Privacy Notice (UK/EU)

Effective date: 18/08/2024
Last updated: 18/08/2024

Riada Consultancy ("we", "us", "our") is committed to protecting your personal data and being transparent about how we use it. This Privacy Notice explains what personal data we collect on our website and through our services, why we collect it, how we use it, how long we keep it, who we share it with, and the rights you have.

Important: Some sections include bracketed placeholders [like this] where you should insert your specific information.

1. Who we are (Controller details)

Controller: Riada Consultancy Ltd. Registered office: Spaces Ealing Aurora, 71–75 Uxbridge Road, Ealing, London, England, W5 5SL. Company number: 10566124. ICO registration number: ZB131839.

Contact for privacy matters: Name: Gemma Adair. Role: Data Protection Lead. Email: gemma@riadaconsultancy.com. Telephone: +44 (0)203 897 9453. Office location: Spaces Ealing Aurora, 71–75 Uxbridge Road, Ealing, London W5 5SL, UK.

EU representative (Article 27 GDPR): If we offer goods/services to individuals in the EEA or monitor their behaviour, we have appointed an EU Representative. Name: Gemma Adair. Role: Data Protection Lead. Email: gemma@riadaconsultancy.com. Telephone: +44 (0)203 897 9453. Office location: Spaces Ealing Aurora, 71–75 Uxbridge Road, Ealing, London W5 5SL, UK.

UK representative (for non‑UK controllers): Not applicable — we are UK‑established.

Data Protection Officer (DPO): We are not required to appoint a DPO. If we do appoint one in future, we will update this notice.

2. What data we collect

We collect and process the following categories of personal data:

Website usage data (when you visit our site): IP address, device and browser information, pages viewed, buttons clicked, referral URLs, session duration, and cookie identifiers.

Contact and enquiry data: name, email address, phone, company, role, and the content of your message.

Event data: registration details, attendance, dietary/access requirements (optional), payment details via our payment provider (we do not store full card numbers).

Marketing preferences: your subscriptions, consent records, and opt‑out choices.

Recruitment/applicant data: CV/résumé, cover letter, work history, referees, interview notes; for certain roles we may process special category data (e.g., health information or equal opportunities data) only where lawful and necessary.

Supplier/partner data: contact details for contract management, due diligence and invoicing.

Security and support data: logs and metadata generated by our websites, apps and support tools.

We do not intend to collect data about children under 18, and we do not knowingly do so.

3. Where we get your data from

Directly from you (web forms, emails, phone calls, meetings, event registrations, CV submissions).

Automatically from your device when you use our website (via cookies and similar technologies).

From third parties, where lawful (e.g., event platforms, recruitment agencies, public professional profiles, or your employer if you are nominated as a contact). When this happens, we provide you with the information required by Article 14 GDPR.

4. How and why we use your data (purposes & lawful bases)

We only process personal data when we have a lawful basis. The table below explains our typical purposes and the legal bases we rely on under the UK GDPR and, where applicable, EU GDPR.

| Purpose | Examples | Lawful basis | Notes |
| --- | --- | --- | --- |
| Responding to enquiries and providing quotes | Contact forms, emails, phone calls | Legitimate interests (to respond and manage business relationships) or Steps to contract | You may object at any time (see Section 10). |
| Performing a contract and providing services | Account creation, delivery of services, support, billing | Contract | Includes necessary communications about the service. |
| Event administration | Registration, attendee communications, on‑site management | Contract; Legitimate interests (to run events) | Where we collect dietary/access needs, we rely on explicit consent or employment/social protection conditions as appropriate. |
| Direct marketing (email) | Newsletters, updates about similar services | Consent or Legitimate interests (soft opt‑in for existing UK customers) | Always includes an unsubscribe link. We do not use bought‑in lists. |
| Website analytics (non‑essential cookies) | Understanding site usage and improving content | Consent (via cookie banner) | Analytics run only once you opt‑in. See Cookies section. |
| Security and fraud prevention | Protecting systems, preventing misuse | Legitimate interests or Legal obligation | Uses minimal necessary data (e.g., logs). |
| Recruitment | Assessing candidates, arranging interviews | Legitimate interests; Steps to contract; Legal obligation | Special category data processed only where necessary and lawful, using appropriate safeguards. |
| Legal and regulatory compliance | Tax and accounting records, responding to lawful requests | Legal obligation | We may need to retain certain records for statutory periods. |

When we rely on legitimate interests, we balance our interests against your rights and expectations through a Legitimate Interests Assessment and apply safeguards. Where we rely on consent, you can withdraw it at any time (see Section 10).

5. Cookies and similar technologies

We use cookies and similar technologies to operate our website and, with your permission, to measure usage and improve our services.

Essential cookies (strictly necessary): enable core site functionality; they do not require consent.

