Privacy Notice
We are OCU Group Limited (“OCU”), and we’re responsible for the personal information we collect and use in connection with our services. Under data protection laws, this makes us the “data controller.”
Throughout this notice, when we use terms like “we,” “us,” “our,” or just “OCU,” we’re referring to OCU Group Limited. There are several companies within the OCU Group, but this notice explains the general safeguards that apply to all our group companies in the UK, unless a separate privacy notice applies specifically to one of our other companies.
Privacy Notice
We last updated this notice in April 2025
We are OCU Group Limited (“OCU”), and we’re responsible for the personal information we collect and use in connection with our services. Under data protection laws, this makes us the “data controller.”
Throughout this notice, when we use terms like “we,” “us,” “our,” or just “OCU,” we’re referring to OCU Group Limited. There are several companies within the OCU Group, but this notice explains the general safeguards that apply to all our group companies in the UK, unless a separate privacy notice applies specifically to one of our other companies.
Our company registration details are:
OCU Group Limited is a company incorporated in England and Wales.
Registration number: 9307607
Registered office: Artemis House, 6–8 Greek Street, Stockport, SK3 8AB
In the UK, the Information Commissioner’s Office (ICO) is our data protection supervisory authority. Here are our details:
Data Controller Name: OCU Group Limited
ICO Registration Reference:� ZA262630
We also maintain separate data protection registrations for other companies within OCU Group. If you’d like to know who they are, you can contact our Privacy & Data Protection Team.
If you ever have a question about how we’re handling your personal information or want to exercise a right regarding your data, you can contact our Data Protection Officer (DPO).
Postal AddressData Protection Officer
OCU Group Limited
Artemis House
6–8 Greek Street
Stockport
SK3 8AB
Email: dpo@ocugroup.com
Phone: +44 (0)161 248 9922
We’ll talk more about your specific rights later on in this notice, things like requesting a copy of your personal information or asking us to delete it. But if at any point you want to exercise one of these rights, just get in touch using the details above.
Our website and our services are not intended for children, and we do not knowingly collect personal data relating to children. If you are under the age of 16, please obtain consent from your parent or guardian before submitting any personal data to us. If you’re a parent or guardian and believe your child has provided us with their personal data without your consent, please contact us, and we’ll do our best to erase that information or unsubscribe them.
We’re committed to upholding your privacy and protecting the information we hold. Data protection laws continue to evolve, and so do we, in fact our privacy notice may be updated from time to time to reflect new laws, regulations, or how we use your personal information. The version displayed here is always the most up-to-date.
We encourage you to re-visit this notice now and then, so you’re aware of any relevant updates we’ve made.
Under the UK GDPR, personal information means:
“Any information relating to an identified or identifiable natural person (‘data subject’).”
That’s quite a broad scope, and it can be anything from a name or email address to more technical data like your IP address. Essentially, if it’s information that can identify you (directly or indirectly), it’s personal data.
We only collect personal information that is appropriate, lawful, and relevant to our relationship with you. Below are categories of data we may collect:
Identity InformationMay include name, title, date of birth, national insurance details, or other official identity data.
Contact InformationMay include email address, telephone number, postal address, and social media handles.
Technical DataInternet Protocol (IP) address, browser type and version, time zone settings, location, and other technology on the devices you use to access our website or services.
Marketing & Communications DataInformation about your communication preferences, such as how and when you’d like us to contact you.
Work and role specific information
If you’re an employee, a contractor, or part of a contracting organisation, we’ll process personal information that is relevant to your role and work.
Location DataIf you enable location services on your device and use certain features, we may use this to provide location-based services (e.g., showing you site offices near you or other relevant content).
Transactional & Financial InformationIf you or the organisation you work for purchase from us or we issue invoices, we may collect billing addresses, payment details, and transaction logs.
Special Categories of Personal InformationTypically, we do not process special category data (like health or biometric data) unless it is for a specific purpose (e.g., recruitment or handling an internal HR matter) and we’re legally allowed to do so.
Criminal Data or Background ChecksThere may be instances (e.g., safeguarding requirements) where we process criminal background checks or “DBS” checks in the UK. We only do so where strictly necessary and in accordance with local law.
