
Privacy Notice

Last Updated: October 2025

Contents

  1. INTRODUCTION
  2. ACHILLES AS A CONTROLLER AND PROCESSOR
  3. PERSONAL DATA WE COLLECT AS A CONTROLLER
  4. PURPOSES & BASIS FOR PROCESSING
  5. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS
  6. SHARING YOUR DATA
  7. HOW LONG WE KEEP YOUR DATA
  8. YOUR RIGHTS
  9. HOW TO CONTACT US
  10. UPDATES TO THIS NOTICE

1. INTRODUCTION

This Privacy Notice describes how Aurora II Topco Limited, the parent company of the Achilles group, and the Achilles global affiliates (together “Achilles”, “we”, “us”, “our”) process personal data when you use any of our supply chain risk assessment services.  Depending on the Achilles service provided, we will collect and process personal data about individuals (“you” and “your”) for our own business purposes (as a data controller) and/or under the instructions of our buyer customer/hiring client (as a data processor).

As a global information-led business, we place great importance on ensuring the quality, confidentiality, integrity and availability of the data we hold, and on meeting our data protection obligations where we process personal data. This privacy notice explains what personal data we collect and process about you in our capacity as a data controller and as a data processor, with a specific focus on the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”). As a global company we will process your personal data in accordance with applicable data protection laws, and further information on specific local compliance requirements is set out in Appendix 1 to this Privacy Notice.

2. ACHILLES AS A CONTROLLER AND PROCESSOR

Data Controller

We act as a data controller when:

  • Buyers (hiring clients) and suppliers register to use the Achilles Network (MyAchilles) service.
  • Any individual subscribes to receive marketing communications or registers to attend an Achilles event.

Data Processor

We act as a data processor when buyers (hiring clients) and suppliers register to use our Controlar service, our Achilles Enterprise service (GoSupply) or our Achilles Veritas service (GRMS).

Where we act as a data processor/service provider under the instructions of our buyer customer (the hiring client), your rights will be facilitated by the buyer organisation (that has engaged the supplier organisation you work for) because they are the data controller of your personal information.

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

3. PERSONAL DATA WE COLLECT AS A CONTROLLER

The personal data we collect about you depends on our relationship with you or the organisation you work for. In most cases we will process your personal data because you work for one of our buyer or supplier customers, including organisations that our buyer customers ask us to invite to become a supplier customer.

We may also process your personal data if you work for an organisation that is a sales prospect or target of ours; if you have subscribed for our insight emails or other marketing communications; if you register for our webinars or events; or if you otherwise contact us and when you visit our website.

Individuals at Supplier Organisations – Achilles Network (MyAchilles)

If you work for one of our supplier customers and you are a key contact or senior business stakeholder, your organisation may provide us with your personal data in connection with the services provided to them by Achilles. The information is provided to us using our supplier onboarding questionnaires and will include your name, job title, business email, business telephone and office address.

We may also collect your personal data from one of our buyer customers if they want us to contact you to invite your organisation to become one of our supplier customers for the purpose of supplying or continuing to supply the buyer organisation. Where this applies, we will typically be provided with your name, business email address and business telephone number.

Where your organisation has provided your information to us when signing up to become an Achilles supplier customer, we may also collect information about you from risk screening and financial screening service providers and combine this with the information provided to us by your organisation.

If you pay for services on behalf of your supplier organisation using a payment card in your name, we will collect your payment card information when you provide it to us for payment.

Individuals at Buyer Organisations/Hiring Clients – All services

If you work for one of our buyer customers/hiring clients and you are a key relationship contact, we will collect your personal data in connection with the services provided to them by Achilles. The personal data we collect will be your name, job title, business email address, business telephone number and office address.  We will also collect billing or payment information in order to process payments for our subscription to our services.

We will also collect your name and email address and process the password you set if we are asked by a buyer customer to provide you with user access to one of our online supply chain management/risk assessment platforms.

We may also process your personal data if you work for a buyer organisation that is a sales target or prospect, and we wish to contact you to build a sales relationship or provide you with information and marketing communication that you may find interesting.

