Skip to main content
Nous contacter Network Login
Nous contacter

Avis de confidentialité

Read Now Télécharger le PDF
Personne tapant sur un clavier - pour illustrer un avis de confidentialité

Privacy Notice

Contents

  1. INTRODUCTION
  2. ACHILLES AS A CONTROLLER AND PROCESSOR
  3. PERSONAL DATA WE COLLECT AS A CONTROLLER
  4. PURPOSES & BASIS FOR PROCESSING
  5. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS
  6. SHARING YOUR DATA
  7. HOW LONG WE KEEP YOUR DATA
  8. YOUR RIGHTS
  9. HOW TO CONTACT US
  10. UPDATES TO THIS NOTICE

1. INTRODUCTION

This Privacy Notice describes how Aurora II Topco Limited, the parent company of the Achilles group, and the Achilles global affiliates (together “Achilles”, “we”, “us”, “our”) process personal data when you use any of our supply chain risk assessment services.  Depending on the Achilles service provided, we will collect and process personal data about individuals (“you” and “your”) for our own business purposes (as a data controller) and/or under the instructions of our buyer customer/hiring client (as a data processor).

As a global information led business, we place great importance in ensuring the quality, confidentiality, integrity and availability of the data we hold, and in meeting our data protection obligations where we process personal data. This privacy notice explains what personal data we collect and process about you in our capacity as a data controller and as a data processor, with a specific focus on the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”).  As a global company we will process your personal data in accordance with applicable data protection laws, and further information on specific local compliance requirements is set out in Appendix 1 to this Privacy Notice.

2. ACHILLES AS A CONTROLLER AND PROCESSOR

Data Controller

We act as a data controller when:

  • Buyers (hiring clients) and suppliers register to use (i) the Achilles Network (MyAchilles) service; and (ii) in certain cases (as determined by your contract with Achilles), the Achilles Enterprise (GoSupply) service.
  • When any individual subscribes to receive marketing communications or registers to attend an Achilles event.

Data Processor

We act as a data processor when buyers (hiring clients) and suppliers register to use (i) the Controlar service; (ii) the Achilles Veritas service (GRMS); and (iii) in certain cases (as determined by your contract with Achilles), the Achilles Enterprise (GoSupply) service.

Where we act as a data processor/service provider under the instructions of our buyer customer (the hiring client), your rights will be facilitated by the buyer organisation (that has engaged the supplier organisation you work for) because they are the data controller of your personal information.

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

3. PERSONAL DATA WE COLLECT AS A CONTROLLER

The personal data we collect about you depends on our relationship with you or the organisation you are engaged by. In most cases we will process your personal data because you work for one of our buyer or supplier customers, including organisations that our buyer customers ask us to invite to become a supplier customer.

We may also process your personal data if you work for an organisation that is a sales prospect or target of ours; if you have subscribed for our insight emails or other marketing communications; if you register for our webinars or events; or if you otherwise contact us and when you visit our website.

Individuals at Supplier Organisations – Achilles Network (MyAchilles) and Achilles Enterprise (GoSupply)

If you work for one of our supplier customers and you are a key contact or senior business stakeholder, your organisation may provide us with your personal data in connection with the services provided to them by Achilles. The information is provided to us using our supplier onboarding questionnaires and will include your name, job title, business email, business telephone and office address.

We may also collect your personal data from one of our buyer customers if they want us to contact you to invite your organisation to become one of our supplier customers for the purpose of supplying or continuing to supply the buyer organisation. Where this applies, we will typically be provided with your name, business email address and business telephone number.

Where your organisation has provided your information to us when signing up to become an Achilles supplier customer, we may also collect information about you from risk screening and financial screening service providers and combine this with the information provided to us by your organisation.  Achilles uses the service of LSEG World Check and their Privacy notice can be viewed here.   It is in Achilles’ legitimate interest to carry out checks and provide reports to Buyer organisations to assist them in complying with their leal and regulatory obligations as part of Achilles supply chain risk management services. For any special categories of data collected, Achilles processing of this data is necessary for the reasons of substantial public interest under the basis of domestic law.

If you pay for services on behalf of your supplier organisation using a payment card in your name, we will collect your payment card information when you provide it to us for payment.

Individuals at Buyer Organisations/Hiring Clients – All services

If you work for one of our buyer customers/hiring clients and you are a key relationship contact, we will collect your personal data in connection with the services provided to them by Achilles. The personal data we collect will be your name, job title, business email address, business telephone number and office address.  We will also collect billing or payment information in order to process payments for our subscription to our services.

We will also collect your name and email address and process the password you set if we are asked by a buyer customer to provide you with user access to one of our online supply chain management/risk assessment platforms.

We may also process your personal data if you work for a buyer organisation that is a sales target or prospect, and we wish to contact you to build a sales relationship or provide you with information and marketing communication that you may find interesting.

