This Privacy Notice explains how Exchester Ltd (a company incorporated in England and Wales with company number 12601661, whose registered office is at 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom), trading as GATA AI ("GATA", "we", "us", "our"), processes personal data in connection with:
- the GATA AI software-as-a-service platform (the "Service"), available at https://gata.ai;
- our public-facing website at https://gata.ai (the "Website"); and
- related sales, support, marketing and corporate activities.
This Privacy Notice is issued under Articles 13 and 14 of the UK General Data Protection Regulation ("UK GDPR") and, where applicable, of Regulation (EU) 2016/679 (the "EU GDPR"). Capitalised terms used but not defined in this Privacy Notice have the meanings given in the GATA Terms of Service published at https://gata.ai/terms-of-service (the "Terms").
GATA contracts only with business customers. Information about how Customers' use of the Service is governed (including in respect of personal data that Customers upload to the Service) is set out in the Terms and the GATA Data Processing Addendum ("DPA").
1. Who we are and how to contact us
Controller: Exchester Ltd (trading as GATA AI)
Company number: 12601661 (England and Wales)
Registered office: 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom
Contact email: support@gata.ai
ICO registration number: Exchester Ltd is registered with the UK Information Commissioner's Office under the Data Protection (Charges and Information) Regulations 2018; the registration number will be published here once it has issued.
Data Protection Officer (DPO): GATA has not appointed a DPO under UK GDPR Article 37, as we have determined that our core activities do not require one (we do not, as our core activity, carry out large-scale systematic monitoring of data subjects or large-scale processing of special-category data; the Service operates as a processor on behalf of business Customers in respect of their content). This determination is reviewed at the earlier of: (i) twelve (12) months from the "Last updated" date of this Privacy Notice; (ii) the date on which GATA processes Customer Content involving the personal data of more than 10,000 distinct end-data-subjects in any rolling twelve-month period; or (iii) the launch of any feature involving biometric identification, emotion-recognition or automated decision-making within the meaning of UK GDPR Article 22. Each re-assessment is documented internally, even where the conclusion is unchanged.
Privacy enquiries. For any question about this Privacy Notice or about how we process your personal data, please contact support@gata.ai.
1.1 EU representative (Article 27 EU GDPR)
Exchester Ltd is established in the United Kingdom and has not, as at the "Last updated" date of this Privacy Notice, appointed a representative in the European Economic Area under Article 27 of the EU GDPR. Appointment is in progress and the appointed representative's name, address and contact details will be published in this Section 1.1 and in Section 16 once the appointment is complete.
Pending that appointment, data subjects in the European Economic Area who wish to exercise their rights under the EU GDPR, or to contact GATA in connection with the processing of their personal data, may do so by writing to support@gata.ai. GATA will respond to EEA data-subject enquiries on the same basis and within the same timescales as for UK data subjects (see Section 10).
EU Representative: Appointment in progress; details to be published here once issued.
2. Scope of this Privacy Notice
This Privacy Notice describes processing for which GATA acts as a controller, including:
- personal data of visitors to the Website and prospective customers;
- personal data of Account administrators, billing contacts and Authorised Users (in their administrative and contractual capacity);
- personal data of business contacts (e.g. sales prospects, partners, suppliers, advisers);
- personal data of individuals who contact us (e.g. by email, support ticket, AUP report, recruitment enquiry); and
- certain processing relating to the operation of the Service that is necessary for security, billing, abuse prevention, audit and legal compliance.
Customer content. Where Customers upload Inputs to the Service that contain personal data of third parties (for example, video footage featuring identifiable individuals, scripts referring to real people, voice samples, or moodboard images), GATA processes that personal data as a processor on behalf of the Customer, who acts as the controller. The Customer is responsible for the lawful basis, transparency and data-subject-rights handling for that processing, in accordance with the DPA. For more detail on the Service's processing of Customer-content personal data, please refer to the DPA and to the Customer's own privacy notice. Section 8 below summarises certain Article 14 elements applicable to data subjects whose personal data appears in Customer Inputs.
