Privacy Policy

Last updated: 27 September 2025

This Privacy Policy explains how AIC Professional Services UK Ltd collects, uses, stores, shares, and protects personal data.

AIC Professional Services UK Ltd is committed to protecting your privacy and handling personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, and other applicable data protection and privacy laws.

This Privacy Policy applies to personal data collected through our website, communications with us, customer and supplier relationships, account services, enquiries, business development activity, professional services delivery, recruitment, procurement, and other interactions with AIC.

1. Data Controller

The data controller is:

AIC Professional Services UK Ltd
Company number: 12252641
Registered office: 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF
Email: privacy@aicuk.ltd
Website: https://www.aicuk.ltd

Where this Privacy Policy refers to “AIC”, “we”, “us”, or “our”, it means AIC Professional Services UK Ltd.

Where this Privacy Policy refers to “you” or “your”, it means the person whose personal data we process.

2. Personal Data We Collect

We may collect and process the following categories of personal data.

2.1 Identity Data

This may include:

Name
Title
Job title
Organisation
Department
Professional role
Username or account identifier
Customer, supplier, contractor, or stakeholder status

2.2 Contact Data

This may include:

Email address
Telephone number
Postal address
Business address
Billing address
Delivery address
Organisation contact details

2.3 Business and Professional Data

This may include:

Employer or organisation
Role and responsibilities
Procurement status
Contract involvement
Security, assurance, compliance, or delivery responsibilities
Professional qualifications or experience where relevant
Business communications and meeting records

2.4 Technical Data

This may include:

IP address
Browser type and version
Device type
Operating system
Time zone setting
Location derived from IP address
Referral source
Pages visited
Session data
Security logs
Access logs
Error logs
Cookie identifiers
Analytics identifiers

2.5 Usage Data

This may include information about:

How you use our website
Pages viewed
Links clicked
Forms submitted
Downloads accessed
Portal activity
Account activity
Interaction with emails or digital communications

2.6 Account Data

Where accounts or restricted areas are provided, this may include:

Login credentials
User profile information
Authentication events
Access permissions
Account preferences
Audit logs
Security events
Password reset activity
Multi-factor authentication status

2.7 Communication Data

This may include:

Emails
Contact form submissions
Telephone notes
Meeting notes
Support requests
Procurement enquiries
Supplier communications
Customer communications
Complaints
Feedback
Records of instructions or requests

2.8 Transaction and Commercial Data

This may include:

Contracts
Statements of work
Purchase orders
Invoices
Payment records
Supplier records
Customer records
Service history
Delivery records
Procurement information
Commercial correspondence

2.9 Recruitment Data

Where you apply for a role, subcontractor opportunity, supplier engagement, or consultancy position, we may collect:

Curriculum vitae
Work history
Qualifications
References
Right-to-work information
Security clearance status where relevant
Interview notes
Assessment results
Professional background information

2.10 Security and Compliance Data

Depending on the nature of your relationship with us, we may process:

Due diligence records
Conflict of interest declarations
Access control records
Incident records
Audit records
Compliance checks
Supplier assurance information
Information required for legal, regulatory, contractual, or security purposes

2.11 Special Category Data

We do not usually seek to collect special category personal data through our website.

Special category data includes information about health, race, ethnicity, political opinions, religious beliefs, trade union membership, genetics, biometrics, sex life, or sexual orientation.

Where special category data is processed, we will only do so where permitted by law and where an appropriate lawful basis and condition for processing applies.

3. How We Collect Personal Data

We may collect personal data:

Directly from you when you contact us, complete forms, register for an account, request information, apply for work, provide services, or communicate with us.

From your organisation, employer, customer, supplier, partner, or representative.

Through website cookies, analytics tools, server logs, and security monitoring.

Through email, telephone, video call, meetings, events, procurement processes, or contractual engagement.

From public sources such as Companies House, professional directories, business websites, public registers, procurement portals, sanctions lists, or regulatory databases.

From third-party service providers, customers, suppliers, advisers, platforms, or systems used in connection with our business.

4. How We Use Personal Data

We use personal data for the following purposes.

4.1 Website Operation

To operate, maintain, secure, improve, and administer our website, including analytics, troubleshooting, performance monitoring, security logging, and user experience improvement.

4.2 Responding to Enquiries

To respond to enquiries, requests for information, proposal requests, service enquiries, partnership requests, supplier communications, support requests, and other communications.

4.3 Service Delivery

To provide consultancy, software, security, investigation, assurance, technical, professional, or other services requested by customers or delivered under contract.

4.4 Contract Management

To prepare, negotiate, enter into, manage, perform, and enforce contracts, statements of work, framework agreements, supplier agreements, licences, support arrangements, and related commercial documents.

4.5 Customer and Supplier Management

To manage relationships with customers, suppliers, subcontractors, partners, advisers, and other business contacts.

4.6 Account and Access Management

To create and manage accounts, authenticate users, control access, monitor activity, manage permissions, and protect restricted areas.

