Privacy Page Header

Privacy Notice

We are Exigia Ltd – a small consultancy company, based in the UK, which specialises in providing a range of services for SME clients, including support for information governance compliance, cyber security compliance and a range of web services.

Most of our clients are UK organisations working in the health and social care sector, either within the NHS, supporting it or supplying it. We also serve charities, local government organisations such as parish councils, small businesses and individuals.

This is our Privacy Notice that describes how we handle personal data. It was last updated on 25 March 2023.

The personal data we collect varies depending on the relationship we have with the data subjects and how we interact with them. It may include the following:

General identification and contact information

We may collect names, address, phone numbers, email addresses, IP addresses, passwords, ages, genders and dates of birth.

Financial information

We may collect names, bank account numbers and sort codes. For example, we may need these details to pay suppliers or issue clients with refunds.

Device information

We may collect some technical information from devices and applications used to access our web services (e.g. computers, mobiles, tablets, smart speakers, web browsers etc. This might include IP addresses and device IDs.

Marketing preferences

We may collect information on how clients access and use our services, for example the pages or articles read.

Information if you communicate with us

We may collect the names, location and a summary of messages or opinions expressed by enquirers and clients who call, text, email, chat online, videoconference or otherwise communicate with us. Please note that depending on what is said, this may include confidential information.

Location information

We may ask for addresses in order to offer services and exchange information. We may also collect our contact’s general geographic locations based on IP addresses.

Information on activities etc.

When we are contacted via a form or comment, noticeboard, blog or other website facility, we may use the data you answer an enquiry or provide services. We will record details of answers supplied and services provided.

We collect contact details, records and attainments of students attending our online courses. Where students are sponsored by an organisation or employer, we will be acting on their behalf as a processor and they will have access to the information we hold about their students.

We do not normally collect any sensitive personal data (unless it is provided voluntarily), and will, in any event, ask for express consent to hold this information if we need to do so.

We ask  that enquirers and users of our services do not submit sensitive information if they do not wish us to collect it.

We may obtain additional information from trusted third parties and public sources.


We need to have a valid purpose to use personal data. This is called a “lawful basis for processing”. We process personal data for the following lawful bases:
  • We may use your personal data if we have your consent. We rely on consent for the following:
  • to enable you to login to your account
  • to tell you about products, events, services and promotions that we or our third party partners are offering
  • for marketing purposes
  • to send you notifications on your device if you have selected them

You have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.
We may process your data when we need to fulfil a contract with you.
Legitimate Interest
We process your data when it is in our legitimate interest to do this and when these interests are not overridden by your data protection rights. Our legitimate interests include being able to:
  • improve our content, products, services and customer experiences by monitoring your use of our services and working with our suppliers to improve the products and services we offer or develop new content and services
  • create profiles for targeted advertising and marketing opportunities
  • ensure the security and integrity of our services
  • ensure that our websites and apps operate effectively
  • protect clients and other individuals and maintain their safety, health and welfare
  • undertake market research
  • deal with your requests, complaints and enquiries
  • deliver targeted advertising about our services to you when you visit our websites
Legal and regulatory obligations
We may process your personal data to comply with our legal and regulatory obligations e.g. taxation, preventing, investigating and detecting crime, fraud or anti-social behaviour and to comply with actions taken by law enforcement agencies.
Our service providers (processors)

We may pass personal data to our external third-party service providers; companies who act either as our (data) processors or in exceptional cases as data controllers in their own right e.g. some professional advisors.

Our providers may include:

    • ,accountants, auditors, lawyers, insurance companies and other professional advisors
    • IT systems, support and hosting service providers
    • printing, advertising, marketing, market research and analysis service providers
    • website analytics, technical engineers, data storage and cloud providers and similar third party vendors and outsourced service providers that assist us in carrying out business activities

These third parties (and any subcontractors they are be permitted to use) are legally obliged not to share, use or retain your personal data for any purpose other than as necessary for the provision of our services.

For further information on our processors and sub-processors, please refer to the list of our Data Processors.

Government authorities

As required by law or regulation

Other third parties


Our services are not directed towards individuals under the age of 18.

We do not knowingly use or process the personal data of children under 13 years of age for our own purposes as a controller, but may do so as a processor on behalf of a client.

We hold personal data for different purposes and the length of time we keep it will vary depending on the services or products we are providing.

