Privacy Policy

Last updated: 06 December 2021

Introduction

At Indigo House we are committed to protecting personal data and to fair and transparent processing, in accordance with the UK GDPR and the Data Protection Act 2018. Please read this privacy notice: it will help you to understand how we collect and use personal data from individuals, our clients, suppliers or others during the course of our business. We will only use personal data for the purposes described in this privacy notice or as stated at the point of collection.

We regularly review this privacy notice and may make changes at any time.

Who we are

We are The Indigo House Group Ltd (Indigo House)- company registration number SC544395. Our registered office is 15 Lauriston Place, Edinburgh, EH3 9EP. We are registered as a data controller with the registration number ZA276858.

Our lawful basis for processing

We rely on several lawful basis of processing when we collect and use personal data to operate our business and provide products and services to our clients. These include:

Performance of a task in the public interest – where the processing of data is necessary for providing certain services to our clients.
Legal obligations – in order to comply with the legal and regulatory obligations we are subject to as a provider of consultancy services and as a commercial business.
Legitimate interests – the legitimate interests can be ours, our clients or other third parties (eg to provide our services, to develop or protect our business, or to keep people informed about relevant products and services) and we always balance the rights of individuals with ours’ and others’ legitimate interests.
Consent – where an individual has freely given consent at the time their personal data was provided to us.

How and why we process your personal data

To find out more about how and why we process your personal data and from where we may get personal data about you, please visit the relevant section of this notice:

Clients and Client Services
Suppliers
Business Contacts
Visitors to our website
Our people

How we keep data secure

Security is of the upmost importance to us. We take all reasonable steps to safeguard the personal data we hold and we have in place appropriate technical and organisational measures. These include detailed policies, procedures and training of our people relating to data protection, confidentiality and information security. These are regularly reviewed to ensure they are effective and fit for purpose.

Who we share data with

We only share personal data with others when absolutely necessary and where appropriate contractual arrangements and security mechanisms are in place. We will only share your personal data in compliance with data protection law.

We will pass your personal data to:

Suppliers that support us and help provide services to our clients, such as providers of IT systems, security, archiving storage and destruction, recruitment, due diligence and background checks, marketing and payment services.
Professional advisors, auditors or insurers, where we are required by law or as reasonably required in the management of our business.
Law enforcement or other government and regulatory agencies or to other third parties, where we are required by law, the courts or any legal or regulatory authority we are subject to. We will only provide personal data in these circumstances where permitted or there is a legal requirement.

Whilst we store personal data on servers within the UK, in line with the above, we may need to transfer personal data outside the UK. This includes to countries that are not recognised by the Government of the UK as providing an equivalent level of protection for personal data as in the UK (also known as having adequacy). Where we do so, we ensure that appropriate measures are in place to comply with our obligations under data protection legislation. This can include entering into an agreement governing the transfer containing the ‘standard contractual clauses’ (also known as ‘model clauses’) approved for this purpose by the Government of the UK.

How long do we keep personal data?

Our standard retention policy is one year, unless otherwise agreed with our clients. In all cases, we keep personal data only for as long as necessary and this will reflect the requirements of:

the activity or service for which it is being processed
any legal, regulatory or contractual requirements
the time in which any litigation or investigations might arise from providing a service.

Typically, we collect personal data directly from our clients or from third parties acting on their instructions (eg their suppliers, professional advisors, former service providers, research participants).

Your rights

Individuals have certain rights over their personal data that we process as data controllers.

If we process your personal data and you exercise any of your rights, we will aim to respond promptly and within any required time limit. However, please note that the length of time it will take us to respond will be dependent on the nature and extent of your request. A fee will not generally be charged for exercising any of these rights; however if your requests are manifestly unfounded or excessive we reserve the right to charge a fee or, or to refuse your request.

You have a right to:

access – you can ask us for a copy of the personal data that we hold on you
rectification – if you become aware of any errors or inaccuracies concerning your personal data, please let us know either by updating your details on the website or applications you are registered with or contacting us
withdraw consent – where we process personal data based on consent, you have a right to withdraw consent at any time.
erasure/deletion – you can ask us to erase or delete your personal data when we no longer need it for the purposes it was obtained
data portability – you can ask for your personal data to be sent to you or to another organisation
automated decision making – if we make automated decisions about you, you can ask for those decisions to be reviewed
restrict or object to our processing – you can ask to restrict or object to our processing of your personal data (eg removal from a marketing subscription list).

