9 February 2026
1. Organisation Details
- Legal entity: ALPHi Group Ltd
- Role: Data Controller (website and business operations); Data Processor (customer platforms)
- Registered address: Studio WP2, TOCS, Butts Hill, Frome, UK, BA11 1HR.
- Company number: 16944977
- Contact: privacy@alphcompany.com
2. Categories of Personal Data
2.1 Data Provided Directly
- Name, role, and organisation.
- Email address and telephone number.
- Account credentials.
- Billing and contractual information.
- Communications and support enquiries.
2.2 Technical and Usage Data
- IP address and device identifiers.
- Browser type, operating system, and access logs.
- Platform usage, performance, and diagnostic data.
This data is processed on a data-minimised basis, limited to what is necessary to operate, secure, monitor, and support ALPHi services. Where possible, data is aggregated or pseudonymised, and retained only in accordance with defined operational, security, and contractual requirements.
2.3 IoT and Sensor-Derived Data
Where personal data is present, it is generally:
- Incidental to operational data.
- Determined and controlled by the customer.
- Processed strictly under customer instruction.
3. Purposes of Processing
Personal data is processed solely where lawful and necessary, including to:
- Deliver and operate ALPHi services and platforms.
- Provision accounts and manage access.
- Monitor system health, performance, and security.
- Provide analytics, alerts, and integrations.
- Respond to enquiries and support requests.
- Meet contractual, statutory, and regulatory obligations.
- Maintain auditability and service assurance.
ALPHi does not sell personal data.
4. Lawful Bases for Processing
Processing is carried out under one or more of the following lawful bases:
- Contractual necessity.
- Legitimate interests, balanced against individual rights.
- Legal obligation.
- Consent, where explicitly obtained.
4A. Lawful Basis Mapping
ALPHi maintains a documented mapping between processing activities, purposes, and lawful bases in accordance with UK GDPR Article 30. A high-level summary is provided below.
| Processing Activity | Purpose | Lawful Basis |
|---|---|---|
| Account creation and access management | Provision and administration of user accounts | Contractual necessity |
| Service delivery and platform operation | Deliver contracted IoT, sensor, and data services | Contractual necessity |
| System monitoring and security logging | Maintain availability, integrity, and security | Legitimate interests |
| Support communications | Respond to enquiries and incidents | Legitimate interests |
| Billing and invoicing | Financial and contractual administration | Legal obligation / Contractual necessity |
| Regulatory and audit compliance | Meet statutory and regulatory requirements | Legal obligation |
| Marketing communications (where applicable) | Product or service updates | Consent |
Detailed Records of Processing Activities (RoPA) are maintained internally and made available to regulators or customers where required.
5. Cookies and Website Analytics
ALPHi uses only strictly necessary cookies to support essential website functionality, specifically secure authentication and user-requested session persistence.
ALPHi does not use:
- Non-essential cookies.
- Advertising or marketing cookies.
- Cookie-based analytics or tracking technologies.
Website usage analytics are provided via Plausible Analytics, which operates without cookies and without the collection of personal data.
As only strictly necessary cookies are used, consent mechanisms such as cookie banners are not required under UK data-protection and electronic-communications regulations.
Further details are provided in the Cookie Policy.
6. Data Sharing and Third Parties
Personal data may be shared with trusted third parties where necessary for service delivery, including:
- Secure cloud hosting providers.
- Data dashboard platforms.
- IoT infrastructure providers.
- Monitoring and observability services.
- Billing and accounting providers.
- Legal, regulatory, and professional advisers.
All third parties are contractually bound to appropriate confidentiality, security, and data-protection obligations.
7. International Transfers
Where personal data is transferred outside the UK, ALPHi ensures appropriate safeguards are in place, including adequacy decisions or contractual protections compliant with UK GDPR.
8. Data Retention
Personal data is retained only for as long as necessary for:
- Contractual and operational requirements.
- Legal and regulatory compliance.
- Security, audit, and dispute resolution.
Retention periods for platform and sensor data are configurable and defined contractually.
9. Data Subject Rights
Individuals have the right to:
- Access their personal data.
- Rectify inaccurate or incomplete data.
- Request erasure or restriction.
- Object to processing.
- Request data portability.
- Withdraw consent where applicable.
Requests should be submitted using the contact details above.
10. Complaints
Concerns may be raised directly with ALPHi. Individuals may also lodge a complaint with the UK Information Commissioner’s Office (ICO): www.ico.org.uk.
