
Data Protection Policy

How CompleteFlow Ltd processes personal data on behalf of customers and in its own right, under the UK GDPR, the Data Protection Act 2018, and applicable regulations.

Document: CF-POL-002
Version: 1.0
Classification: External / Customer-shareable
Last reviewed: 2026-02-27
Owner: Director and Privacy Contact, CompleteFlow Ltd
Next review: 2027-02-27

1. Purpose

This Data Protection Policy describes how CompleteFlow Ltd processes personal data, both as controller (for its own business activities) and as processor (on behalf of customers who use the CompleteFlow platform). It forms part of the Information Security Management System governed by CF-POL-001 Information Security Policy.

The policy addresses compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR) where applicable.

2. Scope

This policy applies to:

  • All personal data processed by CompleteFlow Ltd, in any capacity
  • All CompleteFlow personnel and sub-processors handling personal data
  • All systems, devices, networks, and services used to process personal data

3. Role and registration

CompleteFlow Ltd is registered with the UK Information Commissioner's Office (ICO) as both a data controller and a data processor.

  • As controller: CompleteFlow processes personal data for its own business purposes (for example, employee records, prospect and customer contacts, website analytics).
  • As processor: CompleteFlow processes personal data on behalf of customers using the CompleteFlow platform. In this capacity, customers remain the controller.

For platform processing activities, a signed Data Processing Agreement (DPA) is in place with each customer, setting out subject matter, duration, nature, purpose, categories of personal data, and categories of data subject in accordance with Article 28(3) UK GDPR.

4. Key definitions

Term | Meaning (UK GDPR Article 4)
Personal data | Any information relating to an identified or identifiable natural person
Special category data | Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation
Processing | Any operation performed on personal data, including collection, storage, use, disclosure, and erasure
Controller | The party that determines the purposes and means of processing
Processor | The party that processes personal data on behalf of the controller
Sub-processor | A party engaged by the processor to carry out specific processing activities

5. Data protection principles

CompleteFlow processes personal data in accordance with the seven principles set out in UK GDPR Article 5:

  1. Lawfulness, fairness, and transparency: personal data is processed lawfully, fairly, and transparently.
  2. Purpose limitation: personal data is collected for specified, explicit, and legitimate purposes.
  3. Data minimisation: personal data is adequate, relevant, and limited to what is necessary.
  4. Accuracy: personal data is accurate and, where necessary, kept up to date.
  5. Storage limitation: personal data is kept no longer than necessary for the purposes for which it is processed (see CF-POL-006 Data Retention and Disposal Policy).
  6. Integrity and confidentiality: personal data is processed in a manner that ensures appropriate security.
  7. Accountability: CompleteFlow is able to demonstrate compliance with the above principles.

6. Lawful basis for processing

CompleteFlow documents the lawful basis for each processing activity it carries out as controller, drawn from Article 6 UK GDPR:

Processing activity | Lawful basis
Employment records and HR administration | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c))
Customer contract management, billing, support | Contract (Art. 6(1)(b))
Prospect contact management, sales and marketing | Legitimate interests (Art. 6(1)(f)); consent where required by PECR
Website analytics and essential operation | Legitimate interests (Art. 6(1)(f)); consent for non-essential cookies
Compliance with legal or regulatory request | Legal obligation (Art. 6(1)(c))
Security monitoring of CompleteFlow systems | Legitimate interests (Art. 6(1)(f))

For processing carried out as processor on behalf of a customer, the lawful basis is determined by the customer as controller and recorded in the relevant DPA.

7. Categories of personal data

7.1 Customer platform data (processor)

The categories of personal data processed within customer CompleteFlow deployments depend on the customer's configured workflows and document sources. CompleteFlow does not dictate these categories; it provides the technical environment within which the customer operates. Typical categories for legal sector deployments include:

  • Client and matter identifiers, contact details, correspondence
  • Employee identifiers of the customer's own staff (for authentication and audit)
  • Document content, including any personal data contained within client documents
  • Workflow execution metadata (user identifier, timestamp, workflow input and output)

Special category data may be present where the customer processes such data through the platform (for example, in employment law or personal injury matters). The customer, as controller, is responsible for determining whether such processing is permissible and on what legal basis.

7.2 CompleteFlow business data (controller)

As controller, CompleteFlow processes limited personal data for its own business activities:

  • Prospect, customer, and supplier contact details
  • Personnel records (employment, payroll, training)
  • Website visitor data (where collected under the privacy notice on completeflow.ai)
  • Support and enquiry correspondence

8. Data subject rights

CompleteFlow honours the rights set out in UK GDPR Articles 12 to 22:

  • The right to be informed (Art. 13-14)
  • The right of access (Art. 15)
  • The right to rectification (Art. 16)
  • The right to erasure (Art. 17)
  • The right to restrict processing (Art. 18)
  • The right to data portability (Art. 20)
  • The right to object (Art. 21)
  • Rights relating to automated decision-making and profiling (Art. 22)

8.1 Rights in respect of platform processing (processor)

Where a data subject makes a request relating to personal data processed within a customer deployment, CompleteFlow forwards the request to the customer (as controller) without undue delay, and assists the customer in responding as required by Article 28(3)(e). Because customer data resides in the customer's own Azure subscription, CompleteFlow is not positioned to respond directly.