If you wish to exercise any of your rights, please contact us.

Who to contact

If you have any questions about this privacy notice, wish to complain about our use of personal data or exercise one of your rights, in the first instance, please contact our Data Protection Director Lead:

karen.fitzsimons@indigohousegroup.com.

Our Data Protection Officer is provided by RGDP LLP and can be contacted at info@rgdp.co.uk.

You also have the right to report concerns or make complaints, in relation to how your personal data is being handled, to the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF ico.org.uk/make-a-complaint/

Clients and Client Services

Corporate and Business clients (and individuals associated with them)

We only ask our clients to share personal data with us where it is necessary in order to provide our services or other agreed purposes. We rely on our clients providing any necessary information to the individuals whose data is shared with us regarding its use.

In providing a range of services to our clients, we need to process many categories of personal data about individuals associated with them (such as employees, directors, senior management, trustees, members and their beneficiaries, professional advisors, suppliers), which could include personal identification and contact details, employment related information or financial data.

Generally for our services we do not expect our corporate and business clients to share special categories of personal data (defined as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation) and criminal records. Where this is the case, we rely on our clients having a lawful basis to share the information with us, such as having gained the explicit consent of individuals, it being a legal obligation or another lawful basis.

We use such personal data collected for the following purposes:

Providing professional services: we offer different services to our clients, and many of these services require us to process personal data in order to give advice and deliver reports to our clients.
Managing our business: in order to run our business effectively we need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer
Providing information about our services: we will use business contact details to provide information about us, our services and activities, including events that we believe will be of interest.
Complying with legal, regulatory or professional obligations: we are subject to various legal, regulatory and professional obligations that require us to keep records which will contain personal data.

Suppliers

Suppliers (and individuals associated with our suppliers)

We only process personal data about our suppliers (this includes subcontractors and any individuals associated with them) where it is necessary for us to receive goods and services, contract, manage our relationship and help provide services to our clients (where relevant).

Typically, we collect personal data directly from our suppliers but sometimes from third parties as a part of due diligence.

We use personal data in these circumstances for the following purposes:

Providing professional services: where a supplier helps us to deliver services to our clients, we process the personal data of its people involved to help manage our relationship and to deliver those services to our clients.
Managing our business: in order to run our business effectively we will need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
Providing information about our services: we will use business contact details to provide information about us, our services and activities, including events that we believe will be of interest.
Complying with legal or professional obligations: we are subject to various legal and professional obligations that require us to keep records which will contain personal data.

Business contacts

Client or prospective client contacts

We process personal data about contacts, these are existing clients, prospective clients and individuals connected with them. This personal data includes name, employer identity, job title and business contact details.

Typically, we collect the personal data directly from the individuals themselves or from public sources such as public registers, social media and professional networking sites, news articles and internet searches.

Such personal data will be accessible to our people and used for the following purposes:

Developing, managing and administering our business
Providing information about us and the services we provide
Identifying the business needs of our clients or prospective clients
Performing analytics, including producing metrics for our leadership, such as on trends, relationship maps, sales intelligence and progress against account business goals

Visitors to our website

Our website contains links to other websites, but this privacy notice applies only to personal data collected by the website operated by Indigo House. We encourage our visitors to be aware when they leave our website to read the privacy notices of other sites that collect or use personal data.

When you make an enquiry via our online contact form, you will be asked to provide some personal data such as your name and email address. We will use this to process and respond to your enquiry.

We would not expect to receive any special categories of personal data from any enquiry made using our website, such as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation, or criminal records. If you choose to provide such sensitive data, you are giving your explicit consent for us to process it for the reasons you are choosing to provide it.

Cookies – a cookie is a small piece of data or message that is sent from an organisation’s web server to your web browser and is then stored on your hard drive. Cookies can’t read data off your hard drive or cookie files created by other sites, and do not damage your system. Some cookies are essential to make the website work. Other cookies measure how you interact with our website and the data can be used to improve our services to you, or to send you targeted marketing; these are classed as ‘non-essential’ cookies. Indigo House will ask for your opt-in consent to place non-essential cookies each time you visit our website.

Our people

Associates and Contractors – we will process personal data about you during and after the period you provide the services to the firm in line with our legal and regulatory obligations and our services agreement with you or your employer. For more information please refer to your services agreement.