We only keep data for a reasonable period of time, which is based on the purpose for which we are using it. Once that purpose has been fulfilled, we will securely delete that data or anonymise it (so that neither we, nor anyone else, can tell that the data relates to the original data subject) unless we are required to retain the data longer for legal, tax or accounting reasons.

To determine how long we store personal data, we always use these principles

  • we think about what type of information it is, the amount collected, how sensitive or intrusive it might be and any legal requirements
  • we will not hold personal data any longer than we need to or have to


Personal data supplied to us is generally stored and kept inside the United Kingdom.

However, due to the nature of our business and the technologies required, personal data may sometimes be transferred to third party service providers outside the UK. This is nearly always within the EEA or other countries considered ‘adequate’ in data protection terms by the UK as we are aware that countries without an ‘adequacy’ status may not have the same level of data protection laws and have a lower level of protection.

In the unlikely event that we need to transfer personal data to such countries we will take steps to ensure adequate privacy and security, including, where appropriate, data minimisation, anonymisation, pseudonymisation and encryption.

We will also undertake due diligence on the recipients and their country’s privacy laws and seek alternatives in countries that have been granted Adequacy Decisions by the UK where possible. We will place data recipients under contractual obligations to take care of personal data, for example by using UK standard contractual clauses (SCCs) or their equivalent.


Right of access
Data subjects have the right to obtain details of the personal data about them. The exercise of this right leads to data subject access requests.
Right to be erasure (“right to be forgotten”)
Data subjects have the right to be forgotten.
Right to object and opt-out of marketing
Data subjects have the right to object to the processing of their personal data. This includes the right to object to direct marketing. Data subjects will always be given the opportunity to opt-out of further direct marketing when they receive such communications from us or can contact us as set out in the Contacting Us section below.
Right to portability
Data subjects have the right to move, copy or transfer certain personal data
Right to restrict processing
Data subjects have the right to restrict the use of their personal data in certain circumstances
Right to opt-out of automated individual decision-making (including “profiling”)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you or produces legal effects.
Exercising your rights
Data subjects wishing to submit a request in relation to any of these rights, should contact us as set out in the Contacting Us section below. Please note we may need proof of identity before we provide a response. We do not charge for requests to exercise these rights unless they are manifestly unfounded or excessive, when we may refuse to respond or charge a reasonable fee before dealing with them.

Please see our separate Cookies Notice

This Privacy Notice primarily sets out how we process personal data as a controller of that data, but at times we may process personal data controlled by others.
This is the situation, defined in data protection law, where we process personal data on behalf of a client. In such situations we are acting as a (data) processor or sub-processor* of personal data which you control. As a processor, we
  • process personal data only on the controllers’ documented instructions
  • acknowledge our duty of confidence
  • take appropriate security measures
  • respect all data subjects’ rights
  • assist controllers in complying with their duties
  • comply with controller’s requirements when we cease to act as a processor
  • employ sub-processors on our own behalf as stated and/or agreed (a list of our current processors is to be found under the About menu of this website)
* Sub-processing
When a processor, processing personal data under contract with a controller, employs a second company to do some of that processing, that second company is referred to as a sub-processor. Sub-processors
  • are bound by the same conditions that the processor employing them
  • can only act a sub-processors if the controller allows it
Note: Clients should refer to our Terms and Conditions or their contracts with us for the terms under which we act as a processor.

For the avoidance of doubt:

  • We will not automatically log personal data nor link information automatically logged by other means with personal data about specific individuals
  • We will not sell personal data to anyone
  • We will not share personal data with anyone without expressed permission unless permitted or required to do so by law
  • We will not use fonts on our website that are hosted by Google (or anyone else) – All our fonts are stored on our website to prevent visitor IP addresses being sent to Google who would use them to serve their font files; potentially breaching the UK GDPR/EU GDPR
  • We will co-operate with data subjects to enable them to speedily exercise their rights over their personal data


The controller responsible for personal data collected via this and associated websites and associated business transactions is Exigia Ltd. If you have any concerns about his Privacy Notice or any other personal data or data protection issue, we would like to know about them and have the opportunity to deal with them.

We encourage you to contact us first so that we can try to help you. Please contact us at:


Post: Exigia Ltd., 124 City Road, London EC1V 2NX

Please mark your correspondence for the attention of the Data Protection Officer.

If you do not think we are handling your personal data adequately, you have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, are available from the Information Commissioner (see below).

In order to comply with current legislation, The Company maintains a Data Protection Act, 2018 Registration No. ZA019088. Further information is available at the Information Commissioner’s website.


Skip to content