Effective Date: 24 May 2026
Last Updated: 24 May 2026
Version: 2

This Privacy Policy explains how Assured Consultancy Services Ltd collects, uses, stores, shares and protects personal data. It also explains the rights individuals have in relation to their personal data and how to contact us or raise a complaint. We aim to be clear, practical and transparent, reflecting the same people-first approach we take in our consultancy work.

This policy is intended for visitors to our website, prospective clients, clients, suppliers, business contacts, training participants, event attendees, professional partners and other people who interact with us. It also explains how we handle personal data that may be made available to us when we deliver data privacy, data security, data compliance, governance, risk, assurance, training, coaching or responsible AI consultancy services.

1. Who We Are

Assured Consultancy Services Ltd is a private limited company registered in England and Wales.

Company Number: 16543932
Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom
Trading Address: Fusion@Magna Business Centre, Magna Way, Rotherham, S60 1FE
Website: www.assuredconsultancyservices.com
General Enquiries: [email protected]
Customer Service: +44 (0) 333 772 4102
ICO Registration Reference: ZB997396 (registered 23 September 2025, expires 22 September 2026, Tier 1)

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions about this policy and our data protection compliance.
๐Ÿ“ง DPO: [email protected]

2. Our Role: Controller and Processor

We may act in different roles depending on the situation:

Controller: We decide why and how personal data is used. This usually applies to our website, enquiries, client relationship management, contracts, accounts, marketing, complaints, supplier management and our own business administration.

Processor: We process personal data on a client’s documented instructions. This may apply where a client gives us access to personal data so that we can provide consultancy, audits, assurance reviews, training support, data mapping, DPIAs, policy work, data security reviews, compliance improvement support or responsible AI services.

Independent controller or joint controller: In limited cases, we may act as an independent controller or joint controller with another organisation. Where this applies, we will make the arrangement clear in the relevant engagement terms or privacy information.

Where we act as a processor, the client is usually responsible for providing privacy information to the individuals whose personal data is included in the client materials. We will protect that data and use it only as agreed with the client and as required by law.

3. Personal Data We Collect

The personal data we collect depends on how you interact with us and which services are involved. We may collect and use:

Category Examples
Identity and contact data Name, job title, organisation, work address, email address, telephone number, social media profile or professional contact details.
Enquiry and communications data Messages sent through our website, email, telephone, social media or messaging platforms; meeting notes; call details; preferences; records of our communications.
Client and service data Information needed to provide proposals, contracts, consultancy, audits, assurance reviews, training, coaching, policy support, compliance assessments, data protection support, data security support or responsible AI services.
Project materials and client evidence Documents, policies, records of processing, data maps, risk assessments, DPIAs, breach logs, audit evidence, security questionnaire responses, screenshots, system or process descriptions and other materials supplied by a client.
Account and billing data Billing contact details, purchase orders, invoices, payment records, bank or payment references and accounting records.
Marketing and preference data Newsletter or event sign-ups, marketing preferences, consent records, opt-out records, areas of interest and engagement with our communications.
Website and technical data IP address, device identifiers, browser type, operating system, pages visited, referral sources, approximate location derived from technical data, cookie identifiers and analytics information.
Training and event data Attendance records, booking details, feedback, questions, learning needs, accessibility requirements where provided, and any materials or contributions shared during a session.
Supplier and partner data Business contact details, contract details, due diligence information, insurance or compliance information and payment records.
Recruitment or contractor data, where applicable CVs, work history, qualifications, interview notes, references, right-to-work information and information needed to assess or manage an application or engagement.

We do not intentionally collect more personal data than we need. Please do not send us special category data or criminal offence data unless it is necessary for the specific service or request and you are authorised to provide it.

4. Special Category and Criminal Offence Data

Special category data includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, sex life or sexual orientation. Criminal offence data includes information about criminal allegations, proceedings, convictions or offences.

We do not usually need this type of information for general enquiries or routine business administration. However, it may appear in client materials that we review as part of data protection, data security, compliance, audit, assurance, training, safeguarding, employment-related, complaints, incident or responsible AI consultancy work.

