steps to inform you (for example, by email or prominent notice on our website). This notice does not cover third-party websites or services that have their own privacy notices; users are encouraged to review those notices when interacting with third-party content or services.