Privacy Policy

INCIPIO GROUP LIMITED PRIVACY POLICY

INTRODUCTION

Welcome to the Incipio Group Limited’s (“Incipio”) privacy notice. Incipio Group respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

Please use the Glossary to understand the meaning of some of the terms used in this privacy notice.

IMPORTANT INFORMATION AND WHO WE ARE
THE DATA WE COLLECT ABOUT YOU
HOW IS YOUR PERSONAL DATA COLLECTED
HOW WE USE YOUR PERSONAL DATA
RECRUITMENT AND JOB APPLICATIONS
SOCIAL MEDIA PLATFORMS
WI-FI SERVICES IN OUR VENUES
CCTV AND AUDIO RECORDINGS
THIRD PARTY MARKETING
10. DISCLOSURES OF YOUR PERSONAL DATA
INTERNATIONAL TRANSFERS
12. DATA SECURITY
13. DATA RETENTION
14. YOUR LEGAL RIGHTS
INFORMATION ABOUT OUR USE OF COOKIES
CHANGES TO THIS POLICY
14. GLOSSARY

IMPORTANT INFORMATION AND WHO WE ARE

This privacy notice aims to give you information on how Incipio Group collects and processes your personal data through your use of this website, including any data you may provide through this website when you sign up to our newsletter, make a reservation at one of our establishments, purchase a product or service, apply for a job with us, or take part in a competition or promotion. This website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.

Controller

Incipio Group Ltd is the controller and responsible for this website.

Incipio operates a wide range of food and hospitality brands across the UK and while each may be branded differently, Incipio is the responsible controller for each website and establishment. While our businesses operate under different brand names, they are all ultimately owned and controlled by Incipio Group Ltd. Details of our group entities are available at www.incipiogroup.co.uk.

This privacy notice is issued by Incipio Group Ltd, which is the data controller for all personal data processed across our websites, venues and systems. Our venues operate under different brand names, but they are all owned and operated by Incipio Group Ltd, and all customer data (including website activity, reservations, EPOS transactions, marketing and CRM information) is processed under the control of Incipio Group Ltd. When we refer to “Incipio”, “we”, “us” or “our” in this privacy notice, we mean Incipio Group Ltd as the controller responsible for your personal data.

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.

Contact details

Our full details are:

Full name of legal entity: Incipio Group Ltd|
Email address: contact@incipio-group.co.uk
Postal address: Incipio Group, 4 O Meara Street, London, SE1 1TE

Changes to the privacy notice and your duty to inform us of changes to your personal data

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party links

This website may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. For example, this may include links to booking platforms, social media pages, event partners, ticketing partners, or external service providers. We do not control these third-party websites and are not responsible for the privacy practices of other websites even if you access them using links that we provide. When you leave our website, we encourage you to read the privacy notice of every website you visit.

THE DATA WE COLLECT ABOUT YOU

Personal data, or personal information, means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:

Identity Data includes first name, last name and date of birth.

Contact Data includes email address and telephone numbers.

Financial and Transaction Data includes payment card details and information about purchases you make in our venues or via our websites/applications.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

Usage Data includes information about how you use our websites, apps and services. This may include statistical data about browsing actions, patterns.

Profile Data includes your username, purchases or orders made by you, your interests, preferences, feedback and survey responses.

Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

Other Data includes information collected through CCTV in our venues, use of guest Wi-Fi services, accident logs, or other data we may collect in the course of operating our business and ensuring the safety and security of our customers and staff.

We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice. For more information on how we may use aggregated data about you, please see our Cookie Policy.

We do not routinely collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).

However, we may process limited health-related information only where you choose to provide it, for example allergen or dietary requirements submitted when making a reservation, or accessibility needs (such as requests for step-free access) that may indicate a disability. We use this information solely for the purpose of managing your booking and ensuring your safety and comfort.

We do not collect any information about criminal convictions and offences. 

HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

Direct interactions. You may give us your identity and contact data by filling in forms or by corresponding with us by phone, email or otherwise. This includes personal data you provide when you:

make a reservation at one of our establishments;

purchase food, drink or other services in-venue (including through our EPOS systems) or via our apps;

subscribe to our service or publications;

request marketing to be sent to you;

enter a competition, promotion or survey;

apply for a job with us;

give us some feedback;

apply for, or redeem, a voucher.

Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.

In-venue technologies. When you visit our establishments, we may collect:

CCTV footage for the purposes of security, health and safety, and crime prevention;

Wi-Fi login details and related Technical/Usage Data if you choose to use guest Wi-Fi services;

EPOS and payment data when you make purchases at our venues; and

App data if you use our mobile ordering or loyalty applications.