3. Categories of personal data we collect
3.1 Account and contractual data
Categories: name, business email address, telephone number (where provided), job title, company name, country of business, role, team size, industry, and other business-context fields collected at sign-up; password (stored hashed); email-verification codes (stored hashed; cleared on use or expiry); authentication tokens; Account administrator and authorised-signatory details for Order Forms.
Source: the data subject (i.e. the individual signing up or being added to an Account) or the Customer (where the Customer adds an Authorised User).
3.2 Billing and transactional data
Categories: billing name, billing address, VAT/tax-registration number, Subscription tier and history, invoice records, Charge records, Credit-Wallet ledger entries, Top-Up purchase history, payment-method metadata (e.g. card brand, last 4 digits, expiry — payment-card numbers themselves are not received or stored by GATA; they are processed by Stripe).
Source: the data subject, the Customer and Stripe.
3.3 Service-usage and product-telemetry data
Categories: Account ID, Authorised User ID, IP address, device and browser identifiers, locale, timestamps, feature use, page views, button events, error logs, Generative Operation requests and outcomes (success / failure / moderation block), moderation classifications and triggers, rate-limit and abuse-prevention signals, support-session telemetry.
Source: automatically collected as the data subject uses the Service or the Website.
3.4 Customer-content personal data (processor role)
Categories: any personal data contained in Customer Inputs and Outputs, including images and video featuring identifiable individuals; voice samples; names; biometric-style data such as face geometry inferred by underlying models; scripts and prompts referring to real persons; metadata of uploaded files.
Source: the Customer (who acts as the controller for this category). See Section 2 (Scope) above.
3.5 Communications and support data
Categories: the content of emails, support tickets, AUP reports, copyright notices, sales enquiries, contract negotiations, marketing-campaign engagement (open/click) and similar communications with GATA; and the metadata of those communications.
Source: the data subject and the Customer.
3.6 Marketing and prospect data
Categories: business name, work email, role, country, marketing-list source, consent records and opt-out records.
Source: the data subject (e.g. via website forms), publicly available business sources and reputable B2B data providers.
3.7 Recruitment data (if applicable)
Categories: CV, cover letter, contact details, employment-history information and right-to-work data of job applicants.
Source: the data subject.
3.8 Cookies and analytics
See Section 11 (Cookies and similar technologies).
4. Purposes of processing and lawful bases
We process personal data for the following purposes and on the following lawful bases under UK GDPR Article 6 (and, where applicable, Article 9):
| # | Purpose | Categories of data | Lawful basis (UK GDPR) |
|---|---|---|---|
| 4.1 | Creating and operating Accounts; authenticating users; sending email-verification codes; managing Authorised Users; providing the Service; performing the Terms | 3.1, 3.3, 3.5 | Art. 6(1)(b) — performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering a contract; Art. 6(1)(f) — legitimate interests in operating the Service securely |
| 4.2 | Billing, payment processing, invoicing, dunning, tax compliance | 3.1, 3.2, 3.5 | Art. 6(1)(b); Art. 6(1)(c) — legal obligation (tax, accounting); Art. 6(1)(f) — legitimate interests in collecting amounts due |
| 4.3 | Operating, securing, monitoring and improving the Service; abuse prevention; fraud prevention; rate limiting; investigating AUP violations; running the moderation pipeline | 3.1, 3.3, 3.5 | Art. 6(1)(f) — legitimate interests in keeping the Service safe, secure and reliable; Art. 6(1)(c) for some investigative obligations |
| 4.4 | Providing customer support; responding to enquiries; handling abuse and copyright reports; handling data-subject-rights requests | 3.1, 3.3, 3.5 | Art. 6(1)(b); Art. 6(1)(c); Art. 6(1)(f) |
| 4.5 | Sending service notices, transactional emails (e.g. verification codes, password resets, billing, security incidents) | 3.1, 3.2, 3.5 | Art. 6(1)(b); Art. 6(1)(f) |
