Privacy Notice
Effective Date: 15 September 2025
1. Who We Are and How to Contact Us
Corporate Project Solutions Limited (“CPS”, “we”, “us” or “our”) is the “data controller” responsible for your personal data when you interact with our services as a client or user. Our company is registered in England (Company No. 03014568) with headquarters at 450 Brook Drive, Reading, RG2 6UU, UK.
If you have questions about this Privacy Notice or wish to exercise any of your rights, you can contact us at:
- Email: [email protected]
- Phone: +44 (0)1628 321321
- Postal Mail: Data Protection Team, CPS, 450 Brook Drive, Reading, RG2 6UU, United Kingdom.
CPS is registered with the UK Information Commissioner’s Office (ICO) as a data controller (Registration No. Z7234767). While we are not required to appoint a formal Data Protection Officer for our current scope of activities, our Head of Compliance and data protection team oversee our GDPR compliance efforts and serve as points of contact for data protection matters.
2. Personal Data We Collect
We collect various categories of personal data from clients and users. We are committed to data minimisation, meaning we only collect what we truly need for the purposes outlined in this notice. Below are the types of personal data CPS may collect:
- Identity and Contact Information: This includes your name, title, job role, company or organization name, email address, telephone number, and postal address. For example, when you fill out a contact form on our website or request information about our services, we will ask for basic contact details so we can respond to you. If you register for a CPS event or webinar, we might also request your job title and company to tailor the content or follow-up appropriately.
- Communication Data: Any personal data contained in your communications with us. If you send us an email inquiry, provide feedback, or call our support line, we will collect the information you provide (like the details of your inquiry or problem) along with your contact information and our subsequent correspondence. This helps us address your needs and keep records of our communications.
- Service and Transaction Data: Information related to the services you obtain from CPS and your transactions with us. This includes:
  - Contract Details: If you or your company become a client, we will have records of the proposals, contracts or Statements of Work, and any project plans that contain your personal details (e.g. your name, signature, business contact info).
  - Service Usage Data: If our service involves providing access to a software tool or platform, we may collect data on your usage of that service (e.g. account login, activity logs) for support and improvement purposes.
  - Support Tickets and Project Communications: When you engage with our support team or consultants, we document the issue and resolution. These records may include your personal contact info and any screenshots or examples you provided (which might occasionally contain personal data if, say, a screenshot includes a name or email).
  - Billing and Payment Records: If you are involved in the billing process, we will have records of invoices, payment amounts, and payment dates. (Payment method details are handled separately as described below.)
- Payment Information: For clients who purchase services or products, we may process payment-related data. CPS uses secure third-party payment processors for handling credit card or bank transactions. We typically collect:
  - Billing Contact Details: Name and contact information of the individual responsible for payment (which may be you or a colleague at your organization).
  - Payment Method Details: If paying by credit card, you might provide cardholder name, card number, expiry, and CVV to our payment processor. CPS itself does not store your full card details on our systems. If paying by bank transfer, we might receive account info through invoices or remittance advice.
  - Transaction Records: We keep records of transaction dates, amounts, and references (e.g. invoice numbers, last four digits of a card, or a transaction ID from our payment processor). These records are needed for accounting and are retained per legal requirements.
- Marketing Preferences and Feedback: If you subscribe to CPS newsletters or opt in to receive marketing communications, we will collect your name, email, and communication preferences (e.g., types of updates you want to receive). We also record when and how you gave consent. Likewise, if you respond to a survey or provide feedback (for example, a post-project satisfaction survey), any personal info in your responses will be collected. Survey participation is optional, and you can choose to respond anonymously where possible.
- Online Data (Website Usage): When you visit our website (cps.co.uk) or interact with our online services, we automatically collect some data via cookies and similar technologies:
  - Technical Data: This may include your IP address, browser type and version, device type, operating system, and device identifiers. We use this to ensure the website works well for your device and to troubleshoot technical issues.
  - Usage Data: Information about how you navigate or use our site, such as the pages or content you view, the time spent on pages, links clicked, and the page that led you to our site. We use analytics tools (like Google Analytics) to gather this information in aggregate form to understand and improve site usage. These tools may set cookies in your browser. We obtain consent for non-essential cookies where required by law.
  - Cookies & Similar Technologies: Cookies can also collect and store information such as user preferences (to remember your login or language choice), or track your browsing behaviour on our site. For details, please see our Cookie Policy on our website, which explains what cookies we use and how you can manage them.
- Third-Party Personal Data Provided by Clients: In some cases, you (as a client) may provide CPS with personal data about other individuals in the context of our services. For example, if we are implementing a system for you, you might give us a dataset containing your customers’ or employees’ information to migrate into the new system. Similarly, you might share colleague contact information for a project. In these situations, CPS is typically acting as a data processor on your behalf, and this Privacy Notice (which is mainly about CPS as a controller) does not cover the specifics of that data processing. Instead:
  - We ensure such data is handled only according to your instructions and our contract (including any Data Protection Addendum) with you.
  - We treat that data confidentially and securely, and we do not use it for CPS’s own purposes.
  - It is your responsibility as the controller to have collected that data lawfully and to provide relevant notices to those individuals; our responsibility is to protect it and process it only as you direct.
  - We will return or delete that data at the end of our engagement as per our agreement. We mention this scenario here for transparency, but details will be defined in our service agreement with you.
No Special Categories: CPS does not aim to collect any “special categories” of personal data from clients or users (such as racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data), nor do we collect information about criminal convictions, etc., in the normal course of our services to clients. We ask that you refrain from providing such sensitive data to us unless it is necessary for a specific service and we have expressly agreed (with appropriate legal safeguards in place).
