Privacy Policy
Our Responsibilities
This Privacy Policy for Bridewell Consulting Limited (‘Bridewell’, ‘we’, ‘us’, or ‘our’,), describes how and why we collect, store, use, and/or share (‘process’) your personal data and information when you use our services (‘Services’) such as when you:
- Visit our website at https://www.bridewell.com/us/
- Express an interest in or take up one of our Cyber Security Services
- Engage with us in other related ways, including any sales, marketing, or events.
Bridewell is responsible for the data we collect and process for our own purposes. We’re committed to maintaining the security and privacy of the personal data we process, whether through our website or through our interactions with clients, prospects, or industry partners.
Whether we are supporting our clients or managing our own data, privacy and security are at the heart of our operations. Whilst we take appropriate measures in our own practices, security and privacy is at the core of our business operations, so it is imperative we operate in accordance and where possible above industry and regulatory requirements.
Contacting us
Should you wish to contact us to find out more about how we process personal data and information, to exercise your rights, make a complaint or to discuss our practices, please contact us using the following details:
- Email: dataprivacy@bridewell.com
- Post: Data Protection Officer, Bridewell Consulting Ltd, 40 Caversham Road, Reading, RG1 7EB.
- Telephone: +44 (0) 3303 110 940
What personal data will we collect about you?
Personal data or Personal Information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data and personal information about you including:
| Category | Personal Data Items |
|---|---|
| Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, and account name |
| Internet or other similar network activity | Online behavior and interactions with our and other websites, applications, systems, and advertisements |
| Professional or employment-related information | Business contact details to provide you our Services at a business level or job title. |
How will we collect your personal data?
We use different methods to collect data from and about you including:
Personal data and information provided by you: The personal data and information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products you use.
Third parties or publicly available sources: To enhance our ability to provide relevant marketing, offers, and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, data providers, and from other third parties. This information includes postal addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), Internet Protocol (IP) addresses, social media profiles, social media URLs, and custom profiles, for purposes of targeted advertising and event promotion.
Information automatically collected: We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies, which you can read more about in our Cookie Policy.
How do we use your personal data?
The following table sets out why we process your personal data and information and our lawful basis for processing your personal data, in accordance with UK and EU Legislation. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.
| Purpose/activity | Lawful basis for processing | Personal Data Categories | Third Party Recipients | |||||
| Security and Privacy Consulting Services. Although our core services do not revolve around collecting and processing personal data, we often process personal data as part of delivering our Cyber Security and Data Privacy services to clients. This can range from our client’s data or our client’s employee’s or end users’ data. | This work and subsequent processing of data is all performed under a contract or with a view of entering one, which Bridewell and our clients are subject to. | · Name · Email addresses · Address · Contact number · Signatures · Business contact details | · Microsoft | |||||
| Website Enquiries We have a Contact Us page on this website, which allows individuals to ask questions about our services, including exercising your rights under Data Protection Legislation. The Contact Us page and any correspondence sent via email is monitored by our internal teams, to ensure we identify and handle your request effectively. | This data is processed under our legitimate Interests and only used to facilitate your enquiry. | · Name · Business email address · Business telephone number · Job title · Subject Field · Free text field | · WordPress · Pardot · Salesforce | |||||
| Prospective Clients We process basic business contact information of prospective clients and opportunities, which may initially be collected via sales meetings, business cards, verbally, events we may host, speak at, or attend. | This processing is in Bridewell’s Legitimate Interests or fulfilling our requirements when entering into or in the Performance of a Contract with a client. | · Name · Email addresses · Address · Contact number · Business contact details · Email conversations · Physical and Electronic Signatures | · Salesforce · DocuSign · GoToWebinar · Pardot | |||||
| Financial Management, Accounting and Administration Our financial management and accounting services process basic client contact information to fulfil our accounting requirements. This ranges from invoices, account details, timesheet approvals, statement of works, terms and conditions and bank details | This processing is primarily to enable us to perform our side of the contract with our client and meet our legal obligations for financial reporting. | · Name · Email addresses · Address · Contact number · Business contact details · Email conversations · Signatures · Client and Supplier Bank Details | · Salesforce · Xero | |||||
| Associates / Contractors We process basic contact and work information in relation to associates and contractors who would like to work with us or one of our clients. This information could be collected through our website, email, LinkedIn, recruitment agencies or job advertising boards. | This processing is undertaken under Bridewell’s legitimate interests and in the performance of a contract or with a view to entering into one. | · Name · Email addresses · Address · Telephone details · Skills · Job history · Bank account details · Company insurance details · Passport · Driving license · References and email conversations. | · LinkedIn | |||||
| To send you marketing and promotional communications: From time to time, we may email you about our Services which may be of interest to you or your organization. We will only ever contact you with these communications if we consider you to be a ‘ Corporate subscriber’ and the content is relevant to your role as an employee at the organization you work for. | We only send communications to individuals within organizations where we believe we have a legitimate interest to do so. | · Full name · Job title · Email address · Phone number | · Dotmailer · Pardot | |||||
| To identify usage trends: We will process information about how you use our Services to better understand how they are being used so we can improve them. | This processing is carried out in Bridewell’s legitimate interests so that we can better understand and improve our Services. | · IP Address · Social Media ID’s · Unique Visitor ID’s | · Google Analytics · Meta (Facebook, Instagram) · Pardot | |||||
In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.
