Privacy policy (Website)

Privacy Policy

1. Introduction

We are Apomatix Limited, a company incorporated in the United Kingdom, with our registered office at Sovereign House, 212-224 Shaftesbury Avenue, London, United Kingdom, WC2H 8HQ (No. 10240032).

We are registered as a Data Controller with the Information Commissioner’s Office, with the registration number: ZA192435. 

We are committed to protecting and respecting your privacy and we are required to follow the data protection laws and regulations in the UK and other jurisdictions in which we operate.

This Privacy Policy informs you of our policies regarding the collection, use, processing and disclosure of Personal Information when you use our Services (in all forms, including our website and our platform).

This Privacy Policy explains:

  •         Why we are able to process your information
  •         What purpose we are processing it for
  •         Whether you have to provide it to us
  •         How long we store it for
  •         Whether there are any other recipients of your personal information
  •         Whether we intend to transfer it to another country, and
  •         Whether we do automated decision-making or profiling.

Apomatix Limited is the controller for the personal information we process, unless otherwise stated. 

If you have any questions about this Privacy Policy, or any other data protection queries, please contact our Data Protection & Privacy Lead (Matthew Quinn) at

2. Personal Information (legal basis of processing, collection of personal data, categories of personal data, use of personal data, and retention periods)

Personal Information is information about a living individual and includes, but is not limited to, a living individual’s name, email address, phone number, postal address, age, birth date, gender, Internet Protocol (“IP”) address, username, password and other registration information, personal description, photograph and other information with which it is possible to identify a living individual (“Personal Information”).

Legal basis of processing

Apomatix may process Personal Data relating to users of our Services if one of the following applies:

        Users have given their consent for one or more specific purposes. Note: Under some legislation, Apomatix may be allowed to process Personal Data until the User objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply whenever the processing of Personal Data is subject to European data protection law;

        provision of Data is necessary for the performance of an agreement with the user and/or for any pre-contractual obligations thereof;

        processing is necessary for compliance with a legal obligation to which Apomatix is subject;

        processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Apomatix;

        processing is necessary for the purposes of the legitimate interests pursued by Apomatix or by a third party.

In any case, Apomatix will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Collection of personal information  

While using our Services (Platform and Website), we may ask you to provide us with certain Personal Information.

For the Platform this includes information you directly provide:

  •         when you register to use the Services;
  •         when you pay for the Services;
  •         when you download or register the Services;
  •         when you use or interact with the Services;
  •         when you contact us, such as to report a problem with our Platform;
  •         when we ask you certain scoping questions prior to commencement of your use of the Apomatix technology;
  •         when we ask you to complete certain questionnaires to allow Apomatix to provide its services and to allow the Apomatix technology to be used for its purpose; or
  •         when we provide online calendar and other tools to help you manage identified risks, tasks, communication and deadlines.

We also collect:

  •         information that your device sends whenever you use the Services (“Log Data”). This Log Data may include information such as the IP address, location, the time and date of your use of the Services, and key words used on the Services.
  •         Cookies – to learn more and for a detailed cookie notice, please see our Cookie Policy. 

For the Website this includes information you directly provide:

  •         when you contact us via our contact form or live chat
  •         when you sign up to our mailing list

We also collect:

  •         Cookies – to learn more and for a detailed cookie notice, please see our Cookie Policy.

Categories of personal information

For the platform we process the following Personal Information you directly provide:

  •         Full Name
  •         Email Address
  •         Phone Number (only used for two factor authentication)
  •         Country
  •         Payment information
      o   Credit, Debit or Payment Card information
      o   Billing Address
      o   Bank details
      o   Full name of Cardholder

We also process Log Data:

  •         IP Address
  •         Location
  •         Time and date of your use of the Platform


  •         Cookies – please see separate Cookie Policy for more information

For the website we process the following Personal Information you directly provide:

  •         Full Name
  •         Email Address

We also process:

  •         Cookies – please see separate Cookie Policy for more information

Use of personal information

We may use Personal Information in the following ways:

  •         for providing and improving the Services, including to improve, test and monitor the effectiveness of our Services, extract metrics (e.g. number of visitors, traffic and demographic patterns), to test and develop new products and features, or to fix technology problems;
  •         by aggregating it with any other category of information for the purposes of internal analytics.
  •         When you initiate an assessment or a similar process of one of your suppliers (also known as third party supplier, vendor) or other projects, the Apomatix platform will send invitations, notifications, reports or messages generated by you to the selected person(s) using your Username (or Name, Full Name or company / organization name) as the requestor of an assessment. This allows the third party you have requested to identify the request as being generated by you.
  •         When you are a third party supplier, vendor or provider of services to an Apomatix client (customer or user) and they (the requesting party) have initiated and invited you to participate and complete an online questionnaire to allow Apomatix to provide its services to you and to your client (the requesting party) in the form of assessing and managing your risks as a supplier to the client (the requesting party), Apomatix will allow your client (the requesting party) to view your risk assessment and management results. This allows your client (the requesting party) to understand and manage risks that your relationship to them as a supplier may pose to their own business.
  •         When you are a third party supplier, vendor or provider of services to an Apomatix client (customer or user) and they (the requesting party) have initiated and invited you to participate and complete an online questionnaire we may use your Username (or Name, Full Name or company / organization name) in the notifications, reports or your messages sent to your client (the requesting party). This allows your client (the requesting party) to identify the messages, reports, or notifications as being generated by you.
  •         System notifications will be sent to the email address you have provided during sign-up or edited in your settings page or asked us to amend. 
  •         When subscribing to Apomatix, we may request your credit, debit or payment card details, billing address, bank account details, name on the card or other information to allow us to process your payments for the Apomatix service and subscription. Financial and related information will be held by third parties and will be specified on the payment form.

Personal information retention periods

We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

3. Recipients of your personal information

We use three third parties to process your personal information (we have contractual agreements in place with all of them).

  1. Microsoft Azure – for hosting services
     - Privacy Policy:
  2. Sendgrid – for email fulfilment
     - Privacy Policy:
  3. Help Scout – for live chat and ticketing services
     - Privacy Policy:

4. Disclosure of your information

We will not use or share Personal Information with anyone except as described in this Privacy Policy.


5. Data Subject Rights

Data subjects may exercise certain rights regarding their data processed by Apomatix.

In particular, data subjects have the right to do the following:

        Withdraw their consent at any time. Data subjects have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

        Object to processing of their Data. Data subjects have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.

        Access their Data. Data subjects have the right to learn if Data is being processed by Apomatix, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.

        Verify and seek rectification. Data subjects have the right to verify the accuracy of their Data and ask for it to be updated or corrected.

        Restrict the processing of their Data. Data subjects have the right, under certain circumstances, to restrict the processing of their Data. In this case, Apomatix will not process their Data for any purpose other than storing it.

        Have their Personal Data deleted or otherwise removed. Data subjects have the right, under certain circumstances, to obtain the erasure of their Data from Apomatix.

        Receive their Data and have it transferred to another controller. Data subjects have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the data subject’s consent, on a contract which the data subject is part of or on pre-contractual obligations thereof.

        Lodge a complaint. Data subjects have the right to bring a claim before their competent data protection authority.

Any requests to exercise data subject rights can be directed to the Data Protection Lead by emailing These requests can be exercised free of charge and will be addressed by Apomatix as early as possible, and always within one month. Please note that if you ask us to delete Personal Information you have supplied, we may no longer be able to provide the Service to you and may terminate your license to use the Services in accordance with our Terms.

6. International Transfers

The Services are global. Your information, including without limitation, Personal Information you submit, may be transferred to and maintained on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside the United Kingdom and choose to provide information to us, please note that we transfer the information, including Personal Information, to the United Kingdom and process it there.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

The Personal Information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers, service providers or partner entities. By submitting Personal Information, you agree to this transfer, storing or processing. We will take such steps as are reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

7. Automated decision making

Our services do not involve any automated decision making or profiling.

8. Cookies

Our platform and website use cookies to distinguish you from other users of our website and platform. This helps us to provide you with a good experience when you browse our website and/or use our platform. For more detailed information on the cookies we use, please see our Cookie Policy.

9. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on the Services.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are updated by us.

10. Governing Law and Jurisdiction

This Privacy Policy and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by and construed in accordance with the laws of England. We irrevocably agree with you that the courts of England have exclusive jurisdiction to settle any disputes or claims arising out of or in connection with this Privacy Policy, its subject matter or its formation (including non-contractual disputes or claims).