If You Fail to Provide Personal Data: Where we need to collect personal data by law or under the terms of a contract we have with you (or your employer), and you fail to provide the data when requested, we may not be able to fulfil the service or contract. For example, if we require a business email to provision an account and you do not provide one, we cannot create the account. We will inform you at the time if certain information is mandatory and the consequences of not providing it.
3. How We Use Your Personal Data (Purposes and Legal Bases)
CPS will only use your personal data when we have a valid legal basis under GDPR to do so, and for the purposes that we have informed you about. Below we describe the purposes for which we process client and user data, along with the corresponding legal bases that make the processing lawful. Often, one piece of data (like your name or email) may be used for multiple purposes, each with its own justification. We will not use your personal data for a completely new or unrelated purpose without notifying you and, if required, obtaining your consent.
a) To Provide Products and Services (Contractual Necessity)
We process personal data primarily to deliver the services or products you have requested from CPS. This covers a range of activities, such as:
- Setting up and administering your account or project.
- Communicating with you about the services (e.g., sending pre-project questionnaires, delivering project updates or reports, providing user credentials).
- Performing the services, which might involve accessing or inputting your data into systems, customizing solutions for you, or providing training and support.
- Fulfilling orders for software licenses, hardware, or consulting hours.
- Processing payments and transactions for the services.
For example, if you’ve engaged CPS for a software implementation project, we will use your contact and identity information to coordinate meetings and deliverables. If we’re providing a cloud solution, we’ll use your details to set up user accounts. When you purchase a training course through our site, we use your provided info to enrol you and take payment.
Legal Basis: Performance of a contract (GDPR Article 6(1)(b)). Most of this processing is done because it is necessary to fulfil our contract with you (if you are contracting as an individual) or with your company (if you represent a corporate client). Even if the contract is with your employer, we consider that we have a legitimate interest in processing your data to provide the service effectively to your organization, which is often intertwined with contractual necessity. If you have only inquired about our services, this processing may be considered pre-contractual steps at your request (also covered under Art 6(1)(b)). We will make clear when collecting data if it is required for these purposes. Without this data, we cannot provide the requested service.
b) Client Support and Communications (Legitimate Interests or Contract)
We regularly use personal data to communicate with you and manage our relationship. This includes:
- Responding to questions, requests for information, or support issues you raise.
- Sending service-related communications, such as confirming receipt of an order, notifying you about changes or upgrades to services, or alerting you to maintenance downtime.
- Scheduling and holding meetings or calls (in-person or virtual) as part of delivering our services or discussing your needs.
- Keeping you updated on project status and milestones.
- Providing post-implementation support or check-ins to ensure everything is working as expected.
For instance, if you email our support team about an issue with a deliverable, we will use your email address and the details you provide to investigate and reply with a solution. We may also call you if that’s an efficient way to resolve the issue. We maintain internal notes or a ticketing system for such interactions.
Legal Basis: Legitimate interests (GDPR Article 6(1)(f)). It is in both CPS’s and our clients’ interest that we communicate effectively and address customer needs. We consider this fundamental to running our business and keeping clients satisfied. In cases where support is explicitly part of the service contract (e.g., a support agreement), the legal basis can also be performance of the contract. We ensure our communications are professional and relevant. We do not use this data for unrelated purposes (like marketing, unless you’ve consented separately). You always have the option to specify preferred communication channels or to ask us to limit certain communications, and we will accommodate reasonable requests.
c) Marketing and Promotional Communications (Consent or Legitimate Interests)
CPS may use your contact information to send you marketing communications about our services, events, or content that we think could interest you. This can include:
- Email newsletters with industry insights, CPS news, or updates on our offerings.
- Invitations to webinars, workshops, or events we are hosting.
- Promotions or special offers for CPS services or partner services.
- Follow-ups after events (e.g., sending slides or asking if you want more info on a topic).
We conduct marketing in a compliant manner: you will receive our email marketing only if you have an existing relationship with CPS or have affirmatively opted in. For instance, if you downloaded a whitepaper from our site and opted to receive updates, we will add you to our mailing list. If you are an established client contact, we might send you related service info under a soft opt-in basis permitted by law (e.g., the UK PECR). Every marketing email from CPS includes a clear unsubscribe link so you can opt out at any time.
We might also occasionally use third-party marketing platforms (Dynamics 365 Marketing or Mailchimp) to manage our contact lists and send communications. These platforms may track whether you open emails or click links, which helps us gauge engagement. We typically only see aggregate or basic data such as “user X opened the newsletter.”
Legal Basis: Consent (GDPR Article 6(1)(a)), or Legitimate Interests for existing customers in some cases.
- Consent: We will seek your opt-in consent before sending you electronic marketing if you are a new prospect. For example, filling out a form on our website that includes a checkbox “Yes, I’d like to receive updates from CPS.” We keep a record of that consent. You have the right to withdraw consent at any time, and we will stop the marketing use of your data.
- Legitimate Interests: We may process your personal data under the lawful basis of legitimate interests in order to send you information about our products, services, and events that may be relevant to your role or organisation. This includes contacting individuals at business email addresses who we reasonably believe will benefit from our solutions. We balance this interest against your rights and freedoms by ensuring that:
  - All communications are relevant, proportionate, and not excessive;
  - You are always provided with a clear and simple way to opt out of further marketing;
  - We respect any marketing preferences you have previously communicated.