We collect prospecting information from publicly available sources, from referrals and from providers of business decision maker contact information.

Marketing Subscribers & Event Registrants

If you subscribe for our insight emails or other marketing communications, we will collect your name, email address and, if you use a corporate email address, the name of the organisation you work for.

If you register for one of our webinars or another event, we will collect the registration information you provide to us, including your name, email address, job title and the name of the organisation you work for.

You can unsubscribe from our marketing emails at any time using the link provided in the messages we send. Alternatively, you can withdraw your consent or object to our marketing communications by emailing us at dataprivacy@achilles.com.

Individuals Contacting Us

If you contact us using the forms on our website, by email or through our social channels (such as X or LinkedIn) we collect the information you provide to us. This typically includes your name, job title, employer business address, business email and any additional information you include in your message.

Website Visitors

When you visit our website, we may automatically collect limited personal data by the use of cookies and similar technologies on our website. For more information, please refer to the Cookie Notice.

We may also automatically collect information including your IP address, details about the device and software you are using to visit the site, your country and continent and your web page viewing path including page response times and download times. This information will not include directly identifiable personal data.

4.PURPOSES & BASIS FOR PROCESSING

The purposes and lawful bases for which we process your personal data depends on our relationship with you and the particular Achilles service that is being provided, as follows:

Individuals at Supplier Organisations using the Achilles Network (MyAchilles) or the Achilles Enterprise (GoSupply) solution

Purpose Lawful Basis for Processing
Contacting you at the request of buyer organisations

: Including contacting you to invite you to register your organisation with Achilles as a supplier organisation.

 Our legitimate interest to invite your organisation to sign up for our services at the request of a buyer organisation.

Onboarding your organisation as a supplier customer: Including collecting your details and other organisational information using our supplier onboarding questionnaires and setting your organisation up as a customer on our systems.

Assessing organizational documents using Achilles Intelligence AI technology. 

Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

 

Adding supplier information to the Achilles Network (MyAchilles) or Achilles Enterprise (GoSupply) platform: Including adding personal data provided to us by suppliers during registration and from third party data providers. Once on the platform, your personal data will be visible to:

(i)buyer organisations in the Achilles community your organisation has agreed to join; and/or

(ii)where your organisation has agreed to allow access of your information to a specific buyer organisation only, that specific buyer organisation.

Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Providing our services to your organisation:

Including setting up your user access to our online supply chain management platform, authenticating your ongoing access, to the platform or the mobile app, providing you with user support and arranging and carrying out supply chain audits of your organisation.

 Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Developing our business relationship with your organisation

: Including sharing information about using our services, providing training and support, sending you insight emails and other marketing communication and inviting you to our webinars and other events.

Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.

You consent when you sign up for our insight emails, for information about our events or our other marketing communications.

Seeking customer feedback and monitoring customer satisfaction: Including sending you customer satisfaction surveys and requesting input on services.
Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.
Account management and contract renewals

: Including contacting you to ensure we hold up to date information about your organisation, advising you when your contract with Achilles is due to expire and providing renewals quotes.

 Our legitimate interest to update the information we hold about you and your organisation as an Achilles supplier customer, to advise you when your organisation’s contract with Achilles is expiring and to seek to retain your organization as a customer.
Taking payment for the services provided to your organisation

: Including processing details of payments cards in your name used to pay on behalf of your organisation.

 Our legitimate interest to process payment card information you provide to us to pay for services we provide to your organisation.

 

Individuals at the Buyer Organisation / Hiring Client (all services)

Purpose Lawful Basis for Processing
Building a sales relationship with your organisation

: Including contacting you by telephone or email or sending marketing communications to promote our services.

 Our legitimate interest to contact you to introduce our business, promote our services and to build a sales relationship with your organisation.
Providing our services to your organisation: Including setting up your user access to our online supply chain management/risk assessment platform(s), authenticating your ongoing access and providing you with user support. Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Managing and developing our business relationship with your organisation:

Including account management, sharing information about our services, providing training and support, sending you insights emails and other marketing communications, and inviting you to our webinars and other events.

Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.

Your consent when you sign up for our insight emails, for information about our events or our other marketing communications.
Seeking customer feedback and monitoring customer satisfaction:

Including sending you customer satisfaction surveys and requesting input on our products and services.

 Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.

 

Marketing Subscribers & Event Registrants

Purpose Lawful Basis for Processing
Sending you marketing communications:

Including insight emails, information about Achilles’, invites to webinars and events and other marketing information.

Our legitimate interest to send you marketing communications, including invites to webinars and events we hold or attend.

Your consent when you sign up for our marketing communications, including invites to webinars and events we hold or attend.
Event management: Including providing you with access to the event and recording your attendance. Our legitimate interest to administer and manage events and webinars to which to you signed up to attend.

