Effective: January 1st, 2026
This Data Privacy Framework Statement ("Statement") has been produced by AlliumAI in connection with the transfer and protection of personal data received from data subjects located in the European Economic Area (EEA), Switzerland, and the United Kingdom (UK). AlliumAI is located at 8981 Kittiwake St., Littleton, CO 80126.
AlliumAI complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. AlliumAI has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. AlliumAI has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
For the purposes of this Statement, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. To participate in the DPF program, AlliumAI must publicly commit to comply with the DPF Principles. While the decision to self-certify to and participate in the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles that commitment is enforceable under U.S. law.
AlliumAI provides AI-driven consulting and data-processing services to its Clients pursuant to Client instructions. Such services include order management, fulfillment, customer support, and marketing. As a data processor acting on behalf of our Clients, AlliumAI obtains DPF Information about EEA, UK and Swiss consumers. The information obtained varies from Client to Client and is specified by each Client. Typically this includes names, mailing addresses, email addresses, telephone numbers, payment information, demographics and information about interactions with emails or digital platforms.
When we are processing personal data as a data processor (for example, as a CRO on behalf of client or sponsor), we will only use personal data according to the privacy notices and instructions issued by those entities who determine the purpose and means of the processing.
As a data processor, AlliumAI does not have a direct relationship with our Clients' consumers. When processing DPF Information of EEA, UK and Swiss Consumers, AlliumAI applies the Data Privacy Framework Principles as follows:
EEA, UK and Swiss individuals have rights to access personal information about them and to limit use and disclosure of such information. EEA, UK and Swiss consumers who wish to request access to, limit the use of, or limit disclosures of DPF Information we process on behalf of a Client can contact the relevant Client who is the controller of the DPF Information. AlliumAI cooperates with its Clients to address EEA, UK and Swiss consumers' requests in relation to DPF Information and supports Clients as needed to respond to the request.
AlliumAI receives DPF Information in association with providing its Consumer Offerings and operating the Site, and we receive personal information of EEA, UK and Swiss representatives of current and prospective Clients, vendors, and service providers. AlliumAI is a data controller in relation to this type of DPF Information.
EEA, UK and Swiss individuals have the following rights with regard to DPF Information for which AlliumAI is a data controller:
When required or permitted by applicable law, we obtain consent before the collection, use or disclosure of personal data. To the extent we can under applicable law, we will respect the choices and requests of data subjects to limit the collection, use, transfer or other processing of their personal data. If we are processing personal data based on consent, the data subject has the right to withdraw their consent at any time and no additional personal data will be gathered.
We will only carry out international transfers of personal data within or outside of our group of affiliated companies and agents, when the recipient is located in a country that is the recipient of an adequacy decision, or when we have implemented adequate safeguards and reasonable privacy controls for such information in compliance with applicable laws. AlliumAI does not sell or share personal data with third parties unless it is contractually obligated to do so in its capacity as a processor on behalf of a Client. We may be required under applicable law to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
AlliumAI does not plan to transfer personal information to third parties. However, in the event of any future transfer of personal information to a third party acting as an agent on its behalf, AlliumAI will abide by the Liability and Accountability for Onward Transfer Principles. AlliumAI bears responsibility for the processing of personal information it receives under these Principles and subsequently transfers to a third party acting as an agent on its behalf. AlliumAI shall remain liable if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless AlliumAI proves that it is not responsible for the event giving rise to the damage.
Furthermore, AlliumAI will require any third-party agents and/or service providers to only process personal data in accordance with applicable law and the principles contained in this Statement.
We implement appropriate administrative, physical, and technical safeguards to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We evaluate any potential security incident or personal data breach, and report any unauthorized disclosure of personal data as required by and in accordance with applicable laws. We will ensure that personal data is kept accurate, complete and relevant for its intended use. We will take all reasonable steps to destroy or amend inaccurate or out-of-date personal data. When we are acting as a data processor of personal data on behalf of a data controller, we will act according to the instructions of and contractual terms in place with the data controller to support the data controller's obligations under the Data Use, Integrity & Retention principle.
We will only collect and process personal data that is relevant and necessary to fulfill the purpose for which it was collected.
We will retain personal data only as long as necessary or required to fulfil the purpose of the collection. When we process personal data on behalf of a data controller, we will act according to the instructions of and contractual terms in place with the data controller to support the data controller's obligations under the Purpose Limitation principle.
AlliumAI has established internal mechanisms to verify its ongoing adherence to this Statement. AlliumAI is subject to the investigatory and enforcement powers of the US federal government, including the Federal Trade Commission (FTC). AlliumAI also encourages individuals covered by this Statement to raise any concerns about our processing of their personal data by contacting AlliumAI's Data Protection Officer at the address below. AlliumAI will seek to resolve any concerns within thirty (30) days according to our internal SOPs.
AlliumAI commits to periodically reviewing and verifying the accuracy of this Statement and its compliance with the Principles, and remedying any issues identified. All employees of AlliumAI that have access to personal data covered by this Statement in the US are responsible for conducting themselves in accordance with this Statement and with AlliumAI policies and procedures. Failure of an employee to comply with AlliumAI policies related to personal data may result in disciplinary action up to and including termination.
Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.
If a privacy complaint or dispute relating to Personal Data received by AlliumAI, Data, Inc. in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here:
https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
In compliance with DPF Principles, AlliumAI commits to resolve complaints about our collection or use of your personal data within thirty (30) days, to respond to requests made by individuals to access or to limit the use and disclosure of their personal data.
To issue a complaint, make a request to access your personal data or to limit the use and disclosure of your personal data, or for any other questions or concerns, please contact AlliumAI's Data Protection Officer at t.demillard@alliumai.com.
If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework "Recourse, Enforcement and Liability" Principle and Annex I of the Data Privacy Framework.
Mail: 8981 Kittiwake St., Littleton, CO 80126
Data Protection Officer: t.demillard@alliumai.com
General privacy and data protection inquiries: m.scotch@alliumai.com