1. Who We Are

1.1 Company Identity

Immigration Workspace is a product of Ascend General Consultants Ltd, a private limited company registered in England and Wales, company number 16315187.

As a company registered in England and Wales we are subject to the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and to the Data Protection Act 2018. The supervisory authority for data protection matters in the United Kingdom is the Information Commissioner's Office (ICO).

Ascend General Consultants Ltd is registered with the Information Commissioner's Office (ICO), registration number C1905899.

References to "we", "us", and "our" in this statement refer to Ascend General Consultants Ltd. References to "you" and "your" refer to users of Immigration Workspace and their clients.

1.2 Contact Details

Ascend General Consultants Ltd — Immigration Workspace

Registered in England and Wales, company number 16315187

Unit 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE

ICO Registration Number: C1905899

Data Protection Contact: support@immigrationworkspace.com

General Enquiries: support@immigrationworkspace.com

We respond to all data protection enquiries within one business day.

2. Our Commitment to UK GDPR

2.1 Our Data Protection Principles

Ascend General Consultants Ltd is committed to processing personal data in full compliance with UK GDPR and the Data Protection Act 2018. We apply the following data protection principles to everything we do:

Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We are open about what data we collect, why we collect it, and what we do with it. We always have a lawful basis for processing.

Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes. We do not process personal data in ways that are incompatible with those purposes. We never use your data for purposes beyond what is described in our Privacy Policy.

Data Minimisation

We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We do not collect data we do not need.

Accuracy

We take reasonable steps to ensure that personal data we hold is accurate and where necessary kept up to date. We provide tools for users to update their account information directly and will promptly correct inaccurate data on request.

Storage Limitation

We retain personal data only for as long as is necessary for the purposes for which it was collected or as required by law. We have a clear data retention schedule and delete data when it is no longer needed.

Integrity and Confidentiality

We process personal data in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. We use appropriate technical and organisational measures to protect the data we hold.

Accountability

We take responsibility for our data processing activities. We maintain records of our processing activities, implement appropriate policies and procedures, and are able to demonstrate our compliance with UK GDPR on request.

3. Key Definitions

3.1 Defined Terms

The following key terms are used throughout this statement in accordance with their definitions under UK GDPR:

Personal Data

Any information relating to an identified or identifiable natural person (a data subject). An identifiable natural person is one who can be identified directly or indirectly by reference to an identifier such as a name, identification number, location data, or online identifier.

On Immigration Workspace this includes user account data and all client and applicant data entered into the platform.

Special Category Data

Personal data that is particularly sensitive and which receives additional protection under UK GDPR. Special category data includes information about racial or ethnic origin, political opinions, religious beliefs, health, biometric data, and more.

Immigration case data may contain special category data — for example information about nationality, religion (relevant to Minister of Religion visa routes), or family status.

Data Subject

The identified or identifiable natural person to whom personal data relates. On Immigration Workspace data subjects include registered users (practitioners) and the visa applicants whose data is entered into the platform.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data. Ascend General Consultants Ltd is the data controller in respect of user account data. Immigration practitioners are the data controllers in respect of their clients' personal data entered into the platform.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller. Ascend General Consultants Ltd acts as a data processor in respect of client personal data entered into Immigration Workspace by practitioners.

Processing

Any operation performed on personal data including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, and destruction.

Consent

A freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data. Consent can be withdrawn at any time.

4. Data Controller and Data Processor

4.1 Dual Role Explanation

Immigration Workspace operates with a dual data relationship that is important to understand clearly.

4.2 Ascend General Consultants Ltd as Data Controller

Ascend General Consultants Ltd is the data controller in respect of:

• Registered user account data — name, email, organisation, subscription details
• Platform usage and technical data collected automatically
• Billing and payment data (processed via Stripe)
• Support ticket and communication data
• Data collected through the public landing page including the free refusal analyser

As data controller for this data Ascend General Consultants Ltd determines the purposes and means of processing and is directly responsible for compliance with UK GDPR in respect of this data.

4.3 Ascend General Consultants Ltd as Data Processor

When immigration practitioners use Immigration Workspace to store and process personal data relating to their clients and visa applicants, Ascend General Consultants Ltd acts as a data processor — processing that personal data on behalf of the practitioner and under their instruction.