Where we process special category or criminal offence data as a processor, we do so on the client’s documented instructions and subject to appropriate contractual, confidentiality and security controls. Where we process such data as a controller, we will only do so where we have a lawful basis, an additional condition under data protection law and appropriate safeguards.

5. How We Collect Personal Data

We may collect your data through:

  • Directly from you, for example when you contact us, complete a form, request a proposal, attend a meeting, sign up to training or communicate with us.
  • From your organisation, employer, client, supplier or another professional contact where they involve you in a service, project, contract, event or enquiry.
  • From client systems, documents, policies, records, evidence packs or other materials supplied to us for consultancy, audit, assurance or compliance work.
  • From our website and cookie technologies, subject to your choices and our Cookie Policy.
  • From public sources, such as Companies House, professional networking platforms, public websites and social media where relevant to our business relationship or due diligence.
  • From trusted third parties, such as professional advisers, IT providers, payment providers, event platforms or other suppliers who support our business.

6. Why We Use Personal Data and Our Lawful Bases

We only use personal data where we have a lawful basis under UK data protection law. The table below explains the main purposes for which we use personal data and the lawful bases we usually rely on.

Purpose Data Used Lawful Basis
Respond to enquiries and requests Identity and contact data; enquiry and communications data Legitimate interests in responding to business enquiries and developing client relationships; steps prior to entering into a contract where relevant.
Prepare proposals, scopes of work and contracts Identity and contact data; organisation details; service requirements; communications Steps prior to entering into a contract; performance of a contract; legitimate interests in managing proposals and commercial relationships.
Deliver consultancy, audit, assurance, training, coaching, compliance, data security and responsible AI services Client and service data; project materials; communications; training/event data Performance of a contract; legitimate interests in delivering professional services; legal obligation where specific compliance duties apply; processor processing under client instructions where applicable.
Review client materials and evidence for data privacy, data security, data compliance or responsible AI projects Project materials and client evidence, which may include personal data supplied by the client Performance of a contract; legitimate interests in providing consultancy and assurance services; processor processing under client instructions where applicable.
Manage client relationships and service quality Contact details; communications; feedback; service records Legitimate interests in maintaining relationships, improving services and managing our business; performance of a contract.
Provide service communications Contact details; communications; contract and service data Performance of a contract; legitimate interests in keeping clients informed about services, meetings, deliverables and operational matters.
Process invoices, payments, accounts and tax records Account and billing data; contract records; payment references Legal obligation; performance of a contract; legitimate interests in managing payments and financial records.
Meet legal, regulatory, insurance and professional obligations Relevant identity, contact, contract, service, billing, complaint and compliance information Legal obligation; legitimate interests in protecting our business, clients and legal rights.
Handle complaints, data protection requests and disputes Identity information; communications; relevant service, contract or complaint records Legal obligation; legitimate interests in resolving issues and defending or exercising legal rights.
Protect our website, systems, confidential information and business Technical data; audit logs; security records; access information Legitimate interests in security, fraud prevention, business continuity and protecting personal data; legal obligation where applicable.
Send marketing, insights, event invitations or updates Contact details; marketing preferences; consent and opt-out records; engagement data Consent where required; legitimate interests for appropriate business-to-business marketing; soft opt-in where legally available; compliance with PECR and direct marketing rules.
Use cookies and analytics Website and technical data; cookie identifiers; consent choices Consent where required; legitimate interests for strictly necessary or low-risk site operation and security, subject to applicable cookie rules.
Assess applications from employees, contractors or associates, where applicable Recruitment or contractor data; communications; references; due diligence information Steps prior to entering into a contract; legitimate interests in assessing suitability; legal obligation for right-to-work or other checks where applicable.

Where we rely on legitimate interests, we consider and balance our interests against the rights, freedoms and expectations of the individuals affected. You can object to processing based on legitimate interests at any time; see section 14.

7. Marketing and Communications

We do not sell personal data. When you engage with us, complete a contact form, request information, download resources, attend an event or otherwise interact with us, we may ask whether you would like to receive updates, offers, insights, event invitations and marketing messages relevant to our services.

