We are Exigia Ltd - a small consultancy company, based in the UK, which specialises in providing a range of services for SME clients, including support for information governance compliance, cyber security compliance and web services.

Most of our clients are UK organisations working in the health and social care sector, either within the NHS, supporting it or supplying it. We also serve charities, local government organisations such as parish councils, small businesses and individuals.

This is our Privacy Notice that describes how we handle personal data.


The personal data we may collect about you and others will vary depending on your relationship with us and how we interact. It may include the following:

General identification and contact information

We may collect names, address, phone numbers, email addresses, IP addresses, passwords, ages, genders and dates of birth.

Financial information

We may collect names, bank account numbers and sort codes. For example, where you are a client or a supplier we need to pay you or send you a refund.

Device information

We may collect some technical information from devices and applications you use when accessing our services (e.g. computers, mobiles, tablets, smart speakers, web browsers etc. This might include IP addresses and device IDs.

Marketing preferences

We may collect information if you access our services, such as how you use those services and the pages or articles you read.

Information if you communicate with us

If you call, text, email, chat online, videoconference or otherwise communicate with us, we may collect your name, location and a brief summary of your message or opinion. Please note that depending on what you say or type, this may include confidential information.

Location information

We may ask for your address in order to offer you services and exchange information. We may also have information regarding your general geographic location based on your IP address.

Information on your activities etc.

If you contact us or submit a comment via a form, noticeboard, blog or other website facility, we may use the data you answer your enquiry or provide you with services. We will record details of answers supplied and services provided.

If you become a student and use any of our training services, we will collect contact details, records and attainments. Where you have been sponsored of training by your organisation or employer, we will be acting on their behalf as a processor and they will have access to the information we hold about you.

We will not normally collect any sensitive personal data from you (unless you provide it to us voluntarily), and will, in any event, ask for your express consent to hold this information if we need to do so. Please do not submit sensitive information if you do not wish us to collect it.


We may obtain additional information about you from trusted third parties and public sources.


We need to have a valid purpose to use personal data. This is called a “lawful basis for processing”. We process personal data for the following lawful bases:

  • We may use your personal data if we have your consent. We rely on consent for the following:
  • to enable you to login to your account
  • to tell you about products, events, services and promotions that we or our third party partners are offering
  • for marketing purposes
    to send you notifications on your device if you have selected them

You have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.


We may process your data when we need to fulfil a contract with you.

Legitimate Interest

We process your data when it is in our legitimate interest to do this and when these interests are not overridden by your data protection rights.

Our legitimate interests include being able to:

  • improve our content, products, services and customer experiences by monitoring your use of our services and working with our suppliers to improve the products and services we offer or develop new content and services
  • create profiles for targeted advertising and marketing opportunities
  • ensure the security and integrity of our services
  • ensure that our websites and apps operate effectively
  • protect clients and other individuals and maintain their safety, health and welfare
  • undertake market research
  • deal with your requests, complaints and enquiries
  • deliver targeted advertising about our services to you when you visit our websites
Legal and regulatory obligations

We may process your personal data to comply with our legal and regulatory obligations e.g. taxation, preventing, investigating and detecting crime, fraud or anti-social behaviour and to comply with actions taken by law enforcement agencies.


Our service providers (processors)

We may pass personal data to our external third-party service providers who act either as our data processors or in exceptional cases as data controllers in their own right e.g. some professional advisors.

Our providers may include:

  • accountants, auditors, lawyers, other professional advisors
  • IT systems, support and hosting service providers
  • printing, advertising, marketing, market research and analysis service providers
  • website analytics, technical engineers, data storage and cloud providers and similar third party vendors and outsourced service providers that assist us in carrying out business activities

These third parties (and any subcontractors they are be permitted to use) are legally obliged not to share, use or retain your personal data for any purpose other than as necessary for the provision of our services.

For further information on our processors and sub-processors please refer to the list of our Data Processors.

Government authorities

As required by law or regulation

Other third parties



If you sign up for one of our partnered services, you will be providing your information directly to that third party partner. We advise that you check their privacy policy or statement to understand how they intend to use your information. They may share certain information with us, which we will only use for the reasons set out in this policy and this will not include sensitive or financial information.


Our services are not directed towards individuals under the age of 18.

We do not knowingly use or process the personal data of children under 13 years of age for our own purposes as a controller, but may do so as a processor on behalf of a client.


We hold personal data for different purposes and the length of time we keep it will vary depending on the services or products we are providing.

We will only keep your data for a reasonable period of time, which is based on the purpose for which we are using it. Once that purpose has been fulfilled, we will securely delete that data or anonymise it (so that neither we, nor anyone else, can tell that the data relates to you) unless we are required to retain the data longer for legal, tax or accounting reasons.

To determine how long we store personal data, we always use these principles:

  • we think about what type of information it is, the amount collected, how sensitive or intrusive it might be and any legal requirements
  • we will not hold your personal data any longer than we need to or have to


Personal data which you and others supply to us is generally stored and kept inside the United Kingdom.

