Data Protection Policy

Last Updated: January 12, 2026

1. Purpose and Scope

This Data Protection Policy outlines BLocal AI's commitment to protecting personal data and complying with applicable data protection laws, including the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR), and other relevant legislation.

This policy applies to all personal data processed by BLocal AI, including data about our customers, users, employees, business partners, and other individuals whose data we handle.

2. Data Protection Principles

BLocal AI processes personal data in accordance with the following principles:

2.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about how we collect and use personal data.

2.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

2.3 Data Minimization

We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

2.4 Accuracy

We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay.

2.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

2.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure the security of personal data, protecting it against unauthorized or unlawful processing and accidental loss, destruction, or damage.

2.7 Accountability

We are responsible for and can demonstrate compliance with the data protection principles.

3. Legal Basis for Processing

We process personal data under one or more of the following legal bases:

  • Consent: You have given clear consent for us to process your personal data for a specific purpose
  • Contract: Processing is necessary for a contract we have with you, or to take steps at your request before entering into a contract
  • Legal Obligation: Processing is necessary for us to comply with the law
  • Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, unless there is a good reason to protect your personal data which overrides those interests

4. Data Subject Rights

Individuals have the following rights regarding their personal data:

Right of Access

Request access to your personal data and obtain information about how it is processed

Right to Rectification

Request correction of inaccurate or incomplete personal data

Right to Erasure (Right to be Forgotten)

Request deletion of your personal data in certain circumstances

Right to Restrict Processing

Request restriction of the processing of your personal data in certain circumstances

Right to Data Portability

Request transfer of your personal data to you or to a third party in a structured, commonly used format

Right to Object

Object to processing of your personal data in certain circumstances

Rights Related to Automated Decision Making

Not be subject to decisions based solely on automated processing, including profiling, which produce legal effects

We will respond to requests to exercise these rights within one month, or sooner if required by law.

5. Data Security Measures

BLocal AI implements comprehensive technical and organizational security measures to protect personal data:

5.1 Technical Measures

  • Encryption of data in transit using TLS/SSL protocols
  • Encryption of sensitive data at rest
  • Regular security updates and patch management
  • Intrusion detection and prevention systems
  • Secure backup and disaster recovery procedures
  • Multi-factor authentication for administrative access
  • Regular vulnerability assessments and penetration testing

5.2 Organizational Measures

  • Access controls and the principle of least privilege
  • Employee confidentiality agreements
  • Regular staff training on data protection
  • Clear data protection policies and procedures
  • Incident response and breach notification procedures
  • Data Protection Impact Assessments for high-risk processing
  • Vendor management and due diligence processes

6. Data Breach Management

In the event of a personal data breach, BLocal AI will:

  1. Contain and assess the breach within 24 hours of detection
  2. Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law
  3. Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  4. Document all breaches, including facts, effects, and remedial actions taken
  5. Review and update security measures to prevent similar breaches

7. Third-Party Data Processors

When we engage third-party service providers to process personal data on our behalf, we:

  • Conduct due diligence to ensure they provide sufficient data protection guarantees
  • Enter into written data processing agreements that comply with applicable law
  • Ensure processors only process data according to our documented instructions
  • Monitor processor compliance through audits and assessments
  • Require processors to implement appropriate security measures
  • Ensure processors assist us in responding to data subject requests

8. International Data Transfers

When transferring personal data outside the UK/EEA, we ensure appropriate safeguards are in place:

  • Transfers to countries with adequacy decisions recognized by UK/EU authorities
  • Use of Standard Contractual Clauses (SCCs) approved by relevant authorities
  • Binding Corporate Rules for intra-group transfers
  • Other appropriate safeguards as permitted by law

9. Data Retention and Disposal

We maintain a data retention schedule that specifies:

  • Categories of personal data processed
  • Retention periods for each category
  • Legal or business justification for retention
  • Secure disposal methods when data is no longer needed

Personal data is securely deleted or anonymized when it is no longer necessary for the purpose for which it was collected, unless retention is required by law.

10. Training and Awareness

All BLocal AI employees receive regular training on:

  • Data protection principles and legal requirements
  • Recognizing and reporting security incidents
  • Handling data subject requests
  • Best practices for data security
  • Role-specific data protection responsibilities

11. Accountability and Governance

BLocal AI has appointed a Chief Compliance Officer responsible for:

  • Overseeing data protection strategy and compliance
  • Monitoring compliance with this policy and applicable laws
  • Serving as the point of contact for data subjects and supervisory authorities
  • Conducting Data Protection Impact Assessments
  • Maintaining records of processing activities
  • Coordinating data breach responses
  • Providing advice and guidance on data protection matters

12. Policy Review and Updates

This Data Protection Policy is reviewed annually and updated as necessary to reflect changes in:

  • Legal and regulatory requirements
  • Our business operations and services
  • Technology and security practices
  • Industry best practices and standards

13. Contact Information

For questions about this Data Protection Policy, to exercise your data rights, or to report a data protection concern, please contact:

Chief Compliance Officer: Iolo Jones

Company Address:
The Boathouse
46 Kenavon Drive
Reading RG1 3DH
United Kingdom

Compliance Email: compliance@inchannels.net