This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
This Site is owned by Shearwater Group (SWG). SWG is a member of the Alternative Investment Market, registered at 22 Great James Street, London, WC1N 3ES and with Company Number 05059457.
SWG is committed to safeguarding the privacy of personal and sensitive personal data (special category data). We collect, use and are responsible for certain personal data about you. When we do so, we are subject to the UK Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR), along with similar and applicable laws in other jurisdictions.
We take your privacy very seriously. Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share any information relating to you (your personal data) in connection with your use of our website. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.
What personal data do we process?
We will only process the minimum amount of data needed for the purposes outlined below. For website visitors, when you visit our website, there is certain information that we may automatically collect, whether you decide to use our services or not. This includes your IP address, the date and the times and frequency with which you access the website and the way you browse its content. For more details about information captured via cookies please refer to our separate cookies policy at Cookie Policy | Shearwater Group (theshearwatergroup.co.uk). For subscribers to our marketing communication, we only process your name and email address.
Lawful basis
SWG operates under a number of lawful bases as required under the data protection laws. These include:
- Consent
- Legitimate interests
- Performance of a contract
- Compliance with a legal obligation
We have provided below, examples of some data processing activities that are carried out across the SWG, along with the respective lawful bases being relied upon.
Purpose of processing | Types of Personal Data | Lawful Basis Relied Upon |
Sending marketing emails (business to business) | Name, email address, marketing preferences | Legitimate interests |
Sending marketing emails (business to customer) | Name, email address, marketing preferences | Consent |
Carrying out a data protection ‘gap analysis’ for a client | Name, email address and job role of contact | Contract |
Carrying out an audit for a client | Name, email address and job role of contact | Contract |
How do we collect your data?
SWG only collects data directly from you when you provide us with information by filling in forms on our Website.
Who do we share your data with?
We only disclose your personal data in the ways set out in this Privacy Notice or subject to any agreements in place between us.
We might need to share data in the following circumstances:
1. Across the SWG lines of business, as part of a need to know or as part of improving our existing solutions and services or as part of providing new solutions and services. These lines of business consist of the following legal entities, all registered at 22 Great James Street, London, England, WC1N 3ES
- Xcina limited, company number 10835789
- Xcina Consulting limited, company number 1085775
- Shearwater Shared Services limited, company number 11331923
- Geolang limited, company number 05719222
- SecurEnvoy limited, company number 04866711
- Brookcourt Solutions limited, company number 05356175
- Pentest limited, company number 11925182
2. To trusted third parties who process personal data on our behalf, such as systems providers.
We do not sell, rent or trade any of your personal data.
3. In certain circumstances we may also disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
- If we are, or substantially all of our assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of SWG, our lines of business, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We have provided below, examples of the data retention periods applied across the SWG for different types of personal data
Type of personal data | Retention period | Type of personal data (change to Justification) |
Applications relating to unsuccessful job applicants | 6 months from date of application | Business need / best practice |
Invoices from suppliers | 7 years from invoice date | Limitation Act 1980 |
Employee personnel files | 7 years after employee leaves the company | Limitation Act 1980 |
Data subject access requests | 2 years from last action | Business need/best practice |
How do we protect your data?
Where SWG acts as the data controller of personal data, it will ensure that necessary and adequate safeguards are in place to prevent unauthorised access, loss, misuse or alteration of your personal data.
We store all personal data on secure servers with relevant access and firewall controls. We also carry out regular security testing to ensure that your personal data is protected.
Any personal data sent to us, either in writing or email, may be insecure in transit and we cannot guarantee its delivery.
International data transfers
Personal data that we collect is only stored in the UK, the EU and the USA. Where data is stored outside the UK or the EU, we ensure that there are adequate security controls in place, such as contractual arrangements, to ensure it is processed appropriately.
Your legal rights
SWG tries to be as open as it can be in terms of giving people access to their personal data and we have outlined your rights below.
You have the right to ask us:
- whether we are processing your personal information and the purposes it is processed for (the right to be informed) – this is delivered through ‘fair processing information’ such as this Privacy Notice;
- for a copy of the personal information that we hold about you (the right of access);
- to update or correct your personal information (the right to rectification);
- to delete your information (the right to erasure); and
- to restrict processing of your personal information where appropriate (the right to restrict processing).
In certain circumstances you also have the right to:
- object to the processing of your personal information (the right to object);
- object to automated decision making and profiling (the right not to be subject to automated decision-making including profiling); and
- request that information about you is provided to a third party in a commonly used, machine readable form (the right to data portability)
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable admin fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex. In such instances, we will notify you and keep you updated.
How to manage your marketing consents
You may give and withdraw consent to the receipt of marketing information and tell us your communication preferences at any time. If you wish to change your preferences regarding the receipt of marketing or other communications from us please contact marketing-group@theshearwatergroup.co.uk. You may also use the ‘unsubscribe’ link at the bottom of any marketing communication.
Updates to this policy
In order to remain compliant with any legal and regulatory obligations, or as part of our evolving business practices, we may update this Privacy Notice from time to time by publishing a new version. In certain instances, we may notify you.
Third party websites
We are not responsible for the practices employed by Third Party Websites linked to or from our Website nor the information or content contained therein. Often links to other websites are provided solely as reference points to information on topics that may be useful to the users of our Website. Please remember that when you use a link to go from our Website to a Third-Party Website, our Privacy Notice will no longer apply. Your browsing and interaction on any other Website, including Third Party Websites, which have a link on our Website, are subject to that Website’s own Privacy Notice.
How to get in touch/making a complaint
To exercise all relevant rights, queries or complaints in relation to this policy or any other data protection matter between you and us, please in the first instance contact us via:
- Email: dpo@theshearwatergroup.co.uk
- Telephone: +44 (0)20 3745 7820
- In Writing: Data Protection Officer, Xcina Consulting, 32 Threadneedle Street, London EC2R 8AY, UK
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the data protection regulator; the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England, UK.
Shearwater Group plc website use of Cookies
Details of how cookies are used on the Shearwater Group’s website can be found here.