  Where we source business contact data from reputable third parties, we require assurances that the data was collected fairly, that individuals were informed their data may be shared with third parties for marketing, and that such use complies with data protection and electronic communications laws. You can opt out of our marketing at any time by clicking the unsubscribe link in our emails or by contacting us directly.
We never share your data with third parties for them to market to you without explicit consent. We might mention that some events or webinars are co-hosted with partners; in those cases, if we propose sharing attendee info with the partner, we will be transparent and give you a choice.
d) Compliance with Legal Obligations
CPS will process personal data as needed to comply with our legal and regulatory obligations. This includes:
- Accounting and Tax Records: We maintain records of transactions (invoices, payments, contracts) that may include client personal data (names, business contact details) to satisfy HMRC (UK tax authority) requirements and financial auditing standards. For example, laws require keeping sales and purchase records for a number of years.
- Legal Claims and Investigations: If we are involved in legal proceedings or enforcement actions (e.g., receiving a court subpoena), we might process or disclose relevant personal data to comply. If a dispute arises with you or your company, we may use your information to establish our position (for instance, emails as evidence of what was communicated).
- Regulatory Filings: In certain sectors or contracts, we may need to provide customer information to regulatory bodies or as part of certifications (e.g., if a government contract requires reporting of client interactions or diversity data).
- Data Protection Compliance: We keep records of processing activities and, if you exercise your data rights, we will process your data to comply with that (for example, searching our systems for your data when you make an access request, or marking your record as “do not process” if you object).
Legal Basis: Legal obligation (GDPR Article 6(1)(c)). When laws of the UK or EU require us to process or retain certain data, we do so on that basis. For instance, UK companies must retain certain financial records for 6 years – if those records contain personal data, we keep them because the law says so. We also consider Article 6(1)(f) legitimate interests for legal claims (defending or pursuing legal claims is generally recognized as a legitimate interest). In all these cases, we will limit the data to what is necessary and ensure it’s handled securely.
If we receive a government or law enforcement request for client data, we will only comply if required by law and after verifying the legitimacy of the request. We would inform affected clients if permitted.
e) Business Administration and Improvements (Legitimate Interests)
We may use personal data internally to improve our services and operations:
- Service Improvement: We might review support requests to identify common pain points and improve our offerings. For example, if multiple clients ask how to perform a certain task in a software we delivered, we might create better documentation or improve the interface.
- Analysis and Reporting: We could use client data in aggregate to analyse things like what industries our clients come from, what services are most popular, or what times of year have high demand. This typically would involve removing or not focusing on individual personal identifiers.
- Training: We sometimes use real case examples (anonymized where possible) to train our staff or to create case studies. If we wanted to create a public case study involving your story, we would seek permission and possibly have a separate agreement for that; otherwise, any use of actual data for training is kept internal and confidential.
- Financial Planning and Administration: We use client data to forecast revenue, manage our consultants’ schedules, and allocate resources. For example, knowing the approximate number of users at a client (which might have been collected during sales) helps us plan project team size.
Legal Basis: Legitimate interests (GDPR Art 6(1)(f)). Running and improving our business is a legitimate interest. In doing so, we consider and minimise the impact on your privacy. Often, for these purposes, we either use aggregated data or redact personal elements. The aim is that this kind of processing should be something you would reasonably expect as part of our relationship, and it does not override your rights. You have the right to object if you have particular concerns (see Section 9 on your rights).
f) Security and Abuse Prevention (Legitimate Interests and Legal Requirement)
CPS processes certain data to maintain the security of our services, systems, and to prevent fraud or misuse:
- Access and Authentication: If we provide you with an account for a CPS service or portal, we will process personal data to manage logins and verify identity. For example, your username (often your email) and password, and possibly a phone number for multi-factor authentication. Our systems log login attempts, password changes, and similar events tied to your user ID.
- Monitoring and Logs: Our websites and internal systems automatically log certain information (IP addresses, device info, timestamps) to create audit trails. This helps in diagnosing issues, identifying unauthorized access attempts, and ensuring system integrity. For instance, if we detect multiple failed login attempts to your account, we log this and may take action (like temporarily locking the account) to protect you.
- Fraud and Malicious Activity Prevention: If you make a purchase or fill in forms on our site, we may use automated tools to screen for common fraud signals (e.g., checking if a payment comes from a high-risk IP or if the email provided has been associated with spam). This might involve third-party security services.
- Compliance with Security Standards: We implement measures required by GDPR (Article 32) such as encryption, pseudonymization, and regular testing of our security. In doing so, we might process some personal data – for example, running a test that involves generating synthetic data similar to real personal data, or reviewing a random sample of records to ensure proper encryption.
Legal Basis: Legitimate interests for CPS to ensure security (this protects both us and our clients) and legal obligation in certain contexts (GDPR requires us to take appropriate security measures; various laws mandate breach prevention and prompt detection). The data processed for security is used only for that purpose. For example, log data is not used for marketing or profiling; it’s purely for security and troubleshooting. If we suspect criminal activity (like a cyber-attack), we might have a legal obligation to report certain data (possibly to law enforcement or affected parties).
CPS does not engage in any solely automated decision-making that produces legal or similarly significant effects on clients or users. For instance, we do not have algorithms that decide to deny service to a person without human review. Should this ever change, we will update this notice and ensure any required procedures (including the ability to request human intervention) are in place.
