Privacy Policy

We are committed to protecting your personal information and respecting your privacy. Our Privacy Policy outlines how we collect, use, and safeguard your data. Read on to learn more about your rights and our practices.

Our Responsibilities

This Privacy Policy for Bridewell Consulting Limited (‘Bridewell’, ‘we’, ‘us’, or ‘our’,) describes how and why we collect, store, use, and/or share, (‘process’) your personal data and information when you use our services (‘Services’) such as when you:

  • Visit our website at https://www.bridewell.com
  • Express an interest in or take up one of our Services.
  • Engage with us in other related ways, including any sales, marketing, or events.

Bridewell are responsible for the data we collect and process for our own purposes. We’re committed to maintaining the security and privacy of the personal data we process, both through our website or through our interactions with clients, prospects, or industry partners.

Whether we are supporting our clients or managing our own data, privacy and security are at the heart of our operations. Whilst we take appropriate measures in our own practices, security and privacy is at the core of our business operations, so it is imperative we operate in accordance and where possible above industry and regulatory requirements.

Contacting us

Should you wish to contact us to find out more about how we process personal data and information, to exercise your rights, make a complaint or to discuss our practices, please use the following details:

  • Email: dataprivacy@bridewell.com
  • Post: Data Protection Officer, Bridewell Consulting Ltd, 40 Caversham Road, Reading, RG1 7EB.
  • Telephone: +44 (0) 3303 110 940

What personal data will we collect about you?

Personal data or personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data and personal information which have been grouped together below:

Category Personal Data Items
Identity data  
Includes first name, last name, alias, unique personal identifier (such as an ID number or password), online identifiers (such as an IP address) and account name (the name provided as the account holder).
Contact data Includes postal address, email address and telephone or mobile number.
Internet or other similar network activity Online behaviour and interactions with our and other websites, applications, systems, and advertisements. Some of this information will be collected through cookies and similar technologies. You can read more about this in our Cookie Policy.
Professional or employment-related information Business contact details to provide you our Services at a business level or job title.

 

How will we collect your personal data?

We use different methods to collect data from and about you including:

  • Personal data and information provided by you: The personal data and information we collect depends on the context of your interactions with us and the Services, the choices you make, and the products you use. We will typically collect personal data directly from you via our website or in-person, such as during an industry event.
  • Third parties or publicly available sources: To enhance our ability to provide relevant marketing, offers, and Services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, data providers, and from other third parties. Third party sources include LinkedIn and Cognism Limited.
  • Information automatically collected: We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies, which you can read more about in our Cookie Policy.

How do we use your personal data?

The following table sets out why we process your personal data and information, including our lawful basis for processing your personal data, in accordance with UK and EU Legislation. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.

Purpose/activity Lawful basis for processing Personal Data Categories
To provide our Services.
Although our core Services do not revolve around collecting and processing personal data, we may process small amounts of personal data in order to fulfil our contractual obligations. This includes management of contracts, using job titles in reports and sending email communications to our clients.
This processing is carried out in our legitimate business interests of providing you with our services.
 
This processing may be necessary for the performance of a contract, or to take steps prior to entering into a contract which Bridewell and our clients are subject to.
·         Name
·         Email addresses
·         Address
·         Contact number
·         Signatures
·         Business contact details
 
To handle website enquiries
We have a Contact Us page on this website, which allows individuals to ask questions about our Services, The Contact Us page and any correspondence sent via email is monitored by our internal teams, to ensure we identify and handle your request effectively.
This processing is carried out for our legitimate interests, enabling Bridewell to facilitate to your enquiry. ·         Name
·         Business email address
·         Business telephone number
·         Job title
·        
 
To engage with prospective clients
We process basic business contact information of prospective clients and opportunities, which may initially be collected via sales meetings, business cards, verbally, events we may host, speak at, or attend. We may obtain information from third parties or publicly available sources, including those outlined under the section ‘How will we collect your personal data?’
This processing is carried out for our legitimate interests of promoting our Services to your organisation.
 