4.7 Security and Fraud Prevention

To protect our website, systems, services, data, customers, suppliers, personnel, and business from unauthorised access, misuse, fraud, cyber threats, malicious activity, security incidents, and legal risks.

4.8 Legal and Regulatory Compliance

To comply with legal obligations, regulatory requirements, court orders, law enforcement requests, tax obligations, accounting duties, procurement rules, data protection obligations, and other compliance requirements.

4.9 Business Administration

To manage internal administration, record keeping, finance, accounting, audit, reporting, insurance, business continuity, governance, and operational planning.

4.10 Marketing and Business Development

To send relevant business communications, updates, service information, event invitations, capability information, or marketing communications where permitted by law.

You can opt out of marketing communications at any time.

4.11 Recruitment and Supplier Onboarding

To assess applicants, contractors, consultants, subcontractors, suppliers, and other prospective business relationships.

4.12 Dispute Management

To establish, exercise, defend, investigate, or resolve legal claims, contractual disputes, complaints, regulatory matters, or security incidents.

5. Lawful Bases for Processing

We only process personal data where we have a lawful basis to do so.

Depending on the circumstances, we may rely on one or more of the following lawful bases.

5.1 Contract

Where processing is necessary to perform a contract with you or take steps before entering into a contract.

Examples include service delivery, account creation, supplier onboarding, invoicing, support, and contract management.

5.2 Legitimate Interests

Where processing is necessary for our legitimate business interests, provided your rights and freedoms do not override those interests.

Examples include website security, business development, fraud prevention, customer relationship management, service improvement, internal administration, analytics, and protecting our legal position.

5.3 Legal Obligation

Where processing is necessary to comply with a legal obligation.

Examples include tax, accounting, regulatory, employment, data protection, procurement, legal, and statutory record keeping obligations.

5.4 Consent

Where you have given consent.

Examples may include certain marketing communications, optional cookies, or specific uses of personal data where consent is required.

You may withdraw consent at any time.

5.5 Vital Interests

Where processing is necessary to protect someone’s life. This is unlikely to apply in most normal business interactions.

5.6 Public Task

Where processing is necessary for a task carried out in the public interest or in the exercise of official authority. This is unlikely to apply unless specifically relevant to a particular engagement.

6. Legitimate Interests

Where we rely on legitimate interests, those interests may include:

Operating and improving our business
Securing our website, systems, and services
Preventing fraud and misuse
Managing customer and supplier relationships
Responding to enquiries
Developing services
Keeping business records
Managing risk
Protecting our legal and commercial position
Conducting due diligence
Supporting business continuity
Maintaining professional communications
Promoting relevant services to business contacts

We consider and balance any potential impact on your rights before relying on legitimate interests.

7. Marketing Communications

We may send marketing communications to business contacts where permitted by law.

Marketing communications may include updates about services, capability statements, events, insights, publications, or relevant business information.

You can opt out of marketing communications at any time by using any unsubscribe link provided or by contacting:

privacy@aicuk.ltd

We do not sell personal data for marketing purposes.

8. Cookies and Analytics

Our website may use cookies and similar technologies to operate properly, improve performance, understand usage, secure the website, and support analytics.

Cookies may include:

Essential cookies
Security cookies
Analytics cookies
Preference cookies
Performance cookies
Third-party service cookies

Where required, we will obtain consent before using non-essential cookies.

Further details should be set out in our separate Cookie Policy.

9. Data Sharing

We may share personal data with third parties where lawful and necessary.

This may include:

IT service providers
Cloud hosting providers
Email and communications providers
Analytics providers
Professional advisers
Legal advisers
Accountants
Auditors
Insurers
Payment providers
Customers
Suppliers
Subcontractors
Business partners
Regulators
Law enforcement bodies
Government bodies
Courts or tribunals
Procurement authorities
Security or compliance bodies

We require service providers to protect personal data appropriately and only process it in accordance with our instructions where they act as processors.

We do not sell personal data.

10. International Transfers

Some personal data may be transferred outside the United Kingdom where we use international service providers, cloud platforms, professional systems, or business partners.

Where personal data is transferred outside the United Kingdom, we will ensure appropriate safeguards are in place. These may include:

UK adequacy regulations
International Data Transfer Agreements
UK Addendum to Standard Contractual Clauses
Contractual protections
Technical and organisational safeguards
Risk assessments where required

11. Data Retention

We keep personal data only for as long as necessary for the purposes for which it was collected.

Retention periods depend on the nature of the data, the purpose of processing, legal requirements, contractual requirements, operational needs, security needs, and dispute risk.

Typical retention considerations include:

Website analytics data may be kept for a limited analytics period.

Enquiry records may be kept for a reasonable business follow-up period.

Contract and commercial records may be kept for at least the duration of the contract and then for legal limitation, tax, accounting, and audit purposes.

Financial records may be kept for statutory accounting and tax retention periods.

Security logs may be retained for security monitoring, investigation, and audit purposes.