Further Information About InteractionsWe may collect details of reviews, comments, or other content you submit. We may also have situational or process specific privacy notices that we provide, and we’ll provide those as and when you engage with us.
You’re welcome to browse our website without registering or submitting your personal information if that suits you better.
1. Personal Information You Voluntarily Provide
When you visit our websites or use our online platforms, we use cookies to help tailor your experience. For details, see our Cookie Policy.
When you sign up for newsletters or other mailing lists.
When you contact us via phone, email, or social media.
When you attend events or training sessions we organise
When you appear in photos or videos that we take
When you apply for a job or send us your CV.
When you or your organisation purchases something from us.
When you submit personal data to us for any other reason.
2. Personal Information Provided by Others
Sometimes we receive your data from third parties (e.g., marketing agencies, credit reference agencies).
If you apply for a job, we may get references from previous employers.
We may also obtain publicly available information from sources like Companies House or professional networking sites.
Lawful Basis
Data protection law requires that we have a lawful basis for processing your personal information. If you’d like more details about a specific processing activity, just ask. Below are some common ways we process your data, our lawful basis, and how we respect your rights:
Processing Type
Data Category
Lawful Basis
Specific Purpose & Respect for Your Rights
Website Communication (Email, Forms, Telephone)
Contact Data
Contractual Obligation / Legitimate Interest
To respond to queries or provide requested information (e.g., via “Contact Us” forms). Without processing this data, we can’t address your request. You can ask us to stop contacting you at any time, though it may affect our ability to follow up on your query or service needs.
Customer Relationship Management (CRM)
Identity & Contact Data
Legitimate Interest
We maintain a secure CRM system to keep track of Clients, suppliers, and partners, including contact form submissions. You can ask to see what we hold about you, request corrections, or ask us to remove it unless we need to keep it for legal or contractual reasons.
National Operations Centre (NOC) interactions
Identity, Contact, Technical
Legitimate Interest / Contractual Obligation / Legal obligation
We record enquires and contacts / interactions with our National Operations Centre, which is used by our Clients, Customers, Members of the Public and other third parties. We use our own system called OCU One to record our interactions. We also use a third-party communication platform to record, track and report on the contact we have at our NOC, which can include recording phone calls and online interactions.
Email Marketing
Identity & Contact Data
Legitimate Interest (existing customers), Consent (others)
If you’re an existing Client, we may send relevant updates about our products/services under legitimate interest. If you’re not yet a Client (e.g., you sign up to our newsletter), we rely on consent, unless it’s clear to us that our relationship is of a business-to-business nature. You can unsubscribe or opt out at any time.
Promotional Images & Video
Identity Data
Consent, Legitimate interests
We may occasionally feature images or videos (e.g., from events) on our website. If you are clearly identifiable, we will seek your consent before using your photo. You can withdraw consent at any time or opt out on the spot. If photos or footage is of a whole room or crowd, we’ll rely on our legitimate interests as the lawful basis.
Website Analytics (Statistics & Usage)
Technical & Usage Data
Consent (for non-essential cookies), Legitimate Interest (for essential cookies)
We use analytics tools, often called cookies and other tracking information to understand how visitors use our site. We request consent for any non-essential cookies. You can manage or withdraw cookie preferences at any time.
Marketing Engagement Metrics
Identity, Contact, Technical & Usage
Consent
With your consent (e.g., cookie acceptance, email open tracking), we monitor interactions with our website, emails, or social channels to tailor future communications and improve marketing effectiveness. You can revoke consent or opt out of marketing at any time.
Administrative Purposes & Group Operations
Identity, Contact, Financial, etc.
Legitimate Interest
We may share certain website-generated information within our Group (or with service providers) for business continuity, IT hosting, invoice management, or similar operational needs. This includes ensuring the site functions properly and your data remains consistent across our internal systems.
Job Roles & Recruitment (through our dedicated Careers site)
Identity, Contact, (Special Category if relevant)
Contractual Obligation / Legitimate Interest
If you apply for a job via our website, we process your application details (e.g., CV). We will share your details with our Recruitment and HR teams to see if there are suitable roles. You can ask us not to share further, though it may affect your application. We only process special category data if required for the role/law.