| 4.6 | B2B marketing of the Service to business contacts (where we have a soft opt-in or other lawful basis under PECR), and communications about new features and offerings | 3.1, 3.6 | Art. 6(1)(f) — legitimate interests in marketing to business contacts; Art. 6(1)(a) — consent (where required, e.g. corporate-subscriber consent under PECR rules to the extent applicable) |
| 4.7 | Producing aggregated, anonymised analytics and statistics about Service usage and product performance | 3.3 | Art. 6(1)(f); processing on anonymised data is outside UK GDPR once anonymisation is complete |
| 4.8 | Complying with our legal and regulatory obligations, including law-enforcement requests, mandatory CSAM reporting, AML/KYC obligations (where applicable), records-retention and audit obligations, EU AI Act compliance | All as relevant | Art. 6(1)(c); Art. 6(1)(f); Art. 9(2)(g) where applicable |
| 4.9 | Establishing, exercising or defending legal claims; managing risk and disputes; corporate transactions (M&A) | All as relevant | Art. 6(1)(f); Art. 9(2)(f) where applicable |
| 4.10 | Recruitment and HR (where applicable) | 3.7 | Art. 6(1)(b); Art. 6(1)(f); Art. 6(1)(a) for some categories |
| 4.11 | Customer-content processing (processor role) — providing the Service in respect of Customer Inputs | 3.4 | Lawful basis is the Customer's responsibility; GATA processes only on documented Customer instructions per the DPA |
We do not use Customer Content (including any personal data contained in Customer Content) to train, fine-tune or improve our underlying machine-learning models, except where the Customer has expressly consented in writing in a separate agreement, or where the use is anonymised and aggregated such that no Customer or any individual is identifiable. See clause 6.4 of the Terms.
4.1 Special-category and criminal-conviction data
We do not, in the ordinary course, intentionally collect special-category personal data (UK GDPR Article 9) or criminal-conviction data (UK GDPR Article 10) about Account administrators, Authorised Users or business contacts. Customers must not submit special-category or criminal-conviction data via the Service unless they have notified us in advance and have an Article 9 / Article 10 condition (see Section 7.3 of the AUP).
5. Recipients and sub-processors
We disclose personal data only to the following categories of recipient:
5.1 Authorised Users and Account administrators. Within an Account, Account administrators may have visibility of Authorised User identifiers, activity logs, billing data and Customer Content.
5.2 Sub-Providers, sub-processors and other third-party recipients. We use the following third-party providers to operate the Service. Some act as processors on our instructions; others act as independent controllers in respect of the personal data we share with them, under their own privacy notices.
| Provider | Role | Capacity | Location of processing |
|---|---|---|---|
| Amazon Web Services EMEA SARL — Amazon S3 | Object storage of Customer Content and Service data (currently eu-west-2, London region; subject to change) | Processor | UK / EEA, and globally where applicable (see Section 6) |
| Amazon Web Services EMEA SARL — Amazon Bedrock | Foundation-model inference for text generation, parsing and content moderation (default text model: configured by GATA via BEDROCK_TEXT_MODEL_ID) | Processor | EEA / US (depending on model — see Section 6) |
| Amazon Web Services EMEA SARL — Amazon Transcribe | Speech-to-text transcription of audio extracted from Customer Content (used in the localisation pipeline) | Processor | UK (eu-west-2) |
| Amazon Web Services EMEA SARL — Amazon Simple Email Service (SES) | Transactional email delivery (e.g. verification codes, service notices) | Processor | EEA / US (depending on configuration) |
| fal.ai, Inc. | Image and video generation (including image generation, image-to-video, character "reels", and lip-sync) | Processor | United States |
| ElevenLabs, Inc. | Text-to-speech and dialogue voice synthesis for the script-to-video pipeline | Processor | United States |
| OpenAI Ireland Limited | Structured-output text generation — used for script parsing and shot extraction | Processor | United States and other countries (no EU data-residency guarantee — see Section 6) |
