Privacy Notice

The following Notice is effective from 28 May 2026 and it applies across all Smart Data Foundry (SDF) services (including SDF website and subdomains).

Who we are

“We” are ‘Smart Data Foundry’, a not-for-profit private limited company by guarantee, registered in Scotland and a wholly owned subsidiary of the University of Edinburgh, with company number SC709914 and VAT Registration Number GB 592 9507 00.  

We are based in Edinburgh Futures Institute, 1 Lauriston Place, Edinburgh, EH3 9EF. We are registered with the Information Commissioner’s Office (ICO) with registration number ZB326175, and we have a Data Protection Officer who can be contacted by e-mail ig@smartdatafoundry.com.  

The University of Edinburgh is a charitable body registered in Scotland, with registration number SC005336, VAT Registration Number GB 592 9507.  

How we collect, store and use personal information

Most of the personal information we process is provided to us directly by you for one of the following reasons: 

We also receive personal information indirectly, in the following scenarios: 

  • An employee of ours gives your contact details as an emergency contact or a referee 
  • A research applicant gives your details as a project member or supervisor within a research project proposal 

Information shared with us by Data Partners  

We have established trusted partnerships with the private sector organisations listed on our Data Partnerships page to securely and responsibly share real-time information.  Our data partnerships are underpinned by sharing agreements in which the controls and safeguards on the use of the information are documented.  The lawful basis we rely on for this work is Article 6(1)(f) of the UK GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.  The processing is necessary to meet our business objectives of enabling research and creating data insights that open financial data for good.   

Information shared with us by Data Partners has had details which reveal a person’s identity removed before we receive it, so we are unable to identify any individuals.  This type of information is often referred to as ‘effectively anonymised’.     

We use this effectively anonymised data to show trends, themes and predictions in economic wellbeing and related areas of policy making, to help create data insights for partners and customers such as government bodies and financial services companies.  We use machine learning (ML) and Artificial Intelligence (AI) tools as part of this process. Any automated decisions made using these data are subject to human oversight and will not have any impact on the individuals from whom the data first originated.    

We also share this effectively anonymised data with researchers securely for research that helps build a stronger economy and more equitable society.  

Sharing personal information  

We may share your personal information but will only do so when this is fair and lawful. We will not share your information with any third parties for the purposes of direct marketing.  

We use Processors who are third parties who provide elements of services for us. We have contracts in place with our Processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. 

In some circumstances we are legally obliged to share information. For example, under a court order.  In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information. 

When it is necessary for us to transfer your personal information outside of the UK this will only be done in accordance with the UK GDPR. 

We receive information requests under the Freedom of Information (Scotland) Act and the UK GDPR. Requests are considered on a case-by-case basis and we will only disclose your information where we are legally required to do so. 

As a subsidiary of the University of Edinburgh we are subject to audit and may share your information with auditors. What we share will depend on the nature and scope of the audit and we will take steps to minimise data sharing wherever possible. 

Your rights     

You have rights in relation to the personal information we hold about you.  Use the contact details provided in ‘How to get in touch’ if you would like to make a rights request.   

Right of access  

You can ask us at any time for a copy of the information that we hold about you, and for details about how this information is used.    

Right of correction or completion 

If the information we hold about you is inaccurate, incomplete, or out of date then you can tell us to correct it, complete it, or update it.    

Right of erasure  

In certain circumstances, you can ask us to delete the data we hold about you; for example, if it’s no longer necessary for us to hold the information or if there are no legal grounds for us to hold the information.     

Right to restrict or object to processing  

In certain circumstances, you can tell us to stop using your information, including for direct marketing.    

Right of data portability 

In certain circumstances, you can tell us to send you any information that we hold about you in a structured, commonly-used format that can be read by a computer or other digital device.     

Rights related to automated individual decision-making, including profiling 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal or other significant effects on you.  Although we do carry out some automated and profiling processing activities, any decision-making involved does not have any legal or similarly significant effect on the individuals from whom the data first originated.      

Right to complain  

You have the right to complain about the way we handle your personal data. If you want to make a complaint, please contact us using the contact details below.  We will acknowledge that we have received your complaint.  We will investigate your concerns and let you know what we have found without undue delay.   

If you are not satisfied with our response, you have the right to escalate your complaint to the Information Commissioner’s Office (ICO).  Information on how to complain to the ICO is provided here: https://ico.org.uk/make-a-complaint/.  

More information on your rights  

Further information on these rights is available on the ICO website at https://ico.org.uk/for-the-public/ .  

Most of the rights have limits and exceptions. If we can’t handle your request then we’ll explain our reasons to you.   

We may ask you to prove your identity before we can handle your request, and we cannot handle requests that relate to other people without their consent.    

Please note that we are unable to take action on rights requests in relation to the effectively anonymised data shared with us by Data Partners.  This is because this information does not contain personal data, and we are unable to identify individuals.  If you would like to make a rights request in relation to this information, we will pass it to the relevant Data Partner for them to respond.  

How to get in touch    

If you want to exercise any of your rights set out in the section above, make a complaint about the way we handle your data, or contact our Data Protection Officer, then please email ig@smartdatafoundry.com or write to: Data Protection Officer, Smart Data Foundry, Edinburgh Futures Institute, 1 Lauriston Place, Edinburgh, EH3 9EF.  

Sign up for the latest updates

Receive news, insights and event invites straight to your inbox.