4. Summary Table of Data Categories, Purposes, Legal Bases, Third Parties, and Retention
Below is a table summarizing the key categories of personal data we collect, why we collect it, the legal basis under GDPR, who we share it with, and how long we keep it:
| Category of Personal Data | Purpose of Processing | Legal Basis | Typical Third-Party Recipients | Retention Period |
|---|---|---|---|---|
| Identity & Contact Data (e.g. name, email, phone, address, company, job title) | • Respond to inquiries and requests • Perform contracts and provide services • Communicate with clients (project updates, support) • Maintain client account records | Contract (performance or pre-contract steps); Legitimate interest in business communications | – Cloud hosting providers (for data storage/CRM) – Email service providers (for sending communications) – IT support vendors (for system maintenance) | For active clients: during the business relationship and typically 6 years after its end (to satisfy legal and business obligations). Inquiry data (if no contract results) is retained ~3 years for potential follow-up. |
| Service & Transaction Data (e.g. services purchased, project files, support tickets, contracts, billing info) | • Deliver and manage services/products • Provide customer support and troubleshooting • Project management and delivery • Internal reporting and service improvement | Contract; Legitimate interest (service improvement, record-keeping); Legal obligation (for financial records) | – Accounting software or auditors (for financial recordkeeping) – Subcontractors or partners assisting in service delivery (bound by DP contracts) – Cloud storage/backup services (for safe storage of project data) | Core service records kept for the contract duration + up to 6 years after (aligning with statutes of limitation and audit needs). Support tickets: typically 3-5 years after resolution. Project deliverables: retained as needed for client and internal reference, often archived within 1 year post-project (with personal data minimized). |
| Payment Information (billing contact, transaction details; *note: CPS does not store full card numbers*) | • Process payments and verify transactions • Fraud prevention • Compliance with tax and accounting laws | Contract (to receive payment); Legal obligation (tax laws); Legitimate interest (prevent fraud) | – Payment processors and banks (to execute payments securely) – Accounting systems (to record invoices and payments) – External auditors (may review transaction records) | Financial transaction records: kept 6 full years + current year (per UK financial regulations). Credit card details: not stored by CPS beyond the moment of processing. Bank details (for B2B clients) retained while contract is active; removed when no longer needed. |
| Marketing & Communications Data (newsletter sign-ups, marketing email engagement, survey responses) | • Send newsletters, updates, and event invites • Manage opt-ins/opt-outs and preferences • Conduct client surveys and gather feedback | Consent (for email marketing opt-in); Legitimate interest (informing existing clients and new prospects about related services, subject to opt-out) | – Email marketing platform (to design/send bulk emails) – Survey tools (for sending questionnaires and recording responses) – CRM system (managing marketing contacts and tracking interactions) | Until you unsubscribe or withdraw consent. We maintain active marketing contacts indefinitely only with continued consent/interest. Upon opt-out, we immediately cease marketing and either delete your data or suppress it to remember your opt-out. Survey responses: identifiable data is usually deleted or anonymized after analysis, typically within 1 year. |
| Website Usage Data (IP address, device info, cookies, analytics data) | • Enable website functionality and user experience • Analyse site usage to improve content and navigation • Ensure security (e.g. detect excessive failed logins or attacks) | Legitimate interest (smooth, secure website operation); Consent (for non-essential cookies/analytics in jurisdictions requiring it) | – Analytics providers (e.g. Google Analytics, with anonymization settings) – Web hosting and security providers (who may process IP addresses in logs or firewall systems) – Lead Forensics (tracks the visiting organisation’s IP address, not individuals, and their journey around our website) | Cookies: as per our Cookie Policy (session cookies expire on logout; analytics cookies typically 6–24 months unless cleared). Server logs: stored 3 to 12 months for security and then deleted or anonymized. Aggregated analytics (no personal IDs) may be kept longer for trend analysis. |
| Third-Party Data Processed for Clients (personal data you supply to us about your end-users, employees, or customers during our service delivery) | • (As a Processor on your behalf) To perform the services you have contracted (e.g. migrating data, configuring systems with real user info, conducting communications as instructed) | Your instructions/contract – CPS acts under the controller’s (your) legal basis, as per our Data Processing Agreement. | – Potential sub-processors (cloud providers, software tools necessary for the project) approved by you and bound by GDPR terms – Returning data to you or onward transfer at your direction | Only for the duration of the project/contract. We will delete or return these personal data as agreed once the service is completed. Temporary files and backups are securely wiped after project closure. (If any need to be retained longer for legal reasons, that will be per contract or legal requirement, not by CPS’s choice.) |
Note: The retention periods above are general guidelines. We may retain data longer if required by applicable laws or if needed for a legal claim, or shorter if you exercise your right to deletion (and no exception applies). We periodically review the data we hold and securely delete or anonymize anything no longer needed for its intended purpose.
5. How We Share Your Data (Third-Party Disclosures)
CPS will share personal data with third parties only in the ways described in this notice, and primarily to support our service to you or to meet legal requirements. We do not sell or rent your personal data to third parties for their own use. Here are the types of third parties with whom we may share data and why:
a) CPS Group and Personnel: Your information may be shared internally within CPS among our staff who need it to perform their jobs (for example, the consulting team delivering the project, the finance team for invoicing, etc.). All CPS employees and contractors are bound by confidentiality and data protection obligations. If CPS has affiliates or subsidiaries (currently we operate mainly as a single UK entity), and it’s necessary to involve them, they will handle your data only under the same conditions as CPS itself.
b) Service Providers (Processors): We use a number of trusted third-party companies to assist us in running our business and delivering services to you. These third parties process personal data on our behalf under strict instructions, and they are not allowed to use your data for their own purposes. Key categories include:
- Cloud Infrastructure and IT Services: We rely on providers like Microsoft (e.g. Azure cloud, Office/Microsoft 365) for email, document storage, collaboration tools, and hosting of our internal systems. Your data (such as emails or project documents) may be stored or transmitted through these systems. Microsoft and similar providers act as data processors, with strong security and EU/UK data protection terms in place.