In this capacity Ascend General Consultants Ltd:

• Processes client personal data only as instructed by the practitioner through use of the platform
• Does not process client personal data for its own purposes
• Implements appropriate technical and organisational security measures to protect the data
• Assists practitioners in meeting their own UK GDPR obligations where possible
• Deletes or returns client personal data at the end of the service relationship
• Provides information necessary to demonstrate compliance with UK GDPR obligations on request

4.4 Data Processing Agreement

Under UK GDPR Article 28 processing by a data processor must be governed by a binding contract — a Data Processing Agreement (DPA). Our Terms of Service incorporate the key terms required by UK GDPR Article 28 for data processor relationships.

Agency plan customers who require a separate formal Data Processing Agreement may request one by contacting us at support@immigrationworkspace.com

5. What Personal Data We Process

5.1 User Account Data

• Full name
• Email address
• Organisation or firm name
• Password — stored as an encrypted hash. We cannot see your password.
• Subscription plan and status
• Account creation and activity timestamps
• Two-factor authentication settings
• Email verification status

5.2 Client and Case Data

Personal data entered by practitioners in relation to their clients and cases may include:

• Applicant full name and date of birth
• Nationality and country of birth
• Passport number and expiry date
• Current immigration status and history
• Current address and location
• Sponsor and employer details
• Job role, salary, and employment details
• Family member information where applicable
• Supporting documents uploaded to cases
• Case notes and correspondence
• Interview preparation content

5.3 Billing Data

• Billing name and email address
• Subscription and payment history
• Invoice records
• Stripe customer reference — no full card data stored by us

5.4 Technical and Usage Data

• IP address and general location
• Browser and device type
• Platform feature usage logs
• Session timestamps and durations
• Error and performance logs
• AI generation usage and token data

5.5 Support and Communication Data

• Support ticket content and history
• Email correspondence with our team
• Contact form submissions

5.6 Data Storage Location

Application data and files are stored in UK and EU data centres. When AI generation features are used, content is transferred to Anthropic's servers in the United States. This transfer is protected by UK International Data Transfer Agreements (IDTAs) as described in Section 11.

6. Lawful Basis for Processing

6.1 UK GDPR Article 6 Legal Bases

Under UK GDPR Article 6 we rely on the following lawful bases for processing personal data:

6.2 Consent — Article 6(1)(a)

Where we rely on consent we will always ask for your explicit agreement before processing for that purpose. You have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We rely on consent for:

• Marketing communications to non-users and prospective users
• Processing email addresses collected through the free refusal analyser for follow-up communications

6.3 Contract Performance — Article 6(1)(b)

Processing is necessary for the performance of a contract to which you are a party — specifically the contract formed when you agree to our Terms of Service and subscribe to Immigration Workspace.

We rely on this basis for:

• Creating and managing your user account
• Providing access to platform features according to your subscription plan
• Processing subscription payments and issuing invoices
• Sending service-critical account notifications
• Responding to your support requests
• Sending deadline reminders and case notifications

6.4 Legal Obligation — Article 6(1)(c)

Processing is necessary to comply with a legal obligation to which we are subject. We rely on this basis for:

• Retaining financial and billing records for 7 years in accordance with UK law
• Responding to lawful requests from courts, regulators, and law enforcement
• Complying with UK GDPR data subject rights requests
• Reporting data breaches to the ICO where required

6.5 Vital Interests — Article 6(1)(d)

We may rely on this basis where processing is necessary to protect the vital interests of the data subject or another natural person. This basis is rarely relied upon and would only apply in exceptional circumstances.

6.6 Public Task — Article 6(1)(e)

This basis is not relied upon by Ascend General Consultants Ltd in the operation of Immigration Workspace.

6.7 Legitimate Interests — Article 6(1)(f)

Processing is necessary for the purposes of our legitimate interests except where those interests are overridden by your interests or fundamental rights.

We rely on this basis for:

• Improving and developing the platform based on usage analytics
• Maintaining platform security and preventing fraud
• Sending product updates and feature announcements to existing users
• Maintaining audit logs for security and dispute resolution
• Analysing aggregated usage data for business intelligence

We have conducted legitimate interests assessments for these processing activities and are satisfied that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 13.

7. Special Category Data

7.1 Special Category Data on the Platform

Special Category Data Notice: Immigration case data may contain special category personal data as defined under UK GDPR Article 9. This includes but is not limited to information about nationality, ethnic origin, religious beliefs, and family status. Such data is entered into the platform by practitioners as part of managing immigration cases.

7.2 Our Approach to Special Category Data

As a data processor for client personal data we process special category data only as instructed by the practitioner and solely for the purpose of providing the Immigration Workspace service. We do not use special category data for any other purpose.