 

Individuals Contacting Us & Website Visitors

Purpose Lawful Basis for Processing
Responding to your enquiry: Including by email, telephone or using the social media channel you have used to contact us. Our legitimate interest to respond to your enquiry or communication.
Improving our website: Including your visitor experience by using cookies and similar tools to remember your preferences and display content that is more relevant to you. Your consent, when you agree to cookies and similar technologies used by our website.
Measuring website engagement: Including monitoring use of our website and measuring the success of our marketing campaigns using cookies and similar analytics technologies. Your consent, when you agree to cookies and similar technologies used by our website.

 

In all cases, we may also process your personal data for the following purposes and on the following lawful bases:

Purpose Lawful Basis for Processing
Internal management, administrative and organisational purposes: Including maintaining internal records and carrying out other business administration tasks. Our legitimate interest to process your personal data in order to manage our business processes.
Sharing data with group companies: Including Achilles employees in overseas offices for the purposes of processing set out in this privacy notice. Our legitimate interest to make your data available to Achilles employees in other locations to provide our services and meet our business objectives.
Sharing data with other third parties: Including third parties who process personal data on our behalf as data processors. Our legitimate interest to share your data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers.

 

5. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS

Achilles uses cookies, website analytics and similar technologies on our website and online supply chain management platform. Marketing emails we send may also include tracking pixels to monitor email receipt, opens and clicks.

Cookies are small text files and web beacons are small graphic images. They are downloaded to your device when you visit a website or receive certain emails unless you have set your browser or email application to stop them.

We use cookies to remember your preferences, display content that is more relevant to you and improve your overall experience on our site. Our email marketing platform uses pixels to track engagement with the emails we send and measure the success of our marketing campaigns. Website analytics are used to measure engagement and monitor issues to help us identify opportunities to improve our website and platforms.

To learn more about our use of cookies and similar technologies, please view our Cookie Notice.

Our website includes social media sharing buttons and links to enable you to share our content through your preferred social media site or by email directly from one of our web pages. These features may collect your IP address and the page you are visiting on our website and may set a cookie on your device if you use the buttons.

When you use one of these sharing buttons or links, you are sharing information to another website or service (such as X, LinkedIn or Facebook) and this privacy notice will no longer apply. Please read the privacy notices provided by the particular social media website you are sharing through before posting any personal data using these links.

6. SHARING YOUR DATA

Achilles is a global business and to respond properly to your enquiry, or for the purpose of delivering our services, it is possible that we will share your data with our group companies, including those in countries outside the UK and European Economic Area (the “EEA”) where the data protection laws are not equivalent to those within the UK or EEA. We do so using Standard Contractual Clauses approved by the European Commission and the International Data Transfer Addendum (IDT Addendum) approved by the UK Parliament (as applicable) which contractually oblige our group companies in those countries to the standard expected within the EEA and/or the UK.

We may also share your personal data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers. In such cases, our suppliers are data processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the contract we enter into with them.

For individuals employed or engaged by supplier organisations that are registered in Achilles Network (MyAchilles) and Achilles Enterprise (GoSupply):

  • If your details have been provided to us by a supplier customer because you are one of their key contacts or senior business stakeholders, your details will be added to our online supply chain management platform from where it will be accessible to buyer organisations in the same Achilles network that your organisation has agreed to join. This may include buyers located outside the UK or EEA where the data protection laws are not equivalent to those within the UK or EEA.
  • Where a buyer organisation accesses your personal data via our online supply chain management platform as you are a key contact or senior business stakeholder at a supplier organisation, the buyer organisation will do so as an independent controller.

For all services, it is possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order or with government or law enforcement agencies.

7. HOW LONG WE KEEP YOUR DATA

The period for which we will retain your personal data depends on the purposes for which we process it.  We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.   At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.

We do not retain credit or debit card information once payment has been made.

Please note we need to hold contact details for individuals at supplier and buyer organisations for the performance of the service and the contract we have entered into with your organisation. If you no longer want us to hold your personal data and we have an ongoing contract with your organisation, we will require alternative contact details or we will be unable to continue providing your organisation with the relevant service.

8. YOUR RIGHTS

The rights you have in respect of your personal data depend on factors including the laws of the country in which you are located. Where you are in scope of application of the data protection laws of the United Kingdom or the European Union/European Economic Area you have the following rights listed below.  For information other jurisdiction specific rights, please see Appendix 1:

  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • Where we are using your personal data with your consent, you can withdraw your consent at any time.
  • Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way because you feel it impacts on your interests, rights and freedoms.
  • Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
  • You can ask us to restrict the use of your personal data if:
    • It is not accurate.
    • It has been used unlawfully but you do not want us to delete it.
    • We do not need it any-more, but you want us to keep it for use in legal claims; or
    • You have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
  • In some circumstances you can compel us to erase your personal data.
  • In some circumstances you can request a machine-readable copy of your personal data to transfer to another service provider.
  • You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, we may need to request specific information from you to help us confirm your identity, especially if you are exercising your right of access.