We collect prospecting information from publicly available sources, from referrals and from providers of business decision maker contact information.

Marketing Subscribers & Event Registrants

If you subscribe for our insight emails or other marketing communications, we will collect your name, email address and, if you use a corporate email address, the name of the organisation you work for.

If you register for one of our webinars or another event, we will collect the registration information you provide to us, including your name, email address, job title and the name of the organisation you work for.

You can unsubscribe from our marketing emails at any time using the link provided in the messages we send. Alternatively, you can withdraw your consent or object to our marketing communications by emailing us at dataprivacy@achilles.com.

Individuals Contacting Us

If you contact us using the forms on our website, by email or through our social channels (such as X or LinkedIn) we collect the information you provide to us. This typically includes your name, job title, employer business address, business email and any additional information you include in your message.

Website Visitors

When you visit our website, we may automatically collect limited personal data by the use of cookies and similar technologies on our website. For more information, please refer to the Cookie Notice.

We may also automatically collect information including your IP address, details about the device and software you are using to visit the site, your country and continent and your web page viewing path including page response times and download times. This information will not include directly identifiable personal data.

4. PURPOSES & BASIS FOR PROCESSING

The purposes and lawful bases for which we process your personal data depend on our relationship with you and the particular Achilles service that is being provided, as follows:

Individuals at Supplier Organisations using the Achilles Network (MyAchilles) solution

Purpose: Contacting you at the request of buyer organisations: Including contacting you to invite you to register your organisation with Achilles as a supplier organisation.
Lawful Basis for Processing: Our legitimate interest to invite your organisation to sign up for our services at the request of a buyer organisation.

Purpose: Onboarding your organisation as a supplier customer: Including collecting your details and other organisational information using our supplier onboarding questionnaires and setting your organisation up as a customer on our systems. Assessing organisational documents using Achilles Intelligence AI technology.
Lawful Basis for Processing: Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

Purpose: Adding supplier information to our online supply chain management platform: Including adding personal data provided to us by suppliers during registration and from third party data providers. Once on the platform, your personal data will be visible to:
(i) buyer organisations in the Achilles community your organisation has agreed to join; and/or
(ii) where your organisation has agreed to allow access of your information to a specific buyer organisation only, that specific buyer organisation.
Lawful Basis for Processing: Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

Purpose: Providing our services to your organisation: Including setting up your user access to our online supply chain management platform, authenticating your ongoing access to the platform or the mobile app, providing you with user support and arranging and carrying out supply chain audits of your organisation.
Lawful Basis for Processing: Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

Purpose: Developing our business relationship with your organisation: Including sharing information about using our services, providing training and support, sending you insight emails and other marketing communication and inviting you to our webinars and other events.
Lawful Basis for Processing: Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.
Your consent when you sign up for our insight emails, for information about our events or our other marketing communications.

Purpose: Seeking customer feedback and monitoring customer satisfaction: Including sending you customer satisfaction surveys and requesting input on services.
Lawful Basis for Processing: Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.

Purpose: Account management and contract renewals: Including contacting you to ensure we hold up to date information about your organisation, advising you when your contract with Achilles is due to expire and providing renewals quotes.
Lawful Basis for Processing: Our legitimate interest to update the information we hold about you and your organisation as an Achilles supplier customer, to advise you when your organisation’s contract with Achilles is expiring and to seek to retain your organisation as a customer.

Purpose: Taking payment for the services provided to your organisation: Including processing details of payments cards in your name used to pay on behalf of your organisation.
Lawful Basis for Processing: Our legitimate interest to process payment card information you provide to us to pay for services we provide to your organisation.

Individuals at the Buyer Organisation / Hiring Client (all services)

Purpose: Building a sales relationship with your organisation: Including contacting you by telephone or email or sending marketing communications to promote our services.
Lawful Basis for Processing: Our legitimate interest to contact you to introduce our business, promote our services and to build a sales relationship with your organisation.

