Data Use Policy
Effective date: 1 February 2026This Data Use Policy describes how Gridworld Technologies UK Ltd ("Gridworld", "we", "us", "our") collects, processes, stores, and protects operational and industrial data submitted to or generated by the Gridworld platform. It supplements our Privacy Policy and applies specifically to enterprise customers and their industrial data.
1. What We Mean by "Operational Data"
Operational data refers to any machine-generated or process-related data submitted to the Gridworld platform, including but not limited to:
- Sensor readings, telemetry, and time-series measurements from industrial equipment.
- SCADA historian data, alarm logs, and event records.
- Process configurations, set points, and control parameters.
- Operator annotations, incident notes, and HMI interaction logs.
- Site topology, equipment metadata, and tag dictionaries.
This data is processed to provide AI-powered decision support, anomaly detection, and operational intelligence features within the Gridworld platform.
2. Data Ownership
You retain full ownership of all operational data you upload or stream to the Gridworld platform. Gridworld acquires no intellectual property rights over your operational data. Our use of your data is strictly limited to fulfilling our contractual obligations to you.
3. How We Process Operational Data
We process operational data for the following purposes:
- Core platform functionality: Ingesting, normalising, and storing data to power real-time dashboards, alert systems, and AI copilot features.
- AI model inference: Running trained models against your live data to generate insights, anomaly alerts, and recommendations. Models operate on your data in real time and do not retain raw data beyond the processing window unless configured for historian retention.
- Model improvement (opt-in only): We may use anonymised or aggregated operational data to improve our AI models, strictly subject to your explicit written consent documented in your commercial agreement. We will never use identifiable customer data for model training without consent.
- Security and reliability monitoring: Processing metadata (e.g. request rates, error codes) to detect abuse, diagnose failures, and maintain service availability.
4. Data Isolation and Security
Enterprise customer data is logically isolated at the account and organisation level. We implement the following controls:
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access controls limiting Gridworld personnel access to customer data to those with a legitimate operational need (e.g. for debugging under a support ticket).
- Audit logging of all access to customer data by Gridworld staff.
- Penetration testing and vulnerability assessments conducted on a regular basis.
We do not allow any third-party vendor to access raw customer operational data without explicit authorisation from the customer.
5. Data Residency
By default, customer operational data is stored and processed within the United Kingdom (UK) or European Economic Area (EEA). Customers requiring specific residency guarantees (e.g. data must remain in the UK) should raise this requirement during commercial discussions, and it will be documented in the Data Processing Agreement (DPA).
6. Retention and Deletion
Operational data is retained for the duration of your commercial agreement, plus a configurable grace period (default: 90 days) to allow data export before deletion. Upon written request or contract expiry, we will securely delete all customer operational data within 30 days and provide a deletion certificate upon request.
Backup snapshots are purged on a rolling 30-day cycle unless longer retention is required by your agreement.
7. Sub-processors
We engage a limited number of sub-processors (e.g. cloud infrastructure providers) to support platform operations. All sub-processors are:
- Bound by data processing agreements with protections equivalent to those in this policy.
- Located in the UK, EEA, or countries with adequacy decisions, or covered by appropriate transfer mechanisms.
We will notify customers of any material changes to our sub-processor list with reasonable advance notice.
8. Incident Response
In the event of a data breach or security incident affecting customer operational data, Gridworld will:
- Notify affected customers within 72 hours of becoming aware of the incident.
- Provide a detailed incident report including scope, impact, and remediation steps.
- Cooperate fully with any regulatory investigation as required under UK GDPR or other applicable law.
9. Data Processing Agreement
Enterprise customers who process personal data through the Gridworld platform (e.g. operator names or identity data within historian logs) may request a formal Data Processing Agreement (DPA) in compliance with UK GDPR Article 28. Please contact contact@gridworld.ai to request a DPA.
10. Your Controls
Customers have access to the following data controls through their account settings or upon request:
- Data export in standard formats (CSV, JSON, or agreed proprietary formats).
- Selective deletion of specific data sets or time ranges.
- Opt-out of any data uses beyond core platform functionality.
- Access logs showing Gridworld staff interactions with your data.
11. Changes to This Policy
We will provide at least 30 days' notice of material changes to this policy for existing enterprise customers. Continued use of the platform after the effective date of any changes constitutes acceptance.
12. Contact
For questions about this Data Use Policy or to request a DPA, please contact:
contact@gridworld.ai
Gridworld Technologies UK Ltd