8.2 Rights in respect of CompleteFlow business processing (controller)

Data subjects may contact the Privacy Contact (privacy@completeflow.ai) to exercise their rights. CompleteFlow aims to respond to valid requests within 30 calendar days (extendable by up to two further months for complex requests, with notice to the data subject).

8.3 Identity verification

CompleteFlow takes reasonable steps to verify the identity of any person making a rights request, proportionate to the sensitivity of the data involved, before disclosing personal data or acting on the request.

9. International data transfers

CompleteFlow's default architecture does not involve transfers of personal data outside the UK. Customer data is processed exclusively within Azure UK datacentres (see CF-DOC-001 section 3.2).

Where a customer deployment exceptionally requires processing outside the UK, CompleteFlow will transfer personal data only where one of the following mechanisms is in place under UK GDPR Chapter V:

  • An adequacy decision applies to the receiving country (Article 45)
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses is in place, accompanied by a documented Transfer Risk Assessment (Article 46)
  • A derogation under Article 49 applies (used only exceptionally, with documented justification)

Any change to the geographic scope of a customer deployment requires the customer's advance written consent and an updated transfer risk assessment.

10. Sub-processors

CompleteFlow engages the sub-processors listed in CF-DOC-001 section 9. Sub-processor engagements are subject to:

  • Security and data protection due diligence at onboarding, under CF-POL-007 Supplier Management Policy
  • Written contractual terms meeting the Article 28(3) requirements, including flow-down of data protection obligations, breach notification, and audit rights
  • Ongoing monitoring and annual review
  • 30 days' advance notice to customers of any addition or change, with a defined right to object

11. Data protection by design and by default

CompleteFlow applies Article 25 principles through the architectural controls described in CF-DOC-001, including:

  • Dedicated per-customer Azure subscriptions (structural data segregation)
  • UK-only default data residency
  • Encryption at rest and in transit as standard
  • Private networking on all data services (no public internet exposure)
  • Per-user credentials for downstream integrations (no shared service accounts)
  • Audit logging of all material actions
  • Secure-deletion mechanisms and configurable retention (see CF-POL-006)
  • No use of customer data for training AI models or for product improvement (see CF-POL-008 section 4.4)

12. Data Protection Impact Assessments (DPIAs)

CompleteFlow conducts DPIAs in the following circumstances:

  • Any new processing activity likely to result in a high risk to the rights and freedoms of data subjects, as described in Article 35 and the ICO's published criteria
  • Material changes to the CompleteFlow platform affecting personal data handling (for example, adoption of a new AI model endpoint, new sub-processor, or new data category)
  • Where required by a specific customer contract or deployment

A platform-level DPIA covering the CompleteFlow platform as a processing service (independent of specific customer workflows) is maintained and available to customers on request. Customer-specific DPIAs are completed jointly with the customer during deployment scoping, reflecting the customer's configured workflows and data categories.

Where a DPIA identifies a residual high risk that cannot be adequately mitigated, CompleteFlow consults the ICO prior to the relevant processing, as required by Article 36.

13. Breach notification

Personal data breaches are handled under the Incident Response Plan (CF-PLAN-001). In summary:

  • Personnel report suspected breaches immediately via the documented incident channel.
  • The Information Security Officer and the Privacy Contact assess whether the event is a personal data breach under UK GDPR Article 4(12) and whether it creates a risk to data subjects.
  • Where CompleteFlow acts as processor, the affected customer is notified without undue delay after CompleteFlow becomes aware of the breach, as required by Article 33(2). Specific notification channels and escalation contacts are agreed in the customer's Data Processing Agreement.
  • Where CompleteFlow acts as controller, a notifiable breach is reported to the ICO within 72 hours of CompleteFlow becoming aware of it, and affected data subjects are informed where the breach is likely to result in a high risk to their rights and freedoms.
  • All breaches (notifiable or not) are recorded in the internal breach register.

14. Records of processing

CompleteFlow maintains records of processing activities as required by UK GDPR Article 30, for both controller and processor activities. These records are available to the ICO on request and are reviewed at least annually by the Privacy Contact.

15. Training and accountability

Data protection awareness is part of the mandatory induction and annual refresher training covered in CF-POL-001 section 7. The Privacy Contact reviews training content annually for alignment with current UK GDPR guidance from the ICO.

16. Relevant references

  • UK GDPR and Data Protection Act 2018, ICO guidance
  • Privacy and Electronic Communications Regulations 2003, ICO guidance
  • UK International Data Transfer Agreement, ICO guidance
  • CF-POL-001 Information Security Policy
  • CF-POL-006 Data Retention and Disposal Policy
  • CF-POL-007 Supplier Management Policy
  • CF-POL-008 AI Governance and Acceptable Use Policy
  • CF-PLAN-001 Incident Response Plan
  • CF-DOC-001 Architecture and Security Overview

17. Contact

Privacy contact: privacy@completeflow.ai.

Data subjects may also lodge a complaint with the UK Information Commissioner's Office, ico.org.uk.

18. Document control

Version | Date | Author | Change
1.0 | 2026-04-24 | J. Griffin | Initial approved version