Privacy Policy

Risk Evolves - Privacy Policy

In compliance with UK and European data protection regulations, this privacy policy explains what personal information we collect from you when you visit our website, are a recipient of our services or attend one of our courses.

Risk Evolves is committed to processing personal information about its customers in ways that comply with its legal and regulatory obligations, and to being clear with customers about what it does with their personal information.

Data collection

Risk Evolves may collect personal information which we receive when:

  • you use our website
  • you use our services
  • you contact us or
  • you are a recipient of our services.

We may collect the following types of information:

  • your name, address, email address, telephone number(s) and other contact details
  • information required to provide you with a service, and details of our services that you have used
  • your company’s name, your position in the company; the company’s address, company’s email address and telephone number
  • your payment information such as credit or debit card details and bank account details.

Website cookies

Cookies are small files of letters or numbers downloaded onto a device when users access websites. They are widely used in order to make websites work, or work more efficiently, as well as to provide service information to the owners of the site.

Cookie Purpose
Google Analytics We use cookie to gather data about how visitors use our website.  We then use this to help us to improve your experience of our website. The cookies collect information in an anonymous form, and capture information such as the number of visitors to the website, which pages they have used, where they have from etc.

To find out more about cookies, including how to see what cookies have been set, visit or

Find out how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer's website.

To opt out of being tracked by Google Analytics across all websites, visit

Why do we collect this information ?

We collect your personal information to:

  • provide you with services that you may request from us.
  • to allow us to communicate with you
  • for necessary administration purposes
  • meet our legal and regulatory obligations.

How do we collect this information ?

We collect personal information:

  • directly from our customers: e.g. when a customer signs up to receive our services or registers on our website
  • from publicly available sources: social media (such as LinkedIn), internet services (such as Companies House, company websites etc).

We are committed to keeping your information up to date. If you believe that we have made an error, then please contact us as we have outlined below and we will use reasonable endeavours to correct.

Keeping your information safe and secure.

Risk Evolves is committed to keeping customers’ personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost. We have been certified to Cyber Essentials and IASME since 2015, and in March 2020 certified to the international standards for Information Security and Data Privacy, ISO27001 and ISO27701. We endeavour to ensure that our suppliers take similar steps to keep your data secure. We take organisational measures to keep information secure and provide regular training for staff on data protection. This includes regular phishing training for all staff.

In August 2019, we have certified to ‘Digitally Aware’ status as part of a new scheme from the Police Digital Security Centre and BSI.

However, we understand that even the best laid plans can sometimes go wrong, and therefore we have developed and rehearsed a breach management process. In the unlikely event that we, or one of our partners or suppliers, accidently compromise the confidentiality, integrity or availability of your data, then we will endeavour to notify you within 72 hours of becoming aware of the incident. We will do this by informing you via the contact details that we have recorded on our CRM database.

Third party (Sub-Processor) organisations

For our general day to day data processing activities, we use third party organisations to help us administer and monitor the services we provide:

  • for the provision of software services to enable the management of our customers, staff and office administration
  • for payroll and financial accounting
  • to share newsletters, promotional detail, industry news or other information that maybe of interest to you
  • to help us improve our services
  • for the administration of our website and customer interactions
  • for any legal guidance in the provision of our services

As part of the process required for certification to ISO27701, we have validated the notification process that our third parties will use in the event that they suffer a data breach and have confirmed their commitment to notify us within 72 hours of them becoming aware of any issues.

For full details of the third party suppliers we use, please contact us at the address below.

Access to your personal information is only allowed when required by the law or is required as part our fulfilling our service obligations.  We do not, and will never, sell your personal information with other third parties.

Third Countries or International Organisations

The following third countries (ie. where your information is not held in the European Union / EEA) are listed below will receive your personal data for the processing activity as detailed below. Following the ruling in July 2020 by the European Courts, and the subsequent invalidation of the EU-US Privacy Shield agreement, we have reassessed our providers as follows :

Third Country

(non EU / non EEA / International organisation)

Purpose of processing Safeguards in place and further information
Xero – hosted in New Zealand and EU. Accountancy, invoicing etc Standard Contractual agreements are in place with companies if data is transferred outside of the EU.  Additional information is held here



Eventbrite –

Hosted in the US

Course bookings Article 49 Consent requirement


As part of our booking process we will ensure that you are aware that your data is transferred to the US. If you do not wish to proceed, then we will provide you with an alternative mechanism for booking a course.


Mailchimp –

Hosted in the US



Email marketing


Standard Contract Clauses


Link to additional information is  here

PandaDocs –

Hosted in the US

Proposal creation, electronic signature and contract management system Standard Contract Clauses included in a data processing agreement.

All other data is processed either in the UK or within the EU.

How long do we keep personal information ?

We will only retain customers’ personal information for as long as is required to carry out a particular purpose or to meet a particular obligation. In order that we are able to provide the best possible service to you, we have agreed and documented retention schedules that we consider to be relevant and proportionate to the service we are providing. This has been reviewed and externally audited as part of our certification process to ISO27001 and ISO27701. If you would like more information on our retention periods, then please contact us, using the details below.

We retain details on services delivered for a period of 6 years post the end of the engagement.

Legitimate Interest

From time to time, we may process your information as part of the day to day running of Risk Evolves Ltd. It is in our interests to ensure that our processes and systems operate effectively in order that we can continue the high quality of service to you.

This may include processing your information to:

  • Monitor, maintain and improve internal business processes. We seek to improve the quality of service to you.
  • To perform credit assessments
  • To send you news updates

We may send you marketing emails, letting you know about our news, offers, events and new services that we think may be of interest to you. However we understand that needs and requirements may change, and you may opt out at a later date by writing to us at  or by selecting ‘unsubscribe’ in the email link. We will not send you information if you’ve asked us not to.   You have a right at any time to stop us from contacting you for marketing purposes.

Links to other websites:

Our website may contain links to other websites of interest. However, you should note that we do not have any control over these other websites. Once you have used any of these links to leave our site, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites and such sites are not governed by this privacy statement.

Access to personal information

We take the management of your information very seriously. Please do contact us if:

  • you feel that any information which we may have about you is incorrect
  • you want to see what personal information we hold about you (and receive a copy)
  • have any queries regarding the accuracy or the processing of your data (including any mis-use or unauthorised use)
  • want to withdraw your consent where any processing is based upon consent

If you ever have any concerns that we are not processing your personal information in accordance with the law, please contact us using the email address or postal address as follows :

Risk Evolves Ltd.

Highdown House,

11, Highdown Road

Leamington Spa

CV31 1XT

Or by emailing us at

If you are still concerned, you can contact the Information Commissioners Office at

Changes to our Privacy Policy:

We keep our privacy policy under regular review, and we will place any updates on this web page.

This privacy policy was last updated in September 2020

Previously updated March 20202

Contact us