GDPR Compliance

TakeNote's commitment to UK GDPR and data protection compliance

Our Commitment to Data Protection

TakeNote Ltd ("TakeNote", "we", "us") is committed to protecting the personal data of our clients, their customers, and all individuals whose data is processed through our platform. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

As a platform that processes recorded client meetings for FCA-regulated financial advisory firms, we recognise that we handle particularly sensitive personal data. Our approach to data protection reflects this responsibility — privacy and security are embedded into the design of our platform, not added as an afterthought.

Our Role Under the UK GDPR

When an advisory firm uses TakeNote to record, transcribe, and summarise client meetings, the firm acts as the Data Controller — it determines why and how personal data is processed. TakeNote acts as a Data Processor — we process personal data on behalf of the firm, strictly in accordance with their documented instructions.

We do not determine the purposes of processing. We do not use client data for our own commercial purposes. We process data solely to deliver the services our clients have engaged us to provide.

A formal Data Processing Agreement (DPA) is available to all clients and is executed prior to the commencement of any data processing. The DPA sets out the scope, nature, and purpose of processing, the categories of personal data involved, and the technical and organisational measures we implement to protect that data.

Lawful Basis for Processing

TakeNote processes personal data on behalf of our clients under the following lawful bases:

Contractual Necessity (Article 6(1)(b))

Processing is necessary for the performance of the contract between TakeNote and the advisory firm for the provision of meeting transcription, summarisation, and compliance documentation services.

Legitimate Interests (Article 6(1)(f))

Where applicable, processing may be carried out in pursuit of the legitimate interests of the advisory firm in maintaining accurate client records, evidencing regulatory compliance, and fulfilling obligations under FCA rules and MiFID II.

Consent (Article 6(1)(a))

Where the advisory firm relies on consent as the lawful basis for recording client meetings, TakeNote supports this by providing transparency mechanisms and consent management features within the platform.

The advisory firm, as Data Controller, is responsible for determining and communicating the appropriate lawful basis to its clients and meeting participants. TakeNote provides guidance and documentation to support this.

What Personal Data We Process

In the course of providing our services, TakeNote may process the following categories of personal data on behalf of the advisory firm:

Meeting Participant Data

Names, roles, and voice recordings of individuals participating in recorded meetings, including financial advisers, clients, and any third parties present such as a spouse, accountant, or solicitor.

Transcribed Content

The full text of transcribed conversations, which may include financial circumstances, investment objectives, health information relevant to capacity or vulnerability assessments, employment details, family circumstances, and attitudes to risk.

Meeting Metadata

Dates, times, durations, meeting platform used, and attendee information.

Compliance Documentation

Structured suitability summaries including risk profiles, capacity for loss assessments, vulnerable customer indicators, advice given, action items, and next review dates.

Account and Usage Data

Names, email addresses, and role information of authorised users within the advisory firm, together with access logs and usage data necessary for security and audit purposes.

We do not process personal data beyond what is necessary to deliver the contracted services.

Special Category Data

Recorded client meetings may incidentally contain special category data as defined under Article 9 of the UK GDPR — for example, where a client discloses health information relevant to a capacity for loss assessment or vulnerability indicator.

TakeNote does not actively seek to collect special category data. Where such data is present within meeting recordings or transcriptions, it is processed in accordance with Article 9(2)(a) (explicit consent, where the advisory firm has obtained this from the client) or Article 9(2)(f) (establishment, exercise, or defence of legal claims).

The advisory firm, as Data Controller, is responsible for ensuring that an appropriate lawful basis exists for the processing of any special category data.

UK Data Residency

All personal data processed by TakeNote is stored and processed exclusively within the United Kingdom. Our infrastructure is hosted on Microsoft Azure UK South.

Client meeting recordings, transcriptions, summaries, metadata, and all associated personal data never leave the United Kingdom. We do not use sub-processors located outside the UK for any processing activity that involves client data.

This commitment to UK data residency is contractually guaranteed in our Data Processing Agreement and is a core design principle of the TakeNote platform.

Data Retention

TakeNote retains client data in accordance with the retention period specified by the advisory firm. The default retention period is five years from the date of each meeting, in accordance with MiFID II record-keeping requirements (Article 16(7) of MiFID II as retained in UK law).

All retained records are stored with immutable timestamps and a complete audit trail, ensuring their integrity for regulatory purposes throughout the retention period.

Upon expiry of the retention period, or upon the advisory firm's written request (subject to applicable regulatory retention obligations), personal data is securely deleted using industry-standard methods that render the data irrecoverable. Written confirmation of deletion is provided within 30 days.

