Record of Processing Activities

Record of Processing Activities (ROPA)

UK GDPR Article 30 · Controller: Obimanso Technologies (UK) · Document version 1.0 · Last updated: 11 May 2026

Purpose. This ROPA is the mandatory inventory of every processing activity Obimanso Technologies carries out as a controller for the Azindoo platform. It is maintained internally and is shared with the ICO on request and with enterprise customers as part of procurement.

1. Controller details

Field	Value
Controller name	Obimanso Technologies
Country of establishment	United Kingdom (Leeds, England)
ICO registration	Registered controller, annual data-protection fee paid (registration number to be appended once issued)
Privacy contact	[email protected]
DPO / Legal contact	[email protected] (DPO not mandatory under Art. 37 at current scale; voluntary contact provided)
EU/UK representative	Not yet appointed. To be reviewed when EU/EEA user volume exceeds the Art. 27 threshold.

Field

Value

Controller name

Obimanso Technologies

Country of establishment

United Kingdom (Leeds, England)

ICO registration

Registered controller, annual data-protection fee paid (registration number to be appended once issued)

Privacy contact

[email protected]

DPO / Legal contact

[email protected] (DPO not mandatory under Art. 37 at current scale; voluntary contact provided)

EU/UK representative

Not yet appointed. To be reviewed when EU/EEA user volume exceeds the Art. 27 threshold.

2. Processing activities

Activity 1 — User account & authentication

Field	Detail
Purpose	Identify the user, manage sessions, secure the account.
Lawful basis	UK GDPR Art. 6(1)(b) performance of contract.
Categories of data	Email address, name, hashed password (bcrypt cost 12) or Google OAuth identifier, profile image URL, role.
Categories of subject	Registered Azindoo users.
Recipients	None outside our infrastructure providers.
Transfers	Stored in US (Abacus.AI / AWS) — see §3.
Retention	Until account deletion (cascade), then 30 days backup window, then purged.
Security measures	TLS 1.2+, bcrypt password hashing, server-side session storage, role-based access on admin endpoints.

Field

Detail

Purpose

Identify the user, manage sessions, secure the account.

Lawful basis

UK GDPR Art. 6(1)(b) performance of contract.

Categories of data

Email address, name, hashed password (bcrypt cost 12) or Google OAuth identifier, profile image URL, role.

Categories of subject

Registered Azindoo users.

Recipients

None outside our infrastructure providers.

Transfers

Stored in US (Abacus.AI / AWS) — see §3.

Retention

Until account deletion (cascade), then 30 days backup window, then purged.

Security measures

TLS 1.2+, bcrypt password hashing, server-side session storage, role-based access on admin endpoints.

Activity 2 — Gmail email import & storage

Field	Detail
Purpose	Provide email-intelligence features over the user’s last 30 days of Gmail history.
Lawful basis	Art. 6(1)(b) contract (user-as-subject) · Art. 6(1)(f) legitimate interest with LIA (third-party senders — see LIA).
Categories of data	Message ID, thread ID, subject, sender/recipient names & addresses (from, to, cc — no Bcc), sent timestamp, body (cleaned plain text only — HTML, quoted reply chains, signatures and content beyond 8 KB are stripped before storage).
Categories of subject	The user; any third party who has corresponded with the user via the connected mailbox.
Special category data	Possible but not actively solicited. May incidentally include health, political, religious or sexual-orientation information present in email bodies. Mitigations: no targeted use, no profiling on these axes, automated deletion options for the user.
OAuth scope	`gmail.readonly` only. We never send, modify or delete email.
Recipients	Abacus.AI LLM API (per activity 3), no other recipients.
Transfers	US — see §3.
Retention	Until user disconnects the account or triggers “Delete email data” or account deletion. Maximum default retention 24 months (see Retention Policy).
Security measures	TLS in transit; OAuth tokens encrypted at application layer with AES-256-GCM (envelope key in KMS-equivalent secret store); database access server-side only; row-level filtering by userId on every query.