This information may also be processed for the performance of a contract or to take steps prior to entering a contract, when you are a named signatory within the contract.
·         Name
·         Email addresses
·         Address
·         Contact number
·         Business contact details
·         Email conversations
·         Physical and Electronic Signatures
To manage Financial Accounting and Administration
Our financial management and accounting Services process basic client contact information to fulfil our accounting requirements. This ranges from invoices, account details, timesheet approvals, statement of works, terms and conditions and bank details
This processing is necessary for the performance of a contract with you, in our legitimate interests with your organisation, or to meet our legal obligations for financial reporting.  ·         Name
·         Email addresses
·         Address
·         Contact number
·         Business contact details
·         Email conversations
·         Signatures
·         Client and Supplier Bank Details
To collect information on Associates / Contractors
We process basic contact and work information in relation to associates and contractors who would like to work with us or one of our clients. This information could be collected through our website, email, LinkedIn, recruitment agencies or job advertising boards.
This processing is necessary for the performance of a contract with you, or to take steps prior to entering a contract when you are a named signatory within the contract. ·         Name
·         Email addresses
·         Address
·         Telephone details
·         Skills
·         Job history
·         Bank account details
·         Company insurance details
·         Passport
·         Driving licence
·         References and email conversation
To recruit employees
We process your information in our recruitment processes and when you apply for a role with us. This information could be collected through our website, email, LinkedIn, recruitment agencies or job advertising boards.
This processing is necessary for the performance of a contract of employment with you, or to take steps prior to entering such a contract with you. ·         Name
·         Email addresses
·         Address
·         Telephone details
·         Skills
·         Job history
·         Bank account details
·         Company insurance details
·         Passport
·         Driving licence
·         References and email conversation
To send you marketing and promotional communications:
From time to time, we may email you about our Services or events (including webinars and in-person) which may be of interest to you or your organisation.
We will only ever contact you with these communications if we consider you to be a ‘Corporate subscriber’ and the content is relevant to your role as an employee at the organisation you work for.
This processing is carried out for our legitimate interests, for us to promote our Services or events to your organisation. You can tell us not to contact you by following the unsubscribe instructions on any communications sent to you. We will only send communications to individuals within organisations where we believe we have a legitimate interest to do so. 
 
If you do not wish to receive any form of communication from Bridewell then simply inform us through our contact page, email dataprivacy@bridewell.com or you can unsubscribe using the ‘unsubscribe’ link available at the bottom of any of our communications.
 
·         Full name
·         Job title
·         Email address
·         Phone number
To identify usage trends and understand our customer journeys:
We will process information about how you use our Services.
This processing is carried out for our legitimate interests to analyse and improve your user experience and the performance of our website.
 
·         IP Address
·         Social Media IDs
·         Unique Visitor IDs
·         Telephone Number
Teams meeting recordings This processing is carried out in our legitimate interests of accurately capturing a Teams call/meeting. ·         Full name
·         Image
Call logging
If you telephone us, we use that to add it to our database.
This processing is carried out in our legitimate interests of analysing and improving the user journey when contacting us. ·         IP address
·         Telephone number
 
CCTV
We will process your images if you visit our Cardiff Office.   
 
This processing is carried out in our legitimate interests of the prevention and detection of crime, for protecting the safety of individuals and the security of our premises. ·         Moving images

Where we process your personal data based on our legitimate interests, we have carried out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises we carry out when relying upon this lawful basis for processing your personal data.

Sharing your personal data

As you’d expect, our employees will access personal information for the purposes mentioned above. For example, our Business Development staff may need access to your details to support you when you get in contact with us. 

We will also share information with third parties including service providers, business partners and sub-contractors for business administration, support, processing, Services, or IT purposes.

Please note that any third parties will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We may also share your personal data with a third party who has purchased or merged with our organisation, in which case personal data held by us, about you, will be transferred to that third party to carry on our business.

Security of your personal data

At Bridewell we take the security of personal data extremely seriously. We have implemented a mixture of cyber security and privacy controls including encryption, and a Business Management System (BMS) which underpins our ISO27001:2013, ISO9001:2015, ISO27701:2019 and Cyber Essentials Plus Certifications.

Bridewell are also a certified National Cyber Security Centre (NCSC) consultancy and a registered member of the Council for Registered Ethical Security Testers (CREST), which ensures our methodologies used for delivery of our Services meet the expectations of the UK Governments Technical security arm.

We assess security for Confidentiality, Integrity, and Availability to ensure that data remains protected, accurate and available for its intended purposes. Some of the core controls we have implemented as part of these certifications are:

  • Multi-Factor Authentication (MFA) on all internet-based systems
  • Encryption of data at rest and in transit
  • Technical assessments of our systems for vulnerabilities and configuration weaknesses
  • Controlled access to only approved individuals
  • Screening of all employees to a minimum of the Baseline Personnel Security Standard (BPSS)
  • Data handling training for all employees
  • Policies and procedures on secure operations and configuration of systems

International Data Transfers

Although our systems and Services are primarily located within the United Kingdom and EEA, there may be occasions where your personal data will be processed in countries not deemed by UK and EU to have adequate Data Protection safeguards in place. Bridewell has implemented appropriate measures to ensure an adequate level of protection of your personal data, if they are transferred outside of the UK or EEA. These measures being that we ensure there’s a proper legal agreement or mechanism in place covering the transfer and protecting the data.