If you wish to exercise your rights, please contact us at dataprivacy@achilles.com.

You can also lodge a complaint with your local data protection supervisory authority. In the UK, this is the ICO (https://ico.org.uk/make-a-complaint/). In the EEA, there are national and regional data protection authorities (a list is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

9. HOW TO CONTACT US

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

You can contact Achilles in relation to data protection and this privacy notice by writing to:

UK, EU and ROW

Achilles Information Limited

Attn: Legal Department

115 NRTW Olympic Avenue, Milton Park

Abingdon, OX14 4SA

United Kingdom

United States

Achilles Information, LLC.
Attn: Legal Department

5271 California Ave. Suite 290
Irvine, CA 92617
United States

Alternatively, you can email us at dataprivacy@achilles.com.

10. UPDATES TO THIS NOTICE

We update this privacy notice from time to time in response to changes in applicable laws and regulations, to our processing practices and to products and services we offer. When changes are made, we will update the ‘Last Updated’ date at the top of this page. Please review this privacy notice periodically to check for updates.

Dernière mise à jour : Février 2026

Privacy Notice

Contents

  1. INTRODUCTION
  2. ACHILLES AS A CONTROLLER AND PROCESSOR
  3. PERSONAL DATA WE COLLECT AS A CONTROLLER
  4. PURPOSES & BASIS FOR PROCESSING
  5. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS
  6. SHARING YOUR DATA
  7. HOW LONG WE KEEP YOUR DATA
  8. YOUR RIGHTS
  9. HOW TO CONTACT US
  10. UPDATES TO THIS NOTICE

1. INTRODUCTION

This Privacy Notice describes how Aurora II Topco Limited, the parent company of the Achilles group, and the Achilles global affiliates (together “Achilles”, “we”, “us”, “our”) process personal data when you use any of our supply chain risk assessment services.  Depending on the Achilles service provided, we will collect and process personal data about individuals (“you” and “your”) for our own business purposes (as a data controller) and/or under the instructions of our buyer customer/hiring client (as a data processor).

As a global information led business, we place great importance in ensuring the quality, confidentiality, integrity and availability of the data we hold, and in meeting our data protection obligations where we process personal data. This privacy notice explains what personal data we collect and process about you in our capacity as a data controller and as a data processor, with a specific focus on the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”).  As a global company we will process your personal data in accordance with applicable data protection laws, and further information on specific local compliance requirements is set out in Appendix 1 to this Privacy Notice.

2. ACHILLES AS A CONTROLLER AND PROCESSOR

Data Controller

We act as a data controller when:

  • Buyers (hiring clients) and suppliers register to use (i) the Achilles Network (MyAchilles) service; and (ii) in certain cases (as determined by your contract with Achilles), the Achilles Enterprise (GoSupply) service.
  • When any individual subscribes to receive marketing communications or registers to attend an Achilles event.

Data Processor

We act as a data processor when buyers (hiring clients) and suppliers register to use (i) the Controlar service; (ii) the Achilles Veritas service (GRMS); and (iii) in certain cases (as determined by your contract with Achilles), the Achilles Enterprise (GoSupply) service.

Where we act as a data processor/service provider under the instructions of our buyer customer (the hiring client), your rights will be facilitated by the buyer organisation (that has engaged the supplier organisation you work for) because they are the data controller of your personal information.

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

3. PERSONAL DATA WE COLLECT AS A CONTROLLER

The personal data we collect about you depends on our relationship with you or the organisation you are engaged by. In most cases we will process your personal data because you work for one of our buyer or supplier customers, including organisations that our buyer customers ask us to invite to become a supplier customer.

We may also process your personal data if you work for an organisation that is a sales prospect or target of ours; if you have subscribed for our insight emails or other marketing communications; if you register for our webinars or events; or if you otherwise contact us and when you visit our website.

Individuals at Supplier Organisations – Achilles Network (MyAchilles) and Achilles Enterprise (GoSupply)

If you work for one of our supplier customers and you are a key contact or senior business stakeholder, your organisation may provide us with your personal data in connection with the services provided to them by Achilles. The information is provided to us using our supplier onboarding questionnaires and will include your name, job title, business email, business telephone and office address.

We may also collect your personal data from one of our buyer customers if they want us to contact you to invite your organisation to become one of our supplier customers for the purpose of supplying or continuing to supply the buyer organisation. Where this applies, we will typically be provided with your name, business email address and business telephone number.

