1. Roles and scope
This Addendum applies where you upload or generate data through the Product (“Customer Data”) that contains personal data. For that personal data, you are the controller and Data Consultancy Ltd (trading as ADMHub) is the processor. “UK GDPR”, “personal data”, “processing”, “data subject”, “controller” and “processor” have the meanings given in the UK GDPR and the Data Protection Act 2018.
2. Subject-matter and details of processing
- Subject-matter: providing the Product — analysing Agency Debit Memos and related documents, predicting outcomes, tagging recharges and drafting dispute correspondence.
- Duration: for as long as you use the Product, plus the retention and deletion periods in clause 9.
- Nature and purpose: hosting, storage, organisation, analysis (including via an AI sub-processor), retrieval and deletion, to provide the Product to you.
- Types of personal data: typically limited business and travel data that may appear in ADM documents — for example passenger or agent names, ticket numbers, PNRs, booking references and the work contact details of your users. You should not upload special-category data.
- Categories of data subject: your staff, and passengers or agents referenced in your ADM documents.
3. Our obligations as processor
We will:
- process personal data only on your documented instructions (including those given through your use of the Product and this Addendum), unless required to do otherwise by law, in which case we will tell you first unless the law prevents it;
- ensure that people authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational security measures (clause 5);
- respect the conditions in clause 6 for engaging sub-processors;
- taking into account the nature of the processing, assist you by appropriate measures to respond to data-subject requests (access, rectification, erasure, restriction, portability and objection);
- assist you with your obligations on security, breach notification, data protection impact assessments and prior consultation with the ICO;
- at your choice, delete or return the personal data at the end of the services and delete existing copies unless the law requires us to keep them (clause 9); and
- make available the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits as set out in clause 8.
4. Your obligations as controller
You will ensure that you have a lawful basis and all necessary rights and notices to provide the personal data to us and to have it processed as described, that your instructions comply with data protection law, and that you do not upload special-category data unless you have told us and agreed appropriate safeguards in writing.
5. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction or damage, including: access controls and role-based permissions; per-tenant data separation; encryption in transit; use of reputable infrastructure providers; and restricting access to those who need it. We review these measures and update them as appropriate.
6. Sub-processors
You give us general authorisation to engage the sub-processors listed below to process personal data. Each is engaged under a written contract imposing data-protection obligations equivalent to those in this Addendum, and we remain responsible to you for their performance.
- Supabase — database and storage hosting.
- Vercel — application hosting and infrastructure.
- Anthropic — AI processing of documents and ADM data to produce predictions, tags and draft correspondence. Anthropic processes this data on our behalf and does not use it to train its models.
- Resend — transactional email delivery.
We will give you reasonable prior notice (for example by updating this page or by email) before adding or replacing a sub-processor, so you can object on reasonable data-protection grounds. If you object and we cannot offer a reasonable alternative, you may terminate the affected part of the Product.
7. International transfers
Where a sub-processor processes personal data outside the UK, we ensure an appropriate transfer mechanism is in place — such as the UK’s International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or transfers to a country covered by UK adequacy regulations.
8. Audit
On reasonable written request, and no more than once a year (unless required by a supervisory authority or following a personal-data breach), we will provide information reasonably necessary to demonstrate compliance with Article 28 and allow you (or an independent auditor bound by confidentiality) to verify it, subject to reasonable notice, confidentiality and security requirements.
9. Personal-data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and provide the information you reasonably need to meet your own breach-notification obligations.
10. Return and deletion
On termination or expiry, and at your choice, we will delete or return your personal data and delete existing copies within a reasonable period (and no later than 90 days), unless the law requires us to retain it, in which case we will keep it protected and process it only as required by that law. You may also export Your Data during the 30-day window described in our Terms of Service.
11. Liability
The liability provisions of our Terms of Service apply to this Addendum. Nothing in this Addendum limits either party’s obligations or liability directly to data subjects or the ICO under data protection law.
12. Contact
For any data-protection matter under this Addendum, contact us at sales@admhub.co.uk.