Privacy Policy

1. Introduction and Controller Information

Serqet ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: Serqet is the data controller responsible for processing personal data collected through our services and website.

This Privacy Policy applies to personal data processed when you engage our services, visit our website, or otherwise interact with Serqet. By using our services or providing personal information, you acknowledge that you have read and understood this Privacy Policy.

2. Personal Data We Collect

We collect and process various types of personal data depending on your interaction with us:

2.1 Information You Provide Directly:

• — Contact Information: Name, business name, email address, phone number, postal address
• — Professional Information: Job title, company details, professional background, business requirements
• — Communication Data: Consultation requests, project specifications, feedback, correspondence, meeting notes
• — Financial Information: Billing details, payment information, invoice history (processed securely through third-party payment processors)
• — Project Data: Business processes, technical requirements, system information, documentation provided for service delivery

2.2 Information Collected Automatically:

• — Website Usage Data: IP address, browser type and version, device information, operating system
• — Analytics Data: Pages viewed, time spent on pages, navigation paths, referring websites, click patterns
• — Technical Data: Cookies, session identifiers, log files, error reports

2.3 Information from Third Parties:

• — Professional references and recommendations
• — Publicly available business information from professional networks and databases
• — Information from business partners and associates (with appropriate consent)

3. Legal Basis and Purposes for Processing

We process personal data only where we have a lawful basis under UK GDPR. The legal bases and purposes include:

3.1 Contract Performance (Article 6(1)(b) UK GDPR):

• — Processing consultation requests and engaging in pre-contractual discussions
• — Delivering professional services under Engagement Agreements
• — Managing projects, providing deliverables, and fulfilling contractual obligations
• — Handling payments, invoicing, and financial administration
• — Communicating about projects and service delivery

3.2 Legitimate Interests (Article 6(1)(f) UK GDPR):

• — Operating and improving our business operations and services
• — Website administration, security, and technical functionality
• — Business analytics, market research, and service development
• — Marketing communications to existing clients about similar services
• — Fraud prevention, security monitoring, and risk management
• — Exercising or defending legal claims
• — Internal record-keeping and quality assurance

3.3 Legal Obligation (Article 6(1)(c) UK GDPR):

• — Compliance with tax, accounting, and financial regulations
• — Responding to lawful requests from authorities
• — Meeting statutory retention requirements
• — Anti-money laundering and due diligence obligations

3.4 Consent (Article 6(1)(a) UK GDPR):

• — Marketing communications where consent is required
• — Use of non-essential cookies and tracking technologies
• — Processing special categories of data (if applicable)
• — Any processing not covered by other lawful bases

You may withdraw consent at any time, though this does not affect the lawfulness of processing based on consent before withdrawal.

4. How We Use Your Personal Data

We use personal data collected for the following purposes:

• — Service Delivery: Providing consulting, development, and implementation services; managing projects; delivering solutions; providing support and maintenance
• — Communication: Responding to inquiries; providing project updates; sending service-related notifications; maintaining client relationships
• — Business Administration: Contract management; invoicing and payment processing; financial record-keeping; resource allocation
• — Service Improvement: Analysing service performance; gathering feedback; developing new offerings; improving methodologies and processes
• — Marketing: Sending information about services and updates (with appropriate consent or legitimate interest); maintaining marketing lists; analysing marketing effectiveness
• — Legal and Compliance: Complying with legal obligations; establishing, exercising, or defending legal claims; preventing fraud and protecting against security threats
• — Website Operations: Operating and securing our website; providing requested functionality; analysing usage patterns; troubleshooting technical issues

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We share personal data only in the following circumstances:

5.1 Service Providers and Processors:

We engage trusted third-party service providers who process personal data on our behalf under strict contractual obligations:

• — Cloud hosting and infrastructure providers
• — Payment processors and financial services
• — Communication and email service providers
• — Analytics and website performance services
• — Project management and collaboration tools
• — Professional advisors (legal, accounting, insurance)

All processors are carefully selected and required to implement appropriate security measures and process data only according to our instructions.

5.2 Legal and Regulatory Authorities:

We may disclose personal data when required by law or to:

• — Comply with legal obligations, court orders, or regulatory requests
• — Enforce our Terms of Service or protect our legal rights
• — Prevent fraud, security threats, or illegal activities
• — Protect health, safety, or vital interests of individuals

5.3 Business Transfers:

If Serqet undergoes a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals and ensure the transferee maintains equivalent data protection standards.

5.4 With Your Consent:

We may share personal data with third parties where you have provided specific consent for such disclosure.

