Legal

Website Privacy Notice

This notice explains what personal information we collect, why we collect it, and how we use it. Version 2.2 — last updated June 2026.

Data Controller	Osprey Consulting Limited
Data Protection Contact	Mark Hart, Director
Company number	14597272
ICO registration number	ZC141119
Version	2.2
Date issued	June 2026
Next review	June 2027 (or earlier if material changes)

Osprey Consulting Limited (company number 14597272) is a company registered in England and Wales. Our registered address is 3rd Floor, 86–90 Paul Street, London, EC2A 4NE.

In this notice, we refer to ourselves as 'we', 'us' or 'our'. We are the Data Controller of the personal information we collect, hold and use about you.

You can contact us by emailing contact@ospreyconsulting.co.uk or by writing to us at the address above.

We take the privacy and security of your personal information seriously. This notice explains what information we collect, why we collect it, and how we use it. Please read it carefully.

We may update this notice from time to time. This version was last updated in June 2026.

1. Key definitions

Data Controller: the organisation or person responsible for deciding how personal information is collected, stored and used.
Data Processor: an organisation appointed by a Data Controller to carry out certain tasks with personal information on its behalf.
Personal Information: any information from which a living individual can be identified. It does not include anonymised information.
Special Information: certain particularly sensitive categories of personal data that require extra protection under data protection law, including health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life and sexual orientation, genetic information, and biometric information.

2. Personal information we collect

Osprey is a B2B consultancy. The personal information we hold is limited to what is needed to provide our services and run our business. The table below sets out the categories we collect.

Category	Types of data	Retention period
Identity information	Name, job title	10 years
Contact information	Business email address, business telephone number, business address	10 years
Transaction information	Details of services provided, invoices, payment records	10 years (statutory requirement)
Marketing and communications preferences	Preferences for receiving marketing communications from us	Until you opt out or request deletion

We do not collect or hold any Special Information about you.
We do not collect information relating to criminal convictions or offences.
We do not take payments through our website. We invoice clients directly and receive payment by bank transfer.

3. How and why we use personal information

We can only use your personal information for certain legal reasons set out in data protection law. In most cases we will rely on one or more of the following:
1. Contract Reason: to perform our obligations under a contract we have entered into with you.
2. Legitimate Interests Reason: where use of your personal information is necessary for our legitimate interests (or those of a third party), provided those interests do not override your fundamental rights and freedoms.
3. Legal Obligation Reason: where we are required to use your personal information to comply with a legal obligation.
4. Consent Reason: where you have given us your specific consent to use your personal information for a stated purpose.

The table below sets out the purposes for which we use your personal information and the legal basis for each.

Purpose	Legal basis
Providing our consulting services and managing our client relationship	Contract Reason
Raising and processing invoices and recovering payment	Contract Reason; Legitimate Interests Reason (debt recovery)
Complying with legal and accounting obligations	Legal Obligation Reason
Sending service-related communications	Contract Reason
Sending marketing communications about our services	Legitimate Interests Reason (existing client contacts); Consent Reason (where required by law)
Ensuring the smooth operation of our website and understanding how visitors use it	Legitimate Interests Reason

Where we rely on the Legitimate Interests Reason, we have carried out a balancing assessment and are satisfied that our legitimate interests are not overridden by your rights and interests.
Where we rely on consent, you have the right to withdraw it at any time by contacting us at the details above. Withdrawal of consent does not affect the lawfulness of any processing carried out before withdrawal.

4. How we collect personal information

We collect personal information in the following ways:
1. Directly from you: when you contact us, engage our services, correspond with us by email or telephone, or subscribe to our mailing list.
2. From publicly available professional sources: where we obtain personal information from publicly available professional sources, we do so only where relevant to our legitimate business interests and in accordance with applicable data protection laws.
3. Automatically: via our website (see section 5 below).

5. Cookies and website data

Our website does not currently use tracking or analytical cookies. We may use essential technical cookies required for the website to function correctly. No cookie consent is required for essential cookies.
We do not collect or store information about your device, browser, IP address, or the pages you visit on our website.
For more information about cookies generally, see allaboutcookies.org.

6. Who we share personal information with

We may share your personal information with:
1. Our professional advisers: lawyers, accountants, auditors and insurers.
2. HMRC and other regulatory bodies: where we are required to do so by law.
3. Our banking provider (Tide): for payment processing.
4. IT service providers: including our email provider (Microsoft 365) and website hosting and analytics providers.
5. Any organisation that proposes to acquire our business or assets: on a confidential basis to enable the transaction.
Where we share your personal information with a third party acting as a Data Processor, we put in place a contract that requires them to handle your information securely and only in accordance with our instructions.
We do not sell or trade your personal information.

7. International transfers

Our primary operations and data storage are in the United Kingdom. We use Microsoft 365 (OneDrive and SharePoint) to store personal information, which is hosted in UK-based Microsoft data centres.
Some of our service providers may be located in the European Economic Area or other countries. Where personal information is transferred outside the UK, we ensure that appropriate safeguards are in place, such as:
1. the transfer is to a country approved by the UK Information Commissioner as providing adequate protection;
2. the transfer is made under UK-approved standard contractual clauses or international data transfer agreements; or
3. another lawful transfer mechanism applies.

8. How long we keep personal information

We keep personal information for as long as necessary for the purposes set out in section 3, taking into account any legal obligations (such as accounting and tax record-keeping requirements) and any legitimate business need to retain records in case of legal claims.
Specific retention periods are set out in the table in section 2. These are the maximum periods; we review what we hold and delete it sooner when it is no longer needed.

9. Automated decision-making

We do not carry out automated decision-making (including profiling) that produces legal effects or similarly significant effects on you. If we ever decide to do this, we will notify you and tell you the legal basis for doing so.

10. Your rights

Under data protection law you have the following rights in relation to your personal information:
1. Right of access: to obtain a copy of the personal information we hold about you.
2. Right to rectification: to have inaccurate or incomplete personal information corrected.
3. Right to erasure: to request deletion of your personal information in certain circumstances.
4. Right to restrict processing: to request that we limit how we use your personal information in certain circumstances.
5. Right to data portability: to receive your personal information in a structured, commonly used format and transfer it to another organisation in certain circumstances.
6. Right to object: to object to us processing your personal information for direct marketing purposes, or where we rely on the Legitimate Interests Reason.
To exercise any of these rights, please contact us at contact@ospreyconsulting.co.uk. We will respond within one month. We may ask you to verify your identity before processing your request. We do not charge a fee unless a request is manifestly unfounded or excessive.

11. Marketing

We may send you marketing communications about our services where we have a legitimate interest in doing so (for example, where you are an existing client contact) or where you have consented.
You can opt out of marketing communications at any time by contacting us at contact@ospreyconsulting.co.uk or by clicking the unsubscribe link in any marketing email we send you. Opting out of marketing does not affect service communications.
We do not pass your personal information to third parties for marketing purposes.

12. Complaints

If you are unhappy about how we have handled your personal information, please contact us in the first instance so that we have the opportunity to resolve the matter.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, at www.ico.org.uk or by calling 0303 123 1113. Osprey Consulting Limited is registered with the ICO under registration number ZC141119.

13. Third-party websites

Our website may contain links to third-party websites. This privacy notice does not apply to those websites. We encourage you to read the privacy notices of any websites you visit.