Third parties or publicly available sources. We may receive personal data about you from various third parties, including:

analytics providers;

advertising networks;

search information providers; and

payment and delivery service providers.

recruitment providers (Harri), when you apply for a job with us.

HOW WE USE YOUR PERSONAL DATA

We will only use your personal data where the law allows us to. This means we rely on one or more of the following legal bases: (i) your consent; (ii) where we need to perform a contract with you; (iii) where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or (iv) where we need to comply with a legal obligation.

Where you have provided consent

We will use your personal data where you have specifically agreed we can do so. For example:

to send you marketing communications (by email, SMS, push notification or other digital channel) about our venues, events, offers and services;

to send you marketing across our group of brands, where you have agreed to hear from the wider Incipio Group;

to share your details with trusted third-party partners (for example, drinks brands sponsoring an event) so they can send you marketing, where you have consented to this;

to collect customer feedback (for example, where you book through OpenTable and agree to be contacted about your experience);

to use images, video or testimonials that feature you (for example, if you consent to appear in marketing materials).

You may withdraw your consent at any time by clicking “unsubscribe” in our emails or contacting us at contact@incipio-group.co.uk.

Where it is necessary for a contract

We will process your personal data where it is necessary for us to perform our contract with you, or to take steps at your request before entering into one. For example:

to make and manage reservations (tables, private dining, events, venue hire);

to take payment for food, drink and services (whether online, through our app, or in-venue via EPOS);

to provide you with services you have requested (for example, catering, event services, or Wi-Fi);

to manage loyalty schemes, vouchers, and promotional offers you choose to participate in.

Where we have a legitimate interest

We may use your personal data where it is necessary to pursue our legitimate interests as a business, provided your rights and freedoms do not override these interests. For example:

to understand how customers use our venues, websites and apps, and to make improvements;

to personalise your customer experience, including tailoring marketing and recommendations to your interests;

to keep our venues, staff and customers safe, including through the use of CCTV and incident reporting;

to administer Wi-Fi and IT systems securely and efficiently;

to manage customer enquiries, feedback, complaints or claims;

to maintain suppression lists so we can respect your marketing preferences;

to establish, exercise or defend our legal rights.

Where we must comply with a legal obligation

We may process your personal data where necessary for us to meet legal or regulatory requirements. For example:

to keep records for tax and accounting purposes;

to comply with licensing laws, food safety requirements and health & safety obligations;

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.

Note that we may process your personal data for more than one lawful bases depending on the specific purpose for which we are using your data. If you would like more information about how we use your personal data, please contact us using the details below and we will provide you with the information we are able to share.

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To register you as a new customer	(a) Identity (b) Contact	Performance of a contract with you
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services to help improve our offerings to our customers)
To enable you to partake in a prize draw, apply for a free voucher, competition or complete a survey	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) (c) Where you have provided consent
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Technical	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant web site content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical	(a) where we have obtained your consent (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences	(a) Technical (b) Usage	(a) where we have obtained your consent (b) Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you	(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile	Necessary for our legitimate interests (to develop our products/services and grow our business)
To process and manage reservations, bookings and event hire (including through our websites, apps and third-party platforms such as OpenTable)	(a) Identity (b) Contact (c) Financial and Transaction (d) Profile	Performance of a contract with you
To take payment for food, drink and other services at our venues (including via EPOS systems and apps)	(a) Identity (b) Contact (c) Financial and Transaction	(a) Performance of a contract with you; (b) Necessary to comply with a legal obligation
To operate loyalty schemes, promotions and vouchers (including registration, redemption and rewards tracking)	(a) Identity (b) Contact (c) Profile (d) Financial and Transaction (e) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to develop and promote our business)
To request and collect customer feedback (e.g., through OpenTable or post-visit surveys)	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	(a) Where you have provided consent (b) Necessary for our legitimate interests (to improve our venues and customer experience)
To provide guest Wi-Fi services in our venues	(a) Identity (b) Contact (c) Technical (d) Usage	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to provide added services to customers and ensure network security)
To maintain security and safety in our venues (including CCTV monitoring and incident logs)	(a) Identity (b) Other Data (CCTV footage, incident reports)	(a) Necessary for our legitimate interests (to ensure the safety and security of staff, customers and property, and to prevent and detect crime) (b) Necessary to comply with a legal obligation (e.g. law enforcement requests)
To comply with licensing, health and safety and food safety requirements	(a) Identity (b) Contact (c) Financial and Transaction (d) Other Data (incident logs, CCTV)	Necessary to comply with a legal obligation

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may use your personal data to provide you with marketing communications about our products and services where you have provided consent and/or where we are permitted to do so for similar goods and services in accordance with applicable law. You can choose to receive marketing messages by opting in when registering for an account, signing up for newsletters, or updating your preferences.

