Privacy Policy
Effective date: 28 February 2026
NorthWave Solutions (“we”, “us”, “our”) is committed to protecting personal data and processing it lawfully, fairly and transparently. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and what rights you have.
We act as the data controller for the personal data described in this notice, except where we act solely as a processor under a written contract with you (the client).
1. What personal data do we collect?
From website visitors & enquirers
- Name, email address, telephone number, company name
- Details of your enquiry / IT requirements / project description
- IP address, browser type/version, operating system, pages visited, timestamps
- Referral source / UTM parameters (if applicable)
From clients & business contacts
- Contact details of key personnel (name, job title, email, phone)
- Technical & security information necessary to deliver services (IP ranges, system architecture diagrams, user lists, etc.)
- Financial & billing information (invoices, payment references – limited)
- Correspondence & meeting notes
- Identity verification documents (where required for due diligence)
2. How & why do we use your personal data?
Purpose: Responding to enquiries & providing quotations
Lawful basis: Steps taken prior to entering into a contract (Art. 6(1)(b) UK GDPR)
We use your contact details and enquiry information to understand your needs and provide accurate quotations and advice.
Purpose: Delivering contracted IT services
Lawful basis: Performance of a contract (Art. 6(1)(b))
We process data necessary to migrate, secure, develop, monitor or support your IT environment as agreed in the service contract / statement of work.
Purpose: Business administration, invoicing & accounting
Lawful basis: Legal obligation (Art. 6(1)(c)) + legitimate interests (Art. 6(1)(f))
We keep financial records, raise invoices, pursue debts and comply with tax & anti-money laundering rules.
Purpose: Marketing similar services to existing clients
Lawful basis: Legitimate interests (Art. 6(1)(f))
We may inform existing clients about related services or updates. You can opt out at any time (every message includes an easy way to unsubscribe).
3. Who do we share personal data with?
- Sub-processors & service providers (Microsoft Azure, AWS, Microsoft 365, email & ticketing platforms, backup providers) – under Article 28 UK GDPR data processing agreements
- Professional advisers (accountants, lawyers, insurance brokers) when necessary for legitimate business purposes
- Regulatory authorities (HMRC, ICO, police) when legally required
- Business transfer recipients (in the unlikely event of sale/merger – subject to strict confidentiality)
We do not sell personal data to third parties for marketing purposes.
4. International transfers
Some of our sub-processors (e.g. certain cloud & support tools) are based outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, typically:
- UK International Data Transfer Agreement (IDTA) or Addendum
- Reliance on adequacy regulations (where applicable)
- Standard Contractual Clauses (old or new) + Transfer Risk Assessment
5. How long do we keep personal data?
| Data type | Retention period |
|---|---|
| Website enquiry / quote records (no contract) | 12 months |
| Client contract & project records | Duration of contract + 6 years (statute of limitations / tax purposes) |
| Financial / invoicing records | Current tax year + 6 years |
| Server access / security logs | 90 days – 24 months (depending on purpose) |
6. Your rights under UK GDPR
Right to be informed
You have the right to know how we use your data (this policy).
Right of access
You can request a copy of your personal data.
Right to rectification
You can ask us to correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”)
You can ask us to erase your personal data in certain circumstances (not usually while under active contract).
Right to restrict processing
You can ask us to restrict processing in specific situations (e.g. while accuracy is contested).
Right to data portability
This applies where processing is based on contract or consent and carried out by automated means.
Right to object
You can object to processing based on legitimate interests (including marketing).
To exercise any of these rights, contact our Data Protection Lead at:
Email: info@northwavesolutions.com
7. Security of your personal data
We implement technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.3) and at rest where appropriate
- Strong access controls, multi-factor authentication, least-privilege principles
- Regular security patching, vulnerability scanning and penetration testing
- Staff confidentiality obligations and data protection training
- Incident response plan and breach notification procedures
8. Complaints
If you are unhappy with how we have handled your personal data or responded to a rights request, please contact us first so we can try to resolve the matter.
You also have the right to complain to the UK supervisory authority:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
9. Changes to this Privacy Policy
We review and may update this notice from time to time. The date at the top of the page shows when it was last revised. Significant changes that affect your rights will be communicated prominently on the website and/or by direct contact where appropriate.