11. Data Processing Agreement (DPA) Summary
Where ALPHi processes personal data on behalf of a customer, ALPHi acts as a Data Processor, and the customer acts as the Data Controller.
11.1 Processing Scope
- Processing is limited to documented customer instructions.
- Data is processed solely to deliver contracted services.
- Processing locations, purposes, and durations are defined contractually.
11.2 Confidentiality and Access
- Personnel access is role-based and restricted.
- All staff are bound by confidentiality obligations.
11.3 Sub-processing
- Sub-processors are vetted for security and compliance.
- Equivalent data-protection obligations are contractually imposed.
- A current list of sub-processors is maintained (see Section 14).
11.4 Data Subject Rights Assistance
ALPHi will assist customers, where technically feasible, in fulfilling data-subject rights requests.
11.5 Personal Data Breaches
ALPHi maintains documented incident-response procedures and will notify customers without undue delay where a breach affects data processed on their behalf.
A full DPA is available upon request and forms part of enterprise contracts.
12. Information Security and ISO/IEC 27001 Alignment
ALPHi operates a structured information-security framework aligned with the principles and control objectives of ISO/IEC 27001. Privacy and data-protection risks are assessed alongside information-security risks as part of ALPHi’s integrated risk-management process.
12.1 Governance and Risk
- Formal risk assessment and treatment processes.
- Defined security roles and responsibilities.
- Regular review of policies and controls.
12.2 Access Control
- Role-based access control (RBAC).
- Strong authentication mechanisms.
- Logging and monitoring of privileged access.
12.3 Data and Asset Management
- Data classification and minimisation.
- Defined retention and deletion processes.
- Secure configuration management.
12.4 System and Network Security
- Secure cloud infrastructure.
- Monitoring, logging, and alerting.
- Controlled deployment and change management.
12.5 Incident and Business Continuity
- Documented incident-response procedures.
- Recovery and resilience planning.
- Continuous improvement through post-incident review.
ALPHi does not claim ISO/IEC 27001 certification unless explicitly stated, but aligns its controls with recognised best practice.
13. Security & Privacy Overview (Procurement Summary)
- Security model: Risk-based, defence-in-depth.
- Standards alignment: UK GDPR, Data Protection Act 2018, ISO/IEC 27001 principles.
- Data minimisation: Yes
- Encryption: Used where appropriate for data in transit and at rest.
- Access controls: Role-based, least-privilege.
- Audit logging: Enabled for platform and administrative actions.
- Incident response: Documented procedures with customer notification.
- Sub-processor management: Contractual and reviewed.
- Public-sector readiness: Designed to support NHS and local-authority environments.
14. Sub-Processor List (Indicative)
ALPHi engages third-party sub-processors solely to support the delivery, operation, and security of its services. Each sub-processor is subject to due diligence and is contractually bound to equivalent data-protection, confidentiality, and security obligations.
Where ALPHi acts as a Data Processor, these entities operate as sub-processors under UK GDPR.
| Sub-Processor | Role | Purpose | Data Location |
|---|---|---|---|
| DigitalOcean Cloud Infrastructure Provider | Sub-processor | Cloud infrastructure, hosting, storage, backups. | UK |
| Datacake Data Dashboard Platform | Sub-processor | Data dashboard platform services. | EU |
| The Things Industries IoT Infrastructure Provider | Sub-processor | IoT gateway and sensor communications. | EU |
| BetterStack Monitoring & Logging Provider | Sub-processor | Monitoring, logging, and observability. | UK / EU |
| Microsoft Email & Support Services | Sub-processor | Email and support communications. | UK / EU / USA |
| Starling Bank Accounting / Invoicing Provider | Independent Controller | Banking, accounting and invoicing services. | UK |
An up-to-date list of sub-processors, including any changes, is available upon request.
15. Policy Updates
This Privacy Policy may be updated periodically. Material changes will be published on this page with an updated revision date.
16. Records of Processing Activities (RoPA)
ALPHi maintains formal Records of Processing Activities in accordance with UK GDPR Article 30.
These records document:
- Categories of personal data processed.
- Processing purposes and lawful bases.
- Data subject categories.
- Data recipients and sub-processors.
- International transfer safeguards.
- Retention periods.
- Technical and organisational security measures.
RoPA documentation is reviewed periodically and updated to reflect material changes to services, suppliers, or processing activities.
A summary or extract may be provided to customers, partners, or supervisory authorities upon request.