General Data Protection Regulation (EU) 2016/679 · UK GDPR · Effective 1 January 2025
This statement applies to UK and EU data subjects. Burmain Holdings LTD (United Kingdom) is the primary data controller for UK/EU residents. South African residents should refer to our POPIA Compliance Statement.
Burmain Holdings LTD, registered in the United Kingdom, acts as data controller for personal data processed in relation to UK and EU residents under the UK GDPR (as retained in UK law post-Brexit) and the EU General Data Protection Regulation 2016/679. Burmain Holdings (Pty) Ltd (South Africa) acts as a joint data controller where South African operations involve UK/EU data subjects.
This statement sets out how both entities comply with applicable data protection law when processing the personal data of individuals in the UK and European Union — covering our website burmain.com and all platforms including BovRes, 1os.io, Synopli, Global Urban Solutions, Windsor AI Gaming and Windsor AI Tutor.
Where this statement refers to “GDPR” it means both the UK GDPR and EU GDPR unless context requires otherwise.
Burmain Holdings LTD | Registered in England and Wales | Contact: uk@burmain.com | Data protection enquiries: uk@burmain.com
Burmain Holdings (Pty) Ltd | Registered in South Africa | Contact: hello@burmain.com
We are committed to appointing a Data Protection Officer as our processing activities grow. Current data protection enquiries should be directed to uk@burmain.com. We will publish DPO details here once appointed.
Depending on your relationship with Burmain Holdings and the platforms you use, we may process the following categories of personal data:
We only process personal data where we have a lawful basis for doing so under Article 6 of the GDPR. Where special category data is processed (Article 9), we rely on an additional condition as noted below.
| Processing Activity | Lawful Basis (Art. 6) | Details |
|---|---|---|
| Account creation and management | Contract (6(1)(b)) | Necessary to perform our service agreement with you |
| Platform service delivery | Contract (6(1)(b)) | Delivering BovRes, 1os.io, Synopli and other subscribed platforms |
| Security monitoring and fraud prevention | Legitimate Interests (6(1)(f)) | Protecting systems and users; balanced against minimal privacy intrusion |
| Website analytics | Legitimate Interests (6(1)(f)) | Understanding site usage to improve performance; anonymised where possible |
| Marketing and newsletters | Consent (6(1)(a)) | Only sent where explicit consent obtained; withdraw at any time |
| AI model improvement (anonymised) | Legitimate Interests (6(1)(f)) | Improving platform intelligence using aggregated non-identifiable data |
| Legal and regulatory compliance | Legal Obligation (6(1)(c)) | Complying with UK law, HMRC requirements, court orders |
| Processing sensitive data (health/biometric in BovRes) | Explicit Consent (9(2)(a)) | Where BovRes processes data that may relate to human health indirectly |
As a data subject in the UK or EU, you have the following rights under the GDPR. These rights are not absolute and may be subject to conditions or limitations, but we will always handle requests fairly and transparently.
Request a copy of all personal data we hold about you, free of charge. We will respond within one month.
Have inaccurate or incomplete personal data corrected without undue delay.
Request deletion of your personal data where there is no compelling reason for continued processing.
Restrict how we process your data while a dispute about accuracy or legitimacy is resolved.
Receive your personal data in a structured, machine-readable format and transfer it to another controller.
Object to processing based on legitimate interests or direct marketing at any time with immediate effect.
Not to be subject to decisions based solely on automated processing that produce significant legal or similar effects.
Withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Email uk@burmain.com with subject line “GDPR Rights Request”. Include your full name, email address, and a description of your request. We will acknowledge within 72 hours and respond fully within one calendar month. We may request proof of identity. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive. If we are unable to fulfil your request, we will explain why and advise on your right to complain to the ICO.
The UK has not adopted a formal adequacy decision for South Africa. Transfers between Burmain Holdings LTD and Burmain Holdings (Pty) Ltd are governed by Standard Contractual Clauses (SCCs) as approved by the ICO, providing equivalent protection to UK GDPR standards.
We use AWS and Google Cloud, which may process data on servers in the United States. These transfers are protected by SCCs and the UK-US data bridge framework where applicable.
Where EU data subjects’ data is processed within the EU, it remains subject to EU GDPR with no transfer restrictions.
You may request details of the specific safeguards in place for any international transfer by emailing uk@burmain.com.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
After the retention period expires, data is either permanently deleted or irreversibly anonymised. You may request earlier deletion subject to legal retention requirements — see Section 5 (Right to Erasure).
Burmain builds AI-native platforms. We are committed to transparency about how artificial intelligence processes personal data across our portfolio. We do not use personal data to make solely automated decisions that produce legal or similarly significant effects without human oversight, in compliance with Article 22 UK/EU GDPR.
Our AI systems may process your personal data to:
AI-driven personalisation and model improvement based on your usage is conducted under legitimate interests (Article 6(1)(f)), with appropriate safeguards. Where AI processing involves sensitive data categories (Article 9), we obtain explicit consent.
All significant AI Outputs (recommendations affecting livestock health decisions, educational assessments, urban planning inputs, or enterprise decisions) are presented as advisory information. Users retain full decision-making authority. You may request human review of any AI-generated output that affects you by contacting uk@burmain.com.
Where our platforms build user profiles to personalise experiences, this constitutes profiling under Article 4(4) GDPR. You have the right to object to such profiling (Article 21) — contact uk@burmain.com.
Our platforms and website are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13 without verifiable parental or guardian consent.
The Windsor AI Tutor and Windsor AI Gaming platforms may be used by minors in educational settings. These platforms operate under institutional agreements with accredited schools and educational bodies, which provide the appropriate legal basis for processing student data. Parents and guardians may contact us at uk@burmain.com to request access to or deletion of their child's data.
Where we discover that personal data has been collected from a child under 13 without appropriate consent, we will delete such data promptly and notify the relevant supervisory authority if required.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay under Article 34. Notification will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.
We use cookies and similar tracking technologies on burmain.com and our platforms. Our full Cookie Policy — including a detailed table of all cookies used, their purposes, durations, and providers — is available at cookie-policy.html. Cookie consent is obtained in compliance with UK PECR (Privacy and Electronic Communications Regulations) and is separate from consent to this GDPR Statement. You may update your cookie preferences at any time via the cookie preference centre.
If you are not satisfied with how we have handled a data protection concern, you have the right to lodge a complaint with your relevant supervisory authority.
Information Commissioner's Office (ICO) | Website: ico.org.uk | Phone: 0303 123 1113 | Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
The relevant national Data Protection Authority (DPA) in your EU member state. A full list of EU DPAs is available at edpb.europa.eu.
We encourage you to contact us first at uk@burmain.com. We will make every effort to resolve your concern directly and promptly.
We review and update this GDPR Statement periodically to reflect changes in our data processing activities, applicable law, and best practices. We will notify UK and EU data subjects of material changes by email (where we hold your address) and by updating the effective date above. The current version of this statement is always available at burmain.com/gdpr.html.
UK Data Controller: Burmain Holdings LTD | Email: uk@burmain.com | Subject line: "GDPR Enquiry" | Response time: Within 72 hours acknowledgement, 30 days full response
SA Joint Controller: Burmain Holdings (Pty) Ltd | Email: hello@burmain.com
This statement was first published on 1 January 2025 and is version 1.0.