Privacy Policy | ImpactOS

1. Introduction

Welcome to ImpactOS. This Privacy Policy explains how we collect, use, disclose, and protect your personal information, including where our systems apply artificial intelligence (AI) to data for reporting, mapping to frameworks, or answering data-driven questions in natural language.

ImpactOS is committed to meeting the requirements of:

UK GDPR and Data Protection Act 2018
ISO/IEC 27001 (Information Security)
ISO/IEC 42001 (AI Management System)

2. Data controller

Evexia Health International Ltd trading as ImpactOS

Registered Office: Woodwater House, Pynes Hill, Exeter EX2 5WR

Contact: James Parkes (Data Protection Officer / AI Governance Lead)

Address: Edgcumbe, Moorhaven, Bittaford, PL21 0EX

Email: james@impactos.tech

Tel: +44 7793 185448

3. Data we process

ImpactOS can process a wide range of internal organisational data, as determined by our clients. This may be ingested via spreadsheets, PDFs, Word documents, data transfers, file feeds, APIs, or MCP connections.

This may include:

Employee and HR data (e.g. payroll, wellbeing scores, engagement data)
Supply chain and environmental data
Learning and development records
Health-related data (special category under GDPR, always aggregated/anonymised)
Derived AI outputs (e.g. framework mapping, social value scoring, natural language answers)

4. Legal basis for processing & cookies

We process data primarily on the basis of contractual necessity (providing our services to clients).

No features of ImpactOS rely on explicit consent, as all health/sensitive data used by AI systems is aggregated and anonymised.

4.1 Data we may collect and process

We may collect and process the following data about you:

Information you give to us: You may give us information about you by filling in forms (e.g. on our 'Contact Us' page) or by contacting us. This may include your name, email address, phone number, and other relevant details you choose to provide.
Information we collect about you: Each time you visit the Website, we may automatically collect web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform; and information about your visit, including the URL clickstream to, through and from the Website (including date and time), time on page, page response times, download errors, length of visits to certain pages, and page interaction information (such as scrolling, clicks and mouse-overs).
Sensitive information: As a provider of employee wellbeing SaaS services, we may collect sensitive health information. This data will be handled with the utmost care and in compliance with relevant data protection regulations.
Information we receive from other sources: We may also receive information about you if you use any of the other websites we might operate or the other services we provide.

4.2 Use of cookies

The Website uses cookies to distinguish you from other users, to improve your experience on our Website, and to recommend content that may be of interest to you.

4.3 How we will use your information

We may use your information for the following purposes:

To respond to any query that you may submit to us
To ensure that our Website's content is presented in the most effective manner for you and your device
We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided, but only if you have given us your consent to do so
To customise the Website according to your interests
To administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey responses
To allow you to participate in interactive features of our service when you choose to do so
As part of our efforts to keep the Website safe and secure
To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you
To comply with the applicable law/s
As we feel is necessary to prevent illegal activity or to protect our interests

5. How we use data & AI

ImpactOS ensures all AI outputs are transparent, with logic explained in each response. Users may score answers and provide feedback, which we review to improve outputs and address any bias or errors.

Reporting: transforming datasets into structured reporting against frameworks
Framework Mapping: linking client data to UK Social Value, TOMs, UN SDGs, etc.
Natural Language Answers: enabling data-driven Q&A in human-readable form

6. Your rights & choices

You have rights to: be informed; access; rectification; erasure; restriction; portability; and to object (including to processing based on legitimate interests).

Contact: james@impactos.tech (we may need to verify your identity).

Withdraw consent (for connected systems): disconnect in the app and/or revoke permissions
Object to analytics: contact us, and we will cease analytics collection and delete associated records where feasible
Account deletion: request deletion at any time. All user-level data is permanently deleted when you delete your account

7. Data retention

Analytics events: deleted after 2 months
Crash diagnostics: retained only as needed for security/stability troubleshooting
Database: fully deleted when a user account is deleted
Operational/debug logs: retained short-term before automatic purge

8. International transfers

ImpactOS is UK-based, but personal data may be processed in the US or other countries. Safeguards include:

UK Addendum to EU Standard Contractual Clauses
Transfer Impact Assessments
Adequacy decisions where available

9. Security measures

Data encrypted at rest and in transit
Single Sign-On (SSO), SCIM, or Okta available for enterprise users (on request)
Role-based access controls applied through the administration portal
Privileged access strictly monitored, logged, and reviewed for anomalies
Alerts generated for any unauthorised or unusual access

10. Incident management

Incidents identified and internally reported within 24 hours
ICO and affected parties notified within 72 hours if a breach occurs
AI-related incidents (bias, errors, unintended outputs) are logged, classified, and corrected

11. Subprocessors

ImpactOS uses trusted subprocessors, including:

AWS — cloud hosting and storage
GitHub — secure code repository and version control
Vercel — application hosting and deployment

12. AI governance

AI-specific controls

All LLM calls keep LLM reasoning, reviewer metadata, and sample evidence.
Model endpoints are configurable via the hardcoded config file with comments on model choice, beyond that there is no explicit model card book keeping.
A custom built testing framework is used to judge bias, fairness and reliability from multiple model providers providing analytics for final human review and decision making.
Frontier models are used which employ their own bias/fairness safeguards and testing frameworks, all of which have been reviewed internally prior to deployment.
No training/tuning is yet employed and as such no documentation exists.
A runbook, changelog and model lineage record is kept internally.

User transparency

All AI generated responses finish with an AI acknowledgment message.
We maintain a single, versioned AI Use Registry (ISO/IEC 42001 Clause 7.4) and present plain-language, point-of-use notices in the product that link to it, satisfying both management-system transparency and legal "just-in-time" disclosure expectations.
The platform is driven by the underlying AI data engine that powers all application functionality.

Governance & review

Privacy Policy Review: We keep this Privacy Policy under regular review to make sure it stays accurate and reflects how ImpactOS manages personal data and AI-related information.

Review cycle: We review the Privacy Policy at least once every 12 months. A mid-year check may also take place if there are updates to our systems, subprocessors, or regulations.

When we trigger an extra review: We will review and, if needed, update this policy whenever there are:

Changes to the way we collect or use data
New features, tools, or integrations added to our platform
Updates to privacy or AI regulations
Security or data-protection incidents that highlight a need for improvement
Approval and versioning

13. Contact & complaints

For any questions or complaints about this policy, contact James Parkes (Data Protection Officer & AI Governance Lead) at james@impactos.tech.

If you are unsatisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO) in the UK.

All subprocessors are contractually bound to protect personal data. A current list is available on request and will be published on our website.

Each review is logged with the date and reviewer's name. The latest approved version replaces all earlier versions and is published on our website.