- Customer Relationship Management (CRM) and Project Management Tools: We maintain client contact details and project information in software tools (for example, a CRM database, support ticketing system, or project management platform) which may be cloud-based and hosted by third-party vendors. These vendors have access to data as needed to operate the service (but not to use it beyond that).
- Payment and Accounting Processors: If you make electronic payments, those are processed by accredited payment gateways (such as credit card processors or banking services). They receive the necessary personal and financial data to process the transaction. Similarly, our accounting software might be cloud-based (with data hosted securely by the software provider).
- Email Delivery and Marketing Platforms: To send out bulk emails like newsletters or service announcements, we may use specialised email services (for instance, Dynamics Marketing). We upload only the necessary contact info and message content. These services help us manage subscriptions and comply with email deliverability standards.
- Analytics and Web Services: Web analytics providers process online usage data (as described in Section 2) to give us insights, often with pseudonymization. Also, if we run webinars or virtual meetings, the platform (Microsoft Teams, etc.) will process participant contact information for login.
- Professional Advisors and Auditors: Occasionally, our lawyers, accountants, auditors, or insurers might need access to some personal data if it’s relevant to their services to us. For example, an auditor checking our finances might see client names on invoices, or a lawyer might review a contract that contains personal data. These parties are bound by professional secrecy or confidentiality agreements.
All our service providers are subject to data processing agreements as required by GDPR. This means:
- They only act on CPS’s documented instructions.
- They must keep your data confidential and secure.
- They must assist us in upholding your data rights and notify us promptly if they experience a data breach.
- If located outside the UK/EEA, we put additional safeguards in place (see Section 6 on international transfers).
We regularly review our vendors for their data protection practices. For example, we assess their compliance through questionnaires or certifications, and require updates if standards change. If a provider cannot meet our data protection requirements, we will either not share data with them or will switch to an alternative provider.
c) Third-Party Partners and Subcontractors: In some cases, CPS might collaborate with third-party partners to deliver a solution. For instance, we might bring in a specialized consultant or a partner company to fulfil part of a project. We will share with them only the data necessary for that task (often business contact info and relevant project data). Depending on the situation, these partners might operate as:
- Sub-processors: If CPS retains control and just uses the partner to perform part of the processing on our behalf, then they are effectively our sub-processor. We will extend the data protection obligations downstream to them.
- Independent Controllers: If the partner is providing a distinct service to you alongside CPS, they might receive your data as a separate controller (e.g., we introduce you to a software vendor who then provides their service directly). In such cases, they should provide you with their own privacy notice. We will aim to clarify roles in contract or in communication so you know who is doing what.
We will not subcontract any processing of personal data that you entrust to us as a processor (under a services contract) without your knowledge and approval as required in our agreement.
d) Legal Disclosures: We may disclose your personal data to third parties when required by law or if we reasonably believe such action is necessary to:
- Comply with a legal obligation or request (e.g., court order, government regulation, legally binding request by law enforcement).
- Protect the rights, property, or safety of CPS, our clients, or others. This could include sharing information with law enforcement to prevent or investigate fraud or cybercrime.
- Enforce our contracts and legal rights (e.g., sharing relevant information with a collections agency for unpaid invoices, or with our legal counsel to seek legal remedies).
If we receive a request for disclosure, we will carefully validate it. For instance, any government or police request is reviewed by our legal team. Unless prohibited, we would also inform the affected individuals or company of such requests.
e) Business Transfers: If CPS goes through a business transition such as a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity as part of the transaction. The new owner would still be bound to protect your personal data in line with this Privacy Notice (or provide notice of changes). Similarly, if CPS were involved in insolvency or restructuring, personal data might be considered an asset and handled under legal oversight. We will ensure continuity of privacy protection in any such scenario and notify you of any ownership change affecting your personal data.
Outside of the scenarios above, CPS will not share your personal data. Specifically, we do not share or disclose client personal data to third-party advertisers or unaffiliated entities for their independent use. Any external communications (like testimonials or case studies) that involve your personal data will only be published with your explicit consent.
6. International Data Transfers
CPS is based in the United Kingdom, which as of the effective date of this notice is governed by the UK GDPR. We primarily process and store client personal data within the UK or the European Economic Area (EEA). However, some of our third-party service providers or partners operate globally, and thus your personal data may be transferred to or accessible from countries outside the UK/EEA.
Whenever we transfer your data internationally, we take steps to ensure an adequate level of protection as required by GDPR and the UK Data Protection Act 2018. Our approach includes:
- Adequacy: If data is transferred to a country that has been formally deemed by the UK (or EU) as providing an adequate level of data protection (such as countries in the European Union, or those with adequacy decisions like Canada, Japan, etc.), we rely on that decision. For example, transfers from the UK to the EEA are permitted as the UK deems the EEA adequate and vice versa.
- Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (e.g., United States, India, etc.), we use the European Commission’s approved Standard Contractual Clauses and the UK’s International Data Transfer Addendum, as applicable. These are legal contracts that oblige the recipient to protect the data to GDPR standards. Our Data Processing Agreements with suppliers include SCCs by reference where needed.