Analytics/measurement cookies: help us understand how the site is used; set only with your consent.

Advertising/third‑party cookies: used only if we introduce advertising features and only with your consent.

You can manage your preferences at any time via the Cookie Settings link in the site footer. For detailed information (names, providers, purposes, durations), please see our separate Cookie Policy: [link to Cookie Policy].

We do not set non‑essential cookies until you have made a choice in our cookie banner.

6. Who we share your data with (recipients)

We share personal data only with:

Service providers (processors) acting on our instructions — e.g., website hosting, cloud storage, email/SMS service providers, analytics providers, CRM, event platforms, payment processors, IT/security suppliers.

Professional advisers (lawyers, accountants), and authorities where legally required.

Business partners where you ask us to make an introduction or where this is necessary to deliver a joint service to you.

All processors are bound by contracts that require appropriate security and restrict use to our documented purposes. We maintain a current list of our processors and sub‑processors which is available on request at [privacy@riadaconsultancy.com].

We do not sell your personal data.

7. International transfers

Some recipients may be located outside the UK (and EEA). Where this involves a restricted transfer of personal data, we ensure appropriate safeguards are in place, such as:

An adequacy decision (e.g., UK–US Data Bridge for certified organisations);

Standard Contractual Clauses (SCCs) and, where required, a Transfer Risk Assessment (TRA); or

Other legally recognised safeguards.

Details of relevant safeguards for your data are available on request.

8. How long we keep your data (retention)

We keep personal data only for as long as necessary for the purposes set out above, and to meet legal, accounting or reporting requirements. Typical retention periods are:

Enquiries and general correspondence: 24 months after last contact.

Client records and contracts: 6 years after the end of the contract (statutory limitation/accounting).

Event registration data: 24 months after the event; financial records 6 years.

Marketing contact data: until you unsubscribe or we identify inactivity for 24 months.

Recruitment/applicant data: 6–12 months from decision unless you agree to a longer talent‑pool retention; onboarding records follow employee retention schedules.

Website logs and security data: typically 12 months unless needed longer for investigations.

If we need to retain data longer (e.g., to establish or defend legal claims), we will restrict access to it.

9. Security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, regular patching, least‑privilege access, backups, and staff training. We assess suppliers for security and confidentiality and include appropriate terms in our contracts.

10. Your rights

Depending on the circumstances and subject to applicable law, you have the right to:

Access your personal data and obtain a copy;

Rectify inaccurate or incomplete data;

Erase your data in certain situations;

Restrict how we use your data in certain situations;

Data portability (receive your data in a structured, commonly used and machine‑readable format, and have us transmit it to another controller where technically feasible) where our lawful basis is consent or contract and the processing is automated;

Object to processing based on our legitimate interests, and to object at any time to direct marketing (including profiling for marketing);

Withdraw consent where processing is based on consent;

Not be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects (we do not carry out such processing).

To exercise your rights, contact us at gemma@riadaconsultancy.com. We may ask for proof of identity. We aim to respond within one month, or as required by law.

Complaints: You can also complain to the Information Commissioner’s Office (ICO) at http://www.ico.org.uk or to your local supervisory authority in the EEA, without prejudice to other remedies. We would appreciate the chance to deal with your concerns first.

11. Direct marketing

We send electronic marketing communications only in line with applicable laws. Where required, we obtain your consent. If you are an existing UK customer, we may send you marketing about similar products or services under the "soft opt‑in" rule, provided we offered you a chance to opt out at collection and include an unsubscribe link in every message. You can opt out at any time.

We do not use bought‑in marketing lists or send marketing to individuals who have opted out.

12. Recruitment privacy information

If you apply for a role with us, we use your data to assess your application, arrange interviews, and keep appropriate records. We will provide you with a Recruitment Privacy Notice at the point of collection or via our recruitment partners. Special category data is processed only where necessary and lawful, with additional safeguards.

13. Personal data breaches

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours. Where the breach is likely to result in a high risk to you, we will also inform you without undue delay. We keep internal records of all personal data breaches, whether or not they require notification.

14. Third‑party links and social media

Our website may include links to third‑party websites, plug‑ins and platforms (e.g., LinkedIn, X/Twitter, Instagram, YouTube). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third‑party sites and are not responsible for their privacy practices. We encourage you to read the privacy notices of every site you visit.

15. Changes to this notice

We may update this Privacy Notice from time to time to reflect changes in law, technology, or our practices. We will post any updates on this page and indicate the Last updated date above. Significant changes will be notified on our website and, where appropriate, by email.

16. Contact us

If you have questions about this Privacy Notice or how we handle your personal data, please contact:

Riada Consultancy: gemma@riadaconsultancy.com

Telephone: +44 (0)203 897 9453 Office location: Spaces Ealing Aurora, 71–75 Uxbridge Road, Ealing, London W5 5SL, UK