Purpose: Providing our services to your organisation: Including setting up your user access to our online supply chain management/risk assessment platform(s), authenticating your ongoing access and providing you with user support.
Lawful Basis for Processing: Our legitimate interest to process the personal data about you provided to us by your organisation for the purposes of the services we have agreed to provide to them.

Purpose: Managing and developing our business relationship with your organisation: Including account management, sharing information about our services, providing training and support, sending you insight emails and other marketing communications, and inviting you to our webinars and other events.
Lawful Basis for Processing: Our legitimate interest to develop our relationship with you and your organisation, to provide you with information about how to use the services we provide and to send you related marketing information and event invites.
Your consent when you sign up for our insight emails, for information about our events or our other marketing communications.

Purpose: Seeking customer feedback and monitoring customer satisfaction: Including sending you customer satisfaction surveys and requesting input on our products and services.
Lawful Basis for Processing: Our legitimate interest to request feedback from you about the services we provide to your organisation and to assess your customer satisfaction.

Marketing Subscribers & Event Registrants

Purpose: Sending you marketing communications: Including insight emails, information about Achilles’, invites to webinars and events and other marketing information.
Lawful Basis for Processing: Our legitimate interest to send you marketing communications, including invites to webinars and events we hold or attend.
Your consent when you sign up for our marketing communications, including invites to webinars and events we hold or attend.

Purpose: Event management: Including providing you with access to the event and recording your attendance.
Lawful Basis for Processing: Our legitimate interest to administer and manage events and webinars that you signed up to attend.

Individuals Contacting Us & Website Visitors

Purpose: Responding to your enquiry: Including by email, telephone or using the social media channel you have used to contact us.
Lawful Basis for Processing: Our legitimate interest to respond to your enquiry or communication.

Purpose: Improving our website: Including your visitor experience by using cookies and similar tools to remember your preferences and display content that is more relevant to you.
Lawful Basis for Processing: Your consent, when you agree to cookies and similar technologies used by our website.

Purpose: Measuring website engagement: Including monitoring use of our website and measuring the success of our marketing campaigns using cookies and similar analytics technologies.
Lawful Basis for Processing: Your consent, when you agree to cookies and similar technologies used by our website.

In all cases, we may also process your personal data for the following purposes and on the following lawful bases:

Purpose: Internal management, administrative and organisational purposes: Including maintaining internal records and carrying out other business administration tasks.
Lawful Basis for Processing: Our legitimate interest to process your personal data in order to manage our business processes.

Purpose: Sharing data with group companies: Including Achilles employees in overseas offices for the purposes of processing set out in this privacy notice.
Lawful Basis for Processing: Our legitimate interest to make your data available to Achilles employees in other locations to provide our services and meet our business objectives.

Purpose: Sharing data with other third parties: Including third parties who process personal data on our behalf as data processors.
Lawful Basis for Processing: Our legitimate interest to share your data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers.

5. COOKIES, SIMILAR TECHNOLOGIES & SOCIAL MEDIA LINKS

Achilles uses cookies, website analytics and similar technologies on our website and online supply chain management platform. Marketing emails we send may also include tracking pixels to monitor email receipt, opens and clicks.

Cookies are small text files and web beacons are small graphic images. They are downloaded to your device when you visit a website or receive certain emails unless you have set your browser or email application to stop them.

We use cookies to remember your preferences, display content that is more relevant to you and improve your overall experience on our site. Our email marketing platform uses pixels to track engagement with the emails we send and measure the success of our marketing campaigns. Website analytics are used to measure engagement and monitor issues to help us identify opportunities to improve our website and platforms.

To learn more about our use of cookies and similar technologies, please view our Cookie Notice.

Our website includes social media sharing buttons and links to enable you to share our content through your preferred social media site or by email directly from one of our web pages. These features may collect your IP address and the page you are visiting on our website and may set a cookie on your device if you use the buttons.

When you use one of these sharing buttons or links, you are sharing information to another website or service (such as X, LinkedIn or Facebook) and this privacy notice will no longer apply. Please read the privacy notices provided by the particular social media website you are sharing through before posting any personal data using these links.