- Supplementary Measures: In some cases, we implement additional technical and organizational measures (encryption, strict access controls, data minimization for the transfer) when using SCCs, especially after the Schrems II ruling. We also conduct Transfer Impact Assessments for key transfers to evaluate if the data might be at risk and to ensure additional safeguards if necessary.
- Binding Corporate Rules (BCRs) and other frameworks: If any of our processors have Binding Corporate Rules approved for international transfers or adhere to a recognized framework (for example, some companies participate in the new EU-U.S. Data Privacy Framework), we will consider those mechanisms. We stay updated on legal developments in this area to adjust our practices.
Examples of international transfers relevant to CPS services:
- Our email marketing service’s servers may reside in the United States. We have an agreement in place including SCCs, and the provider has invested in compliance measures.
- If we use a subcontractor based in, say, India for development work, and they need to access personal data for the project, we will ensure a contract with SCCs and that they connect to our systems securely (e.g., via VPN to a UK server) rather than downloading any data.
- Microsoft cloud services might store some backups or enable support from non-EEA locations. Microsoft, as a global company, also uses SCCs and has commitments to handle data with the same level of protection.
We understand that privacy laws in other countries might not be as strict as in the UK/EU. Our contractual and technical measures aim to compensate for that. You can request a copy of our relevant international data transfer agreements (like SCCs) by contacting us (contact details in Section 1). We may redact some parts for confidentiality, but you will see the standard commitments.
If in the future we cannot ensure that a particular transfer will be protected (for instance, if a law changes in a destination country that undermines the SCC protections), we will suspend that transfer and work on alternative solutions or seek your consent where appropriate.
7. Data Security Measures
Keeping your personal data secure is a top priority for CPS. We have implemented a comprehensive set of technical and organisational security measures to prevent your data from being accidentally lost, used or accessed unlawfully, altered, or disclosed without authorization. We continuously improve our security practices in line with evolving threats and industry standards. Key measures include:
- Information Security Management: CPS maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2013 standards. We are also certified under the UK Cyber Essentials Plus scheme. These frameworks require us to systematically evaluate risks and apply controls across the organization. We have policies covering areas like access control, incident response, encryption, and more.
- Access Controls: We operate on a policy of least privilege. Staff can only access systems and data that are necessary for their role. All employees have unique user IDs; sharing credentials is strictly prohibited. Multi-factor authentication (MFA) is enforced for access to sensitive systems. Role-based access ensures, for example, that consultants can only see data related to their projects, and finance personnel only see billing information.
- Encryption and Pseudonymization: CPS uses encryption to protect data in transit and at rest. Our websites and web portals use HTTPS (TLS) for secure data transmission. Internal systems and laptops have full-disk encryption. Sensitive fields in databases (like passwords or keys) are encrypted at a field level. We also apply pseudonymization or anonymization techniques when feasible, especially for test environments or analytics, to reduce direct use of personal identifiers.
- Network Security: Our network is protected by firewalls, intrusion detection and prevention systems (IDPS), and anti-malware software. We segment networks so that only necessary traffic flows (for instance, public-facing servers are isolated from internal databases). We subscribe to threat intelligence and routinely update our firewall rules and apply security patches to defend against known vulnerabilities. Email coming into CPS is filtered through spam and malware detection systems to reduce the risk of phishing attacks.
- Endpoint and Device Security: All CPS-issued laptops and devices are secured with up-to-date antivirus/anti-malware, host-based firewalls, and are configured to auto-lock and require password/PIN or biometric for use. We have a Mobile Device Management (MDM) system that allows us to enforce security policies on devices and remotely wipe them if lost or stolen. Removable media use is restricted by policy.
- Secure Development and Vendor Management: When we develop or implement systems, we follow secure coding practices and conduct code reviews. We also evaluate the security posture of any third-party software or cloud services we use (as noted, we have a supplier due-diligence process). Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities, including introduction of new technology.
- Organizational Policies and Training: CPS has clear internal policies on data protection and IT usage, such as our Data Protection Policy, E-Communication & Internet Acceptable Use Policy, and Clean Desk Policy. All employees must read and acknowledge these. We provide regular training on cybersecurity and data privacy to our staff, including how to spot phishing, handle data properly, and their obligations under GDPR. We reinforce a culture of security through simulated phishing exercises, and annual refresher courses. Additionally, every employee’s contract includes confidentiality clauses.
- Third-Party Assurance: As mentioned in Section 5, any third-party handling our client data must meet equivalent security standards. We include security requirements in contracts and often ask for proof of certifications or external audits. For critical vendors, we might require the right to audit their practices or at least get annual compliance attestations.
- Incident Response and Breach Notification: CPS has an Incident Response Plan that outlines steps for identifying, containing, eradicating, recovering from, and communicating security incidents. We have an internal incident response team and have designated roles (technical lead, communications lead, etc.) in case of a breach. If a personal data breach occurs that poses a risk to individuals’ rights and freedoms, CPS will notify the ICO within 72 hours of becoming aware of it, as required by GDPR. If the breach is likely to result in a high risk to you (e.g., potential for financial harm or identity theft), we will also inform you without undue delay, in clear language about what happened and any steps you should take.
- Backups and Business Continuity: We regularly back up critical data (with encryption). We also have business continuity plans (for scenarios like major IT outages or natural disasters) so that we can restore operations and data access in a timely manner, minimizing downtime.
