Privacy notice

Notice saying 'Private'

1. Introduction

Exigia Ltd. takes the security and privacy of client data very seriously. After all, one of the main proposes of the Company is to provide our clients with advice, guidance and support for their own security and data protection regimes.

2. What is in this notice?

This is our privacy notice, that tells you:

· what personal data we might collect about you

· how we might use that personal data

· when we might use your details to contact you

· what personal data of yours we might share with others

· your rights about the personal data you give us

We believe that this notice is compliant with the United Kingdom's Data Protection Act, 2018, including the 'UK General Data Protection Regulation (GDPR), and all other relevant legislation.

3. Who are we?

We are Exigia Ltd., a small consultancy company, based in the UK, specialising in providing a range of services for SME clients, which includes information governance compliance, cyber security compliance and web services.

In the main, our clients are UK organisations working in the health and social care sector as providers or suppliers, alongside the NHS.  We also serve charities, local government organisations such as parish councils and small businesses generally.

4. What personal data do we collect?

The personal data we may collect about you will vary depending on how you interact and engage with us. It may include the following:

a. General identification and contact information

We may collect your name, address, phone number, email address, IP address, user name, password, age, gender, date of birth.

b. Financial information

We may collect your name, bank account and sort code. For example, where you are a supplier we need to pay or a client we need to send a refund to.

d. Device information

We may collect some technical information from devices and applications you use when accessing our services (e.g. computers, mobiles, tablets, speakers web browsers etc. This might include IP addresses and device IDs. We will uniquely identify each instance of that use.

e. Marketing preferences

We may collect information if you access our services, such as how you use those services and the pages or articles you read.

f. Information if you communicate with us by mail, email, messaging, videoconferencing or our website

If you call, text, email or otherwise communicate with us, we may collect your name, location and a brief summary of your message or opinion. Please note this may include confidential information.

g. Location information

You may be asked for your address in order to offer you services and exchange information. We may also have information regarding your general geographic location based on your IP address.

h. Information on your activities outside if you submit a comment via a noticeboard, blog or other website facility

We will not normally collect any sensitive personal data from you (unless you provide it to us voluntarily), and will, in any event, ask for your express consent to hold this information if we need to do so.

Please do not submit such personal data or sensitive information if you do not wish us to collect it.

5. What information do we collect about you from other sources?

We may obtain additional information about you from trusted third parties and public sources.

6. How do we use your personal data?

We have to have a valid reason to use your . This is called a “lawful basis for processing”. We process for the following legal basis:

a. Consent

We use your personal data if we have your consent. We rely on consent for the following:

  • to enable you to login to your account
  • to tell you about products, events, services and promotions that we or our third party partners are offering
  • to answer you when you have contacted us, or to respond to a comment or complaint
  • for marketing purposes
  • to send you notifications on your device if you have selected them

You have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.

b. The processing is necessary to fulfil a contract

We may process your data when we need to fulfil a contract with you.

c. Legitimate Interest

We process your data when it is in our legitimate interest to do this and when these interests are not overridden by your data protection rights.

Our legitimate interests include:

  • to improve our content, products, services and customer experiences by monitoring your use of our services and working with our suppliers to improve the products and services we offer, develop new content and services
  • to create profiles for targeted advertising and marketing opportunities
  • to ensure the security and integrity of our services
  • to ensure that our websites and apps operate effectively
  • to protect clients and other individuals and maintain their safety, health and welfare
  • for market research
  • to deal with your requests, complaints and enquiries

We will use your information to deliver targeted advertising about our services to you when you visit our websites.

d. Necessary to comply with a legal and regulatory obligations

We may process your personal data to comply with our legal and regulatory obligations e.g. preventing, investigating and detecting crime, fraud or anti-social behaviour and complying with law enforcement agencies.

7. Who else could have access to client personal data?

a. Partners

If you sign up for one of our partnered services, you will be providing your information directly to our third party partner. We advise that you check their privacy policy or statement to understand how they use your information. They may share certain information with us, which we will only use for the reasons set out in this policy and this will not include sensitive or financial information.

b. Our service providers (processors)

We may pass your personal data to our external third-party service providers who act either as our data processors or in exceptional cases as data controllers in their own right e.g. professional advisors.

Our providers may include:

  • accountants, auditors, lawyers, other professional advisors,
  • IT systems, support and hosting service providers
  • printing, advertising, marketing, market research and analysis service providers
  • website analytics, technical engineers, data storage and cloud providers and similar third party vendors and outsourced service providers that assist us in carrying out business activities.