Recruitment records may be retained for recruitment, legal, and audit purposes.

Where data is no longer required, we will delete, anonymise, archive, or securely restrict it as appropriate.

12. Security

We use appropriate technical and organisational measures to protect personal data.

These may include:

Access controls
Encryption
Secure authentication
Role-based permissions
Logging and monitoring
Network security controls
Endpoint protection
Backup and recovery measures
Supplier due diligence
Staff confidentiality obligations
Policy controls
Incident response processes
Secure development practices
Data minimisation
Physical and organisational security controls

No system can be guaranteed completely secure. You are responsible for ensuring that any information you send to us is transmitted using appropriate secure methods, especially where the information is sensitive, confidential, commercially sensitive, or security-sensitive.

You must not send classified, highly sensitive, export-controlled, privileged, or special category personal data unless we have agreed an appropriate secure method of transfer in advance.

13. Data Breaches

Where we become aware of a personal data breach, we will assess the nature and risk of the breach.

Where required by law, we will notify the Information Commissioner’s Office and affected individuals within applicable timescales.

We may also notify customers, suppliers, regulators, law enforcement bodies, or other relevant parties where necessary or appropriate.

14. Your Data Protection Rights

Depending on the circumstances, you may have the following rights.

14.1 Right of Access

You can request a copy of the personal data we hold about you.

14.2 Right to Rectification

You can ask us to correct inaccurate or incomplete personal data.

14.3 Right to Erasure

You can ask us to delete personal data in certain circumstances.

14.4 Right to Restrict Processing

You can ask us to restrict how we use your personal data in certain circumstances.

14.5 Right to Object

You can object to certain processing, including processing based on legitimate interests and direct marketing.

14.6 Right to Data Portability

You can request that certain personal data be provided to you or another controller in a structured, commonly used, machine-readable format.

14.7 Right to Withdraw Consent

Where we rely on consent, you may withdraw that consent at any time.

14.8 Rights Relating to Automated Decision-Making

You may have rights in relation to automated decision-making where it produces legal or similarly significant effects.

We do not usually carry out automated decision-making that produces legal or similarly significant effects through the website.

15. How to Exercise Your Rights

To exercise your rights, contact:

privacy@aicuk.ltd

We may ask you to verify your identity before responding.

We aim to respond within one month, although this period may be extended where permitted by law for complex or multiple requests.

You will not usually have to pay a fee. However, we may charge a reasonable fee or refuse a request where permitted by law, for example where a request is manifestly unfounded, excessive, or repetitive.

16. Children’s Data

Our website and services are not intended for children.

We do not knowingly collect personal data from children through the website.

If you believe that a child has provided personal data to us, contact us at:

privacy@aicuk.ltd

17. Third-Party Websites

Our website may contain links to third-party websites, platforms, tools, or services.

We are not responsible for the privacy practices, content, security, or policies of third-party websites.

You should read the privacy policy of any third-party website before providing personal data.

18. Customer, Supplier, and Contract Data

Where we process personal data in connection with a customer, supplier, subcontractor, or professional services relationship, additional contractual terms may apply.

These may include:

Framework agreements
Statements of work
Supplier agreements
Subcontractor agreements
Data processing agreements
Non-disclosure agreements
Security schedules
Procurement terms
Service-specific terms

Where a separate agreement applies, that agreement may contain additional privacy, confidentiality, security, retention, audit, and data processing obligations.

19. Processor and Controller Roles

In some cases, AIC acts as a data controller. This means we decide why and how personal data is processed.

In other cases, especially when providing services to a customer, AIC may act as a data processor. This means we process personal data on behalf of a customer and in accordance with their documented instructions.

Where AIC acts as a processor, the relevant customer remains responsible for its own privacy notices, lawful basis, instructions, and controller obligations.

Where required, a separate Data Processing Agreement will apply.

20. Confidential and Sensitive Information

You must not submit confidential, classified, protectively marked, legally privileged, investigation-sensitive, security-sensitive, export-controlled, or highly sensitive information through the website unless we have expressly confirmed that the relevant channel is suitable.

If you need to send sensitive material, contact us first so that an appropriate secure transfer method can be agreed.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

The latest version will be published on our website with an updated “Last updated” date.

Where changes are significant, we may take additional steps to notify you where appropriate.

22. Complaints

You have the right to complain to the UK data protection regulator:

Information Commissioner’s Office
Website: https://www.ico.org.uk

We would appreciate the opportunity to address your concern first. You can contact us at:

privacy@aicuk.ltd

23. Contact Details

For privacy questions, data protection requests, or complaints, contact:

AIC Professional Services UK Ltd
167-169 Great Portland Street
Fifth Floor
London
W1W 5PF

Email: privacy@aicuk.ltd

24. Version Control

Document owner: AIC Professional Services UK Ltd
Contact: privacy@aicuk.ltd
Website: https://www.aicuk.ltd
Last updated: 27 September 2025
Status: Current version for website publication