This is our privacy notice explaining how we may use your personal data and your rights under data protection laws

Exigia respects your privacy

Exigia Ltd is a small consultancy company, based in the UK, whose clients are mostly UK organisations working in the health and social care sector as providers or suppliers, alongside the NHS. We also serve charities, local government organisations such as parish councils and small businesses generally.

Exigia Ltd. takes the security and privacy of client data very seriously. After all, one of the main purposes of the Company is to provide our clients with advice, guidance and support for their own security and data protection regimes.

This is our privacy notice, which we believe is compliant with the United Kingdom’s Data Protection Act 2018, including the ‘UK General Data Protection Regulation (UK GDPR)’, and all other relevant legislation.

What personal data does Exigia process?

Personal data is information about you that is identifiably about a living individual. The personal data we may collect and process about you will vary depending on how you interact with us. When acting as a (data) controller, we may process some or all of the following types of personal data:

General identification and contact information

We may collect your name, address, phone number, email address, IP address, name, password, age, gender, date of birth.

Financial information

We may collect your name, bank account number and sort code. For example, where you are a client or a supplier we need to pay or send a refund to.

Device information

We may collect some technical information from devices and applications you use when accessing our services (e.g. computers, mobiles, tablets, smart speakers, web browsers etc.). This might include IP addresses and device IDs.

Marketing preferences

We may collect information if you access our services, such as how you use those services and the pages or articles you read.

Information if you communicate with us

If you call, text, email, chat online, videoconference or otherwise communicate with us, we may collect your name, location and a brief summary of your message or opinion. Please note this may include confidential information.

Location information

You may be asked for your address in order to offer you services and exchange information. We may also have information regarding your general geographic location based on your IP address.

Information on your activities etc.

If you contact us or submit a comment via a noticeboard, blog or other website facility, we will not normally collect any sensitive personal data from you (unless you provide it to us voluntarily), and will, in any event, ask for your express consent to hold this information if we need to do so.

Please do not submit sensitive information if you do not wish us to collect it.

What information do we collect about you from other sources?

We may obtain additional information about you from trusted third parties and public sources.

How do we use personal data?

Lawful basis

We have to have a valid reason to use your personal data. This is called a “lawful basis for processing”. We process personal data for the following legal bases:


We may use your personal data if we have your consent. We rely on consent for the following:

  • to enable you to login to your account
  • to tell you about products, events, services and promotions that we or our third party partners are offering
  • for marketing purposes
  • to send you notifications on your device if you have selected them

You have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.


We may process your data when we need to fulfil a contract with you.

Legitimate Interest

We process your data when it is in our legitimate interest to do this and when these interests are not overridden by your data protection rights.

Our legitimate interests include:

  • to improve our content, products, services and customer experiences by monitoring your use of our services and working with our suppliers to improve the products and services we offer or develop new content and services
  • to create profiles for targeted advertising and marketing opportunities
  • to ensure the security and integrity of our services
  • to ensure that our websites and apps operate effectively
  • to protect clients and other individuals and maintain their safety, health and welfare
  • for market research
  • to deal with your requests, complaints and enquiries

We may use your information to deliver targeted advertising about our services to you when you visit our websites.

Legal and regulatory obligations

We may process your personal data to comply with our legal and regulatory obligations e.g. taxation, preventing, investigating and detecting crime, fraud or anti-social behaviour and to comply with actions taken by law enforcement agencies.

Who else might access the data?

There is a possibility that some of your personal data may be shared with other parties such as:

Our partners

If you sign up for one of our partnered services, you will be providing your information directly to that third party partner. We advise that you check their privacy policy or statement to understand how they intend to use your information. They may share certain information with us, which we will only use for the reasons set out in this policy and this will not include sensitive or financial information.

Our service providers (processors)

We may pass your personal data to our external third-party service providers who act either as our data processors or in exceptional cases as data controllers in their own right e.g. professional advisors. When they act on our instructions under contract, we remain responsible for the processing of personal data.

Our providers may include:

  • accountants, auditors, lawyers, other professional advisors
  • IT systems, support and hosting service providers
  • printing, advertising, marketing, market research and analysis service providers
  • website analytics, technical engineers, data storage and cloud providers and similar third party vendors and outsourced service providers that assist us in carrying out business activities

These third parties (and any subcontractors they are permitted to use) are legally obliged not to share, use or retain your personal data for any purpose other than as necessary for the provision of our services. For further information on our processors and sub-processors please refer to the list of our Data Processors.

Government authorities

As required by law or regulation

Children and minors

Our services are not directed towards individuals under the age of 18. We do not knowingly use or process the personal data of children under 13 years of age either directly or indirectly.

How long is the data kept?

We hold personal data for different purposes and the length of time we keep it will vary depending on the services or products we are providing.

We will only keep your data for a reasonable period of time, which is based on the purpose for which we are using it. Once that purpose has been fulfilled, we will securely delete that data or anonymise it (so that neither we, nor anyone else, can tell that the data relates to you) unless we are required to retain the data longer for legal, tax or accounting reasons.

To determine the period we store personal data, we always stick to these principles:

  • we design our services so that we do not hold your data longer than we need to or have to
  • we think about what type of information it is, the amount collected, how sensitive or intrusive it might be and any legal requirements

International transfers

Personal data which you supply to us is generally stored and kept inside the United Kingdom.