6. International Data Transfers

Our primary operations are in the United Kingdom. However, some service providers may process data outside the UK or European Economic Area (EEA). When transferring personal data internationally, we ensure adequate protection through:

• — UK GDPR adequacy decisions for countries with equivalent protection
• — Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
• — Binding Corporate Rules or other approved transfer mechanisms
• — Appropriate safeguards ensuring data protection equivalent to UK standards

You may request information about specific safeguards applied to international transfers by contacting us at privacy@serqet.co.uk.

7. Data Security

We implement comprehensive technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction:

7.1 Technical Security Measures:

• — Encryption of data in transit (TLS/SSL) and at rest
• — Secure authentication and access controls
• — Regular security testing and vulnerability assessments
• — Firewall protection and intrusion detection systems
• — Secure backup and disaster recovery procedures
• — Regular software updates and security patching

7.2 Organisational Security Measures:

• — Confidentiality agreements for all personnel with access to personal data
• — Role-based access controls limiting data access to authorised personnel
• — Data protection training for employees and contractors
• — Regular security awareness programmes
• — Incident response and breach notification procedures
• — Vendor security assessments and due diligence

7.3 Data Breach Notification:

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours of discovery, as required by UK GDPR. Notifications will include the nature of the breach, likely consequences, and measures taken to address it.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations:

8.1 Retention Periods:

• — Client Data: Retained for the duration of the engagement plus six (6) years for legal and tax compliance purposes
• — Financial Records: Retained for seven (7) years as required by UK tax and accounting regulations
• — Communications: Retained for three (3) years unless required for ongoing projects or legal matters
• — Marketing Data: Retained until consent is withdrawn or three (3) years of inactivity
• — Website Analytics: Aggregated data retained for two (2) years; identifiable data for six (6) months
• — Legal Claims: Data relevant to legal proceedings retained until resolution plus applicable limitation periods

8.2 Secure Disposal:

When personal data is no longer required, it is securely deleted or anonymised using industry-standard methods to prevent recovery or reconstruction. Physical records are securely destroyed through cross-cut shredding or incineration.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15): You have the right to request copies of your personal data and information about how it is processed.

9.2 Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (Article 17): You have the right to request deletion of personal data in certain circumstances, including:

• — Data no longer necessary for the purpose collected
• — Withdrawal of consent (where consent is the legal basis)
• — Objection to processing (where legitimate interest is the legal basis)
• — Personal data processed unlawfully
• — Compliance with legal obligations

9.4 Right to Restriction of Processing (Article 18): You have the right to request limitation of processing in certain circumstances, such as:

• — Contesting accuracy of personal data (pending verification)
• — Processing is unlawful but you prefer restriction over erasure
• — Data no longer needed by Serqet but required for legal claims
• — Objection to processing (pending assessment of legitimate grounds)

9.5 Right to Data Portability (Article 20): You have the right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller where:

• — Processing is based on consent or contract performance
• — Processing is carried out by automated means

9.6 Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.7 Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Serqet does not currently engage in automated decision-making of this nature.

9.8 Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

9.9 Exercising Your Rights:

To exercise any of these rights, please contact us at:

We will respond to requests within one (1) month, though this may be extended by two (2) months for complex requests. We may request additional information to verify your identity before fulfilling requests. Most rights can be exercised free of charge, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance functionality and analyse usage patterns.

10.1 Types of Cookies We Use:

• — Essential Cookies: Necessary for website operation and security (cannot be disabled)
• — Functional Cookies: Enable enhanced functionality and personalisation
• — Analytics Cookies: Help us understand website usage and improve performance
• — Marketing Cookies: Track effectiveness of marketing campaigns (require consent)

10.2 Managing Cookies:

You can control cookies through your browser settings and our cookie consent tool. Disabling certain cookies may affect website functionality. Most browsers allow you to:

• — View and delete cookies
• — Block third-party cookies
• — Block all cookies
• — Delete cookies when closing the browser

For detailed cookie information and management options, please refer to our Cookie Policy or contact us at privacy@serqet.co.uk.

11. Children's Privacy

Our services are intended for business and professional use only. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete it promptly. Parents or guardians who believe we may have collected data from a minor should contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or business operations. Material changes will be notified through:

• — Prominent notice on our website
• — Email notification to active clients
• — Direct communication for significant changes affecting your rights

The "Last Updated" date at the top of this policy indicates when changes were last made. We encourage you to review this policy periodically to stay informed about how we protect your personal data.

Continued use of our services following notification of changes constitutes acceptance of the updated Privacy Policy. If you disagree with changes, please discontinue use of our services and contact us to discuss data deletion.

13. Complaints and Regulatory Authority

We are committed to resolving privacy concerns fairly and promptly. If you have complaints about our data processing practices, please contact us first:

We will investigate complaints and respond within thirty (30) days. If you remain unsatisfied with our response or believe we have breached data protection laws, you have the right to lodge a complaint with the supervisory authority:

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact:

This Privacy Policy was last updated on October 4, 2025 and is effective immediately.