Privacy Policy

Risk Evolves – Privacy Policy

In compliance with UK and European data protection regulations, this privacy policy explains what personal information we collect from you when you visit our website, are a recipient of our services or attend one of our courses. 

Risk Evolves is committed to processing personal information about its customers in ways that comply with its legal and regulatory obligations, and to being clear with customers about what it does with their personal information.

Who are “We”?

In this policy, whenever you see the words ‘we’, ‘us’, ‘our’ or ‘Risk Evolves’, it refers to Risk Evolves Limited, registered company number 09490698. Our ICO registration number is ZA127400.

If you have any questions relating to this privacy policy or how we use your personal data, please send them to the contact information shown below.

Data collection

Risk Evolves may collect personal information which we receive when:
  • you use our website
  • you use our services
  • you contact us or
  • you are a recipient of our services.
We may collect the following types of information:
  • your name, address, email address, telephone number(s) and other contact details
  • information required to provide you with a service, and details of our services that you have used
  • your company’s name, your position in the company; the company’s address, company’s email address and telephone number
  • your payment information such as credit or debit card details and bank account details.

Working at Risk Evolves

If you are a staff member at Risk Evolves (i.e., Employee, Contractor or Associate) you should review the Employee Privacy Policy Handbook for further information. If you are applying for a position to join us, this document will be made available to you on request.

If you are unsuccessful with your application, your data will be deleted after 180 days.

Website cookies

Cookies are small files of letters or numbers downloaded onto a device when users access websites. They are widely used in order to make websites work, for example to make the videos play, or to work more efficiently, as well as to provide service information to the owners of the site.

Gathering information on how a website performs is important for all businesses – the information is critical to understanding how a website is functioning, which articles and pages a visitor uses the most and ultimately how the visitor experience can be improved. Many companies will use third party organisations to generate this information, and the data that is collected will be shared with both the website owner and the organisation providing the website analytics, with the analytics provider then using the information for their own data mining purposes. This information is frequently transferred outside of the UK and the European Union.

At Risk Evolves, we’re passionate about Data Privacy. We understand the importance of privacy for our users and have adopted a different approach. We use an open source platform called Matomo, which has been endorsed by the supervisory body in France, CNIL, and is also used by the European Commission. Any data collected is used only by Risk Evolves and our UK based web developer. It is not shared with any other organisations. We retain control of this data, which is stored and processed within the European Union.

The use of Matomo allows us to collect information which is anonymous and to prepare aggregated reports of how the Risk Evolves website is used. The data collected contains no personal information and ‘fingerprints’ change daily. This means that visitors who return to the site on several different days will not be tracked. The software generates a random ID which prevents the identification of individual visitors. We do not track our visitors across multiple websites as some analytics tools do, meaning that we won’t collect information on your internet searches, your social media profiles, your user details and so on.

Why do we collect this information?

We collect your personal information:
  • to provide you with services that you may request from us
  • to allow us to communicate with you
  • for necessary administration purposes
  • to meet our legal and regulatory obligations.

How do we collect this information?

We collect personal information:
    • directly from our customers: e.g. when a customer signs up to receive our services or registers on our website
    • from publicly available sources: e.g. social media (such as LinkedIn), internet services (such as Companies House, company websites etc.).

We are committed to keeping your information up to date. If you believe that we have made an error, then please contact us as we have outlined below and we will use reasonable endeavours to correct it.

Keeping your information safe and secure.

Risk Evolves is committed to keeping customers’ personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost. We have been certified to Cyber Essentials and IASME since 2015, and in March 2020 certified to the international standards for Information Security and Data Privacy, ISO27001 and ISO27701. We endeavour to ensure that our suppliers take similar steps to keep your data secure. We take organisational measures to keep information secure and provide regular training for staff on data protection. This includes regular phishing training for all staff.

However, we understand that even the best laid plans can sometimes go wrong, and therefore we have developed and rehearsed a breach management process. In the unlikely event that we, or one of our partners or suppliers, accidentally compromise the confidentiality, integrity or availability of your data, then we will endeavour to notify you within 72 hours of becoming aware of the incident. We will do this by informing you via the contact details that we have recorded on our CRM database.

