The General Data Protection Regulation (GDPR) gives individuals control over their personal data and places obligations on organisations that collect or process it. LODE takes these obligations seriously. This page explains how GDPR applies to our platform, what rights you have, and how to exercise them.
For full details of how we collect and use personal data, see our Privacy Policy. For the technical measures we use to protect data, see our Security page.
Who controls your data
GDPR distinguishes between a data controller (who decides why and how data is used) and a data processor (who processes data on the controller's behalf). Understanding which role LODE plays is important.
LODE as controller
For your account data — your name, email address, and subscription details — LODE is the data controller. We decide how this information is collected and used, and we are responsible for protecting it in line with GDPR.
LODE as processor
For the travel data files you upload to the platform — which may contain personal data about employees or travellers — you remain the data controller. LODE acts as a data processor, handling that data solely to provide the service to you.
Our lawful basis for processing
GDPR requires that every use of personal data has a lawful basis. The table below shows the basis we rely on for each type of processing.
| What we do | Legal basis |
|---|---|
| Create and manage your account | Performance of a contract — Art. 6(1)(b) |
| Provide and operate the platform | Performance of a contract — Art. 6(1)(b) |
| Process payments and manage subscriptions | Performance of a contract — Art. 6(1)(b) |
| Respond to support and sales enquiries | Legitimate interests — Art. 6(1)(f) |
| Send service notifications (billing, security) | Performance of a contract — Art. 6(1)(b) |
| Send marketing communications | Consent — Art. 6(1)(a) — you can opt out at any time |
| Improve and develop the platform | Legitimate interests — Art. 6(1)(f) |
| Comply with legal obligations | Legal obligation — Art. 6(1)(c) |
Privacy by design — built in, not bolted on
Article 25 of the GDPR requires organisations to build data protection into their systems by default. LODE was designed with this principle at its core. The key technical measures are:
Personal data never reaches the AI
Before any data sample is sent to our AI for analysis, LODE automatically detects and removes columns containing personal information. The AI receives column names and redacted placeholders — never actual values such as names, email addresses, or card numbers.
Queries run in your browser
All SQL queries are executed locally inside your browser. Query results are never transmitted to any server. Only you see the output.
Local lakes never leave your device
When using local data lakes, files are stored entirely in your browser's built-in storage. Nothing is uploaded to LODE's servers — the data never leaves your machine.
Explicit consent for cloud uploads containing PII
If personal data is detected in a file you are uploading to a cloud lake, the upload pauses. A clear modal lists every type of personal data found, with its GDPR classification, and asks for your explicit acknowledgement before proceeding. You can always cancel.
Minimum data transmission
We only send what is necessary. For AI analysis, that is column names, a small redacted data sample, and the total row count. Full datasets are never transmitted.
Special category data
Article 9 of the GDPR provides extra protection for sensitive categories of personal data — such as passport numbers, national identity numbers, and financial account details. LODE's PII detection engine specifically flags these as Critical severity and ensures they are redacted before any external processing.
If your travel data files contain special category data, you will be warned before any cloud upload proceeds, and you must confirm a lawful basis for processing before continuing.
Your rights under GDPR
The GDPR gives you a clear set of rights over your personal data. Here is what each one means and how to use it.
Right of access
You can ask us for a copy of all personal data we hold about you. We will provide it within one calendar month.
Right to rectification
If any data we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to erasure
You can ask us to delete your personal data. Subject to any legal obligations, we will remove it from our systems.
Right to restrict processing
In certain circumstances, you can ask us to limit what we do with your data while a dispute is resolved.
Right to data portability
You can request your personal data in a structured, machine-readable format so you can transfer it elsewhere.
Right to object
You can object to processing based on our legitimate interests, or to receiving direct marketing at any time.
Right to withdraw consent
Where we rely on your consent (for example, marketing emails), you can withdraw it at any time with no penalty.
Right to complain
If you believe we have not handled your data correctly, you have the right to complain to the relevant supervisory authority.
To exercise any of these rights, email us at info@go-lode.com. We will respond within one calendar month.
Supervisory authority
LODE operates primarily under UK GDPR, regulated by the Information Commissioner's Office (ICO).
If you are based in the EU, your local data protection authority has jurisdiction over complaints relating to EU GDPR.
ICO website: ico.org.uk
ICO helpline: 0303 123 1113
We would always prefer to resolve any concern directly — please contact us first and we will do our best to help.
Sub-processors
As a data processor for your uploaded travel data, LODE uses a small number of trusted third-party sub-processors. We have data processing agreements in place with each of them.
International data transfers
Your personal data is primarily stored and processed within the UK and the European Economic Area (EEA). Where any transfer outside these regions is necessary (for example, to US-based service providers), we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the relevant supervisory authority.
Questions about your data?
Whether you want to exercise a right, understand how your data is used, or raise a concern, we are here to help.
Contact us