Where your organisation has provided your information to us when signing up to become an Achilles supplier customer, we may also collect information about you from risk screening and financial screening service providers and combine this with the information provided to us by your organisation.  Achilles uses the service of LSEG World Check and their Privacy notice can be viewed here.   It is in Achilles’ legitimate interest to carry out checks and provide reports to Buyer organisations to assist them in complying with their leal and regulatory obligations as part of Achilles supply chain risk management services. For any special categories of data collected, Achilles processing of this data is necessary for the reasons of substantial public interest under the basis of domestic law.

If you pay for services on behalf of your supplier organisation using a payment card in your name, we will collect your payment card information when you provide it to us for payment.

Individuals at Buyer Organisations/Hiring Clients – All services

If you work for one of our buyer customers/hiring clients and you are a key relationship contact, we will collect your personal data in connection with the services provided to them by Achilles. The personal data we collect will be your name, job title, business email address, business telephone number and office address.  We will also collect billing or payment information in order to process payments for our subscription to our services.

We will also collect your name and email address and process the password you set if we are asked by a buyer customer to provide you with user access to one of our online supply chain management/risk assessment platforms.

We may also process your personal data if you work for a buyer organisation that is a sales target or prospect, and we wish to contact you to build a sales relationship or provide you with information and marketing communication that you may find interesting.

We collect prospecting information from publicly available sources, from referrals and from providers of business decision maker contact information.

Marketing Subscribers & Event Registrants

If you subscribe for our insight emails or other marketing communications, we will collect your name, email address and, if you use a corporate email address, the name of the organisation you work for.

If you register for one of our webinars or another event, we will collect the registration information you provide to us, including your name, email address, job title and the name of the organisation you work for.

You can unsubscribe from our marketing emails at any time using the link provided in the messages we send. Alternatively, you can withdraw your consent or object to our marketing communications by emailing us at dataprivacy@achilles.com.

Individuals Contacting Us

If you contact us using the forms on our website, by email or through our social channels (such as X or LinkedIn) we collect the information you provide to us. This typically includes your name, job title, employer business address, business email and any additional information you include in your message.

Website Visitors

When you visit our website, we may automatically collect limited personal data by the use of cookies and similar technologies on our website. For more information, please refer to the Cookie Notice.

We may also automatically collect information including your IP address, details about the device and software you are using to visit the site, your country and continent and your web page viewing path including page response times and download times. This information will not include directly identifiable personal data.

4.PURPOSES & BASIS FOR PROCESSING

The purposes and lawful bases for which we process your personal data depends on our relationship with you and the particular Achilles service that is being provided, as follows:

Individuals at Supplier Organisations using the Achilles Network (MyAchilles) or the Achilles Enterprise (GoSupply) solution

Purpose Lawful Basis for Processing
Contacting you at the request of buyer organisations

: Including contacting you to invite you to register your organisation with Achilles as a supplier organisation.

 Our legitimate interest to invite your organisation to sign up for our services at the request of a buyer organisation.

Onboarding your organisation as a supplier customer: Including collecting your details and other organisational information using our supplier onboarding questionnaires and setting your organisation up as a customer on our systems.

Assessing organizational documents using Achilles Intelligence AI technology. 

Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

 

Adding supplier information to the Achilles Network (MyAchilles) or Achilles Enterprise (GoSupply) platform: Including adding personal data provided to us by suppliers during registration and from third party data providers. Once on the platform, your personal data will be visible to:

(i)buyer organisations in the Achilles community your organisation has agreed to join; and/or

(ii)where your organisation has agreed to allow access of your information to a specific buyer organisation only, that specific buyer organisation.

Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Providing our services to your organisation:

Including setting up your user access to our online supply chain management platform, authenticating your ongoing access, to the platform or the mobile app, providing you with user support and arranging and carrying out supply chain audits of your organisation.

 Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Developing our business relationship with your organisation

: Including sharing information about using our services, providing training and support, sending you insight emails and other marketing communication and inviting you to our webinars and other events.

Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.

You consent when you sign up for our insight emails, for information about our events or our other marketing communications.

Seeking customer feedback and monitoring customer satisfaction: Including sending you customer satisfaction surveys and requesting input on services.
Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.
Account management and contract renewals

: Including contacting you to ensure we hold up to date information about your organisation, advising you when your contract with Achilles is due to expire and providing renewals quotes.

 Our legitimate interest to update the information we hold about you and your organisation as an Achilles supplier customer, to advise you when your organisation’s contract with Achilles is expiring and to seek to retain your organization as a customer.
Taking payment for the services provided to your organisation

: Including processing details of payments cards in your name used to pay on behalf of your organisation.

 Our legitimate interest to process payment card information you provide to us to pay for services we provide to your organisation.

 

Individuals at the Buyer Organisation / Hiring Client (all services)

Purpose Lawful Basis for Processing
Building a sales relationship with your organisation

: Including contacting you by telephone or email or sending marketing communications to promote our services.