| Google Cloud EMEA Limited — Vertex AI and Google Cloud Storage | Vertex AI: Gemini foundation-model inference and video analysis for the localisation pipeline. Google Cloud Storage: object storage of localisation video uploads | Processor | United States and other countries; some operations currently run in the EEA, but no EU data-residency is guaranteed (see Section 6) |
| Stripe Payments Europe Limited (Stripe Payments UK Limited in respect of UK Customers) | Subscription billing and payment processing | Independent controller (in respect of payment-card data and Stripe's anti-fraud and AML obligations) and processor (in respect of certain billing metadata on our instructions) | EEA (Ireland) and onward to United States under Stripe's intra-group transfer mechanisms |
Google LLC (and Google Ireland Limited for UK / EEA users) — Google Analytics 4 (measurement ID G-NFPBEF1HB4) | Website and product measurement: page views, custom events, and (after sign-in) account-bound user_id and user_properties. Loaded only after opt-in consent through the cookie banner described in the Cookie Notice (https://gata.ai/cookies). | Independent controller (under Google's Measurement Controller-to-Controller Data Protection Terms) | United States, with a UK / EEA front-door |
Google LLC — Google Fonts (fonts.googleapis.com) | Web-font CDN serving the "JetBrains Mono" typeface | Independent controller (no cookie set; IP address transferred to Google's CDN) | United States |
| Prospect One sp. z o.o. (Poland) — jsDelivr, fronted by Cloudflare, Inc. and Fastly, Inc. (United States) | Web-font CDN serving the "Geist" typeface family from cdn.jsdelivr.net | Independent controllers (no cookie set; IP address transferred to the CDN) | EEA / United States |
| Professional advisers (lawyers, accountants, auditors), banks and corporate-services providers | As required for the corporate operation of the business | Independent controllers (in respect of their own professional records) | UK / EEA |
We do not currently use error-monitoring or browser-side crash reporting (e.g. Sentry), third-party customer-support tooling (e.g. Intercom, Zendesk, HubSpot Service Hub), outbound marketing-email platforms (e.g. HubSpot, Mailchimp, Brevo), session-replay or behavioural-recording tools (e.g. Hotjar, FullStory), or advertising / retargeting platforms. If we add any of the above we will update the Sub-Processor List at https://gata.ai/subprocessors and follow the change-notification process in the DPA.
A current list of sub-processors used to process personal data on behalf of Customers as a processor is published at https://gata.ai/subprocessors and is maintained as Annex III to the DPA, updated under the change-control process described in the DPA.
5.3 Law enforcement and regulators. We may disclose personal data to law-enforcement and regulatory authorities, courts, the Information Commissioner's Office and equivalent supervisory authorities, where we are required to do so by law or where we reasonably consider it necessary to comply with legal process, prevent or detect crime (including CSAM-reporting obligations), or protect the rights, property or safety of GATA, our Customers, our users or the public.
5.4 Corporate transactions. In the event of a sale, merger, financing, restructuring, acquisition, bankruptcy or other change of control of all or part of our business, we may disclose personal data to the prospective or actual counterparty and its advisers, subject to appropriate confidentiality undertakings.
5.5 No sale of personal data. We do not sell personal data, and we do not "share" personal data for cross-context behavioural advertising within the meaning of the California Consumer Privacy Act (as amended).
6. International data transfers
GATA is established in the United Kingdom. While a number of our Sub-Providers currently process personal data in the UK and the European Economic Area, we do not offer or guarantee EU / EEA data residency, EU-region storage or EU-only processing. Personal data (including Customer Content and the personal data it may contain) may be processed and stored globally, including in the United States and other countries, by us and by our Sub-Providers, and the locations used for a given operation may change over time.
In particular:
- fal.ai and ElevenLabs process personal data in the United States and other countries.
