Privacy Policy

Our Responsibilities

This Privacy Policy for Bridewell Consulting Limited (‘Bridewell’, ‘we’, ‘us’, or ‘our’) describes how and why we collect, store, use, and/or share (‘process’) your personal data and information when you use our services (‘Services’), such as when you:

  • Visit our website at https://www.bridewell.com/
  • Express an interest in or take up one of our Services.
  • Engage with us in other related ways, including any sales, marketing, or events.

Bridewell is responsible for the data we collect and process for our own purposes. We’re committed to maintaining the security and privacy of the personal data we process, whether through our website or through our interactions with clients, prospects, or industry partners.

Whether we are supporting our clients or managing our own data, privacy and security are at the heart of our operations. Whilst we take appropriate measures in our own practices, security and privacy are at the core of our business operations, so it is imperative that we operate in accordance with and, where possible, above industry and regulatory requirements.


Contacting us

Should you wish to contact us to find out more about how we process personal data and information, to exercise your rights, make a complaint or to discuss our practices, please use the following details:

  • Email: dataprivacy@bridewell.com
  • Post: Data Protection Officer, Bridewell Consulting Ltd, 40 Caversham Road, Reading, RG1 7EB.
  • Telephone: +44 (0) 3303 110 940


What personal data will we collect about you?

Personal data or personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data and personal information which have been grouped together below:

Category: Personal Data Items

Identity data: Includes first name, last name, alias, unique personal identifier (such as an ID number or password), online identifiers (such as an IP address) and account name (the name provided as the account holder).

Contact data: Includes postal address, email address and telephone or mobile number.

Internet or other similar network activity: Online behaviour and interactions with our and other websites, applications, systems, and advertisements. Some of this information will be collected through cookies and similar technologies. You can read more about this in our Cookie Policy.

Professional or employment-related information: Business contact details or job title, used to provide our Services to you at a business level.


How will we collect your personal data?

We use different methods to collect data from and about you including:

Personal data and information provided by you: The personal data and information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products you use. We will typically collect personal data directly from you via our website or in-person, such as during an industry event.

Third parties or publicly available sources: To enhance our ability to provide relevant marketing, offers, and Services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, data providers, and from other third parties. Third party sources include LinkedIn and Cognism Limited.

Information automatically collected: We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies, which you can read more about in our Cookie Policy.

How do we use your personal data? 

The following table sets out why we process your personal data and information and our lawful basis for processing your personal data, in accordance with UK and EU Legislation. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.


Each entry below gives the purpose/activity, the lawful basis for processing, and the personal data categories.

Purpose/activity: To provide our Services.
Although our core Services do not revolve around collecting and processing personal data, we may process small amounts of personal data in order to fulfil our contractual obligations. This includes management of contracts, using job titles in reports and sending email communications to our clients.
Lawful basis for processing: This processing may be necessary for the performance of a contract, or to take steps prior to entering a contract, which Bridewell and our clients are subject to.
Personal data categories:
  • Name
  • Email addresses
  • Address
  • Contact number
  • Signatures
  • Business contact details

Purpose/activity: To handle website enquiries.
We have a Contact Us page on this website, which allows individuals to ask questions about our Services. The Contact Us page and any correspondence sent via email is monitored by our internal teams, to ensure we identify and handle your request effectively.
Lawful basis for processing: This processing is carried out for our legitimate interests, enabling Bridewell to facilitate your enquiry.
Personal data categories:
  • Name
  • Business email address
  • Business telephone number
  • Job title

Purpose/activity: To engage with prospective clients.
We process basic business contact information of prospective clients and opportunities, which may initially be collected via sales meetings, business cards, verbally, events we may host, speak at, or attend. We may obtain information from third parties or publicly available sources, including those outlined under the section ‘How will we collect your personal data?’.
Lawful basis for processing: This processing is carried out for our legitimate interests for us to promote our Services to your organisation. This information may also be processed for the performance of a contract, or to take steps prior to entering a contract, when you are a named signatory within the contract.
Personal data categories:
  • Name
  • Email addresses
  • Address
  • Contact number
  • Business contact details
  • Email conversations
  • Physical and Electronic Signatures