Where you have provided consent, we may share your contact details with other entities within the Incipio Group for the purpose of sending you marketing communications about similar hospitality and venue services. You will be given clear options to manage your preferences or opt out at any time.

You have the right to withdraw your consent or opt out of marketing at any time by following the unsubscribe instructions in our communications or contacting us directly. We will not share your personal data with third parties for their marketing purposes without your explicit consent. For more details on your rights and how to manage your preferences, please refer to the “Your Rights” section of this policy.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us, made a reservation at one of our establishments, purchased goods or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.

5. RECRUITMENT & JOB APPLICATIONS

We use Harri to advertise roles and manage job applications on our behalf. When you apply, your data is collected and processed through Harri. Incipio Group Ltd remains the data controller for all applications to our roles. You can view Harri’s privacy policy here: https://harri.com/privacy.

What we collect: information you provide in your application, such as your name, contact details, work history, education and right-to-work details, as well as interview notes and correspondence.

Why we use it:

to assess and manage your application and communicate with you (steps to enter a contract)

to keep necessary recruitment records (legitimate interests)

to meet legal requirements (e.g. right-to-work checks)

How long we keep it: normally 12 months for unsuccessful applicants, or longer if needed for legal reasons. If we ask to keep your details for future roles, we will only do so with your consent.

Who we share it with: relevant Incipio hiring managers and trusted suppliers who support our recruitment process (including Harri). They must protect your data and act only on our instructions.

6. SOCIALMEDIA PLATFORMS

We use a number of different social media platforms to communicate with you and to promote products and services. We process your personal information using these platforms in a variety of ways, as follows:

Pages. We use your personal information when you post content or otherwise interact with us on our official pages on Facebook, Instagram, TikTok and other social media platforms.  We also use the Page Insights service for Facebook and Instagram to view statistical information and reports regarding your interactions with the pages we administer on those platforms and their content. Where those interactions are recorded and form part of the information we access through these Page Insights services, we and the relevant platform are joint controllers of the processing necessary to provide that service to us.

Single sign-on. Some of our mobile apps use a feature provided by social media and other digital service providers that allow you to register and login to our account with the app using the same login details you have already set up with those providers. This feature is known as a ‘single sign-on service’. We are responsible for any use we make of the personal information we receive from the platform using this feature.

Data from your profile. When you use single sign-on services, you may be prompted to confirm that you are happy to share with us your name, email address and certain other personal information you hold with those providers. You may be asked if you would like to share information with us that goes beyond what is needed to log you into your account. For example, you may be asked if you would like us to use your contact details or date of birth for direct marketing purposes. We will only use your personal information in this way if you agree.

Cookies. We use cookies and similar technologies in our Website to collect and send information to Facebook about actions you take on our website and applications. In particular, Meta (who operates the Facebook and Instagram platforms) uses this information to provide services to us and also for further processing for its own business purposes. We and Meta are joint controllers of the processing involved in collecting and sending your personal information to Meta using cookies and similar technologies as each of us has a business interest in Meta receiving this information.  You can find out more about these technologies by visiting our Cookie Policy.  The services we receive from Meta that use this information are delivered to us through Meta Business Tools, which include Meta Pixel, Facebook Login, Social Plugins and Website Custom Audiences. These tools allow us to target advertising to you within Meta’s social media platforms by creating audiences based on your actions on our Website and applications and allow Meta to improve and optimise the targeting and delivery of our advertising campaigns for us. 

Our relationship with Meta. As we are joint controllers with these platforms for certain processing, we and each platform have:

entered into agreements in which we have agreed each of our data protection responsibilities for the processing of your personal information described above;

agreed that we are responsible for providing to you the information in this privacy notice about our relationship with each platform; and

agreed that each platform is responsible for responding to you when you exercise your rights under data protection law in relation to that platform’s processing of your personal information as a joint controller.

Meta also processes, as our processor, contact information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing Meta carries out when it display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to a platform operated by Meta. These advertisements may include forms through which we collect contact information you give to us.