Automated decision making and profiling

Automated decisions are where a computer makes decisions about you without a person being involved.  Profiling is the recording and analysis of a person's psychological and behavioural characteristics, to assess or predict their capabilities or to assist in identifying categories of people.

Bridewell does not make automated decisions about or profile its clients or customers.

How long will we keep your personal data?

Bridewell only processes personal data for as long as necessary to meet our legal obligations or where we have a legitimate business reason for keeping it. We review personal data on a case-by-case basis and document the period of retention for each.

For further information on how long personal data is likely to be kept before being removed from our systems and databases, please contact us via: dataprivacy@bridewell.com

Your rights

Data Protection Legislation gives you a number of Rights over your information which are focused on placing you in control of how your data are processed.

You can exercise these Rights by emailing us at dataprivacy@bridewell.com or by writing to: Bridewell Consulting, 40 Caversham Road, Reading, RG1 7EB.

We may verify your request and identity before any information is provided to you. This is to make sure you are entitled to receive the information.  

You have the following Rights in relation to the processing of your personal data:

Data Subject Right Description
Right to be informed A right to be informed about the personal data we hold about you.
Right of access A right to access the personal data we hold about you.
Right to rectification A right to require us to rectify any inaccurate personal data we hold about you.
Right to erasure A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):
 
·      We no longer need to use the personal data to achieve the purpose we collected it for.
·      Where you withdraw your consent if we are using your personal data based on your consent.
·      Where you object to the way we process your data (see the right to object described below).


If you request us to delete your data, we will retain minimum personal data to document these requests and thereby avoid using your personal data for any other purpose.
Right to restrict processing In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):


·      You dispute the accuracy of the personal data held by us.
·      Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead.
·      Where we no longer need to use the personal data to achieve the purpose, we collected it for, but you need the data for the purposes of establishing, exercising, or defending legal claims.
Right to data portability In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used, and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
Right to object A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we can demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights, or which are for the establishment, exercise or defence of legal claims.

In particular, you can exercise your right to object to marketing communications being sent to you by utilising opt-out mechanisms in emails we send to you.
Right related to automated decision-making and profiling A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Right to withdraw your consent A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters). 

Your right to complain to the Supervisory Authority

If you’re unhappy with how we’re using your personal data, you can contact us at dataprivacy@bridewell.com and we will work with you to resolve the matter. 

You also have the right to complain to a Supervisory Authority. In the UK, the Supervisory Authority is The Information Commissioner(ICO) who can be contacted by:

  • Visiting their website: www.ico.org.uk
  • Phoning: 0303 123 1113
  • Writing to: Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Additional Information for US Residents

If you reside in the US, this section supplements the information contained in the Privacy Notice. US residents have specific rights regarding their personal information.

Please note that in the preceding twelve months, we have not sold your personal information.

We may disclose certain personal information, such as your first and last name,  email address, job title/position, and other similar contact data, financial information, and employment details with our subsidiaries and affiliates and other third parties, including service providers who provide Services on behalf of Bridewell. When personal information is disclosed to a subsidiary, affiliate or other third party the recipient entity will be obligated to provide the same level of privacy protection required under Applicable Data Privacy Legislation.

You have the following Rights in relation to the processing of your personal data;

  
  
Personal Information Right Description
Notice of and Access to personal information A right to notice of and access to certain information about our collection and use of your information.
Correction of personal information A right to ask for inaccurate personal information be to be corrected.
Deletion of personal information A right to ask that we delete your personal information relating to you, subject to certain exceptions.
Objection to the sale of or sharing of personal information A right to ask for your personal information to not be sold or shared with a third party, subject to certain exceptions.
To transmit personal information to another entity A right to ask for your personal information to be transferred, in a readily useable format, to another entity.

None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.

We may verify your request and identity before any information is provided to you. This is to make sure you are entitled to receive the information. 

If you’d like to exercise any of your rights or have any questions, please contact us at dataprivacy@bridewell.com

Changes to our Privacy Policy

We keep this Policy under review and will reflect any updates or changes to practice within this notice (to reflect changes in operations and the way we process your data). This notice was last updated in November 2024.