Privacy Policy

How we handle personal data. Last updated 11 May 2026.

This Privacy Policy explains how GIVE Consultancy Limited (registered in England and Wales, company number 12082559; registered office Brook House, Brook Farm Close, Buckingham, Buckinghamshire, MK18 4FE, United Kingdom) ("we", "us", "our") collects, uses, stores and protects personal data. We are the data controller of personal data collected through this website and during the course of our engagements.

Questions or requests relating to your personal data should be sent to privacy@giveconsultancy.co.uk.

1. Who we are and how to contact us

Data controller: GIVE Consultancy Limited. Registered office: Brook House, Brook Farm Close, Buckingham, Buckinghamshire, MK18 4FE, United Kingdom. Company number: 12082559.

Primary contact for data-protection matters: privacy@giveconsultancy.co.uk. General contact: hello@giveconsultancy.co.uk.

Our ICO registration number is currently being processed and will be published here once confirmed.

2. What personal data we collect

We collect personal data in the following circumstances:

Contact form submissions
  • First name and last name
  • Email address
  • Company or organisation name (optional)
  • Sector and service interest (optional)
  • Subject and the content of your message
  • Your IP address and browser user-agent (for spam protection)
  • The page you submitted from (for context)
  • A reCAPTCHA score from Google (used to reject automated abuse)

Newsletter signups
  • Email address
  • A confirmation token (used to verify your subscription via the double-opt-in flow)
  • Your IP address at the time of signup

Engagement data

During the course of a paid engagement we may also process additional personal data that you or your organisation provides to us. The terms of any such processing are set out in the engagement contract (or accompanying data-processing agreement).

Technical data

Our web server logs limited technical data for each request (IP address, request path, response status, user-agent, timestamp) for the purpose of security and availability monitoring. These logs are retained for ninety days and are not shared with third parties except where required by law.

3. Legal basis for processing

Processing activity | Lawful basis (UK GDPR Article 6)
Responding to your contact-form enquiry | Legitimate interest (to engage with people who have asked us to)
Performing a paid engagement | Performance of a contract
Newsletter delivery | Consent (double opt-in; you can unsubscribe at any time)
Security logging and spam protection | Legitimate interest (to keep the service secure and available)
Storing essential cookies | Strictly necessary for the service you have requested
Statutory record retention | Legal obligation (UK accounting, tax and company law)

4. How long we keep personal data

Data category | Retention period
Contact-form leads (active) | Up to three years from last activity, then reviewed and deleted
Contact-form leads (marked deleted) | Hard-deleted thirty days after soft-deletion
Newsletter subscribers (confirmed) | Until you unsubscribe, plus thirty days for unsubscribe processing
Newsletter signups (unconfirmed) | Twenty-four hours, then deleted
Email-queue (transient) | Seven days after send or final failure, then deleted
Web server access logs | Ninety days, then deleted
Rate-limit logs | Ninety days, then deleted
Engagement records (commercial) | Six years after engagement end (UK Companies Act and HMRC requirements)

5. How we store and secure personal data

Personal data is stored on UK-located servers operated by us under our own administrative control. Sensitive data (names, email addresses, the content of contact-form messages) is encrypted at the column level using authenticated encryption (AES-256-GCM) with a key hierarchy that keeps key material separate from the encrypted data. Access to production systems is restricted to named administrators using a dedicated administrative network path.

All public website traffic is served over HTTPS with HTTP Strict Transport Security enforced at the browser level. The website applies Content-Security-Policy, X-Content-Type-Options, Referrer-Policy and Permissions-Policy headers to mitigate common web threats.

6. Who we share personal data with

We share personal data only with the following categories of processor, and only to the minimum extent necessary:

  • Email delivery provider: a UK-based SMTP host used to send transactional emails (contact-form notifications, acknowledgements, newsletter confirmation). Recipient address and message content are transmitted to this provider.
  • Google reCAPTCHA: used to score whether a contact-form or newsletter signup is automated. Your IP address and browser fingerprint are sent to Google for this assessment. See Google's Privacy Policy and Terms of Service.
  • Google Analytics 4 (consent-gated): if you have consented via our cookie notice, anonymised page-view and event data is sent to Google Analytics for aggregate audience and behaviour analysis. We do not enable Google's advertising features and we do not share data with Google for advertising purposes.

We do not sell personal data. We do not share it with marketing networks, data brokers, or third parties for their own purposes. We will disclose personal data where we are legally required to do so (for example, in response to a valid court order or regulator request).

7. International transfers

Some of our processors (Google in particular) are based in the United States. Such transfers are made under the UK Extension to the EU-US Data Privacy Framework and the UK International Data Transfer Agreement, both of which provide an adequate level of protection for personal data leaving the United Kingdom.

8. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access: obtain a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): ask us to delete your personal data, subject to statutory retention obligations.
  • Right to restriction of processing: ask us to limit how we use your data while a query is resolved.
  • Right to data portability: receive a copy of your data in a machine-readable format.
  • Right to object: object to processing based on legitimate interests (including direct marketing, although we do not undertake direct marketing).
  • Rights related to automated decision-making: we do not make decisions about you solely by automated means.
  • Right to withdraw consent: where processing relies on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing.

To exercise any of these rights, please email privacy@giveconsultancy.co.uk. We will respond within one calendar month, and may ask for proof of identity before releasing information.

9. Children

This website is not directed at children under sixteen and we do not knowingly collect personal data from children. If you believe we have, please contact us and we will delete the relevant data.

10. Complaints

If you are not satisfied with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone 0303 123 1113. Website ico.org.uk.

We would appreciate the opportunity to address your concern directly first; please email privacy@giveconsultancy.co.uk before raising a complaint with the ICO.

11. Changes to this policy

We review this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date at the top of this page. Where required by law, we will notify users directly.