Purpose/activity: To manage Financial Accounting and Administration.
Our financial management and accounting Services process basic client contact information to fulfil our accounting requirements. This ranges from invoices, account details, timesheet approvals, statement of works, terms and conditions and bank details.
Lawful basis for processing: This processing is necessary for the performance of a contract with you, or to meet our legal obligations for financial reporting.
Personal data categories:
  • Name
  • Email addresses
  • Address
  • Contact number
  • Business contact details
  • Email conversations
  • Signatures
  • Client and Supplier Bank Details

Purpose/activity: To collect information on Associates / Contractors.
We process basic contact and work information in relation to associates and contractors who would like to work with us or one of our clients. This information could be collected through our website, email, LinkedIn, recruitment agencies or job advertising boards.
Lawful basis for processing: This processing is necessary for the performance of a contract with you, or to take steps prior to entering a contract when you are a named signatory within the contract.
Personal data categories:
  • Name
  • Email addresses
  • Address
  • Telephone details
  • Skills
  • Job history
  • Bank account details
  • Company insurance details
  • Passport
  • Driving licence
  • References and email conversation

Purpose/activity: To send you marketing and promotional communications.
From time to time, we may email you about our Services or events (including webinars and in-person) which may be of interest to you or your organisation.
We will only ever contact you with these communications if we consider you to be a ‘Corporate subscriber’ and the content is relevant to your role as an employee at the organisation you work for.
Lawful basis for processing: This processing is carried out for our legitimate interests for us to promote our Services or events to your organisation. You can tell us not to contact you by following the unsubscribe instructions on any communications sent to you. We will only send communications to individuals within organisations where we believe we have a legitimate interest to do so.
If you do not wish to receive any form of communication from Bridewell then simply inform us through our contact page, email dataprivacy@bridewell.com or you can unsubscribe using the ‘unsubscribe’ link available at the bottom of any of our communications.
Personal data categories:
  • Full name
  • Job title
  • Email address
  • Phone number

Purpose/activity: To identify usage trends and understand our customer journeys.
We will process information about how you use our Services.
Lawful basis for processing: This processing is carried out for our legitimate interests to analyse and improve your user experience and the performance of our website.
Personal data categories:
  • IP Address
  • Social Media IDs
  • Unique Visitor IDs
  • Telephone Number

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.


Sharing your personal data

As you’d expect, our employees will access personal information for the purposes mentioned above. For example, our Business Development staff may need access to your details to support you when you get in contact with us. 

We will also share information with third parties including service providers, business partners and sub-contractors for business administration, support, processing, Services, or IT purposes.

Please note that any third parties will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We may also share your personal data with a third party who has purchased or merged with our organisation, in which case personal data held by us, about you, will be transferred to that third party to carry on our business.

Security of your personal data

At Bridewell we take the security of personal data extremely seriously. We have implemented a mixture of cyber security and privacy controls including encryption, and a Business Management System (BMS) which underpins our ISO27001:2013, ISO9001:2015, ISO27701:2019 and Cyber Essentials Plus Certifications.

Bridewell are also a certified National Cyber Security Centre (NCSC) consultancy and a registered member of the Council for Registered Ethical Security Testers (CREST), which ensures the methodologies used for delivery of our Services meet the expectations of the UK Government’s technical security arm.

We assess security for Confidentiality, Integrity, and Availability to ensure that data remains protected, accurate and available for its intended purposes. Some of the core controls we have implemented as part of these certifications are:

  • Multi-Factor Authentication (MFA) on all internet-based systems
  • Encryption of data at rest and in transit
  • Technical assessments of our systems for vulnerabilities and configuration weaknesses
  • Controlled access to only approved individuals
  • Screening of all employees to a minimum of the Baseline Personnel Security Standard (BPSS)
  • Data handling training for all employees
  • Policies and procedures on secure operations and configuration of systems


International Data Transfers

Although our systems and Services are primarily located within the United Kingdom and EEA, there may be occasions where your personal data will be processed outside of this, in countries not deemed by UK and EU GDPR to have adequate Data Protection safeguards in place. Bridewell has implemented appropriate measures to ensure an adequate level of protection of your personal data if it is transferred outside of the UK or EEA. These measures include our processors entering into Standard Contractual Clauses or by way of derogations for specific circumstances.


Automated decision making and profiling

Automated decisions are where a computer makes decisions about you without a person being involved.  Profiling is the recording and analysis of a person's psychological and behavioural characteristics, to assess or predict their capabilities or to assist in identifying categories of people.

Bridewell does not make automated decisions about or profile its clients or customers.