Marketing and Events
We want to ensure that our customers and businesses with an interest in Cyber Security and Data Privacy can receive the latest insights, news, and information regarding our services. We only send communications to individuals within organizations where we believe we have a legitimate interest to do so. Where an individual uses our contact page, we also ask for consent to send communications, as a simple enquiry does not satisfy grounds to send communications of this nature after dealing with your request.
Our main form of providing information on our products, services, events and industry research and insight are via;
Industry Events – This is where Bridewell are either showcasing our services, whereby we produce information about our services and capabilities. We may also run competitions but will only communicate with you for the purposes of that competition, so entering a competition doesn’t mean you get bombarded with marketing material. We may also exchange business cards at events and we will email you to follow up on our interaction with you. This does not mean we will send you marketing material, but we will enter any information about opportunities into our sales system to ensure we have provided you with the information you require.
Social Media – Bridewell make use of social media platforms such as LinkedIn, Instagram, Facebook and Twitter. We as a business sign up to the terms and conditions of the provider and use the platforms to provide insight into the latest cyber security and data privacy activities taking place across the world, to promote Bridewell’s employees, services and provide you with our latest thought leadership content on different subject matter.
Webinars – We conduct webinars on topics which are relevant to our services and industries we operate within. In order to deliver the webinar, we require your personal data to provide you with the webinar details and how you can access the services. Our webinars are publicized through our website, social media platforms, email and via Eventbrite. Anyone wishing to attend would be required to register via our website or Eventbrite. We collect first name, surname, email addresses and company name of the person wishing to attend. When collecting this information, we will also ask for your permission to contact you for future marketing purposes. You may also have the opportunity to provide questions prior to the webinar and this may involve an optional request for your email address beforehand to facilitate answering the question during the webinar. We process your data only for delivering the webinar and this is processed under Bridewell’s Legitimate Interests.
If you do not wish to receive any form of communication from Bridewell then simply inform us through our contact page, email dataprivacy@bridewell.com or you can unsubscribe using the ‘unsubscribe’ link available at the bottom of any of our communications.
Sharing your personal data
As you’d expect, our employees will access personal information for the purposes mentioned above. For example, our Business Development staff may need access to your details to support you when you get in contact with us.
We will also share information with third parties including:
- Service providers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes.
- A third party who has purchased or merged with our organization, in which case personal data held by us, about you, will be transferred to that third party to carry on our business.
Please note that any third parties will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
Security of your personal data
At Bridewell we take the security of personal data extremely seriously. We have implemented a mixture of cyber security and privacy controls including encryption, and a Business Management System (BMS) which underpins our ISO27001:2013, ISO9001:2015, ISO27701:2019 and Cyber Essentials Plus Certifications.
Bridewell are also a certified National Cyber Security Centre (NCSC) consultancy and a registered member of the Council for Registered Ethical Security Testers (CREST), which ensures our methodologies used for delivery of our services meet the expectations of the UK Governments Technical security arm.
We assess security for Confidentiality, Integrity, and Availability to ensure that data remains protected, accurate and available for its intended purposes. Some of the core controls we have implemented as part of these certifications are:
- Multi-Factor Authentication (MFA) on all internet-based systems
- Encryption of data at rest and in transit
- Technical assessments of our systems for vulnerabilities and configuration weaknesses
- Controlled access to only approved individuals
- Screening of all employees to a minimum of the Baseline Personnel Security Standard (BPSS)
- Data handling training for all employees
- Policies and procedures on secure operations and configuration of systems
International Data Transfers
Primarily our systems and services are located within the United Kingdom and EEA.
There may be occasions where your Personal Data will be processed outside of UK or EEA and in countries that are deemed not to have adequate Data Protection safeguards in place, in accordance with the UK and EU GDPR. Some locations of the industry leading systems we use are hosted in the UK but process data outside of the UK or EEA in countries, including but not limited to, the United States of America.
There may also be rare occasions where our employees work outside of Europe and access systems from outside the EEA.
Bridewell has implemented appropriate measures to ensure an adequate level of protection of your Personal Data, when transferred to countries outside of the UK or EEA and countries deemed to have inadequate safeguards. These measures include our processors entering into Standard Contractual Clauses or by way of derogations for specific circumstances.