Further information. The Meta company that is a joint controller of your personal information is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. For further information regarding Meta and its use of your personal information, please see:

Meta’s Controller Addendum for Page Insights and UK Controller Addendum for Business Tools which include information regarding how our and Meta’s responsibilities to you are allocated as controllers of your personal information;

Meta’s Privacy Center including its Privacy Policy at https://www.facebook.com/privacy which include details of the legal reasons (known as ‘lawful bases’) on which each platform relies to process your personal information, together with details regarding your data protection rights; and

Meta’s help pages regarding its Page Insights and Business Tools and its terms and conditions relating to those tools.

Our relationship with Tiktok. To find out more about our relationship with TikTok, please see the terms of the data sharing arrangement we have with TikTok and the TikTok Privacy Policy.

7.WI-FI SERVICES IN OUR VENUES

We make guest Wi-Fi available in some of our venues. These services are provided by Wireless Social (owned by Access Group).

When you choose to use guest Wi-Fi, personal data such as your device details, login credentials and browsing activity may be collected. Wireless Social acts as a separate controller for the information it collects in connection with its Wi-Fi services, meaning it is independently responsible for how it processes your personal data.

Wireless Social may store and process data in the EEA, UK, US, Australia and Singapore. Please refer to Wireless Social’s privacy policy for full details about how it uses your information.

We may receive limited information from Wireless Social (e.g. aggregate usage reports) to help us understand how the service is being used.

8. CCTV ANDAUDIO RECORDINGS

We use CCTV in and around our venues as part of our legitimate business interests in ensuring the safety and security of our customers, staff and property, and in the prevention and detection of crime.

CCTV may record images, date and time information whenever you are present in an area under surveillance. In some circumstances, recordings may capture information relating to criminal offences or health data.

Visible signage is displayed at all premises where CCTV is in operation. We do not deploy CCTV in areas where individuals have a reasonable expectation of privacy.

Footage may be reviewed by our security teams or by third-party service providers acting on our behalf, and may be shared with law enforcement authorities where required.

We may also use CCTV footage or incident logs to investigate complaints, accidents or claims.

In limited cases, we may also make audio recordings (e.g. body-worn cameras, security radios, or recorded customer service calls), which may capture conversations with customers or visitors.

Footage is retained for 31 days on each venue’s local recorder. Recorders are password-protected at all times, with access restricted to senior site managers and a limited number of authorised HQ personnel. We may retain footage for longer where required due to an ongoing investigation, incident or legal claim.

9. THIRD PARTY MARKETING

We will only share your personal data with third parties for their own marketing purposes where you have explicitly agreed to this. We do not routinely share customer data with third-party brands for marketing. However, on occasion, we may run competitions, collaborations or sponsored events where a partner brand wishes to contact participants with marketing communications.

Where this occurs:

the relevant third party will be clearly identified at the point where we ask for your consent

you will be told exactly what marketing you are agreeing to receive

your data will only be shared if you actively opt in

once shared, the third party’s own privacy policy will apply

we ensure appropriate contractual safeguards are in place with the third party (for example, a data-sharing agreement) so that your data is protected and used only for the purposes you consented to

If you choose to opt in, you can withdraw your consent at any time by contacting the third party directly or by contacting us so we can assist where appropriate.

We will never share your personal data with third parties for their own marketing unless you have clearly and specifically agreed to this.

10. DISCLOSURES OF YOUR PERSONAL DATA

 We may disclose your information to our third party service providers, agents and subcontractors (“Suppliers”) for the purposes set out above. Our Suppliers can be categorised as follows:

Recipient / relationship to us	Industry sector (& sub-sector)
Advertising, PR, digital and creative agencies	Media (Advertising & PR)
Card-linked loyalty and service providers that support our loyalty or voucher programmes	IT (Banking & Loyalty)
CCTV and security system providers	IT (Security)
Cloud software system providers, including database, booking, email, customer relationship management and document management providers	IT (Cloud Services)
Facilities and technology service providers, including scanning, archiving and secure data destruction	IT (Data Management)
Legal, accounting, insurance and other professional advisers and consultants	Professional Services
Market and customer research providers	Media (Market Research)
Social media platforms	Media (Social Media)
Website, app developers and maintenance providers	IT (Software Development)
Website hosting and data analytics providers	IT (Hosting & Analytics)
Wi-Fi service providers	IT (Networking)
Payment processors (including gift card providers, PayPal, Google Pay and Apple Pay)	Financial Services (Payments)

Named Suppliers we use (illustrative)

To be transparent, here are key suppliers we currently use for the services described above. This list is illustrative, not exhaustive, and may change over time.