We may send service communications that are necessary for an enquiry, proposal, contract, project, training session or client relationship.

We may send electronic marketing where we have your consent, where the soft opt-in applies under PECR, or where another lawful basis is available for appropriate business-to-business communications. Where the soft opt-in applies, it will only be for our own similar services and we will provide a clear opt-out when we collect your details and in every marketing message.

You can withdraw consent, object to direct marketing, unsubscribe or update your marketing and communication preferences at any time by:

We will honour opt-outs and unsubscribe requests. We may retain a limited suppression record so we know not to contact you again for marketing.

8. Cookies and Website Use

Our website uses cookies and similar technologies. Some are necessary for the website to work. Others, such as analytics or marketing cookies, are used only where permitted by law and subject to your cookie choices.

For more information about the cookies we use, how long they last and how to change your choices, please see our Cookie Policy on www.assuredconsultancyservices.com.

9. Responsible Use of AI and Automation

Because we advise clients on data and responsible AI, we apply practical safeguards to our own use of AI and automation.

  • We do not use solely automated decision-making that produces legal or similarly significant effects on individuals through our website or routine business processes.
  • We do not use client confidential information or client personal data to train public AI models.
  • We will not input client personal data or confidential project material into public AI tools unless this is authorised, lawful, proportionate and covered by appropriate contractual, security and due diligence controls.
  • Where AI-assisted tools are used to support our internal work, we apply human review, data minimisation and appropriate confidentiality and security controls.

10. Who We Share Personal Data With

We share personal data only where necessary and appropriate. Recipients may include:

  • IT, hosting, email, cloud storage, secure file transfer, cyber security, website and technical support providers.
  • CRM, project management, document management, webinar, training, event, marketing or communications platforms where used.
  • Payment processors, banks, accounting software providers, accountants, bookkeepers, auditors and tax advisers.
  • Professional advisers, insurers, legal advisers and debt recovery providers where needed.
  • Associates, subcontractors or specialist consultants who support delivery of services, subject to confidentiality and data protection controls.
  • Clients, client representatives or third parties involved in a project where sharing is necessary to deliver the service and is authorised by the relevant engagement.
  • Regulators, public authorities, courts, law enforcement bodies or other organisations where required by law or necessary to protect legal rights.
  • Potential buyers, investors, professional advisers or successors if we restructure, merge, sell or transfer part of our business, subject to appropriate safeguards.

Where we use processors, we require them to protect personal data and use it only for authorised purposes. Where we work with a client as processor, the relevant data processing agreement or contract will set out the instructions, security measures, confidentiality requirements and return or deletion arrangements.

11. International Transfers

We are based in the United Kingdom. Some of our suppliers or systems may involve personal data being accessed from, stored in or transferred to countries outside the UK. Where this happens, we will use appropriate safeguards required by UK data protection law. These may include:

  • A UK adequacy regulation or decision for the destination country
  • The UK International Data Transfer Agreement or UK Addendum to EU Standard Contractual Clauses
  • EU Standard Contractual Clauses where EU GDPR is also relevant
  • Transfer risk assessments and additional technical, organisational or contractual measures where appropriate
  • Another lawful transfer mechanism permitted by data protection law

12. How Long We Keep Personal Data

We keep personal data only for as long as needed for the purposes described in this policy, including legal, accounting, regulatory, insurance, audit, complaint and dispute requirements. We may keep data for longer where this is required by law or necessary for legal claims, investigations or disputes.

Record Type Typical Retention
General enquiries and prospect records Usually up to 24 months after the last meaningful contact, unless the matter becomes a client relationship or we need to keep it longer for legal or business reasons.
Client contracts, project records and service correspondence Usually up to 6 years after the end of the client relationship or completion of the relevant service, unless a longer period is required or justified.
Client project materials where we act as processor Returned, deleted or retained according to the client contract or data processing agreement. Where no specific period is agreed, we aim to minimise retention and delete or return project materials when they are no longer needed.
Accounting, invoicing and tax records Usually 6 years from the end of the relevant financial year or accounting period, or longer if required by law.
Marketing records Until you unsubscribe, withdraw consent, object or the record is no longer needed. We may keep a limited suppression record to respect opt-outs.
Website analytics and cookie data For the period stated in our Cookie Policy or cookie consent tool.
Complaints, rights requests, disputes and legal claims For as long as needed to handle the matter and usually up to 6 years afterwards, unless a longer period is required or justified.

