Burmain Holdings
AboutPlatformsTechnologyGlobalContact
Get in Touch
AboutPlatformsTechnologyGlobalContactGet in Touch
LEGAL

GDPR Statement

General Data Protection Regulation (EU) 2016/679  ·  UK GDPR  ·  Effective 1 January 2025

Contents

  1. Introduction & Scope
  2. Data Controller Details
  3. Personal Data We Process
  4. Lawful Basis for Processing
  5. Your Rights under UK/EU GDPR
  6. How to Exercise Your Rights
  7. International Data Transfers
  8. Data Retention
  9. AI & Automated Processing
  10. Children's Data
  11. Security Measures
  12. Cookies
  13. Supervisory Authorities
  14. Changes & Contact

This statement applies to UK and EU data subjects. Burmain Holdings LTD (United Kingdom) is the primary data controller for UK/EU residents. South African residents should refer to our POPIA Compliance Statement.

1. Introduction & Scope

Burmain Holdings LTD, registered in the United Kingdom, acts as data controller for personal data processed in relation to UK and EU residents under the UK GDPR (as retained in UK law post-Brexit) and the EU General Data Protection Regulation 2016/679. Burmain Holdings (Pty) Ltd (South Africa) acts as a joint data controller where South African operations involve UK/EU data subjects.

This statement sets out how both entities comply with applicable data protection law when processing the personal data of individuals in the UK and European Union — covering our website burmain.com and all platforms including BovRes, 1os.io, Synopli, Global Urban Solutions, Windsor AI Gaming and Windsor AI Tutor.

Where this statement refers to “GDPR” it means both the UK GDPR and EU GDPR unless context requires otherwise.

2. Data Controller Details

UK Data Controller

Burmain Holdings LTD | Registered in England and Wales | Contact: uk@burmain.com | Data protection enquiries: uk@burmain.com

South African Joint Controller (where applicable)

Burmain Holdings (Pty) Ltd | Registered in South Africa | Contact: hello@burmain.com

Data Protection Officer

We are committed to appointing a Data Protection Officer as our processing activities grow. Current data protection enquiries should be directed to uk@burmain.com. We will publish DPO details here once appointed.

3. Personal Data We Process

Depending on your relationship with Burmain Holdings and the platforms you use, we may process the following categories of personal data:

  • Identity data (name, job title, company)
  • Contact data (email, phone)
  • Technical data (IP address, browser, device, cookies)
  • Usage data (platform interactions, feature usage, session duration)
  • Platform-specific data (livestock health records via BovRes; business process data via 1os.io; learning progress via Windsor platforms; knowledge query patterns via Synopli; urban planning data via Global Urban Solutions)
  • Communications (emails, support tickets, form submissions)
  • Financial data (payment details, transaction records — processed via PCI-compliant third parties)
  • Recruitment data (CVs, cover letters, references — for job applicants)

4. Lawful Basis for Processing

We only process personal data where we have a lawful basis for doing so under Article 6 of the GDPR. Where special category data is processed (Article 9), we rely on an additional condition as noted below.

Processing Activity Lawful Basis (Art. 6) Details
Account creation and management Contract (6(1)(b)) Necessary to perform our service agreement with you
Platform service delivery Contract (6(1)(b)) Delivering BovRes, 1os.io, Synopli and other subscribed platforms
Security monitoring and fraud prevention Legitimate Interests (6(1)(f)) Protecting systems and users; balanced against minimal privacy intrusion
Website analytics Legitimate Interests (6(1)(f)) Understanding site usage to improve performance; anonymised where possible
Marketing and newsletters Consent (6(1)(a)) Only sent where explicit consent obtained; withdraw at any time
AI model improvement (anonymised) Legitimate Interests (6(1)(f)) Improving platform intelligence using aggregated non-identifiable data
Legal and regulatory compliance Legal Obligation (6(1)(c)) Complying with UK law, HMRC requirements, court orders
Processing sensitive data (health/biometric in BovRes) Explicit Consent (9(2)(a)) Where BovRes processes data that may relate to human health indirectly

5. Your Rights under UK/EU GDPR

As a data subject in the UK or EU, you have the following rights under the GDPR. These rights are not absolute and may be subject to conditions or limitations, but we will always handle requests fairly and transparently.

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, free of charge. We will respond within one month.

Right to Rectification (Art. 16)

Have inaccurate or incomplete personal data corrected without undue delay.

Right to Erasure (Art. 17)

Request deletion of your personal data where there is no compelling reason for continued processing.

Right to Restriction (Art. 18)

Restrict how we process your data while a dispute about accuracy or legitimacy is resolved.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests or direct marketing at any time with immediate effect.

Automated Decision Rights (Art. 22)

Not to be subject to decisions based solely on automated processing that produce significant legal or similar effects.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

6. How to Exercise Your Rights

Email uk@burmain.com with subject line “GDPR Rights Request”. Include your full name, email address, and a description of your request. We will acknowledge within 72 hours and respond fully within one calendar month. We may request proof of identity. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive. If we are unable to fulfil your request, we will explain why and advise on your right to complain to the ICO.

7. International Data Transfers

UK to South Africa

The UK has not adopted a formal adequacy decision for South Africa. Transfers between Burmain Holdings LTD and Burmain Holdings (Pty) Ltd are governed by Standard Contractual Clauses (SCCs) as approved by the ICO, providing equivalent protection to UK GDPR standards.

UK/EU to United States (Cloud Providers)

We use AWS and Google Cloud, which may process data on servers in the United States. These transfers are protected by SCCs and the UK-US data bridge framework where applicable.

Within the EU

Where EU data subjects’ data is processed within the EU, it remains subject to EU GDPR with no transfer restrictions.