We apply enhanced security measures to protect special category data including encryption at rest and in transit and strict access controls.

7.3 Practitioner Responsibility

As the data controller for their clients' personal data practitioners are responsible for ensuring they have an appropriate legal basis under UK GDPR Article 9 for processing special category data. Appropriate bases may include:

• Explicit consent of the data subject — Article 9(2)(a)
• Processing necessary for legal claims — Article 9(2)(f)
• Processing necessary for reasons of substantial public interest — Article 9(2)(g)

Practitioners should ensure they have appropriate privacy notices in place for their clients explaining how special category data is processed.

8. How We Use Personal Data

8.1 Purposes of Processing

We use personal data only for the following specified and legitimate purposes:

• Providing and operating the Immigration Workspace platform and all its features
• Managing user accounts, authentication, and access control
• Processing AI analysis requests submitted by users through the platform
• Processing subscription payments and managing billing through Stripe
• Sending service-related communications including account notifications, deadline reminders, and billing alerts
• Responding to support requests and resolving technical issues
• Maintaining platform security and preventing unauthorised access and fraud
• Improving and developing the platform based on anonymised usage data
• Complying with legal obligations including financial record keeping and responding to lawful regulatory requests

8.2 What We Do Not Do

✓ Our Commitments

• We do not sell personal data to any third party
• We do not use client case data to train AI models
• We do not process personal data for advertising purposes
• We do not share personal data with advertisers or data brokers
• We do not make solely automated decisions that produce legal or similarly significant effects on individuals
• We do not process personal data beyond the purposes described in this statement

9. Data Retention

9.1 Retention Principle

In accordance with the UK GDPR storage limitation principle we retain personal data only for as long as is necessary for the purposes for which it was collected or as required by applicable law.

9.2 Retention Schedule

Account Data

Retained for the duration of your active account. Following account closure all account data is permanently deleted within 30 days. We retain a minimal record of the account deletion itself for security and audit purposes for up to 12 months.

Case and Client Data

Retained until deleted by the user or upon account closure. Following account closure case and client data is permanently and irreversibly deleted from all our systems within 30 days to allow for any final export.

Financial Records

Retained for 7 years from the date of the transaction in accordance with UK law, including the Companies Act 2006 and HMRC requirements.

Support and Communication Records

Support ticket records and communication history are retained for 2 years from the date the ticket was closed for quality assurance and dispute resolution purposes.

Security and Audit Logs

Technical security logs and platform audit records are retained for up to 12 months for security monitoring and incident investigation purposes.

Refusal Analyser Uploads

Documents uploaded to the free refusal analyser are processed to generate the analysis result and are not stored after processing is complete. Email addresses provided through the tool are retained until the user unsubscribes or requests deletion.

9.3 Right to Request Deletion

You may request deletion of your personal data at any time subject to any legal retention obligations. See Section 13 for information on your right to erasure.

10. Data Security

10.1 Technical Measures

In accordance with UK GDPR Article 32 we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. Our technical security measures include:

• TLS encryption for all data in transit between users and our servers
• Encryption of all personal data stored at rest in our databases
• Secure password hashing using industry-standard algorithms — we cannot see your password
• Two-factor authentication (TOTP 2FA) available for all user accounts
• JWT-based session management with appropriate expiry and revocation
• Role-based access controls ensuring users can only access their own data
• Automated encrypted database backups with secure off-site storage
• Regular security monitoring of platform infrastructure
• CI/CD deployment pipeline with security checks via GitHub Actions

10.2 Organisational Measures

• Access to user and client data is restricted to those who need it to provide the service
• Administrative access to the platform is protected by separate credentials and API key authentication
• We maintain a full admin audit log of all administrative actions taken on the platform
• We review and update our security practices regularly in response to emerging threats and vulnerabilities

10.3 Limitation of Guarantee

While we implement robust security measures no system can be guaranteed to be completely secure. We cannot guarantee the absolute security of personal data transmitted over the internet. We are committed to taking all reasonable steps to protect your data and to responding promptly and effectively to any security incidents.

11. International Data Transfers

11.1 Transfers Outside the UK

As a UK company we are subject to UK GDPR rules on international data transfers. Some of our third party service providers are based outside the United Kingdom. Where we transfer personal data outside the UK we ensure that appropriate safeguards are in place to protect your data. The primary mechanism we use is the UK International Data Transfer Agreement (IDTA) — the UK equivalent of Standard Contractual Clauses following the UK's departure from the EU.

11.2 Anthropic — United States

Our AI features are powered by Anthropic Claude, whose servers are based in the United States. When you use AI generation features on Immigration Workspace — including document drafting, refusal analysis, case intelligence, and all AI-powered tools — the content you submit is transferred to Anthropic's servers in the United States for processing.

The United States does not benefit from a UK adequacy regulation. This transfer is therefore a restricted transfer under UK GDPR and is protected by a UK International Data Transfer Agreement (IDTA) between Ascend General Consultants Ltd and Anthropic.

Anthropic does not retain your data after processing is complete and does not use data submitted through the API to train its AI models.

AI Processing Transfer Notice: By using the AI features of Immigration Workspace you acknowledge that personal data submitted for AI processing will be transferred to Anthropic's systems in the United States, protected by an IDTA as described above. Please consider this when deciding what personal data to include in AI processing requests. We recommend anonymising or pseudonymising applicant data where possible before AI processing.

11.3 Stripe — United States and United Kingdom

Stripe operates in both the United States and the United Kingdom. Where personal data is processed by Stripe's US operations this is protected by appropriate transfer mechanisms including IDTAs. Stripe is certified under applicable data transfer frameworks and processes payment data in accordance with UK GDPR requirements.

11.4 Cloudflare — Global Infrastructure

Cloudflare provides file storage, CDN, and infrastructure delivery for the platform. Cloudflare operates a global infrastructure network. Data stored and delivered through Cloudflare is subject to Cloudflare's data protection commitments and equivalent transfer safeguards where data leaves the UK.

11.5 Data Minimisation

We only transfer the minimum data necessary to third party providers to fulfil the specific purpose for which it is being transferred.

12. Third Party Processors

12.1 Sub-Processors

Under UK GDPR Article 28 where we engage sub-processors to process personal data on our behalf we ensure that appropriate data processing agreements are in place and that sub-processors provide sufficient guarantees regarding their technical and organisational security measures.

12.2 Current Sub-Processors

Anthropic Inc.

• Location: United States
• Purpose: AI processing — document generation, refusal analysis, case intelligence, and all AI-powered platform features
• Data transferred: Case and document data submitted for AI processing
• Transfer mechanism: UK International Data Transfer Agreement (IDTA)
• Retention: Anthropic does not retain data after processing and does not train on user data
• Privacy policy: anthropic.com/privacy

Stripe Inc.

• Location: United States and United Kingdom
• Purpose: Payment processing, subscription management, and billing
• Data transferred: Billing name, email address, and payment information
• Transfer mechanism: IDTA and adequacy mechanisms where applicable
• Privacy policy: stripe.com/privacy

Cloudflare Inc.

• Purpose: File storage, CDN, and infrastructure delivery
• Data transferred: Files and platform data as necessary for storage and delivery
• Transfer mechanism: Equivalent safeguards in place for any transfers outside the UK
• Privacy policy: cloudflare.com/privacypolicy

12.3 Changes to Sub-Processors

We will notify users of any changes to our sub-processors that may affect the processing of personal data. You have the right to object to the appointment of new sub-processors where you have legitimate grounds to do so.

13. Your Rights Under UK GDPR

13.1 Overview of Your Rights

Under UK GDPR Articles 15 to 22 you have the following rights in relation to your personal data. We will respond to all valid rights requests within one month of receipt. In complex cases we may extend this period by a further two months but will notify you within the initial one month period if an extension is required.

We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.

13.2 Right of Access — Article 15

You have the right to obtain confirmation of whether we process personal data about you and if so to receive a copy of that data together with information about how it is processed. This is known as a Subject Access Request (SAR).

You can access much of your account data directly through your profile and dashboard. For a full Subject Access Request please contact us at support@immigrationworkspace.com

13.3 Right to Rectification — Article 16

You have the right to request correction of inaccurate personal data we hold about you and to have incomplete personal data completed. You can update most account information directly through your profile settings. For other corrections please contact us at support@immigrationworkspace.com

13.4 Right to Erasure — Article 17

You have the right to request the deletion of your personal data in certain circumstances including where:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent where consent was the basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

You may request deletion through your account settings or by contacting us at support@immigrationworkspace.com

Please note that we may be required to retain certain data for legal obligations such as financial records retained for 7 years under UK law. Where this applies we will inform you clearly.