- Amazon Bedrock and Amazon SES may, depending on the foundation model selected and the regional configuration of the relevant service, route inference or message-handling traffic outside the UK / EEA, including to the United States.
- OpenAI and Google Cloud (Vertex AI and Google Cloud Storage) are global services. Personal data sent to these Sub-Providers may be processed in the United States and other countries. Parent-company and group-entity access from the United States may also occur under the relevant intra-group transfer mechanisms.
- Stripe transfers payment-related personal data to the United States.
For each such transfer, we put in place an appropriate transfer mechanism under UK GDPR Chapter V and EU GDPR Chapter V, as applicable, including (depending on the recipient and the relevant adequacy position from time to time):
- the UK International Data Transfer Agreement and/or the UK Addendum to the EU Standard Contractual Clauses;
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
- transfers under a UK or EU adequacy regulation or decision (including the UK Extension to the EU-US Data Privacy Framework and the EU-US Data Privacy Framework, where the recipient is certified); and
- supplementary measures (technical, organisational and contractual) where appropriate following a transfer-impact assessment.
A copy of the relevant transfer mechanism for any specific Sub-Provider can be requested from support@gata.ai.
7. Retention
We retain personal data only for as long as necessary for the purposes set out in this Privacy Notice, after which it is deleted, anonymised or archived in accordance with our retention schedule. The principal retention periods are summarised below. The same schedule appears in Annex I (row 7) of the GATA Data Processing Addendum and the two documents are kept in lockstep.
| Data | Retention period |
|---|---|
| Account and contractual data (Section 3.1) | For the duration of the contract with the relevant Customer, plus 6 years after termination, in line with the limitation period under section 5 of the Limitation Act 1980 and the company-record-keeping period under section 388 of the Companies Act 2006. |
| Billing and transactional data (Section 3.2) | 6 years from the end of the tax period in which the transaction occurred, in line with the record-keeping period required under Schedule 11 of the Value Added Tax Act 1994 and equivalent HMRC guidance for businesses. |
| Customer Content uploaded to the Service — source media (Inputs) | 30 days after the relevant Generative Operation completes, after which the Input is deleted from active systems by an automated S3 lifecycle rule (subject to the backup retention period below). Enterprise Customers may negotiate a different period in their Order Form. |
| Generated Outputs | Retained while the Customer maintains an active Subscription and for the 30-day Export Window under clause 15.2 of the Terms, after which Outputs are deleted from active systems by an automated lifecycle rule triggered on Subscription termination (subject to the backup retention period below). |
| Service-usage and product-telemetry data (Section 3.3) | 13 months, covering detailed access and request logs and aggregated / pseudonymised analytics, after which logs are purged from active log destinations and from the corresponding database telemetry tables. |
| Email-verification codes | Hashed; cleared on successful verification or 15 minutes after issue (whichever is earlier). |
| Moderation classifications and abuse-prevention signals | 24 months, to enable repeat-violation detection, to support audit, and to discharge GATA's record-keeping obligations under the AUP and (where applicable) Article 16(c) of the EU AI Act. |
| Communications and support data (Section 3.5) | 3 years from closure of the relevant ticket, conversation or matter, save where retention for longer is required for legal-claim purposes. |
| Marketing and prospect data (Section 3.6) | 2 years from the data subject's last engagement with GATA, or until opt-out, whichever is earlier. |
| Backups | 35 days rolling backup window (matching the maximum automated-backup retention configurable on the database service we use). Data deleted from active systems falls out of backups within that window. |
| AUP reports, copyright notices and law-enforcement correspondence | 6 years from closure of the relevant incident, in line with the limitation period under section 5 of the Limitation Act 1980. |
GATA does not currently carry out recruitment activity; this Privacy Notice will be updated to add a recruitment-data retention row at the point recruitment processing begins.
Where personal data is retained for legal-claim, regulatory or audit reasons after the operational retention period has expired, access is restricted and the data is processed only for those purposes.