8. Data Retention – How Long We Keep Your Data
CPS retains personal data only as long as necessary to fulfil the purposes for which it was collected, or as required by law or legitimate business needs. We have a Records Retention Policy that defines retention periods for various categories of data. Here is how we handle retention for client and user data:
- Prospective Client Inquiries: If you reach out to CPS for information or a proposal but do not end up engaging our services immediately, we will keep your inquiry correspondence and details for a reasonable period. Typically, this is about 3 years. We keep this data in case you come back with further questions or decide to use our services later; it also helps us understand the history of our interaction. If you want us to delete an inquiry sooner, you can request it, and we will do so unless we have a strong reason to retain (e.g., you asked us to keep you on a waiting list, or it’s relevant to potential legal matters).
- Contractual Client Data: For clients that enter into a contract with us, we will retain your data for the duration of the contract and then, after the contract ends, generally for up to 6 years. This post-contract retention aligns with the limitation period for contractual claims in England and Wales (6 years), so if any dispute or need for records arises, we have the necessary information. During this time, your data is archived and access is restricted. For example, if your project ended in 2025, we would keep related records until roughly 2031. In practice, certain data may be kept even longer if required (for instance, some project documents might be useful for longer-term reference, but we would anonymize or strip personal information where possible). Conversely, if there is no legal or business need to keep specific personal data that long, we may delete or anonymize it sooner. We evaluate on a case-by-case basis.
- Financial and Transaction Records: As a business, we must adhere to financial record-keeping laws. In the UK, that typically means keeping invoices, payment records, etc., for 6 years + current year. So, if you were billed in 2024, that record might be kept until end of 2030. These records may contain your name or business contact details if you were the billing contact or signatory.
- Support and Service Communications: Communications like emails, support tickets, and call logs related to client support are usually retained for a few years after resolution. We may keep these for around 3 years in active storage for reference (especially if you have ongoing services), and then archive or delete them. If a particular communication might be needed for legal reasons (e.g., instructions you gave, approvals, etc.), we align its retention with the contract data (up to 6 years post-contract).
- Marketing Data: If you are on our marketing list, we retain your data until you unsubscribe or the contact becomes clearly inactive or invalid. If emails bounce repeatedly, we remove or update those addresses. When you unsubscribe, we keep a minimal record (email, and your opt-out request) to ensure we honour your opt-out in the future. We don’t want to bother you again once you’ve opted out. This suppression record is kept indefinitely (unless you ask us to remove it, in which case we would only retain what is necessary to ensure we don’t accidentally re-add you).
- Website Analytics: Aggregated analytics data (which doesn’t identify you personally) might be stored for longer periods to observe trends over time. However, raw logs that could identify you (IP addresses, etc.) are typically disposed of within a year or less, as noted earlier.
- Data Provided for Services (as Processor): If you gave us a dataset or we had access to your systems during a project, we return that data and/or destroy any copies after the project per our agreement. We do not keep client-provided personal data longer than necessary. Often, our contract will specify the deletion upon project completion. We might retain evidence of deletion (like a certificate of destruction) and minimal metadata (e.g., that we processed X records for you) for accountability.
- Legal Hold: If we are aware of a potential legal dispute or are instructed by law enforcement, we may suspend the deletion of certain data (putting it on “legal hold”) even if the retention period is met. In that case, we’ll retain the data until the issue is resolved and the hold is lifted.
After the applicable retention period is reached, we will either securely delete your personal data or anonymize it (so it can no longer be associated with you). Secure deletion includes measures like overwriting and purging from databases, and shredding paper files. Anonymization might involve removing identifiers so the data can be used for statistical purposes without linking back to any individual.
9. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, individuals (data subjects) have certain rights regarding their personal data. CPS is committed to upholding these rights. This section explains what those rights are and how you can exercise them with CPS.
- Right to Be Informed: You have the right to be informed about the collection and use of your personal data. This Privacy Notice is our primary way of informing you. We aim to be transparent about what data we collect, why, and how we use it. If you have questions about any specific use, you can always contact us (Section 1).
- Right of Access: You can request a copy of the personal data we hold about you, as well as information on how we process it (commonly known as a “Data Subject Access Request”). We will provide you with copies of your personal data, usually free of charge, within one month of receiving your request and verifying your identity (sooner for simple cases; for complex or numerous requests we may extend this by a further two months, and we will inform you within the first month if an extension is needed). The information will include the categories of data, purposes of processing, any third parties we have shared it with, and the source of the data if not collected from you. If you request it, we can provide the information electronically (e.g., via secure email or a portal).
- Right to Rectification: If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Once you inform us, we will update our records accordingly, and also notify any third parties (processors) who received the incorrect data so they can correct it too. For instance, if we have the wrong spelling of your name or an outdated email, just let us know and we will fix it promptly (typically within a month or sooner).
- Right to Erasure: Also known as the “right to be forgotten.” You may ask us to delete or remove your personal data in certain circumstances:
- The data is no longer necessary for the purpose we collected it.
- You initially consented to the use of your data, but have now withdrawn that consent, and we have no other legal basis to keep it.
- You have objected to us using your data (see the right to object below) and we have no overriding legitimate grounds to continue.
- We processed your data unlawfully (in violation of GDPR).
- We must erase your data to comply with a legal obligation.
Note that this right is not absolute. We may refuse erasure if the processing is necessary for exercising the right of freedom of expression, compliance with a legal obligation, reasons of public interest (e.g., public health, historical or scientific research), or for the establishment, exercise, or defence of legal claims. In the client context, if you request deletion, we will remove as much as we can but might retain some minimal data if needed (e.g., to prove a transaction took place or to abide by laws). We’ll explain any such necessity if it arises.