Field

Detail

Purpose

Provide email-intelligence features over the user’s last 30 days of Gmail history.

Lawful basis

Art. 6(1)(b) contract (user-as-subject) · Art. 6(1)(f) legitimate interest with LIA (third-party senders — see LIA).

Categories of data

Message ID, thread ID, subject, sender/recipient names & addresses (from, to, cc — no Bcc), sent timestamp, body (cleaned plain text only — HTML, quoted reply chains, signatures and content beyond 8 KB are stripped before storage).

Categories of subject

The user; any third party who has corresponded with the user via the connected mailbox.

Special category data

Possible but not actively solicited. May incidentally include health, political, religious or sexual-orientation information present in email bodies. Mitigations: no targeted use, no profiling on these axes, automated deletion options for the user.

OAuth scope

gmail.readonly only. We never send, modify or delete email.

Recipients

Abacus.AI LLM API (per activity 3), no other recipients.

Transfers

US — see §3.

Retention

Until user disconnects the account or triggers “Delete email data” or account deletion. Maximum default retention 24 months (see Retention Policy).

Security measures

TLS in transit; OAuth tokens encrypted at application layer with AES-256-GCM (envelope key in KMS-equivalent secret store); database access server-side only; row-level filtering by userId on every query.

Activity 3 — AI analysis (21 modules)

Field	Detail
Purpose	Extract commitments, emotions, decisions, knowledge nodes, regulatory exposures, trust graph, etc. from imported emails.
Lawful basis	Art. 6(1)(b) for the user’s own data; Art. 6(1)(f) for third-party content (LIA).
Processor	Abacus.AI (LLM API, gpt-5.4-mini and successor models). No persistent storage or model training on user content.
Automated decision-making	None producing legal or similarly significant effects on the user. All outputs are advisory and visible only to the account owner.
Retention	Derived analytics retained alongside the source email and deleted on the same cascade.

Field

Detail

Purpose

Extract commitments, emotions, decisions, knowledge nodes, regulatory exposures, trust graph, etc. from imported emails.

Lawful basis

Art. 6(1)(b) for the user’s own data; Art. 6(1)(f) for third-party content (LIA).

Processor

Abacus.AI (LLM API, gpt-5.4-mini and successor models). No persistent storage or model training on user content.

Automated decision-making

None producing legal or similarly significant effects on the user. All outputs are advisory and visible only to the account owner.

Retention

Derived analytics retained alongside the source email and deleted on the same cascade.

Activity 4 — Operational logs & security telemetry

Field	Detail
Purpose	Application monitoring, debugging, abuse detection.
Lawful basis	Art. 6(1)(f) legitimate interest in operating a secure service.
Categories of data	HTTP request metadata, error traces, IP address, user-agent, user ID, route, latency. Email bodies are not logged.
Retention	30 days rolling, then purged.

Field

Detail

Purpose

Application monitoring, debugging, abuse detection.

Lawful basis

Art. 6(1)(f) legitimate interest in operating a secure service.

Categories of data

HTTP request metadata, error traces, IP address, user-agent, user ID, route, latency. Email bodies are not logged.

Retention

30 days rolling, then purged.

3. International transfers

Destination	Mechanism	Notes
United States (Abacus.AI / AWS)	UK addendum to EU SCCs + Transfer Risk Assessment, pending the confirmation of Abacus.AI’s EU–US Data Privacy Framework certification.	Disclosed in the Privacy Policy §13. Migration to a UK/EU region is on the 90-day plan.

Destination

Mechanism

Notes

United States (Abacus.AI / AWS)

UK addendum to EU SCCs + Transfer Risk Assessment, pending the confirmation of Abacus.AI’s EU–US Data Privacy Framework certification.

Disclosed in the Privacy Policy §13. Migration to a UK/EU region is on the 90-day plan.

4. Review

This ROPA is reviewed every 6 months, whenever a new processor is added, whenever a new AI module is shipped, or following any reportable incident. Director-level sign-off is recorded in the internal compliance binder.