8. Article 14 — personal data appearing in Customer Content
In some cases, personal data we process is provided to us not by the data subject themselves but by our Customer (for example, where the Customer uploads a video featuring an identifiable individual, or a script referring to a real person). UK GDPR Article 14 governs this scenario.
8.1 Source. The personal data is provided by the relevant Customer, in the form of Inputs (e.g. video, audio, images, text) uploaded to the Service.
8.2 Customer responsibility. The Customer acts as the controller of that personal data and is responsible for providing fair-processing information to the data subjects, for ensuring a lawful basis under Data Protection Laws and (in respect of voice and likeness) for satisfying the consent requirements in Section 4 of the AUP.
8.3 GATA's role. In respect of that personal data, GATA acts as a processor on the Customer's documented instructions under the DPA. Outside the activities required to deliver the Service (including Sub-Provider transmission, security, abuse detection and legal compliance), we do not use Customer-content personal data for our own purposes.
8.4 Data-subject rights. A data subject who believes that their personal data has been included in Customer Content without a lawful basis may contact us at support@gata.ai. We will, where appropriate, route the request to the Customer (as controller) and may, in addition, exercise our discretionary moderation and takedown rights under clause 8.1 of the Terms and Section 9 of the AUP.
9. Automated decision-making and profiling
The Service uses artificial-intelligence models, including third-party generative-AI models supplied by Amazon Bedrock and fal.ai, to generate, transform and moderate content. The Service also runs an automated content-moderation pipeline that may classify Inputs and Outputs (for example, as "blocked", "review" or "allowed") and act on that classification.
GATA does not, in the ordinary course, use personal data to make a decision based solely on automated processing (including profiling) that produces legal effects concerning a data subject or similarly significantly affects a data subject within the meaning of UK GDPR Article 22. The moderation pipeline operates as a content-safety filter on the Service rather than as a decision-making process about an individual.
Where, exceptionally, an Account is suspended or terminated under clause 14 of the Terms in part as a result of automated abuse-detection signals, a human review by GATA personnel forms part of any final termination decision; affected Customers may contact support@gata.ai to request review.
The Service is not designed, validated or supplied as a "high-risk AI system" under Annex III of the EU AI Act, and Customers are prohibited from deploying it in any of the capacities set out in Section 2.14 of the AUP without a separate Order Form. Customers remain responsible for any disclosure or labelling of AI-generated content under Article 50 of the EU AI Act, as further described in Section 9A below.
9A. EU AI Act — transparency, provenance and Article 50
This Section 9A sets out, for the benefit of users and downstream deployers of Outputs, GATA's position and practices under the EU AI Act (Regulation (EU) 2024/1689) and equivalent UK proposals as they emerge.
9A.1 GATA's role under the EU AI Act
GATA is a "provider" within the meaning of Article 3(3) of the EU AI Act in respect of the generative-AI components of the Service that produce synthetic image, video and (where applicable) audio content. Customers who use the Service to make Outputs publicly available are typically "deployers" within the meaning of Article 3(4).
GATA does not place on the EU market any AI system listed in Annex III of the EU AI Act as a "high-risk" system, and the Service is not provided as a general-purpose AI model or general-purpose AI system for the purposes of the Title VIIIA / Article 51 obligations attaching to providers of GPAI models. The Service is built on top of foundation models supplied by third parties (notably Amazon Bedrock and fal.ai) — the upstream model providers carry the GPAI-provider obligations attaching to those underlying models.
9A.2 Article 50(2) — provider transparency obligation (machine-readable marking)
Article 50(2) requires providers of AI systems that generate synthetic image, audio, video or text content (including general-purpose AI systems) to ensure that the outputs of those systems are marked in a machine-readable format and detectable as artificially generated or manipulated.