These third parties (and any subcontractors they may be permitted to use) have agreed not to share, use or retain your personal data for any purpose other than as necessary for the provision of our services. For further information on our processors and sub-processors please refer to the list of Our Data Processors.

c. Government authorities and third parties

As required by law or regulation

d. Other third parties


8. Relating to children and minors

Our services are not directed towards individuals under the age of 18. We do not knowingly use or process the personal data of children under 13 years of age either directly or indirectly.

9. How long do we keep your information for?

We hold personal data for different purposes and the length of time we keep it will vary depending on the services or products we are providing. We will only keep your data for a reasonable period of time, which is based on the purpose for which we are using it. Once that purpose has been fulfilled, we will securely delete that data or anonymise it (so that neither we, nor anyone else, can tell that the data relates to you) unless we are required to retain the data longer for legal, tax or accounting reasons.

To determine the period we store personal data, we always stick to these principles:

  • we design our services so that we do not hold your longer than we need to or have to
  • we think about what type of information it is, the amount collected, how sensitive or intrusive it might be and any legal requirements

10. International transfers of your personal data

Personal data which you supply to us is generally stored and kept inside the European Economic Area and nearly all within the United Kingdom.

However, due to the nature of our business and the technologies required, your personal data may be transferred to a third party service provider outside the EEA. These countries may not have the same data protection laws, including a lower level of protection.

If we need to transfer your personal data in this way we will take steps to ensure adequate privacy and security, including, where appropriate, data minimisation, anonymisation and pseudonymisation. We will undertake due diligence on the recipients and their country's privacy laws and place data recipients under contractual obligations to take care of your data, for example by using EU standard contractual clauses (SCCs) or their equivalent.

11. Your rights in relation to how we use your personal data

Data Protection laws give you certain rights in respect of your personal data. You have the following rights:

  • Right to rectification
    The right to have your personal data corrected if it is inaccurate or incomplete. You can also manage some of this yourself if you have registered with us via our website.
  • Right of access
    You have the right to obtain your personal data from us. This is referred to as a data subject access request.
  • Right to be erasure (“right to be forgotten”)
    You have the right to be forgotten.
  • Right to object and opt-out of marketing
    You have the right to object to the processing of your personal data. This includes the right to object to direct marketing. You will always be given the opportunity to opt-out of further direct marketing when you receive such communications from us or you can contact us at This email address is being protected from spambots. You need JavaScript enabled to view it..
  • Right to portability
    You have the right to move, copy or transfer certain personal data
  • Right to restrict processing
    You have the right to restrict the use of your personal data in certain circumstances
  • Right to opt-out of automated individual decision-making (including “profiling”)
    You have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you or produces legal effects.

If you wish to submit a request in relation to any of your rights above, please contact us at: This email address is being protected from spambots. You need JavaScript enabled to view it.. Please note you may be asked to supply us with proof of identity before we will be able to provide you with a response

12. Cookies

See our separate Cookies Policy, which also contains some guidance on managing cookies.

13. What we will not do

For the avoidance of doubt

  • We will not automatically log personal data nor link information automatically logged by other means with personal data about specific individuals
  • We will not sell your personal data to anyone
  • We will not share your personal data with anyone without your expressed permission unless permitted or required to do so by law
  • We will co-operate with you to enable you to speedily exercise your rights over your personal data

14. Acting as your data processor

This notice applies to our processing of your personal data. We may also act on your behalf as a (data) processor or sub-processor of other personal data which you control. This notice does not apply to those activities, and you should refer instead to the relevant contract between us.

15. Contact us and complaints

The data controller responsible for your personal data is Exigia Ltd.

If you have any concerns we would like you give us the opportunity to know about them and so we would encourage you to contact us first so that we can try to help you.  Please email This email address is being protected from spambots. You need JavaScript enabled to view it. or write to the Data Protection Officer, Exigia Ltd., 4th Floor, 18 St. Cross Street, London EC1N 8UN.

If you do not think we are handling your personal data adequately, you have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, are available at

16. Data Protection Act notification

In order to comply with current legislation, The Company maintains a Data Protection Act Registration No. ZA019088. Further information is available at the Information Commissioner's website -

17. Changes to our privacy notice

This Privacy Notice will be amended from time to time if we make any important changes in the way that we collect, store and/or use personal data. We will notify you where required.


Last updated: 04 January 2021