- Right to Restrict Processing: You have the right to request that we ‘pause’ processing of your personal data in certain scenarios. Essentially, you can limit what we do with your data (short of full deletion) when:
- You contest the accuracy of the data – we’ll restrict processing until we verify the accuracy.
- The processing is unlawful but you don’t want the data erased (maybe you want us to keep it but not use it).
- We no longer need the data but you need us to keep it for establishment, exercise, or defence of legal claims.
- You have objected to our processing (see below) and we are considering whether our legitimate grounds override yours.
While processing is restricted, we will not use or share the data except for storage, to protect rights, or if you consent, etc. We will inform you before lifting any restriction.
- Right to Data Portability: For data that you provided to us, you have the right to receive that data in a structured, commonly used, machine-readable format (for example, a CSV or JSON file), and the right to have us transmit it directly to another controller where technically feasible. This applies where the processing is based on your consent or on a contract, and is carried out by automated means (digitally). It is likely to cover things like account registration details or other information you directly submitted to us electronically. It would not cover our internal notes or data we derived about you. If you need such a transfer, let us know and we will work with you to provide it or send it securely.
- Right to Object: You may object, on grounds relating to your particular situation, to processing of your personal data that we have justified on the basis of legitimate interests. If you object, we will stop processing that data unless we have compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or we need to continue processing for the establishment, exercise, or defence of legal claims.
Importantly, you have an absolute right to object to direct marketing. This means if you object to or unsubscribe from marketing, we will cease using your data for that purpose immediately (no exceptions). This includes any profiling related to marketing. Practically, this is as simple as clicking “unsubscribe” in an email or letting your CPS contact know you don’t want marketing.
- Rights related to Automated Decision-Making and Profiling: As noted, CPS does not currently engage in automated decision-making without human involvement that produces legal or similarly significant effects. Should we ever implement such processes, you would have the right not to be subject to such a decision (in most cases), and to request human intervention or challenge the decision. For completeness, we mention this right, but it isn’t applicable to our current processing of client data.
These rights are provided free of charge. However, if a request is manifestly unfounded or excessive (for example, repetitive without good reason), we may charge a reasonable fee or refuse to act on it. We will of course explain our reasoning in such cases.
How to Exercise Your Rights: Please contact us using the information in Section 1 (email is often most convenient: [email protected]) to make any request. To protect your privacy, we may need to verify your identity—this could be through confirming some details we have on file or asking for identification in a secure manner. We aim to respond to all legitimate requests within one month. If your request is particularly complex or if you’ve made a number of requests, we may extend this by a further two months, but we will let you know and keep you updated.
If we cannot fulfil your request in whole or in part, we will provide a clear explanation. For example, if you request deletion, we might not erase data that we are required to keep for legal purposes—but we would tell you that and restrict its use.
We will also inform other parties to whom we’ve disclosed your data, as far as possible, about any rectification, erasure, or restriction you’ve requested, unless doing so proves impossible or involves disproportionate effort (in which case we will, upon request, inform you about those recipients).
10. Questions, Concerns, and Complaints
If you have any questions or concerns about this Privacy Notice or CPS’s handling of your personal data, we encourage you to contact us first (see Section 1 for how to reach us). Our team will do its best to resolve your issue quickly and thoroughly. We value the opportunity to address your concerns and improve our practices.
However, if you are not satisfied with our response or believe we are processing your personal data unlawfully or not in line with data protection law, you have the right to lodge a complaint with a supervisory authority.
For individuals in the UK, the relevant supervisory authority is the Information Commissioner’s Office (ICO). The ICO can be contacted as follows:
- Website (for reporting concerns online): https://ico.org.uk/make-a-complaint/
- Telephone: +44 303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
If you are in the European Union, you can contact the data protection authority in the country where you live or work, or where you believe an infringement occurred. For example, in Ireland it’s the Data Protection Commission (DPC), in France the CNIL, in Germany the regional Data Protection Authorities, etc. A list can be found on the European Data Protection Board’s website.
You also have the right to seek a judicial remedy through the courts if you believe your rights have been violated.
That said, we genuinely hope that will never be necessary. CPS is fully committed to protecting your data and addressing any issues. We will investigate and respond to any complaint we receive. If we have made a mistake, we will take responsibility and work to correct it and prevent it from happening again.
11. Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, to clarify our policies, or to ensure compliance with applicable laws. If we make significant changes, we will notify clients and users by appropriate means – for example, by emailing our active clients or by placing a prominent notice on our website.
The “Last Updated Date” at the bottom of this notice indicates when the latest changes were made.
If changes are minor (e.g., wording improvements or small adjustments), we may not directly notify all clients, so we encourage you to review this notice periodically to stay informed about how we protect your data.
If we were to use your personal data for a new purpose not originally described here, we would inform you and, if necessary, seek your consent before doing so.
Using our services or engaging with us after an update to the Privacy Notice will be taken as acknowledgement of the revised terms, to the extent permitted by law.
12. Contact Information
If you have any questions about this Privacy Notice or our data protection practices, please don’t hesitate to reach out:
Corporate Project Solutions Ltd (CPS)
Address: 450 Brook Drive, Reading, RG2 6UU, United Kingdom
Email: [email protected]
Phone: +44 (0)1628 321321
This Privacy Notice is issued by Corporate Project Solutions Ltd. (registered in England and Wales, no. 03014568).
Last Updated: 15 September 2025