To meet this obligation, GATA:
- preserves any cryptographic content-provenance signals (including C2PA / Content Credentials manifests, where present) produced by the underlying Sub-Provider models for image and video Outputs;
- embeds, where technically practicable, additional metadata or signals that identify the Output as having been generated through the Service; and
- prohibits Customers from removing, obscuring, altering or interfering with such signals (see Section 5.6 of the AUP).
The state of the art and the standards on machine-readable marking are evolving. GATA's marking is implemented to the extent feasible and reliable, taking into account the limitations of the underlying Sub-Provider models, applicable harmonised standards, and evolving guidance from the European AI Office.
9A.3 Article 50(4) — deployer disclosure obligation (deep fakes and AI-generated content)
Article 50(4) imposes an obligation on deployers (i.e. Customers using the Service to publish Outputs) — not on GATA — to disclose, where applicable, that:
- image, audio or video content constitutes a "deep fake" (i.e. AI-generated or AI-manipulated content that resembles existing persons, objects, places, entities or events and that would falsely appear to a person to be authentic or truthful); and
- text published with the purpose of informing the public on matters of public interest has been artificially generated or manipulated, save where the conditions in Article 50(4) for derogation from disclosure are met (e.g. where authorised by law for the prevention, investigation or prosecution of criminal offences, or where the AI-generated content has undergone human review or editorial control and a person holds editorial responsibility for the publication).
The Customer is responsible for assessing whether Article 50(4) applies to its use of any Output and, if so, for making the required disclosure in a clear and distinguishable manner at the latest at the time of the first interaction or exposure. Section 5.3 of the Terms and Section 5.2 of the AUP impose this responsibility on the Customer as a contractual obligation.
9A.4 Article 50(1) and 50(3) — chatbots and emotion-recognition / biometric-categorisation systems
The Service is not a chatbot product (Article 50(1)) and does not include emotion-recognition or biometric-categorisation systems (Article 50(3)) within the meaning of the EU AI Act. Where any future feature engages those provisions, this Privacy Notice will be updated in advance and the affected feature will be designed to deliver the relevant disclosure.
9A.5 Prohibited uses
The use of the Service to create or distribute content prohibited by Article 5 of the EU AI Act (and analogous prohibited categories under the AUP) is forbidden. Examples include the use of subliminal or manipulative techniques to materially distort behaviour and cause significant harm, and certain forms of social scoring. See Section 2 of the AUP for the full list of prohibited uses.
9A.6 Cooperation with deployers
On reasonable request from a Customer who is a deployer of an Output and who needs information to satisfy its own EU AI Act transparency obligations (including its obligation to inform natural persons under Article 50(4)), GATA will provide reasonable cooperation, which may include identifying the underlying model used to generate the Output, confirming the marking applied, or providing information drawn from this Privacy Notice and the documentation maintained at https://gata.ai/subprocessors. Requests should be sent to support@gata.ai.
9A.7 Dates of effect
Article 50 applies from 2 August 2026. GATA is implementing the measures described above in advance of that date in line with the European AI Office's guidance and any harmonised standards or codes of practice that emerge before that date.
10. Data-subject rights
Subject to the conditions and exceptions in UK GDPR (and the EU GDPR where applicable), data subjects have the following rights in respect of their personal data:
- Right of access (Article 15) — to obtain confirmation of whether we process personal data about them, to access that data, and to receive certain information about the processing.
- Right to rectification (Article 16) — to have inaccurate personal data corrected and incomplete personal data completed.
- Right to erasure / "right to be forgotten" (Article 17) — to have personal data deleted in defined circumstances (for example, where the data is no longer necessary for the purposes for which it was collected, or where consent is withdrawn and there is no other lawful basis).
- Right to restriction of processing (Article 18) — to require us to restrict processing in defined circumstances.
- Right to data portability (Article 20) — to receive personal data that the data subject provided to us in a structured, commonly used, machine-readable format and to have it transmitted to another controller, where the processing is based on consent or contract and is carried out by automated means.
