Privacy Policy
Companion Group - Privacy Notice
Last updated: March 2026
Companion Group Ltd (CRN 14384045) ("we", "us" or "our") understands that protecting your personal data is important. This Privacy Notice sets out our commitment to protecting the privacy of personal data provided to us, or otherwise collected by us, when providing our website and software development services ("Services") or when otherwise interacting with you.
It is important that you read this Privacy Notice together with any other detailed privacy notices we may provide when we are collecting or processing personal data about you, so that you understand our privacy practices in relation to your data.
This Privacy Notice has been prepared in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the Data (Use and Access) Act 2025 ("DUAA"), and the Privacy and Electronic Communications Regulations 2003 ("PECR").
1. Data Protection Contact
We have appointed a data protection lead who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact:
Data Protection Lead: James Umstot (CTO)
Email:[email protected]
Companion Group Ltd (CRN 14384045)
2. The Information We Collect
Personal information is information that relates to an identified or identifiable individual. We may collect, use, store and disclose different kinds of personal data about you, which we have grouped together as follows:
- Identity Data: first name, last name, title.
- Contact Data: billing address, delivery address, email address and telephone number.
- Financial Data: bank account and payment card details (processed through our third-party payment processor).
- Transaction Data: details about payments to and from you, and other details of products and services you have purchased from us or we have purchased from you.
- Technical and Usage Data: internet protocol (IP) address, browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and browsing behaviour, information about your access and use of our website (including through the use of cookies), your communications with our website, the type of browser and operating system you are using, and the domain name of your internet service provider.
- Profile Data: your interests, preferences, feedback and survey responses.
- Marketing and Communications Data: your preferences in receiving marketing from us and your communication preferences.
- Professional Data: where you are a worker of ours or applying for a role with us, your professional history such as your previous positions and professional experience.
- Special Categories of Personal Data: this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership,
3. How We Collect Personal Information
We collect personal data in a variety of ways, including:
- Directly: We collect personal information which you directly provide to us, including through the "contact us" form on our website, when you discuss entering into a contract with us for our provision of Services (and where you sign a contract with us), or when you request our assistance via email or over the telephone.
- Indirectly: We may collect personal information which you indirectly provide to us while interacting with us, such as when you use our website, in emails, over the telephone and in your online enquiries.
- From third parties: We collect personal information from third parties, such as from your employer where they provide your details when we work on a project with you. Where we are providing our Services to a client, we may come across your personal data if they store it in systems that they share with us.
- From publicly available sources: We collect data from publicly available resources such as Companies House and professional networking sites such as LinkedIn.
- Through automated technologies: As you interact with our website, we may automatically collect Technical and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and similar technologies. Please see Section 10 below for further details.
4. Purposes and Legal Bases for Processing
We collect and process personal data about you only where we have legal bases for doing so under applicable laws. The table below describes the ways we use your personal data and the legal bases we rely on.
We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need further details about the specific legal ground we are relying on.
| Purpose of Use | Type of Data | Legal Basis |
|---|---|---|
| To provide our Services to you. | Identity Data, Contact Data | Performance of a contract with you. |
| To contact and communicate with you about our Services, including in response to any enquiries you make with us. | Identity Data, Contact Data, Profile Data | Performance of a contract with you. |
| To contact and communicate with you about any enquiries you make with us via our website. | Identity Data, Contact Data | Legitimate interests: to ensure we provide the best client experience by answering all of your questions. |
| For internal record keeping, administrative, invoicing and billing purposes. | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a contract with you; to comply with a legal obligation; legitimate interests: to recover debts due to us and ensure we can notify you about administrative matters. |
| For analytics, market research and business development, including to operate and improve our Services, associated applications and associated social media platforms. | Technical and Usage Data | Legitimate interests: to keep our website updated and relevant, to develop our business, improve our Services and to inform our marketing strategy. |
| For advertising and marketing, including to send you information that we consider may be of interest to you. | Identity Data, Contact Data, Technical and Usage Data, Profile Data, Marketing and Communications Data | Legitimate interests: to develop our Services and grow our business. You can opt out of marketing at any time (see Section 8). |
| If you have applied to work with us, to consider your application. | Identity Data, Contact Data, Professional Data | Legitimate interests: to consider your application. |
| To comply with our legal obligations or if otherwise required or authorised by law. | As required by the obligation in question. | To comply with a legal obligation; recognised legitimate interests (where applicable under DUAA Annex 1, e.g., crime prevention, safeguarding, national security). |
Consent: If you have consented to our use of data about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.
Legitimate interests: Where we are using your data because we or a third party have a legitimate interest to do so, you have the right to object to that use, though in some cases this may mean we can no longer provide our Services to you.
5. Our Disclosures of Personal Information to Third Parties
We may disclose personal information to:
- Our employees, contractors and related entities.
- IT service providers, data storage, web-hosting and server providers.
- Analytics providers, including Google (see Section 10).
- Professional advisors, bankers, auditors, our insurers and insurance brokers.
- Payment systems operators.
- Our existing or potential agents or business partners.
- Anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred.
- Courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you.
- Courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights.
- Any other third parties as required or permitted by law, such as where we receive a subpoena.