 Our legitimate interest to contact you to introduce our business, promote our services and to build a sales relationship with your organisation.
Providing our services to your organisation: Including setting up your user access to our online supply chain management/risk assessment platform(s), authenticating your ongoing access and providing you with user support. Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.
Managing and developing our business relationship with your organisation:

Including account management, sharing information about our services, providing training and support, sending you insights emails and other marketing communications, and inviting you to our webinars and other events.

Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.

Your consent when you sign up for our insight emails, for information about our events or our other marketing communications.
Seeking customer feedback and monitoring customer satisfaction:

Including sending you customer satisfaction surveys and requesting input on our products and services.

 Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.

 

Marketing Subscribers & Event Registrants

Purpose Lawful Basis for Processing
Sending you marketing communications:

Including insight emails, information about Achilles’, invites to webinars and events and other marketing information.

Our legitimate interest to send you marketing communications, including invites to webinars and events we hold or attend.

Your consent when you sign up for our marketing communications, including invites to webinars and events we hold or attend.
Event management: Including providing you with access to the event and recording your attendance. Our legitimate interest to administer and manage events and webinars to which to you signed up to attend.

 

Individuals Contacting Us & Website Visitors

Purpose Lawful Basis for Processing
Responding to your enquiry: Including by email, telephone or using the social media channel you have used to contact us. Our legitimate interest to respond to your enquiry or communication.
Improving our website: Including your visitor experience by using cookies and similar tools to remember your preferences and display content that is more relevant to you. Your consent, when you agree to cookies and similar technologies used by our website.
Measuring website engagement: Including monitoring use of our website and measuring the success of our marketing campaigns using cookies and similar analytics technologies. Your consent, when you agree to cookies and similar technologies used by our website.

 

In all cases, we may also process your personal data for the following purposes and on the following lawful bases:

Purpose Lawful Basis for Processing
Internal management, administrative and organisational purposes: Including maintaining internal records and carrying out other business administration tasks. Our legitimate interest to process your personal data in order to manage our business processes.
Sharing data with group companies: Including Achilles employees in overseas offices for the purposes of processing set out in this privacy notice. Our legitimate interest to make your data available to Achilles employees in other locations to provide our services and meet our business objectives.
Sharing data with other third parties: Including third parties who process personal data on our behalf as data processors. Our legitimate interest to share your data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers.

 

5. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS

Achilles uses cookies, website analytics and similar technologies on our website and online supply chain management platform. Marketing emails we send may also include tracking pixels to monitor email receipt, opens and clicks.

Cookies are small text files and web beacons are small graphic images. They are downloaded to your device when you visit a website or receive certain emails unless you have set your browser or email application to stop them.

We use cookies to remember your preferences, display content that is more relevant to you and improve your overall experience on our site. Our email marketing platform uses pixels to track engagement with the emails we send and measure the success of our marketing campaigns. Website analytics are used to measure engagement and monitor issues to help us identify opportunities to improve our website and platforms.

To learn more about our use of cookies and similar technologies, please view our Cookie Notice.

Our website includes social media sharing buttons and links to enable you to share our content through your preferred social media site or by email directly from one of our web pages. These features may collect your IP address and the page you are visiting on our website and may set a cookie on your device if you use the buttons.

When you use one of these sharing buttons or links, you are sharing information to another website or service (such as X, LinkedIn or Facebook) and this privacy notice will no longer apply. Please read the privacy notices provided by the particular social media website you are sharing through before posting any personal data using these links.

6. SHARING YOUR DATA

Achilles is a global business and to respond properly to your enquiry, or for the purpose of delivering our services, it is possible that we will share your data with our group companies, including those in countries outside the UK and European Economic Area (the “EEA”) where the data protection laws are not equivalent to those within the UK or EEA. We do so using Standard Contractual Clauses approved by the European Commission and the International Data Transfer Addendum (IDT Addendum) approved by the UK Parliament (as applicable) which contractually oblige our group companies in those countries to the standard expected within the EEA and/or the UK.

We may also share your personal data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers. In such cases, our suppliers are data processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the contract we enter into with them.

For individuals employed or engaged by supplier organisations that are registered in Achilles Network (MyAchilles) and Achilles Enterprise (GoSupply):

  • If your details have been provided to us by a supplier customer because you are one of their key contacts or senior business stakeholders, your details will be added to our online supply chain management platform from where it will be accessible to buyer organisations in the same Achilles network that your organisation has agreed to join. This may include buyers located outside the UK or EEA where the data protection laws are not equivalent to those within the UK or EEA.
  • Where a buyer organisation accesses your personal data via our online supply chain management platform as you are a key contact or senior business stakeholder at a supplier organisation, the buyer organisation will do so as an independent controller.

For all services, it is possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order or with government or law enforcement agencies.

7. HOW LONG WE KEEP YOUR DATA

The period for which we will retain your personal data depends on the purposes for which we process it.  We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.   At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.