Security & Safety
Identity, Technical, Usage
Legal Obligation / Legitimate Interest
We may process personal information for security monitoring, fraud prevention, and threat detection (e.g., IP logs, suspicious activity flags). We also use CCTV at our physical sites and could reference relevant footage if necessary to investigate incidents or for compliance.
Sharing Information with Auditors & Authorities
Identity, Contact, Financial, Special Category
Legal Obligation
If required by law, we share data with regulators (e.g., HMRC, ICO) or in connection with legal proceedings (e.g., fraud investigations). We only disclose the minimum necessary to comply with these obligations.
When You Provide Consent
If we rely on consent, you can withdraw it at any time. Any processing done up to that point remains lawful.
When We Rely on Legitimate Interest
We do a legitimate interest assessment to ensure our interests do not override your fundamental rights and freedoms.
Use Permitted Under Applicable Laws
Sometimes, we might process personal data without your knowledge or consent where it is required or permitted by law.
We may share your personal information with trusted third-party processors or recipients to deliver the services or products you request. This could include:
Other OCU Group companies (including international colleagues, where relevant)
Vendors and service providers offering services including, IT support, hosting, auditing, legal advice, payment or delivery services, marketing.
Regulatory bodies or law enforcement where required (e.g., to aid investigations or meet legal obligations)
Potential buyers or investors if we sell or integrate parts of our business
We conduct due diligence on third parties to ensure they meet our standards and will only process personal data in accordance with our instructions.
Third-Party Links
Our website may contain links to external sites that we don’t control. If you follow a link to a third-party site, their privacy policy will apply, not ours. We encourage you to read their policies carefully.
Sometimes, our data processors or group entities are outside the UK, so your personal information may be transferred internationally. We safeguard these transfers and will generally use these mechanisms:
Adequacy decisions (where the recipient country is deemed by the UK to have adequate data protection), or
Standard contractual clauses approved by the UK authorities.
We also perform due diligence to ensure these partners follow strict data protection standards.
Unauthorised Access
We have put in place security measures to protect your information from unauthorised access, alteration, or disclosure. However, no system is entirely foolproof, and sending data electronically is always at your own risk.
Specific Access
We limit access to your personal data to employees, agents, and contractors who need it to do their jobs and who are under confidentiality obligations.
Vulnerabilities
We have procedures to detect, manage, and notify relevant parties of any personal data breaches, where required by law.
We retain your personal information only as long as necessary to fulfil the purposes for which it was collected, including any legal or regulatory requirements. When deciding the retention period, we consider:
Amount, nature, and sensitivity of the data
Potential risk of harm from unauthorised use or disclosure
The reasons for processing and whether they can be achieved by other means
If you’d like specifics about our retention schedules, feel free to contact us.
If you live in the UK or EEA or in other locations around the world, you most likely have the following rights, in any case, we recognise and respect the following rights which we apply to the personal information we process:
Right of Access
Request a copy of your personal data (a “Subject Access Request”).
Right to Rectification
Ask us to correct any inaccuracies or complete missing details.
Right to Erasure (“the right to be forgotten”)
Ask us to delete data if there’s no lawful basis to keep it.
Right to Restrict Processing
In certain cases, ask us to stop using your data for a period of time.
Right to Portability
Request a structured, machine-readable copy of certain data to transfer to another organisation.
Right to Object
Object to processing that relies on legitimate interest or direct marketing.
Right to Withdraw Consent
If we rely on consent, you can withdraw it any time.
Right to Object to Automated Decision-Making, Including Profiling
If any automated decisions produce legal or similarly significant effects.
If you want to exercise any of these rights, just reach out to us via the contact methods above. We’ll address your request within the timelines required by law.
We aim to handle your personal information responsibly, but if you feel we’ve fallen short:
Contact Us First
Please email or write to our DPO so we can try to resolve your complaint.
Right to Lodge a Complaint
If you’re unhappy with our response, you can complain to the Information Commissioner’s Office (ICO) in the UK.
ICO Contact Details
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Web: https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
If you have any queries about this Privacy Notice or want to know more about how we handle your personal data, please contact our DPO using the details provided. We’ll do our best to give you the information and reassurance you need.
This Privacy Notice is effective as of April 2025. We may update it now and then, and we’ll post any changes here so you’re always aware of the current version.