- Right to object (Article 21) — to object to processing based on Article 6(1)(f) (legitimate interests), including profiling. The data subject has an absolute right to object to processing for direct-marketing purposes.
- Right not to be subject to solely-automated decisions (Article 22) — see Section 9 above.
- Right to withdraw consent (Article 7(3)) — where processing is based on consent, the data subject may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact support@gata.ai. We may need to verify your identity before responding. We will respond within one month of receipt, unless the request is complex or numerous, in which case we may extend that period by up to two further months and will notify you of the extension within the first month.
Where we process personal data on behalf of a Customer (i.e. as a processor — see Section 2 / Section 8), we will route data-subject-rights requests to the relevant Customer (as controller) and assist the Customer in responding under the DPA.
10.1 Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. The lead supervisory authority for GATA is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Telephone: 0303 123 1113
Website: https://ico.org.uk
Data subjects in the EEA may additionally lodge a complaint with the supervisory authority of their habitual residence, place of work or place of the alleged infringement, and may contact our EU representative (see Section 1.1 above).
11. Cookies and similar technologies
Our Website and the Service use cookies and similar technologies (such as HTML local storage and session storage) to operate the Service (strictly-necessary cookies — for example, authentication and CSRF protection) and to remember in-product user-interface preferences set after sign-in. As at the date of this Privacy Notice, we do not set analytics, marketing, advertising or retargeting cookies, and we do not run a cookie consent banner because PECR regulation 6 does not require one where every cookie set is strictly necessary.
The full inventory of cookies and similar technologies, and the legal basis on which we set them, is set out in the GATA Cookie Notice at https://gata.ai/cookies. If we introduce any non-essential cookie in future, we will update the Cookie Notice and deploy a consent banner offering a clear opt-in (with "Reject all non-essential" as prominent as "Accept all") before the cookie is set.
You can manage cookies through your browser settings; clearing site data for gata.ai will sign you out of the Service.
12. Security
We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. Measures include encryption in transit (TLS) and at rest, role-based access controls, audit logging, network segmentation, defence-in-depth on AWS, hashed credentials, multi-factor authentication for administrative access, and regular review of our security posture. No system is completely secure, however, and we cannot guarantee the security of personal data transmitted to or from the Service.
Security incidents that result in a personal-data breach will be assessed and, where notification is required, notified to the ICO and to affected data subjects in accordance with UK GDPR Articles 33 and 34.
13. Children
The Service is offered exclusively to business users (see Sections 2 of the Terms and Section 2.1 / Section 2.14 of the AUP) and is not directed to children. We do not knowingly collect personal data from children under 18 in the operation of the Service. If we become aware that we have collected personal data from a child without an applicable lawful basis, we will take steps to delete that data.
Customers must not submit Inputs that constitute personal data of children except in accordance with the AUP and Applicable Law. Generation of any sexualised or otherwise prohibited child-related content is prohibited and is dealt with under Section 2.1 of the AUP.
14. California, Colorado and other US-state privacy rights
To the extent that GATA processes personal information of California, Colorado, Connecticut, Virginia, Utah or other US-state residents, those individuals may have additional rights under applicable US state privacy laws (including the CCPA as amended by the CPRA, the Colorado Privacy Act, and equivalent laws). Where applicable, those rights map broadly onto the rights described in Section 10 above. To exercise US-state-law rights, please contact support@gata.ai. We do not "sell" personal information or "share" it for cross-context behavioural advertising within the meaning of those laws.
15. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. The "Last updated" date at the top of this Privacy Notice will be revised when changes are made. Where changes are material, we will notify Account administrators by email or in-product notification.
16. Contact
For all enquiries — including privacy and data-subject rights, service support, abuse and AUP reports, and copyright and IP-infringement notices — please contact support@gata.ai.
Registered in England and Wales, company number 12601661.
Registered office: 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom.
ICO registration: registration in progress; number to be published here once issued.
EU GDPR Article 27 representative: appointment in progress; details to be published here once issued.