We do not retain credit or debit card information once payment has been made.

Please note we need to hold contact details for individuals at supplier and buyer organisations for the performance of the service and the contract we have entered into with your organisation. If you no longer want us to hold your personal data and we have an ongoing contract with your organisation, we will require alternative contact details or we will be unable to continue providing your organisation with the relevant service.

8. YOUR RIGHTS

The rights you have in respect of your personal data depend on factors including the laws of the country in which you are located. Where you are in scope of application of the data protection laws of the United Kingdom or the European Union/European Economic Area you have the following rights listed below.  For information other jurisdiction specific rights, please see Appendix 1:

  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • Where we are using your personal data with your consent, you can withdraw your consent at any time.
  • Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way because you feel it impacts on your interests, rights and freedoms.
  • Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
  • You can ask us to restrict the use of your personal data if:
    • It is not accurate.
    • It has been used unlawfully but you do not want us to delete it.
    • We do not need it any-more, but you want us to keep it for use in legal claims; or
    • You have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
  • In some circumstances you can compel us to erase your personal data.
  • In some circumstances you can request a machine-readable copy of your personal data to transfer to another service provider.
  • You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, we may need to request specific information from you to help us confirm your identity, especially if you are exercising your right of access.

If you wish to exercise your rights, please contact us at dataprivacy@achilles.com.

You can also lodge a complaint with your local data protection supervisory authority. In the UK, this is the ICO (https://ico.org.uk/make-a-complaint/). In the EEA, there are national and regional data protection authorities (a list is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

9. HOW TO CONTACT US

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

You can contact Achilles in relation to data protection and this privacy notice by writing to:

UK, EU and ROW

Achilles Information Limited

Attn: Legal Department

115 NRTW Olympic Avenue, Milton Park

Abingdon, OX14 4SA

United Kingdom

United States

Achilles Information, LLC.
Attn: Legal Department

5271 California Ave. Suite 290
Irvine, CA 92617
United States

Alternatively, you can email us at dataprivacy@achilles.com.

10. UPDATES TO THIS NOTICE

We update this privacy notice from time to time in response to changes in applicable laws and regulations, to our processing practices and to products and services we offer. When changes are made, we will update the ‘Last Updated’ date at the top of this page. Please review this privacy notice periodically to check for updates.

Annexe 1

Jurisdiction specific information

INDIVIDUALS IN CALIFORNIA

If you live in California, you have the following rights under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”).

The CCPA (as amended) provides California residents certain rights related to their Personal Data, namely:

  • Right to know

You have the right to know details such as what Personal Data we collect about you, who we share it with, how we use it, for what purpose and how long we keep it. We use our privacy notice to explain this.

  • Right of access (commonly known as a “Subject Access Request”)

You have the right to access and receive a copy of the Personal Data we hold about you.

  • Right to rectification 

You have the right to have any incomplete or inaccurate information we hold about you corrected.

  • Right to erasure (commonly known as the right to be forgotten)

You have the right to ask us to delete or de-identify your Personal Data.

  • Right to object

You have the right to object to the sale of your Personal Data.

  • Right to restrict processing

You have the right to request that we limit the use and disclosure of Personal Data that we have about you which is sensitive (as defined in the CPRA).

  • Rights regarding the sale and sharing of your Personal Data

You have the right to know whether we sell your Personal Data and whether we disclose your data to anyone.

  • Right against discrimination

You have the right not to be discriminated against for exercising your privacy rights.

  • Right to portability

You have the right to ask us to transfer your Personal Data to another party.

We do not sell or disclose your Personal Data for monetary gain or any valuable consideration.  ThePersonal Data we collect about you is set out in Section 3 of the main notice “Personal Data we collect as a controller”.

Complaints

If you are concerned about the way in which we are handling your Personal Data, you can submit a complaint to your supervisory authority, the California Privacy Protection Agency who can be contacted online at:

California Privacy Protection Agency (CPPA)

Contact Us – California Privacy Protection Agency (CPPA)

INDIVIDUALS IN BRAZIL

If you are located in Brazil, this section 10 provides you with additional information which we are required to share with you in accordance with the Lei Geral de Proteção de Dados No. 13,709/2018 (“LGPD”).

If the LGPD applies, you have the following rights in respect of your personal data:

  • You have a right to confirm if Achilles processes your personal data.
  • If we do have your personal data, you have the right to have access to the data and request a copy of it.
  • You have the right to receive information about the public and private entities with which we have shared your personal data.
  • You have the right to ask us to correct incomplete, inaccurate or outdated data.
  • You have the right to ask us to anonymise, block or delete any unnecessary or excessive personal data, or any personal data processed in non-compliance with LGPD.
  • In some circumstances, you can request us to transfer a copy of your personal data to another service provider, in accordance with the ANPD regulations, as long as commercial and industrial secrecy are respected, and except for data that has been anonymised by us.
  • If we are processing your personal data on the basis of your consent, you also have the right to (i) be informed about the possibility of denying consent and the consequences of the denial, (ii) revoke your consent, and (iii) ask us to delete your personal data, subject to our rights to retain data as provided by LGPD.