Data Subject Rights

Individuals whose personal data is processed through the TakeNote platform have the following rights under the UK GDPR:

Right of Access (Article 15)

The right to obtain confirmation of whether personal data is being processed and, if so, to access that data together with supplementary information about the processing.

Right to Rectification (Article 16)

The right to have inaccurate personal data corrected without undue delay.

Right to Erasure (Article 17)

The right to have personal data deleted in certain circumstances, subject to applicable regulatory retention requirements. Where MiFID II retention obligations apply, erasure may be deferred until the expiry of the mandatory retention period.

Right to Restriction of Processing (Article 18)

The right to restrict the processing of personal data in certain circumstances.

Right to Data Portability (Article 20)

The right to receive personal data in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

The right to object to the processing of personal data in certain circumstances.

As a Data Processor, TakeNote does not respond directly to data subject requests. All requests should be directed to the advisory firm in the first instance. TakeNote will provide the advisory firm with all necessary technical assistance to fulfil data subject requests promptly and within the timeframes required by the UK GDPR.

Security Measures

TakeNote implements comprehensive technical and organisational measures to protect personal data, including:

Encryption

All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Encryption keys are managed through Azure Key Vault with automatic key rotation.

Access Controls

Role-based access controls ensure that advisers can only access their own meeting records, while compliance officers have appropriate firm-wide visibility. Multi-factor authentication is enforced for all user accounts.

Audit Logging

All access to personal data is recorded with immutable audit logs capturing user identity, action performed, timestamp, and IP address.

Penetration Testing

Annual penetration testing is conducted by an independent CREST-accredited firm. Results and remediation reports are available to clients under NDA.

Personnel Security

All TakeNote personnel with access to client data are subject to background checks, binding confidentiality obligations, and mandatory data protection training.

Certifications

TakeNote is SOC 2 Type II certified and Cyber Essentials Plus certified. ISO 27001 certification is in progress.

Full details of our security measures are set out in Schedule 2 of our Data Processing Agreement, available on request.

Data Protection Impact Assessment

TakeNote has conducted a Data Protection Impact Assessment (DPIA) in respect of the processing activities carried out through our platform, in accordance with Article 35 of the UK GDPR. The DPIA addresses the nature, scope, context, and purposes of the processing, the risks to the rights and freedoms of data subjects, and the measures implemented to mitigate those risks.

A summary of the DPIA is available to clients and prospective clients on request to support their own data protection compliance obligations.

Sub-processors

TakeNote engages a limited number of sub-processors to deliver its services. All sub-processors are contractually bound by data protection obligations no less onerous than those set out in our Data Processing Agreement.

Our current sub-processors are disclosed in Schedule 3 of the Data Processing Agreement. Clients are notified at least 30 days in advance of any proposed changes to sub-processors, with the right to object on reasonable grounds.

No sub-processor processes client data outside the United Kingdom.

No Training on Client Data

TakeNote does not use client data — including meeting recordings, transcriptions, summaries, or any associated personal data — to train, fine-tune, or improve artificial intelligence or machine learning models.

This commitment is contractually guaranteed in our Data Processing Agreement.

Client data is processed solely for the purpose of delivering the contracted services to the advisory firm. It is never aggregated, anonymised for secondary use, or shared with any third party for model development purposes.

International Data Transfers

TakeNote does not transfer personal data outside the United Kingdom. All processing, storage, and backup of client data takes place exclusively within Microsoft Azure UK South.

In the exceptional circumstance that a transfer outside the UK were to become necessary, TakeNote would obtain the prior written consent of the advisory firm and implement appropriate safeguards in accordance with Chapter V of the UK GDPR, including the International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses as applicable.

Breach Notification

In the event of a personal data breach affecting client data, TakeNote will notify the advisory firm without undue delay and in any event within 24 hours of becoming aware of the breach. The notification will include a description of the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

TakeNote maintains a documented incident response procedure and conducts regular breach response exercises to ensure readiness.

Contact

For questions about our data protection practices, to request a copy of our Data Processing Agreement or DPIA summary, or to raise any data protection concern, please contact:

Data Protection Officer

TakeNote Ltd

7 Bell Yard

London WC2A 2JR

Email: dpo@takenote.ai

Related Documents

The following documents are available on request:

  • Data Processing Agreement (DPA)
  • Data Protection Impact Assessment (DPIA) summary
  • Sub-processor list
  • Security whitepaper
  • SOC 2 Type II report (under NDA)
  • Penetration testing summary (under NDA)

To request any of these documents, please contact dpo@takenote.ai or speak to your TakeNote account manager.