1. Our role under UK GDPR
Ilmove acts as a data processor on behalf of our business customers (data controllers) for personal data held within Ilmove HR and Ilmove Accountancy. We act as a data controller for personal data submitted via the ilmove.com marketing site (e.g. demo requests, contact form submissions).
2. Data Processing Agreement (DPA)
Every paid Ilmove customer is automatically covered by our standard Data Processing Agreement, which forms part of our terms. It sets out:
- The subject matter and duration of processing;
- The nature and purpose of processing;
- The categories of personal data and data subjects;
- Our obligations as processor and yours as controller;
- Our use of sub-processors and your right to object;
- How we handle data subject requests;
- Our security measures (technical and organisational);
- Breach notification and audit rights;
- Return and deletion of data at termination.
A countersigned copy of the DPA is available on request from hello@ilmoveai.com. Enterprise customers may negotiate bespoke clauses where required.
3. Lawful basis matrix
The lawful basis on which we process personal data depends on the context:
- Marketing site enquiries — legitimate interests and, where appropriate, consent.
- Employee records inside Ilmove HR — contract and legal obligation (controller side: you).
- UKVI sponsor compliance — legal obligation under Home Office rules.
- Payroll and financial records — legal obligation under HMRC rules.
- Marketing communications — consent.
4. International transfers
We do not transfer personal data outside the United Kingdom unless you specifically request it. If we do, we will use the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another UK-recognised transfer mechanism.
5. Data subject rights
Data subjects whose personal data is held inside Ilmove on behalf of our customers should generally direct rights requests to the controller (their employer or service provider). We will assist controllers in fulfilling these requests promptly. For data Ilmove holds as controller (marketing site), send requests to hello@ilmoveai.com.
Rights covered: access, rectification, erasure, restriction of processing, portability, objection, and automated decision-making safeguards.
6. Security measures
We implement and regularly review:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Principle of least privilege for system access;
- Multi-factor authentication for all administrative access;
- Per-tenant data isolation enforced at the application and database layer;
- Regular security patching and dependency monitoring;
- Audit logs retained for 12 months;
- Offsite, encrypted backups with point-in-time recovery;
- Background checks for all personnel with production access.
7. Breach notification
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify affected controllers without undue delay and at the latest within 72 hours of becoming aware. We will provide all information reasonably required to enable controllers to fulfil their own ICO and data subject notification obligations.
8. Our Data Protection Officer
Email hello@ilmoveai.com for all data protection enquiries, DPA requests, audit requests, and breach-related communications.
9. ICO complaints
If you believe Ilmove has failed to meet its UK GDPR obligations, you have the right to complain to the Information Commissioner's Office at ico.org.uk. We would appreciate the opportunity to address your concerns directly first.