IT Managed Services

RTP Solutions (main IT support; middleman for The 411, Pergola Brixton, Pergola On The Wharf, The Prince & Olympia networks)

Prime Networks (middleman for Head Office, The Palm House & The Libertine networks)

CSL Reality (middleman for Dear Grace network)

Network / Connectivity

Evolve (The 411, The Prince)

TalkTalk (The 411, Pergola On The Wharf, The Prince & Pergola Brixton)

Colt (Olympia, The Libertine)

Vorboss (Olympia)

Gamma (The Palm House & Head Office)

Point-of-sale, Ordering, Payments, Gift Cards

Zonal – EPOS

StoreKit – guest ordering app

Deliverect – guest ordering app

Deliveroo – takeaway ordering app

Dojo Go – payment gateway

Toggle – gift card platform

Guest Wi-Fi

Wireless Social (Access Group)

Some suppliers act as our processors (they process personal data on our instructions), while others act as independent controllers (they decide their own purposes/means). For information about where data may be stored or accessed, see Section 11 (International Transfers).

In some cases, third parties act as independent controllers. This means they determine how they use your data and are directly responsible to you for their processing. In such cases, we recommend that you review their privacy policies for further details.

We may also disclose your personal information to:

any third party that is restructuring, selling or acquiring some or all of our business or assets, or in the event of a merger, re-organisation or similar event; and

where we have a duty to disclose or share your information in order to comply with any legal or regulatory obligation or request, including to police, law enforcement bodies, regulators, HMRC local or central government or related agencies.

11. INTERNATIONAL TRANSFERS

All personal data you provide to us is stored on secure systems. Some of our core systems are hosted in the UK/EEA; however, certain suppliers store or access data in other countries. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place (e.g. UK/EU standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms).

Current server locations (guest/customer data) disclosed by our suppliers:

RTP Solutions (IT managed services): UK

Zonal (Aztec) (EPOS): UK

Deliveroo (takeaway ordering): EEA / US

Deliverect (guest ordering): EEA

StoreKit (guest ordering): UK

Dojo Go / PaymentSense (payments): UK

Wireless Social (guest Wi-Fi): EEA, UK, US, Australia & Singapore

Toggle (gift cards): Uses AWS or Google Cloud (regions may vary and may include locations outside the UK/EEA)

What this means for you:

If your data is processed in a country without UK/EEA-equivalent data protection laws, we’ll ensure it is protected using the safeguards above.

We review suppliers periodically; this list is illustrative and may change over time. Material changes will be reflected in this policy.

12. DATA SECURITY

We take the security of your personal data seriously. We have put in place appropriate technical and organisational measures designed to protect your information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Access to your personal data is limited to those employees, agents and contractors who have a genuine business need to know it. They are required to process your data only on our instructions and are subject to duties of confidentiality. We also maintain procedures to deal with any suspected data security incident. Where we are legally required to do so, we will notify you and the relevant regulator of a breach.

While we apply safeguards to keep your personal data secure once it reaches us, please note that transmission of information over the internet is never completely secure. We will do our best to protect your personal data, but we cannot guarantee the security of data transmitted to us online and any transmission is at your own risk.

Where we collect or process sensitive or “special category” personal data (for example, information relating to your health, ethnicity or criminal record), we apply additional security controls to help ensure this information receives a higher level of protection.

13. DATA RETENTION

How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal data can be requested from us.

Under certain circumstances, you have rights under data protection laws in relation to your personal data. To find out more about these rights, please contact us.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

14. YOUR LEGAL RIGHTS

Depending on the lawful bases relied upon for the processing of your personal data you may have the right to:

Request access to a copy of your personal data that we hold about you by emailing us at the email address at the end of this privacy notice.  We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

What we may need from you

Time limit to respond

We try to respond to all requests within one month of receiving them. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to complain

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

15.INFORMATION ABOUT OUR USE OF COOKIES

Our website uses cookies and similar technologies to improve your browsing experience, provide essential site functionality, and help us understand how our site is used. Cookies may also be used to personalise content and, where you have consented, deliver relevant advertising. You can manage or disable cookies at any time through your browser settings. For more details, please see our Cookie Policy.

16.CHANGES TO THIS POLICY

We may review this policy from time to time and any changes will be notified to you by posting an updated version on our website and/or by contacting you by email. We recommend you regularly check for changes and review this policy whenever you visit our website. If you do not agree with any aspect of the updated policy you must immediately notify us and cease using our services.

17. GLOSSARY

LAWFUL BASIS

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Last updated: 28.11.25