6. SHARING YOUR DATA

Achilles is a global business and to respond properly to your enquiry, or for the purpose of delivering our services, it is possible that we will share your data with our group companies, including those in countries outside the UK and European Economic Area (the “EEA”) where the data protection laws are not equivalent to those within the UK or EEA. We do so using Standard Contractual Clauses approved by the European Commission and the International Data Transfer Addendum (IDT Addendum) approved by the UK Parliament (as applicable) which contractually oblige our group companies in those countries to the standard expected within the EEA and/or the UK.

We may also share your personal data with trusted suppliers who provide us with services relevant to our provision of services to your organisation, including cloud software, hosting and IT service providers. In such cases, our suppliers are data processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in the contract we enter into with them.

For Achilles Network (MyAchilles) customers:

  • If your details have been provided to us by a supplier customer because you are one of their key contacts or senior business stakeholders, your details will be added to our online supply chain management platform from where it will be accessible to buyers in the same Achilles community that your organisation has agreed to join. This may include buyers located outside the UK or EEA where the data protection laws are not equivalent to those within the UK or EEA.
  • Where a buyer organisation accesses your personal data via our online supply chain management platform as you are a key contact or senior business stakeholder at a supplier organisation, the buyer organisation will do so as an independent controller.

For all services, it is possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order or with government or law enforcement agencies.

7. HOW LONG WE KEEP YOUR DATA

The period for which we will retain your personal data depends on the purposes for which we process it.  We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.   At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.

We do not retain credit or debit card information once payment has been made.

Please note we need to hold contact details for individuals at supplier and buyer organisations for the performance of the service and the contract we have entered into with your organisation. If you no longer want us to hold your personal data and we have an ongoing contract with your organisation, we will require alternative contact details or we will be unable to continue providing your organisation with the relevant service.

8. YOUR RIGHTS

The rights you have in respect of your personal data depend on factors including the laws of the country in which you are located. Where you are in scope of application of the data protection laws of the United Kingdom or the European Union/European Economic Area, you have the rights listed below. For information on other jurisdiction-specific rights, please see Appendix 1:

  • You have the right of access to your personal data and can request copies of it and information about our processing of it.
  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • Where we are using your personal data with your consent, you can withdraw your consent at any time.
  • Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way because you feel it impacts on your interests, rights and freedoms.
  • Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
  • You can ask us to restrict the use of your personal data if:
    • It is not accurate.
    • It has been used unlawfully but you do not want us to delete it.
    • We do not need it any more, but you want us to keep it for use in legal claims; or
    • You have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
  • In some circumstances you can compel us to erase your personal data.
  • In some circumstances you can request a machine-readable copy of your personal data to transfer to another service provider.
  • You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, we may need to request specific information from you to help us confirm your identity, especially if you are exercising your right of access.

If you wish to exercise your rights, please contact us at dataprivacy@achilles.com.

You can also lodge a complaint with your local data protection supervisory authority. In the UK, this is the ICO (https://ico.org.uk/make-a-complaint/). In the EEA, there are national and regional data protection authorities (a list is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

9. HOW TO CONTACT US

The rights available to you depend on the laws of the country in which you are located or in which the controller is established and processes your personal information. You should contact the data controller to exercise your rights. If you are unsure who the data controller is, you can contact us at dataprivacy@achilles.com and ask for the controller’s contact details.

You can contact Achilles in relation to data protection and this privacy notice by writing to:

UK, EU and ROW

Achilles Information Limited

Attn: Legal Department

115 NRTW Olympic Avenue, Milton Park

Abingdon, OX14 4SA

United Kingdom

United States

Achilles Information, LLC.
Attn: Legal Department

5271 California Ave. Suite 290
Irvine, CA 92617
United States

Alternatively, you can email us at dataprivacy@achilles.com.

10. UPDATES TO THIS NOTICE

We update this privacy notice from time to time in response to changes in applicable laws and regulations, to our processing practices and to products and services we offer. When changes are made, we will update the ‘Last Updated’ date at the top of this page. Please review this privacy notice periodically to check for updates.