13.5 Right to Restriction of Processing — Article 18

You have the right to request that we restrict the processing of your personal data in certain circumstances including where:

• You contest the accuracy of the personal data — restriction applies while accuracy is verified
• Processing is unlawful and you oppose erasure and request restriction instead
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of whether our legitimate grounds override yours

13.6 Right to Data Portability — Article 20

You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where:

• Processing is based on consent or contract
• Processing is carried out by automated means

You can export your case data at any time using the PDF export feature within the platform. For other data portability requests please contact us at support@immigrationworkspace.com

13.7 Right to Object — Article 21

You have the right to object to processing of your personal data where we rely on legitimate interests as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or where processing is necessary for legal claims.

You also have the right to object at any time to processing for direct marketing purposes.

13.8 Rights Related to Automated Decision Making — Article 22

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you.

We confirm that we do not make solely automated decisions that produce legal or similarly significant effects on individuals. The AI features of Immigration Workspace — including risk scores, refusal predictions, and case intelligence — are tools designed to assist qualified practitioners and require human review before any action is taken. All decisions in respect of immigration applications remain with the practitioner.

13.9 How to Exercise Your Rights

To exercise any of your UK GDPR rights please contact us at:

Data Rights Requests

Email: support@immigrationworkspace.com

Subject line: UK GDPR Rights Request — [type of request]

Please include your full name, email address registered to your account, and a clear description of your request. We may ask you to verify your identity before processing your request. We will respond within one month.

13.10 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with UK GDPR you have the right to lodge a complaint with the Information Commissioner's Office (ICO), which is the supervisory authority for data protection in the United Kingdom:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

Please Contact Us First: We encourage you to contact us directly before lodging a complaint with the ICO. We are committed to resolving data protection concerns promptly and fairly. Please email us at support@immigrationworkspace.com and we will respond within one business day.

14. Practitioner Responsibilities as Data Controller

14.1 Your UK GDPR Obligations

Important — Practitioner Responsibilities: When you use Immigration Workspace to store and process personal data relating to your clients and visa applicants you are acting as the data controller for that personal data. You have independent UK GDPR obligations that you must comply with. This section summarises your key responsibilities.

14.2 Lawful Basis

You must have a lawful basis under UK GDPR Article 6 for processing your clients' personal data on Immigration Workspace. The most likely bases for immigration practitioners are:

• Contract performance — processing is necessary to provide immigration advice and services under your client agreement
• Legal obligation — processing is necessary to comply with legal obligations applicable to your practice
• Consent — your client has given clear consent to their data being processed for specified purposes

14.3 Privacy Notice to Clients

You are required by UK GDPR to provide your clients with a privacy notice explaining how their personal data is processed. This notice should include information about the use of Immigration Workspace as a processing platform. We recommend including a reference to our Privacy Policy in your own client privacy notice.

14.4 Data Subject Rights

You are responsible for responding to data subject rights requests from your clients in relation to the personal data you hold about them. If a client makes a Subject Access Request or requests deletion of their data you must comply with that request in accordance with UK GDPR. You can use the export and deletion features in Immigration Workspace to assist with this.

14.5 Data Minimisation

You should enter only the personal data into Immigration Workspace that is necessary for managing the immigration case. You should not enter personal data that is irrelevant to the case or excessive for the purpose.

14.6 AI Processing Consideration

When using AI features you are submitting personal data to Anthropic's API for processing in the United States. You should consider whether it is necessary to include specific personal data in AI processing requests. Where possible we recommend anonymising or pseudonymising data before AI processing.

14.7 Accuracy

You are responsible for ensuring that the personal data you enter into Immigration Workspace is accurate and up to date. Inaccurate data in immigration applications can have serious consequences for your clients.

15. Data Breach Procedures

15.1 Our Breach Response Obligations

Under UK GDPR Article 33 we are required to report personal data breaches that are likely to result in a risk to individuals' rights and freedoms to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.

Under UK GDPR Article 34 where a breach is likely to result in a high risk to individuals' rights and freedoms we are also required to notify the affected individuals without undue delay.

15.2 Our Breach Response Process

• Upon becoming aware of a potential breach we will investigate immediately
• We will assess the risk level and scope of any breach
• Where required we will notify the ICO within 72 hours of becoming aware of the breach
• Where required we will notify affected users directly without undue delay
• We will take immediate steps to contain and remediate any breach
• We will document all breaches regardless of whether notification is required

15.3 Reporting a Security Concern

If you become aware of or suspect a security incident or data breach relating to Immigration Workspace please report it to us immediately at:

Security Incident Reports

Email: support@immigrationworkspace.com

Subject line: Security Incident Report

We treat all security reports as urgent and will respond as quickly as possible.