Automated decision making and profiling
Automated decisions are where a computer makes decisions about you without a person being involved. Profiling is the recording and analysis of a person's psychological and behavioral characteristics, to assess or predict their capabilities or to assist in identifying categories of people.
Bridewell does not make automated decisions about or profile its clients or customers.
How long will we keep your personal data?
Bridewell only processes personal data for as long as necessary to meet our legal obligations or where we have a legitimate business reason for keeping it. We review personal data on a case-by-case basis and document the period of retention for each.
For further information on how long Personal Data or Personal Information is likely to be kept before being removed from our systems and databases, please contact us via: dataprivacy@bridewell.com
Your rights
Under Data Protection Legislation you have a number of Rights that are focused on placing you in control of how your data is processed.
You can exercise these Rights by emailing us at dataprivacy@bridewell.com or by writing to: Bridewell Consulting, 40 Caversham Road, Reading, RG1 7EB.
We may ask you for identification prior to disclosing any data, as we need to ensure we only disclose information to the person entitled to it.
You have the following Rights in relation to the processing of your personal data:
| Data Subject Right | Description |
|---|---|
| Right to be informed | A right to be informed about the personal data we hold about you. |
| Right of access | A right to access the personal data we hold about you. |
| Right to rectification | A right to require us to rectify any inaccurate personal data we hold about you. |
| Right to erasure | A right to ask us to delete the personal data we hold about you. This right will only apply where (for example): · We no longer need to use the personal data to achieve the purpose we collected it for. · Where you withdraw your consent if we are using your personal data based on your consent. · Where you object to the way we process your data (see the right to object described below). If you request us to delete your data, we will retain minimum personal data to document these requests and thereby avoid using your personal data for any other purpose. |
| Right to restrict processing | In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example): · You dispute the accuracy of the personal data held by us. · Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead. · Where we no longer need to use the personal data to achieve the purpose, we collected it for, but you need the data for the purposes of establishing, exercising, or defending legal claims. |
| Right to data portability | In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used, and machine-readable format. You also have the right to require us to transfer this personal data to another organization, at your request. |
| Right to object | A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we can demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights, or which are for the establishment, exercise or defense of legal claims. In particular, you can exercise your right to object to marketing communications being sent to you by utilizing opt-out mechanisms in emails we send to you. |
| Right related to automated decision-making and profiling | A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you. |
| Right to withdraw your consent | A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters). |
Your right to complain to the supervisory authority
If you’re unhappy with how we’re using your personal data, you have the right to complain to a Supervisory Authority. We’d encourage you to contact us first, so we can handle any queries or concerns you may have.
In the UK, the Supervisory Authority is The Information Commissioner who can be contacted by:
- Visiting their website www.ico.org.uk
- Phone on 0303 123 1113
- Write to Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Additional Information for US Residents
If you reside in the US this section supplements the information contained in the Privacy Policy. US residents have specific rights regarding their personal information which are set out in Applicable Data Privacy Legislation including but not limited to:
The California Consumer Privacy Act (“CCPA”) became effective on January 1, 2020 and is supplemented by the California Privacy Rights Act (“CPRA”) which became effective on January 1, 2023 (applicable to personal data collected from January 1, 2022) and created a variety of privacy rights for California consumers. Additionally, Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023) have passed laws extending similar privacy rights to their consumers.
Please note that in the preceding twelve (12) months, we have not sold your personal information.
We may disclose certain personal information, such as your first and last name, email address, job title/position, and other similar contact data, financial information, and employment details with our subsidiaries and affiliates and other third parties, including service providers who provide services on behalf of Bridewell. When personal information is disclosed to a subsidiary, affiliate or other third party the recipient entity will be obligated to provide the same level of privacy protection required under Applicable Data Privacy Legislation.
You have the following Rights in relation to the processing of your personal data;
| Personal Information Right | Description |
|---|---|
| Notice of and Access to Personal Information | A right to notice of and access to certain information about our collection and use of your information. |
| Correction of Personal Information | A right to ask for inaccurate personal information be to be corrected. |
| Deletion of Personal Information | A right to ask that we delete your personal information relating to you, subject to certain exceptions. |
| Objection to the sale of or sharing of Personal Information | A right to ask for your personal information to not be sold or shared with a third party, subject to certain exceptions. |
| To transmit Personal Information to another entity | A right to ask for your personal information to be transferred, in a readily useable format, to another entity. |
None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.
Only you or an authorized agent (that you authorize to act on your behalf), may make a verifiable request related to your personal information.
Any verifiable request (including those to delete data) must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative (such as by requiring you to provide a signed written authorization that the agent is authorized to make a request on your behalf).
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
You may exercise your rights under Applicable Data Privacy Legislation by contacting us by the means described in the ‘Contacting Us’ section of this policy.
Changes to our Privacy Policy
We keep this notice under review and will reflect any updates or changes to practice within this notice (to reflect changes in operations and the way we process your data). This notice was last updated in February 2023.