You can also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) (https://www.gov.br/anpd/pt-br).

You can also file a lawsuit regarding your individual data protection rights or that of a group of people in accordance with applicable Brazilian legislation, before the competent court.

To exercise your rights regarding your personal data, you can contact us at dataprivacy@achilles.com, free of charge. We will respond to your request within the legal period of 15 days from receipt of your request.

INDIVIDUALS IN THE KINGDOM OF SAUDI ARABIA

If you are located in the Kingdom of Saudi Arabia, this section 11 provides you with additional information that we are required to share with you in accordance with Saudi Arabia’s Personal Data Protection Law (PDPL), Royal Decree No. M/19 dated 9/2/1443H (16 September 2021).

You have the right to confirm whether Achilles processes your personal data. If we do, you may request access to your data and ask for a copy.

  • You have the right to ask us to correct any inaccurate, incomplete, or outdated data.
  • You have the right to request that we delete unnecessary, excessive, or non-compliant personal data, as per PDPL regulations.
  • You may ask us to limit the processing of your personal data in certain situations, such as when you contest the accuracy of the data or its lawfulness.
  • In some circumstances, you may request that we transfer your personal data to another service provider, subject to compliance with PDPL regulations, while ensuring that trade and industrial secrets are protected, and except for anonymized data.
  • You have the right to receive information regarding the public or private entities with whom we have shared your personal data.
  • If your personal data is processed based on consent, you have the right to (i) be informed about the possibility of denying consent and the consequences of denial, (ii) revoke your consent at any time, and (iii) request deletion of your personal data, subject to legal retention requirements under PDPL.

You can lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA), which oversees PDPL enforcement. Additionally, you have the right to file a lawsuit to protect your personal data rights, either individually or collectively, in accordance with Saudi law before a competent court.

To exercise your rights regarding your personal data, you can contact us at dataprivacy@achilles.com, free of charge. We will respond to your request within the legal period of 30 days from receipt of your request

INDIVIDUALS IN THE ABU DHABI GLOBAL MARKET (ADGM)

If your personal data is processed subject to the ADGM Data Protection Regulations 2021 (“ADGM DPR 2021”), this section provides you with additional information that we are required to share with you.

Where the ADGM DPR 2021 applies, you have the following rights in respect of your personal data:

  • Right to be informed

You have the right to receive clear and transparent information about how we collect, use and share your personal data. This Privacy Notice is designed to meet those requirements.

  • Right of access

You have the right to request confirmation as to whether we process your personal data and, where we do, to request a copy of that personal data.

  • Right to rectification

You may request that we correct any inaccurate, incomplete or outdated personal data we hold about you.

  • Right to erasure

In certain circumstances, you may request that we delete your personal data, for example where the data is no longer required for the purpose for which it was collected, or where you have withdrawn consent (where applicable).

  • Right to object to processing

You have the right to object to the processing of your personal data where we are relying on our legitimate interests as the lawful basis for processing and you believe that such processing impacts your rights, freedoms or interests. You also have the right to object to the processing of your personal data for direct marketing purposes.

  • Right to restrict processing

You have the right to request that we restrict the processing of your personal data in situations where:

  • the accuracy of the data is contested;
  • the processing is unlawful but you prefer restriction over deletion;
  • we no longer require the data but you require it for the establishment, exercise or defence of a legal claim; or
  • you have objected to processing pending verification of our overriding legitimate grounds.
  • Right to data portability

Where we process your personal data on the basis of consent or for the performance of a contract, and where processing is carried out by automated means, you have the right to request a machine‑readable copy of your personal data or for us to transfer it directly to another service provider where technically feasible.

  • Rights in relation to automated decision‑making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect concerning you or otherwise significantly affects you.

  • International Transfers of Personal Data

Where we transfer your personal data outside the ADGM, we will ensure that such transfers are made in compliance with the ADGM DPR 2021. This may include:

  • transfers to jurisdictions deemed “adequate” under the ADGM DPR 2021;
  • the use of approved standard contractual clauses; or
  • reliance on another lawful transfer mechanism under the regulations.

How to Exercise Your Rights

If you wish to exercise any of the rights available to you under the ADGM DPR 2021, you can contact us at dataprivacy@achilles.com. We may request additional information to verify your identity before responding to your request.

We will respond to your request within the period required by the ADGM DPR 2021.

Complaints

If you are concerned about how we handle your personal data, you may lodge a complaint with the Commissioner of Data Protection of the ADGM. Further information is available at: