At Desia ("we", "us", or "our"), we are committed to safeguarding your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the EU General Data Protection Regulation ("EU GDPR") where applicable to EU data subjects, and all other applicable laws. References in this Policy to "GDPR" should be read as including both the UK GDPR and EU GDPR where the context requires. This Privacy Policy explains how we collect, use, share, and protect Personal Data, and sets out your rights under UK data protection law. Depending on the context, Desia acts either as a Data Controller (for example, when managing your account or our marketing) or as a Data Processor on behalf of our business customers (when processing data they submit to the platform under our Data Processing Agreement).
Desia is responsible for your Personal Data and acts as your Data Controller. While we are not legally required to appoint a data protection officer, any queries regarding your data can be addressed to info@desia.ai or by post at 20 Eastbourne Terrace, London, W2 6LG, UK.
You have the right to contact the relevant supervisory authority. For UK data subjects this is the Information Commissioner's Office (ICO) at www.ico.org.uk. For EU data subjects this is your national data protection authority (for example, the CNIL in France, the Garante in Italy, or the BfDI in Germany). A full list of EU supervisory authorities is available at https://www.edpb.europa.eu. We encourage you to contact us first at info@desia.ai so we can try to resolve your concern directly.
As Desia is established in the United Kingdom, EU data subjects whose personal data we process have the right to contact our EU representative under Article 27 of the EU GDPR. Our EU representative is:
Instant EU GDPR Representative Ltd (trading as GDPRLocal)
Office 2, 12A Lower Main Street, Lucan, Co. Dublin, K78 X5P8, Ireland
Email: contact@gdprlocal.com
EU privacy request submission page:
https://desialimited.gdprlocal.com/eu
Acting as Data Controller
Personal Data means any information relating to an identified or identifiable natural person ('data subject'). We may collect, store, and use various types of Personal Data, which include:
UK GDPR requires that every processing activity has a lawful basis. The following sets out the basis we rely on for each category of processing:
We will only use your Personal Data when permitted by law.
Where you have consented, we may send you marketing updates and content that might interest you. Occasionally, we may suggest products or services based on your interests. You can withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at info@desia.ai.
We will use your Personal Data only for the purposes it was collected, unless we find that it is necessary for another purpose compatible with the original. If we need to use your data for another purpose, we will inform you of the legal grounds allowing us to do so.
Under UK GDPR, you have the following rights. We will respond to any request within one calendar month of receipt. In complex or multiple cases we may extend this by a further two months, in which case we will notify you within the first month and explain the reason for the delay. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive:
You may request deletion of your account and associated Personal Data at any time by contacting us at info@desia.ai. We will process erasure requests in accordance with your rights under UK GDPR Article 17. Where retention is required by law or another lawful ground applies, we will retain only the minimum data necessary and will inform you of the reason.
Your account is protected by a password, and you must take steps to secure your password and limit unauthorised access to your account.
We are committed to ensuring the security of your data and safeguarding it from unauthorised disclosure. Any Personal Data we collect is accessible only to a limited number of employees who hold special access privileges and are bound by strict confidentiality obligations. If we engage sub-contractors to store your data, we will retain control over your Personal Data and will not expose it to security risks that would not have been present had we kept the data ourselves. However, please be aware that no method of data transmission over the internet can be guaranteed as entirely secure. Third parties outside of the control of Desia Limited may unlawfully intercept or access transmissions or private communications. While we make every effort to protect your Personal Data, we cannot guarantee or warrant the security of any information you transmit to us. Transmission of data is carried out at your own risk. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.
You can opt out of marketing messages at any time, but we may retain other data from your interactions with us for non-marketing purposes.
You will not be required to pay a fee to access your Personal Data (or to exercise any of your other rights). However, if your request is manifestly unfounded or excessive, we reserve the right to refuse to fulfil your request. To help verify your identity and confirm that you have the right to access your Personal Data (or exercise any of your other rights), we may ask you to provide specific information. This is a security measure to ensure that Personal Data is not shared with anyone who is not authorised to receive it. Additionally, we may contact you to request further details regarding your inquiry to expedite our response.
Our Sub-Processors
Where we act as a Data Processor on behalf of our business customers, we engage sub-processors to help us deliver the Services. All sub-processors are bound by Data Processing Agreements that impose obligations equivalent to those in our DPA. The current list of approved sub-processors is maintained at trust.desia.ai.
We will notify our business customers (Controllers) of any intended additions or replacements to the sub-processor list at least 30 days in advance by email to the account owner, giving them the opportunity to object. Business customers may object to a new sub-processor on reasonable data protection grounds within 14 days of receiving notice.
How We Use AI in the Service
Desia's platform uses large language models (LLMs) and other AI technologies to deliver the Services. This section explains how Personal Data interacts with those AI systems.
What data is sent to AI providers
When you submit a query or document to the platform, only the content of that specific query or document is transmitted to the relevant AI provider to generate a response. Desia does not transmit your account details, billing information, or any other Personal Data to AI providers beyond what you explicitly include in a query.
No training on your data
Desia has entered into enterprise agreements with each AI provider that explicitly prohibit them from using any data submitted through the Desia platform to train, fine-tune, or otherwise improve their AI models. Your data is used solely to generate a response to your query and is not retained by the AI provider beyond what is required to deliver that response.
AI outputs are not automated decisions
AI-generated outputs are informational tools to assist finance professionals. They do not constitute investment, legal, or regulatory advice, and Desia does not make solely automated decisions about individuals that produce legal or similarly significant effects. Authorised Users are responsible for reviewing and exercising professional judgment on any AI-generated output.
Our site may contain links to third-party websites, and we are not responsible for their privacy practices.
You can manage your cookie preferences at any time through our cookie preference centre, accessible via the cookie banner on our website.
In the unlikely event of a data breach that may impact your Personal Data, we will take all necessary measures to assess the breach and its implications. If it is determined that your rights and freedoms may be adversely affected, we will notify you without undue delay, in compliance with GDPR requirements. This notification will include:
1. A description of the nature of the breach.
2. The likely consequences of the breach.
3. Measures we have taken or will take to address the breach and mitigate any potential harm.
We may share your Personal Data with law enforcement agencies, governmental authorities, or regulatory bodies as required by law or in response to valid legal requests. This may include sharing information necessary for the investigation of a crime, compliance with a subpoena, or other legal obligations. We will ensure that any sharing of your Personal Data in such circumstances is conducted in compliance with applicable laws and regulations, and we will strive to notify you of such sharing unless prohibited by law.
We retain Personal Data only for as long as is necessary for the purposes for which it was collected, or as required by law. The following indicative periods apply:
• Account and profile data is retained for the duration of your subscription and deleted within 90 days of account closure;
• Billing and financial records are retained for 7 years to comply with UK tax and accounting obligations;
• Marketing contact data is retained until you unsubscribe or object, after which it is suppressed rather than deleted to honour your preference;
• Service logs and usage data are retained for up to 12 months;
• Data submitted to the platform by customers acting as Controllers ("Service Data") is retained in accordance with the applicable DPA and deleted or returned upon termination of the relevant agreement.
Where we are required by law to retain data for longer, the statutory period applies.
You must be 18 or older to use Desia. We do not knowingly collect data from children.
As a user of our services, you have certain responsibilities to help us protect your Personal Data and maintain the security of your account. These responsibilities include:
Providing Accurate Information: You must ensure that any Personal Data you provide to us is accurate, complete, and up to date. If your information changes, please notify us promptly so we can update our records.
Protecting Account Credentials: You are responsible for maintaining the confidentiality of your account credentials, including your password. Do not share your login details with anyone, and inform us immediately if you suspect unauthorised access to your account.
Securing Your Device: Ensure that the device you use to access our services is secure and protected against malware, viruses, and unauthorised access. This includes using updated antivirus software and firewalls.
Complying with Applicable Laws: You must comply with all applicable laws and regulations when using our services. This includes refraining from using our services for any unlawful activities, including but not limited to fraud, hacking, or any form of harassment.
Respecting Others' Privacy: You should not collect, store, or share the Personal Data of other individuals without their consent. Any data shared with us should not infringe on the rights of others.
Reporting Security Concerns: If you become aware of any security vulnerabilities or data breaches related to our services, you should report them to us immediately at info@desia.ai.
By fulfilling these responsibilities, you contribute to the overall security and integrity of our services and help us protect your Personal Data and that of other users.
Some of our sub-processors are located outside the United Kingdom or European Economic Area. The following transfer mechanisms apply depending on the direction of transfer.
(a) UK outbound transfers: where we transfer Personal Data from the UK to a country that does not benefit from a UK adequacy decision, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (UK Addendum), incorporated into our agreements with each sub-processor, or on a UK adequacy decision where applicable.
(b) EU outbound transfers (EU to UK): where our EU customers transfer Personal Data to us in the UK, such transfers are currently covered by the European Commission's adequacy decision recognising the UK as providing adequate protection. We recommend that EU customers verify the current status of this adequacy decision at the time of contracting, as it is subject to periodic review. Where the adequacy decision is not in force, EU customers may rely on Standard Contractual Clauses (EU SCCs) incorporated into our Data Processing Agreement.
(c) We do not rely solely on consent as the basis for any international transfer. Copies of applicable transfer mechanisms are available on request at info@desia.ai.
We regularly review this Privacy Policy and post updates here. We will notify you of material changes to this Privacy Policy by email or in-app notice at least 30 days before the changes take effect. Continued use of the Services after that date constitutes acknowledgment of the updated policy. Where changes affect processing previously based on consent, we will seek fresh consent before proceeding.
Please also review our Terms of Service for more information about your use of Desia.