Requesting Transfer Details

You may request details of the specific safeguards in place for any international transfer by emailing uk@burmain.com.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

  • Website visitor data and analytics: 26 months from last visit (Google Analytics default), then deleted
  • Contact form enquiries: 2 years from submission date
  • Account and subscriber data: Duration of subscription plus 3 years after account closure
  • Platform usage data (BovRes, 1os.io, Synopli, Windsor, Global Urban Solutions): 3 years from last active use, then anonymised
  • Financial and billing records: 7 years (UK legal requirement — Companies Act 2006 / HMRC)
  • Marketing consent records: Until withdrawal of consent plus 1 year
  • Job applicant data (unsuccessful): 6 months from rejection
  • Job applicant data (successful): Retained in employee file for duration of employment plus 7 years
  • Security and access logs: 90 days rolling
  • Backup data: Overwritten on a 30-day rolling cycle

After the retention period expires, data is either permanently deleted or irreversibly anonymised. You may request earlier deletion subject to legal retention requirements — see Section 5 (Right to Erasure).

9. AI & Automated Processing

9.1 Our Commitment to Transparency

Burmain builds AI-native platforms. We are committed to transparency about how artificial intelligence processes personal data across our portfolio. We do not use personal data to make solely automated decisions that produce legal or similarly significant effects without human oversight, in compliance with Article 22 UK/EU GDPR.

9.2 How AI Uses Your Data

Our AI systems may process your personal data to:

  • Personalise platform outputs and recommendations
  • Generate insights, predictions and analytics tailored to your usage
  • Improve model accuracy over time using anonymised and aggregated patterns
  • Detect security anomalies and prevent fraud

9.3 Lawful Basis for AI Processing

AI-driven personalisation and model improvement based on your usage is conducted under legitimate interests (Article 6(1)(f)), with appropriate safeguards. Where AI processing involves sensitive data categories (Article 9), we obtain explicit consent.

9.4 Human Oversight

All significant AI Outputs (recommendations affecting livestock health decisions, educational assessments, urban planning inputs, or enterprise decisions) are presented as advisory information. Users retain full decision-making authority. You may request human review of any AI-generated output that affects you by contacting uk@burmain.com.

9.5 AI Profiling

Where our platforms build user profiles to personalise experiences, this constitutes profiling under Article 4(4) GDPR. You have the right to object to such profiling (Article 21) — contact uk@burmain.com.

10. Children's Data

Our platforms and website are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13 without verifiable parental or guardian consent.

The Windsor AI Tutor and Windsor AI Gaming platforms may be used by minors in educational settings. These platforms operate under institutional agreements with accredited schools and educational bodies, which provide the appropriate legal basis for processing student data. Parents and guardians may contact us at uk@burmain.com to request access to or deletion of their child's data.

Where we discover that personal data has been collected from a child under 13 without appropriate consent, we will delete such data promptly and notify the relevant supervisory authority if required.

11. Security Measures

11.1 Technical Safeguards

  • Encryption of data in transit using TLS 1.3
  • Encryption of data at rest using AES-256
  • Multi-factor authentication for all internal system access
  • Role-based access controls limiting data access to authorised personnel
  • Regular automated vulnerability scanning and annual penetration testing
  • Web Application Firewall (WAF) protection
  • Secure development lifecycle with code security reviews

11.2 Organisational Safeguards

  • Annual data protection training for all staff
  • Data access on a strict need-to-know basis
  • Data Processing Agreements with all sub-processors
  • Vendor due diligence process for all third-party providers
  • Incident response plan with defined escalation procedures

11.3 Personal Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay under Article 34. Notification will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.

12. Cookies

We use cookies and similar tracking technologies on burmain.com and our platforms. Our full Cookie Policy — including a detailed table of all cookies used, their purposes, durations, and providers — is available at cookie-policy.html. Cookie consent is obtained in compliance with UK PECR (Privacy and Electronic Communications Regulations) and is separate from consent to this GDPR Statement. You may update your cookie preferences at any time via the cookie preference centre.

13. Supervisory Authorities

If you are not satisfied with how we have handled a data protection concern, you have the right to lodge a complaint with your relevant supervisory authority.

United Kingdom

Information Commissioner's Office (ICO) | Website: ico.org.uk | Phone: 0303 123 1113 | Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

European Union

The relevant national Data Protection Authority (DPA) in your EU member state. A full list of EU DPAs is available at edpb.europa.eu.

Before Making a Complaint

We encourage you to contact us first at uk@burmain.com. We will make every effort to resolve your concern directly and promptly.

14. Changes to This Statement & Contact

14.1 Changes

We review and update this GDPR Statement periodically to reflect changes in our data processing activities, applicable law, and best practices. We will notify UK and EU data subjects of material changes by email (where we hold your address) and by updating the effective date above. The current version of this statement is always available at burmain.com/gdpr.html.

14.2 Contact & Data Protection Enquiries

UK Data Controller: Burmain Holdings LTD | Email: uk@burmain.com | Subject line: "GDPR Enquiry" | Response time: Within 72 hours acknowledgement, 30 days full response

SA Joint Controller: Burmain Holdings (Pty) Ltd | Email: hello@burmain.com

14.3 Version History

This statement was first published on 1 January 2025 and is version 1.0.

Burmain Holdings

Shaping Tomorrow's Intelligence.
AI-native platforms that redefine industries.

Platforms

  • BovRes
  • 1os.io
  • Global Urban Solutions
  • Synopli
  • Windsor AI Gaming
  • Windsor AI Tutor

Company

  • About Burmain
  • Careers
  • Investors
  • Press & Media
  • Partnerships

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • POPIA Compliance
  • GDPR Statement

© 2025 Burmain Holdings (Pty) Ltd & Burmain Holdings LTD. All rights reserved.

Registered in South Africa & United Kingdom  ·  burmain.com