Coaims Privacy Policy & Data Protection Framework

  • Coaims (“we,” “our,” “us”) is committed to protecting the privacy of individuals whose data we process. This Privacy Policy explains how we collect, use, store, share, and protect personal information across our services, and sets out the governance and compliance arrangements required under the UK GDPR, the Data (Use and Access) Act 2025 (DUAA), and other applicable international regulations. It applies to users of our platforms and applications, our clients and business partners, our employees and contractors, and all third-party vendors or sub-processors engaged by us.
  • We collect and process several categories of personal data, including account details such as name, email, phone number, and organization information; usage data such as IP addresses, device identifiers, and activity logs; support data generated through communications with our support teams; payment data including billing and transaction history; employee and contractor information processed for HR, payroll, and compliance; and client data processed under contractual agreements. This information is used to provide and improve our services, manage accounts and transactions, deliver updates and alerts, comply with legal and regulatory obligations, and maintain the security of our systems. We process data only on lawful bases, including contractual necessity, legitimate interests, consent (where required, such as for marketing or cookies), and legal obligations.
  • Our approach to privacy and security is grounded in privacy by design and by default. Systems are designed to minimize exposure and to protect the confidentiality, integrity, and availability of data. We encrypt data in transit with TLS 1.3 and at rest with AES-256, enforce multi-factor authentication and role-based access controls, continuously monitor and log system activity, and conduct regular penetration tests and vulnerability assessments. All employees receive mandatory privacy and security training on induction and annually thereafter, and specialized training is given to high-risk teams.
  • Coaims shares personal data only with authorized vendors, service providers, and sub-processors who are contractually bound by Data Processing Agreements (DPAs). Our sub-processors include established providers such as AWS and Microsoft Azure for cloud infrastructure, Stripe for payments, Zendesk for support, and Google Analytics for consent-based analytics. All sub-processors are reviewed annually, and clients are notified of any changes. When personal data is transferred outside the UK to a country not recognised as adequate, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as appropriate safeguards, supported by documented Transfer Risk Assessments (TRAs). We do not sell personal data.
  • We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law. For example, account data is retained for the life of the account plus two years, payment data is retained for seven years in line with financial regulations, support data is retained for three years, and HR data is retained for the period of employment plus seven years. System access logs are kept for one year, and incident logs for five years, after which all data is securely deleted, anonymized, or destroyed with audit trails maintained.
  • Our Incident and Risk Management framework ensures that all security incidents are logged, assessed, and resolved promptly. Personal data breaches are reported to the Data Protection Officer (DPO) immediately and, where required, to the Information Commissioner’s Office (ICO) within 72 hours of our becoming aware of them; affected users and clients are notified without undue delay where the breach is likely to result in a high risk to them. Post-incident reviews are conducted to identify root causes and implement preventive measures. A comprehensive Risk Register is maintained and reviewed quarterly, with treatment plans for identified risks.
  • You can exercise your rights over your personal data at any time. Under the UK GDPR and DUAA, you have the right to access, rectify, or erase your data, to restrict or object to processing, to request data portability, and to withdraw consent at any time where consent is the basis of processing. Requests can be made to our Data Protection Officer at dpo@coaims.com and will be answered within the statutory timelines (normally one month). Cookie preferences and consent choices can be managed via our Consent Management Platform.
  • Employee and contractor data is processed solely for HR, payroll, and compliance purposes, with access strictly limited to authorized HR and management personnel. Vendors and contractors with access to our systems must sign security agreements and meet our standards for access control, logging, and monitoring. Unauthorized access or misuse of data is treated as a security incident and escalated under our Incident Management Policy.
  • Oversight of data protection and compliance lies with our appointed DPO, who ensures regulatory adherence and acts as the primary point of contact for users, clients, and regulators. The IT Security team is responsible for implementing and maintaining technical safeguards, while Compliance and Audit teams conduct regular reviews of data processing, vendor agreements, and internal practices. All policies, including this Privacy Policy, are reviewed annually or earlier where regulations, technology, or business processes change significantly.
  • Coaims is dedicated to transparency, accountability, and continuous improvement in privacy and data protection. This Privacy Policy is both a user-facing statement of our commitments and a regulatory-grade compliance framework, integrating records of processing activities, data retention schedules, sub-processor oversight, incident and risk management, and international transfer assessments.
  • For questions, complaints, or requests relating to your personal data, please contact our Data Protection Officer (DPO) at dpo@coaims.com.