16. Data Protection by Design and Default

16.1 Our Approach

In accordance with UK GDPR Article 25 we implement data protection by design and by default. This means that data protection principles and privacy-enhancing measures are built into our platform from the ground up rather than added as an afterthought.

16.2 By Design

Our platform is designed with data protection built in at every level:

• Encryption is implemented at the architecture level — not added later
• Role-based access controls are built into the data model from the beginning
• Data deletion features are part of the core platform — not an afterthought
• Audit logging is built into every significant platform action
• 2FA is available as a first-class feature not an optional extra
• Data minimisation is considered in every feature we build

16.3 By Default

Our default settings are the most privacy-protective options:

• Only strictly necessary cookies are active by default
• Case sharing links are disabled by default — you must explicitly create and share them
• Client portal access is inactive by default — you must explicitly invite clients
• Account deletion permanently removes all data — we do not retain it by default

17. AI Processing and UK GDPR

17.1 AI and Personal Data

The AI features of Immigration Workspace process personal data submitted by users to generate documents, analysis, and intelligence reports. This section explains how UK GDPR applies to our AI processing.

17.2 No AI Training on Client Data

✓ We Do Not Train AI on Your Data
We do not use personal data entered into Immigration Workspace — including case data, client data, or uploaded documents — to train, fine-tune, or improve any AI model. Data submitted for AI processing is used solely to generate the requested output. Anthropic does not retain data submitted through the API and does not use it for AI training purposes.

17.3 No Solely Automated Decision Making

The AI features of Immigration Workspace do not make solely automated decisions with legal or similarly significant effects on data subjects within the meaning of UK GDPR Article 22. Specifically:

• Risk scores and refusal predictions are indicators only — not decisions
• All AI outputs are reviewed and acted upon by qualified practitioners
• No immigration application outcome is determined by our AI
• AI-generated documents are drafts subject to professional review

17.4 Data Minimisation in AI Requests

We encourage practitioners to apply data minimisation when using AI features. You should include only the personal data that is necessary to generate the required output. Where possible consider using pseudonymised or anonymised data in AI processing requests.

17.5 Anthropic Data Processing

Data submitted for AI processing is transmitted to Anthropic's Claude API. Anthropic processes this data as a sub-processor under a UK International Data Transfer Agreement (IDTA). Anthropic does not retain data after processing is complete and does not train on user data. Anthropic's processing is governed by their privacy policy available at anthropic.com/privacy

18. Supervisory Authority

18.1 UK Supervisory Authority

As a company registered in England and Wales the supervisory authority for data protection purposes is the Information Commissioner's Office (ICO).

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

18.2 Your Right to Complain

You have the right to lodge a complaint with the ICO if you believe we have processed your personal data in breach of UK GDPR.

We always encourage you to contact us directly first so we have the opportunity to address your concern. Please email support@immigrationworkspace.com and we will respond within one business day.

19. Changes to This Statement

19.1 Statement Updates

We may update this UK GDPR Statement from time to time to reflect changes in our data processing activities, changes in UK GDPR guidance, or changes to our platform. We will notify you of material changes by:

• Sending an email notification to the address registered to your account
• Displaying a prominent notice within the platform
• Updating the Last Updated date at the top of this page

Your continued use of Immigration Workspace after the effective date of any updated statement constitutes your acceptance of those changes. If you do not agree with the updated statement you should stop using the platform.

20. Contact Us

20.1 Data Protection Contact

For all UK GDPR and data protection enquiries please contact us at:

Ascend General Consultants Ltd — Immigration Workspace

Registered in England and Wales, company number 16315187

Unit 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE

ICO Registration Number: C1905899

Data Protection Enquiries: support@immigrationworkspace.com

UK GDPR Rights Requests: support@immigrationworkspace.com

Security Incidents: support@immigrationworkspace.com

General Support: support@immigrationworkspace.com

We respond to all data protection enquiries within one business day.

20.2 Related Policies

Please also review our related policies:

• Terms of Service
• Privacy Policy
• Cookie Policy

✓ Your Data Protection Matters to Us
We take your data protection rights seriously. If you have any questions, concerns, or requests relating to your personal data or our UK GDPR compliance please do not hesitate to contact us at support@immigrationworkspace.com . We are committed to responding promptly, transparently, and fairly to all data protection enquiries.