6. Overseas Transfers
Where we disclose personal data to the third parties listed above, these third parties may store, transfer or access personal data outside of the United Kingdom. Where we transfer your personal data outside of the United Kingdom, we will ensure that we do so using appropriate safeguards in accordance with the requirements of applicable data protection laws and we will protect the transferred personal data in accordance with this Privacy Notice. This includes:
- Only transferring your personal data to countries that have been deemed by applicable data protection laws to provide an adequate level of protection for personal data;
- Including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other approved transfer mechanisms in our agreements with overseas third parties.
7. Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
The following are our standard retention periods:
| Data Category | Retention Period |
|---|---|
| Client contract and project data (Identity, Contact, Transaction Data) | Duration of the contract plus 6 years after termination (in line with the Limitation Act 1980). |
| Financial and tax records (Financial Data, Transaction Data) | 6 years from the end of the financial year to which they relate (in line with HMRC requirements). |
| Marketing contacts (Identity, Contact, Marketing and Communications Data) | Until you unsubscribe or withdraw consent; reviewed annually and removed after 2 years of inactivity. |
| Job applicant data (Identity, Contact, Professional Data) | 6 months after the conclusion of the recruitment process, unless you consent to us retaining your details for future opportunities. |
| Website analytics data (Technical and Usage Data) | 26 months (in line with Google Analytics default retention settings). |
| Enquiry and correspondence records | 2 years from the date of last correspondence, unless the enquiry leads to a contractual relationship. |
After the applicable retention period, we will securely delete or anonymise your personal data.
8. Your Rights and Controlling Your Personal Data
Under UK data protection law, you have the following rights:
- Right of access: You may request details of the personal data we hold about you and how we process it (commonly known as a "data subject access request"). We will respond to your request within one calendar month. Where a request is complex or we receive a high volume of requests, we may extend this period by a further two months, and we will notify you if this is the case.
- Right to rectification: You have the right to have inaccurate personal data corrected or incomplete data completed.
- Right to erasure: You may request that we delete your personal data in certain circumstances (e.g., where it is no longer necessary for the purpose for which it was collected).
- Right to restrict processing: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: In certain circumstances, you may request that we transfer your personal data to you or to another organisation in a structured, commonly used, machine-readable format.
- Right to object: You have the right to object to processing based on our legitimate interests, or for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose.
- Rights related to automated decision-making: You have the right to not be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, except in limited circumstances and subject to appropriate safeguards. We do not currently carry out solely automated decision-making.
- Right to withdraw consent: Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Right to unsubscribe: To unsubscribe from our email database or opt out of marketing communications, please contact us using the details in Section 1 or use the opt-out facilities provided in the communication.
Your choice: You do not have to provide personal information to us; however, if you do not, it may affect our ability to provide our Services to you.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Notice. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.
9. Complaints
We take all complaints about our handling of personal data seriously.
How to complain: If you wish to raise a complaint about how we handle your personal data, you can contact us at:
Email: [email protected]
You may also submit a complaint through the complaints form on our website.
Our process: We will:
- Acknowledge your complaint within 30 days of receipt.
- Investigate your complaint promptly and take appropriate steps without undue delay.
- Communicate the outcome of our investigation to you in writing.
The ICO: You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. You can contact the ICO via their website at www.ico.org.uk or by calling their helpline on 0303 123 1113. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
10. Cookies
Our website uses cookies and similar technologies to distinguish you from other users. This helps us provide you with a good experience when you browse our website and also allows us to improve it.
What Are Cookies?
Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently and to provide information to the owners of the site.
Cookies We Use
| Cookie Type | Purpose | Legal Basis |
|---|---|---|
| Strictly necessary cookies | These are required for the operation of our website, such as session management and security. They cannot be switched off. | These cookies are essential and do not require consent. |
| Functional cookies | These enable enhanced functionality and personalisation, such as remembering your preferences and settings. | Under the DUAA amendments to PECR, certain functional cookies may be set without consent where they are necessary for functionality you have requested. |
| Analytics cookies (Google Analytics) | These allow us to recognise and count the number of visitors and to see how visitors move around our website, helping us improve its performance. | Under the DUAA amendments to PECR, analytics cookies used for statistical purposes may qualify for an exemption from the consent requirement. Where the exemption does not apply, we rely on your consent. |
Managing Cookies
You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.
You can also manage your Google Analytics preferences using the a Google Analytics Opt-out Browser Add-on.
11. Children's Data
Our website and Services are directed at businesses and professionals, and we do not intentionally collect personal data from children under the age of 18. However, as our website is publicly accessible, we recognise that children may access it.
In accordance with the Data (Use and Access) Act 2025 and the ICO's Age Appropriate Design Code, where we become aware that we have collected personal data from a child, we will take steps to delete that data as soon as reasonably practicable, unless we have a lawful basis for retaining it. We are committed to taking children's higher protection matters into account in the design and operation of our website.
12. Storage and Security
We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.
While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk.
13. Links to Other Websites
Our website may contain links to other parties' websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Notice.
14. Amendments
We may change this Privacy Notice from time to time. We will notify you if we make a significant change to this Privacy Notice by contacting you through the contact details you have provided to us and by publishing an updated version on our website.
Any changes will be effective from the date the updated Privacy Notice is published on our website, unless stated otherwise.
15. Contact Us
For any questions, notices or requests regarding this Privacy Notice or your personal data, please contact us:
Companion Group Ltd (CRN 14384045)
Data Protection Lead: James Umstot (CTO)
Email: [email protected]
© Companion Group Ltd. All rights reserved 2026