13. How We Keep Personal Data Secure

We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are proportionate to the nature of the data, the risks involved and the services we provide, and include:

  • Access controls, least-privilege permissions and role-based access where appropriate
  • Multi-factor authentication and password controls where available and appropriate
  • Encryption, secure transfer and secure storage measures where appropriate
  • Device security, endpoint protection and patching controls
  • Backups, resilience and business continuity arrangements
  • Supplier due diligence and contractual data protection obligations
  • Confidentiality obligations for staff, associates and subcontractors
  • Data minimisation and secure disposal processes
  • Incident response procedures for suspected personal data breaches
  • Training, awareness and practical guidance for people handling personal data

No system can be guaranteed to be completely secure. If we identify a personal data breach, we will assess it promptly and notify affected individuals, clients and/or the Information Commissioner’s Office where required by law or contract.

14. Your Data Protection Rights

Depending on the circumstances, you may have the following rights under UK data protection law:

Right What It Means
Access You can ask for confirmation that we use your personal data and request a copy of it.
Rectification You can ask us to correct inaccurate or incomplete personal data.
Erasure You can ask us to delete personal data in certain circumstances.
Restriction You can ask us to restrict the use of personal data in certain circumstances.
Objection You can object to processing based on legitimate interests. You can always object to direct marketing.
Portability You can ask for certain personal data to be provided in a structured, commonly used and machine-readable format.
Withdraw consent Where we rely on consent, you can withdraw it at any time. This will not affect processing already carried out before withdrawal.
Automated decision-making You have rights relating to solely automated decisions that have legal or similarly significant effects. We do not currently carry out this type of decision-making in routine business processes.

To exercise any of these rights, contact our DPO at [email protected]. You may also email [email protected] or call our customer service team on 0333 772 4102. We may need to verify your identity before responding. We usually respond within one month. If a request is complex or you have made several requests, we may extend the response period where the law allows and will let you know.

There may be situations where we cannot fully comply with a request, for example where we need to keep information for legal, regulatory, accounting, contractual, security or legal claims reasons, or where the request relates to data we process on a client’s instructions. Where this applies, we will explain our position as far as we can.

15. Complaints

We aim to provide excellent service and take complaints seriously. If you are unhappy with how we have handled your personal data or services, please contact us so we can try to resolve the matter.

๐Ÿ“ง Privacy / DPO: [email protected]
๐Ÿ“ง Service complaints: [email protected]
๐Ÿ“ง General enquiries: [email protected]
๐Ÿ“ž Phone: +44 (0) 333 772 4102
๐Ÿ“ฎ Post: Assured Consultancy Services Ltd, Fusion@Magna Business Centre, Magna Way, Rotherham, S60 1FE

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.
๐Ÿ”— www.ico.org.uk | ๐Ÿ“ž 0303 123 1113 | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16. Children

Our website and services are intended for organisations and business contacts, not for children. We do not knowingly collect personal data from children through our website. If you believe a child has provided personal data to us, please contact us so we can review and take appropriate action.

17. Third-Party Websites and Platforms

Our website or communications may contain links to third-party websites, social media pages or platforms. We are not responsible for the privacy practices of those third parties. You should read their privacy information before providing personal data to them.

18. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, systems, suppliers, legal requirements or good practice. The latest version will be published on our website. Significant changes may also be communicated directly where appropriate.

Contact Us

Assured Consultancy Services Ltd
Fusion@Magna Business Centre, Magna Way, Rotherham, S60 1FE
๐Ÿ“ง [email protected]
๐Ÿ“ž +44 (0) 333 772 4102
๐Ÿ”— www.assuredconsultancyservices.com