Privacy Policy

Effective date: 10/10/2025

1. Introduction

Welcome to ImpactOS. This Privacy Policy explains how we collect, use, disclose, and protect your personal information, including where our systems apply artificial intelligence (AI) to data for reporting, mapping to frameworks, or answering data-driven questions in natural language.

ImpactOS is committed to meeting the requirements of:

  • UK GDPR and Data Protection Act 2018
  • ISO/IEC 27001 (Information Security)
  • ISO/IEC 42001 (AI Management System)

2. Data Controller

Evexia Health International Ltd trading as ImpactOS

Registered Office: Woodwater House, Pynes Hill, Exeter EX2 5WR

Contact: James Parkes (Data Protection Officer / AI Governance Lead)

Address: Edgcumbe, Moorhaven, Bittaford, PL21 0EX

Email: james@impactos.tech

Tel: +44 7793 185448

3. Data We Process

ImpactOS can process a wide range of internal organisational data, as determined by our clients. This may be ingested via spreadsheets, PDFs, Word documents, data transfers, file feeds, APIs, or MCP connections.

This may include:

  • Employee and HR data (e.g. payroll, wellbeing scores, engagement data)
  • Supply chain and environmental data
  • Learning and development records
  • Health-related data (special category under GDPR, always aggregated/anonymised)
  • Derived AI outputs (e.g. framework mapping, social value scoring, natural language answers)

4. Legal Basis for Processing & Cookies

We process data primarily on the basis of contractual necessity (providing our services to clients).

No ImpactOS product feature relies on explicit consent as its legal basis, as all health and other sensitive data used by AI systems is aggregated and anonymised before processing.

4.1 We may collect and process the following data:

  • Information you give to us. You may give us information about you by filling in forms (e.g. on our ‘Contact Us’ page) or by contacting us. The information you give to us may include:
    • Your name;
    • Your email address;
    • Your phone number;
    • Other relevant details you choose to provide.
  • Information we collect about you. Each time you visit the Website, we may automatically collect the following information:
    • web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform; and
    • information about your visit, including the URL clickstream to, through and from the Website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).
  • Sensitive information. As a provider of employee wellbeing SaaS services, we may collect sensitive health information. This data is handled with the utmost care and in compliance with relevant data protection regulations.
  • Information we receive from other sources. We may also receive information about you if you use any of the other websites we operate or the other services we provide.

4.2 Use of Cookies

The Website uses cookies to distinguish you from other users, to improve your experience on our Website, and to recommend content that may be of interest to you. For more information, please view our Cookies Policy.

4.3 How We Will Use Your Information

We may use your information for the following purposes:

  • to respond to any query that you may submit to us;
  • to ensure that our Website’s content is presented in the most effective manner for you and your device;
  • to send you periodic promotional emails about new products, special offers or other information we think you may find interesting, using the email address you have provided, but only where you have given us your consent to do so;
  • to customise the Website according to your interests;
  • to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey responses;
  • to allow you to participate in interactive features of our service when you choose to do so;
  • as part of our efforts to keep the Website safe and secure;
  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
  • to comply with the applicable law/s;
  • as we feel is necessary to prevent illegal activity or to protect our interests.

5. How We Use Data & AI

  • Reporting: transforming datasets into structured reporting against frameworks.
  • Framework Mapping: linking client data to UK Social Value, TOMs, UN SDGs, etc.
  • Natural Language Answers: enabling data-driven Q&A in human-readable form.

ImpactOS ensures all AI outputs are transparent, with logic explained in each response. Users may score answers and provide feedback, which we review to improve outputs and address any bias or errors.

6. Your Rights & Choices

You have rights to: be informed; access; rectification; erasure; restriction; portability; and to object (including to processing based on legitimate interests).

  • Withdraw consent (for connected systems): disconnect in the app and/or revoke permissions.
  • Object to analytics: contact us, and we will cease analytics collection and delete associated records where feasible.
  • Account deletion: request deletion at any time. All user-level data is permanently deleted when you delete your account.

Contact: james@impactos.tech (we may need to verify your identity).

7. Data Retention

  • Analytics events: deleted after 2 months
  • Crash diagnostics: retained only as needed for security/stability troubleshooting
  • Database: fully deleted when a user account is deleted
  • Operational/debug logs: retained short-term before automatic purge

8. International Transfers

ImpactOS is UK-based, but personal data may be processed in the US or other countries. Safeguards include:

  • UK Addendum to EU Standard Contractual Clauses
  • Transfer Impact Assessments
  • Adequacy decisions where available

9. Security Measures

  • Data encrypted at rest and in transit
  • Single Sign-On (SSO) and SCIM user provisioning, including via Okta, available for enterprise users (on request)
  • Role-based access controls applied through the administration portal
  • Privileged access strictly monitored, logged, and reviewed for anomalies
  • Alerts generated for any unauthorised or unusual access

10. Incident Management

  • Security incidents are identified and reported internally within 24 hours of detection
  • The ICO and affected parties are notified within 72 hours of our becoming aware of a personal data breach
  • AI-related incidents (bias, errors, unintended outputs) are logged, classified, and corrected

11. Subprocessors

ImpactOS uses trusted subprocessors, including:

  • AWS - cloud hosting and storage
  • GitHub - secure code repository and version control
  • Vercel - application hosting and deployment

All subprocessors are contractually bound to protect personal data. A current list is available on request and will be published on our website.

12. AI Governance

12.1 AI-Specific Controls

  • Every LLM call is logged together with the model's reasoning, reviewer metadata and sample evidence.
  • Model endpoints are set in a configuration file held in the codebase, with comments explaining each model choice; beyond that, no separate model-card record is kept.
  • A custom-built testing framework assesses bias, fairness and reliability across multiple model providers and produces analytics for final human review and decision-making.
  • We use frontier models that carry their providers' own bias and fairness safeguards and testing frameworks; these have been reviewed internally prior to deployment.
  • No model training or fine-tuning is currently performed, so no training documentation exists.
  • A runbook, changelog and model lineage record are kept internally.

12.2 User Transparency

  • All AI-generated responses end with an AI acknowledgement message.
  • We maintain a single, versioned AI Use Registry (ISO/IEC 42001 Clause 7.4) and present plain-language, point-of-use notices in the product that link to it, satisfying both management-system transparency and legal “just-in-time” disclosure expectations.
  • AI processing is not a separable feature: the platform is driven by an underlying AI data engine that powers all application functionality.

12.3 Governance & Review

Privacy Policy Review: We keep this Privacy Policy under regular review to make sure it stays accurate and reflects how ImpactOS manages personal data and AI-related information.

Review cycle: We review the Privacy Policy at least once every 12 months. A mid-year check may also take place if there are updates to our systems, subprocessors, or regulations.

When we trigger an extra review: We will review and, if needed, update this policy whenever there are:

  • Changes to the way we collect or use data
  • New features, tools, or integrations added to our platform
  • Updates to privacy or AI regulations
  • Security or data-protection incidents that highlight a need for improvement

Approval and versioning: Each review is logged with the date and reviewer’s name. The latest approved version replaces all earlier versions and is published on our website.

13. Contact & Complaints

For any questions or complaints about this policy, contact James Parkes (Data Protection Officer & AI Governance Lead) at james@impactos.tech.

If you are unsatisfied with our response, you may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.