How long will we keep your personal data?

Bridewell only processes personal data for as long as necessary to meet our legal obligations or where we have a legitimate business reason for keeping it. We review personal data on a case-by-case basis and document the period of retention for each.

For further information on how long personal data is likely to be kept before being removed from our systems and databases, please contact us via: dataprivacy@bridewell.com


Your rights

Under Data Protection Legislation you have a number of Rights that are focused on placing you in control of how your data is processed.

You can exercise these Rights by emailing us at dataprivacy@bridewell.com or by writing to: Bridewell Consulting, 40 Caversham Road, Reading, RG1 7EB.

We may ask you for identification prior to disclosing any data, as we need to ensure we only disclose information to the person entitled to it.

You have the following Rights in relation to the processing of your personal data:

Data Subject Right: Description

Right to be informed: A right to be informed about the personal data we hold about you.

Right of access: A right to access the personal data we hold about you.

Right to rectification: A right to require us to rectify any inaccurate personal data we hold about you.

Right to erasure: A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):
  • We no longer need to use the personal data to achieve the purpose we collected it for.
  • Where you withdraw your consent if we are using your personal data based on your consent.
  • Where you object to the way we process your data (see the right to object described below).
If you request us to delete your data, we will retain minimum personal data to document these requests and thereby avoid using your personal data for any other purpose.

Right to restrict processing: In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):
  • You dispute the accuracy of the personal data held by us.
  • Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead.
  • Where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising, or defending legal claims.

Right to data portability: In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used, and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.

Right to object: A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we can demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights, or which are for the establishment, exercise or defence of legal claims.
In particular, you can exercise your right to object to marketing communications being sent to you by utilising opt-out mechanisms in emails we send to you.

Right related to automated decision-making and profiling: A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to withdraw your consent: A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters).


Your right to complain to the supervisory authority

If you’re unhappy with how we’re using your personal data, you have the right to complain to a Supervisory Authority.  We’d encourage you to contact us first, so we can handle any queries or concerns you may have.

In the UK, the Supervisory Authority is The Information Commissioner who can be contacted by:

  • Visiting their website www.ico.org.uk
  • Phoning 0303 123 1113
  • Writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


Additional Information for US Residents

If you reside in the US, this section supplements the information contained in the Privacy Policy. US residents have specific rights regarding their personal information which are set out in Applicable Data Privacy Legislation including but not limited to:

The California Consumer Privacy Act (“CCPA”) became effective on January 1, 2020 and is supplemented by the California Privacy Rights Act (“CPRA”) which became effective on January 1, 2023 (applicable to personal data collected from January 1, 2022) and created a variety of privacy rights for California consumers. Additionally, Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023) have passed laws extending similar privacy rights to their consumers.

Please note that in the preceding twelve (12) months, we have not sold your personal information.

We may disclose certain personal information, such as your first and last name, email address, job title/position, and other similar contact data, financial information, and employment details, to our subsidiaries and affiliates and other third parties, including service providers who provide Services on behalf of Bridewell. When personal information is disclosed to a subsidiary, affiliate or other third party, the recipient entity will be obligated to provide the same level of privacy protection required under Applicable Data Privacy Legislation.

You have the following Rights in relation to the processing of your personal data.

Personal Information Right: Description

Notice of and Access to personal information: A right to notice of and access to certain information about our collection and use of your information.

Correction of personal information: A right to ask for inaccurate personal information to be corrected.

Deletion of personal information: A right to ask that we delete your personal information relating to you, subject to certain exceptions.

Objection to the sale of or sharing of personal information: A right to ask for your personal information to not be sold or shared with a third party, subject to certain exceptions.

To transmit personal information to another entity: A right to ask for your personal information to be transferred, in a readily useable format, to another entity.


None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.

Only you or an authorised agent (that you authorise to act on your behalf), may make a verifiable request related to your personal information.

Any verifiable request (including those to delete data) must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorised representative (such as by requiring you to provide a signed written authorisation that the agent is authorised to make a request on your behalf).
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.


We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

You may exercise your rights under Applicable Data Privacy Legislation by contacting us by the means described in the ‘Contacting Us’ section of this policy.


Changes to our Privacy Policy

We keep this notice under review and will reflect any updates or changes to practice within this notice (to reflect changes in operations and the way we process your data). This notice was last updated in November 2023.