However, due to the nature of our business and the technologies required, your personal data may be transferred to a third party service provider outside the UK. These countries may not have the same data protection laws, including a lower level of protection.

If we need to transfer your personal data in this way we will take steps to ensure adequate privacy and security, including, where appropriate, data minimisation, anonymisation and pseudonymisation. We will undertake due diligence on the recipients and their country’s privacy laws and make transfers to countries that have been granted Adequacy Decisions by the UK where possible. We will also place data recipients under contractual obligations to take care of your data, for example by using EU standard contractual clauses (SCCs) or their equivalent. 

Your rights

Data Protection laws give you certain rights in respect of your personal data and how we use it. You have the following rights:

Right to rectification

The right to have your personal data corrected if it is inaccurate or incomplete. You can also manage some of this yourself if you have registered with us via our website.

Right of access

You have the right to obtain your personal data from us. This is referred to as a data subject access request.

Right to erasure (“right to be forgotten”)

You have the right to be forgotten.

Right to object and opt-out of marketing

You have the right to object to the processing of your personal data. This includes the right to object to direct marketing. You will always be given the opportunity to opt-out of further direct marketing when you receive such communications from us or you can contact us as set out in the Contacting us section below.

Right to portability

You have the right to move, copy or transfer certain personal data.

Right to restrict processing

You have the right to restrict the use of your personal data in certain circumstances.

Right to opt-out of automated individual decision-making (including “profiling”)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you or produces legal effects.

If you wish to submit a request in relation to any of your rights above, please contact us as set out in the Contacting us and complaints section below. Please note you may be asked to supply us with proof of identity before we provide a response. We do not charge for requests to exercise these rights unless they are manifestly unfounded or excessive, when we may refuse to respond or charge a reasonable fee before dealing with them.


A cookie is a small amount of data, which often includes an anonymous unique identifier. Cookies are sent to your browser from a website’s computer and stored on your computer or mobile device.

Each website can send its own cookies to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.

Many sites save cookies whenever a user visits their website in order to:

  • Provide website personalisation (for example: saving preferences such as font size, accessibility features, template versions etc.)
  • Save data or user’s decisions (for example: removing the need to enter login and password on every website, remembering a login for the next visit, keeping information on products added to a shopping cart)
  • Provide social media integration (for example: displaying your friends, fans or post publishing on Facebook directly from the website)
  • Adjust adverts that are displayed on the website and make them ‘more relevant’ to the person viewing them
  • Create website and flow statistics between different websites to track online traffic flows

Users have the opportunity to set their computers to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these, of course, means that certain personalised services cannot then be provided and you may not be able to take full advantage of all of the features of websites. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences.

In the UK, website users must be given the option to agree to accept the use of cookies. This is normally achieved through their internet browser settings and by making it clear in policy statements that cookies are used, giving users the opportunity to change their internet browser settings, or even avoid websites if they don’t want to have certain cookies stored on their computers.

You can clear cookies stored by your browser e.g. by using one of its menu options or a third party add-in. For further information, please refer to your browser’s ‘Help’ documentation.

Our use of cookies

During the course of any visit to our websites, the pages you see are downloaded to your computer. In addition we may download cookies.

Information supplied by cookies can help us to provide you with a better online user experience and assist us to analyse the profile of our visitors. For example: you need to allow the session cookie to be able to send us a message via the contact form or login to a client account (if you have one).


We do not use cookies for advertising or marketing purposes, but third party vendors, including Google, may use cookies to serve advertisements based on users’ prior visits to websites, including our websites.

Google’s use of cookies and other technologies enables it and its partners to serve advertisements to you based on your visit(s) to our websites via their search engine and/or other sites on the Internet. You can learn more about Google’s advertising practices within the Advertising section of their Privacy Policy.

You can learn more and possibly opt out of a third-party vendor’s use of cookies by visiting the Network Advertising Initiative Consumer Opt-Out page.

Acting as your data processor

This notice applies to our processing of personal data you control under contract and your instructions.

This notice does not apply to those activities as it only applies to processing we undertake as a controller. If necessary you should refer to any relevant contract between us.

What we will not do

For the avoidance of doubt:

  • We will not automatically log personal data nor link information automatically logged by other means with personal data about specific individuals
  • We will not sell your personal data to anyone
  • We will not share your personal data with anyone without your expressed permission unless permitted or required to do so by law

We will, however, co-operate with you to enable you to speedily exercise your rights over your personal data.

Contacting us and complaints

The (data) controller responsible for your personal data is Exigia Ltd.

If you have any concerns we would like you to give us the opportunity to know about them and so we would encourage you to contact us first so that we can try to help you. Please contact us at:


Post: Exigia Ltd., 124 City Road, London EC1V 2NX

Please mark your correspondence for the attention of the Data Protection Officer.


If you do not think we are handling your personal data adequately, you have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, are available at

Data Protection Act notification

In order to comply with current legislation, the Company maintains a Data Protection Act, 2018 Registration No. ZA019088. Further information is available at the Information Commissioner’s website –

Changes to our privacy notice

This Privacy Notice will be amended from time to time if we make any important changes in the way that we collect, store and/or use personal data. Please check back here occasionally to refresh your understanding.

Last updated: 07 June 2022