However, due to the nature of our business and the technologies required, personal data may sometimes be transferred to third party service providers outside the UK. This is nearly always within the EEA or other countries considered 'adequate' in data protection terms by the UK as we are aware that countries without an 'adequacy' status may not have the same level of data protection laws and have a lower level of protection.

In the unlikely event that we need to transfer personal data to such countries we will take steps to ensure adequate privacy and security, including, where appropriate, data minimisation, anonymisation, pseudonymisation and encryption.

We will undertake due diligence on the recipients and their country's privacy laws and seek alternatives in countries that have been granted Adequacy Decisions by the UK where possible. We will also place data recipients under contractual obligations to take care of personal data, for example by using UK standard contractual clauses (SCCs) or their equivalent.


Right of access

You have the right to obtain your personal data from us. The exercise of this right leads to data subject access requests.

Right to be erasure (“right to be forgotten”)

You have the right to be forgotten.

Right to object and opt-out of marketing

You have the right to object to the processing of your personal data. This includes the right to object to direct marketing. You will always be given the opportunity to opt-out of further direct marketing when you receive such communications from us or you can contact us as set out in the Contacting us section below.

Right to portability

You have the right to move, copy or transfer certain personal data

Right to restrict processing

You have the right to restrict the use of your personal data in certain circumstances

Right to opt-out of automated individual decision-making (including “profiling”)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you or produces legal effects.

Exercising your rights

If you wish to submit a request in relation to any of your rights, please contact us as set out in the Contacting us section below. Please note you may be asked to supply proof of identity before we provide a response. We do not charge for requests to exercise these rights unless they are manifestly unfounded or excessive, when we may refuse to respond or charge a reasonable fee before dealing with them.


What are Cookies?

A cookie is a small amount of data, which often includes an anonymous unique identifier. Cookies are sent to your browser from a website's computer and stored on your computer or mobile device.

Each website can send its own cookies to your browser if your browser's preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.

Many sites save cookies whenever a user visits their website in order to:

  • Provide website personalisation (for example: saving preferences such as font size, accessibility features, template versions etc.)
  • Save data on user’s decisions (for example: removing the need to enter login and password on every website, remembering a login for the next visit, keeping information on products added to a shopping cart)
  • Provide social media integration (for example: displaying your friends, fans or post publishing on Facebook directly from the website)
  • Adjust adverts that are displayed on the website and make them 'more relevant' to the person viewing them
  • Create website and flow statistics between different websites to track online traffic flows
Cookie control

Users have the opportunity to set their computers to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these, of course, means that certain personalised services cannot then be provided and you may not be able to take full advantage of all of the features of websites. Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie settings or preferences.

In the UK, as in the EU, website users must be given the option to agree to accept the use of cookies. This is normally achieved through their internet browser settings and by making it clear in policy statements that cookies are used, giving users the opportunity change their internet browser settings, or even avoid websites if they don't want to have certain cookies stored on their computers.

You can clear cookies stored by your browser e.g. by using one of its menu options or a third party add-in. For further information, please refer to your browser's 'Help' documentation.

On this website, we provide you with a means of controlling the cookies you wish to reject or accept (if any). You may see a banner requiring a response and you can alter your settings at any time via the 'cog' icon at the top right corner of the screen.

Our use of cookies

During the course of any visit to our websites, the pages you see are downloaded to your computer. In addition we may download cookies.

Information supplied by cookies can help us to provide you with a better online user experience and assist us to analyse the profile of our visitors. For example: you need to allow the session cookie to be able to send us a message via the contact form or login to a client account (if you have one).


This Privacy Notice sets out how we process personal data as a controller of that data, but there is another situation whereby we also process personal data that you control.


This is where we are processing personal data on your behalf as our client. In those situations we are acting as a (data) processor or sub-processor* of personal data which you control.

* Sub-processing

This is similar to acting as your processor, but instead you have employed another processor who has in turn sub-contracted us to do some of the personal data processing. When acting as a sub-processor, we will be bound to act in the same way as your processor and you will have given permission for the subcontracting to take place.

This Privacy Notice does not apply to those activities, and you should refer instead to the relevant contract, agreement or terms and conditions that apply between us.

For the avoidance of doubt:

  • We will not automatically log personal data nor link information automatically logged by other means with personal data about specific individuals
  • We will not sell your personal data to anyone
  • We will not share your personal data with anyone without your expressed permission unless permitted or required to do so by law
  • We will co-operate with you to enable you to speedily exercise your rights over your personal data


The controller responsible for your personal data collected via this and associated websites is Exigia Ltd.

If you have any concerns, we would like to know about them and have the opportunity to deal with them.

We encourage you to contact us first so that we can try to help you. Please contact us at:


Post: Exigia Ltd., 124 City Road, London EC1V 2NX

Please mark you correspondence for the attention of the Data Protection Officer.

If you do not think we are handling your personal data adequately, you have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, are available from the Information Commissioner (see below).

In order to comply with current legislation, The Company maintains a Data Protection Act, 2018 Registration No. ZA019088. Further information is available at the Information Commissioner's website.