Privacy Notice

Last updated 1 June 2026

This Privacy Notice explains how VigilPath UK Limited ("VigilPath", "we") processes personal data when you use our investigation platform. It is written to satisfy the transparency requirements of UK GDPR (Articles 13 and 14) and the Data Protection Act 2018.

1. Who we are

VigilPath UK Limited (in formation) is a company to be registered in England and Wales. We act as a data controller for account and audit data, and as a data processor for personal data your organisation uploads to its tenant.

2. What we collect

  • Account data: name, work email, job title, organisation, password hash.
  • Consent records: the policy version and timestamp of each consent you gave.
  • Audit data: sign-ins, case actions, narrative edits, exports — actor, time, reason.
  • Investigation content (processor): case material your firm uploads. We do not mine, profile or repurpose this content.

3. Lawful basis (UK GDPR Art. 6)

  • Performance of a contract — to provide the platform to your firm.
  • Legitimate interests — security, audit, fraud prevention, service improvement.
  • Legal obligation — record-keeping required by financial-crime regulation.
  • Consent — only for optional marketing communications; withdrawable at any time.

4. Where data is stored

Personal data is stored in UK and EU regions of a Tier-1 hyperscaler (London primary, Frankfurt failover). We do not transfer personal data outside the UK / EEA except to sub-processors covered by UK International Data Transfer Agreements.

5. Retention

  • Account data: for the life of the tenant + 12 months.
  • Audit trail: 7 years, to satisfy AML record-keeping obligations.
  • Investigation content: retained per your firm's instructions in the DPA.
  • Backups: rolling 35-day window, encrypted at rest.

6. AI and automated processing

VigilPath uses large-language-model agents to draft SAR narratives and score them. These outputs are decision-support only; the named investigator and MLRO remain the accountable decision-makers. Frontier-model APIs are contracted to prohibit training on customer data and retention beyond the processing call. No solely-automated decision producing legal effects (UK GDPR Art. 22) is made.

7. Your rights

You may exercise the following rights free of charge:

  • Access to your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure where applicable (Art. 17)
  • Restriction of processing (Art. 18)
  • Portability of data you provided (Art. 20)
  • Objection to processing based on legitimate interests (Art. 21)
  • Withdrawal of consent to optional processing at any time (Art. 7(3))

Contact privacy@vigilpath.example. We respond within one calendar month. You may also complain to the UK Information Commissioner (ICO) at ico.org.uk.

8. Security

We protect personal data with TLS 1.3 in transit, AES-256 at rest, tenant-isolated row-level security, MFA for administrators, immutable audit logging and ISO 27001-aligned controls, with SOC 2 Type II readiness planned for Year 2.

9. Cookies

We use only strictly-necessary cookies to keep you signed in and to maintain CSRF protection. No analytics, advertising or tracking cookies are set.

10. Changes

Material changes are notified by email to tenant administrators 30 days before they take effect. The previous version remains available on request.