Third party (Sub-Processor) organisations

For our general day to day data processing activities, we use third party organisations to help us administer and monitor the services we provide:
    • for the provision of software services to enable the management of our customers, staff and office administration
    • for payroll and financial accounting
    • to share newsletters, promotional detail, industry news or other information that may be of interest to you
    • to help us improve our services
    • for the administration of our website and customer interactions
    • for any legal guidance in the provision of our services

As part of the process required for certification to ISO27701, we have validated the notification process that our third parties will use in the event that they suffer a data breach and have confirmed their commitment to notify us within 72 hours of them becoming aware of any issues. For full details of the third-party suppliers we use, please contact us at the address below. Access to your personal information is only allowed when required by the law or is required as part of fulfilling our service obligations. We do not, and will never, sell your personal information to other third parties.

Third Countries or International Organisations

The third countries listed below (i.e., where your information is not held in the European Union / EEA) will receive your personal data for the processing activity as detailed below. Following the ruling in July 2020 by the European Courts, and the subsequent invalidation of the EU-US Privacy Shield agreement, we have reassessed our providers as follows:

| Third Country (non EU / non EEA / International organisation) | Purpose of processing | Safeguards in place and further information |
| --- | --- | --- |
| Xero – hosted in New Zealand and EU. | Accountancy, invoicing etc | Standard Contractual agreements are in place with companies if data is transferred outside of the EU. Additional information is held here |
| Eventbrite – Hosted in the US | Course bookings | Article 49 Consent requirement. As part of our booking process we will ensure that you are aware that your data is transferred to the US. If you do not wish to proceed, then we will provide you with an alternative mechanism for booking a course. |
| Mailchimp – Hosted in the US | Email marketing | Standard Contract Clauses. Link to additional information is here |
| PandaDocs – Hosted in the US | Proposal creation, electronic signature and contract management system | Standard Contract Clauses included in a data processing agreement https://www.pandadoc.com/security/ |
| GoToWebinar | Webinar hosting system | Standard Contract Clauses included in a data processing agreement https://www.logmeininc.com/trust/privacy |

To the best of our knowledge, all other data is processed either in the UK or within the EU.

How long do we keep personal information?

We will only retain customers’ personal information for as long as is required to carry out a particular purpose or to meet a particular obligation. In order that we are able to provide the best possible service to you, we have agreed and documented retention schedules that we consider to be relevant and proportionate to the service we are providing. This has been reviewed and externally audited as part of our certification process to ISO27001 and ISO27701. If you would like more information on our retention periods, then please contact us, using the details below.

We retain details on services delivered for a period of 6 years post the end of the engagement.

Legitimate Interest

From time to time, we may process your information as part of the day to day running of Risk Evolves Ltd. It is in our interests to ensure that our processes and systems operate effectively in order that we can continue to provide a high quality of service to you.

This may include processing your information to:

  • monitor, maintain and improve internal business processes, as we seek to improve the quality of service to you
  • perform credit assessments
  • send you news updates.

We may send you marketing emails, letting you know about our news, offers, events and new services that we think may be of interest to you. However, we understand that needs and requirements may change, and you may opt out at a later date by writing to us at info@riskevolves.com or by selecting ‘unsubscribe’ in the email link. We will not send you information if you’ve asked us not to. You have a right at any time to stop us from contacting you for marketing purposes.

Links to other websites:

Our website may contain links to other websites of interest. However, you should note that we do not have any control over these other websites. Once you have used any of these links to leave our site, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites and such sites are not governed by this privacy statement.

Access to personal information

We take the management of your information very seriously. Please do contact us if:
  • you feel that any information which we may have about you is incorrect
  • you want to see what personal information we hold about you (and receive a copy)
  • you have any queries regarding the accuracy or the processing of your data (including any misuse or unauthorised use)
  • you want to withdraw your consent where any processing is based upon consent.
If you ever have any concerns that we are not processing your personal information in accordance with the law, please contact us using the postal address as follows:

Risk Evolves Ltd.
1 Athena Court,
Tachbrook Park,
Warwick,
CV34 6RT


Or by emailing us at info@riskevolves.com.

If you are still concerned, you can contact the Information Commissioner’s Office at www.ico.org.uk.

Changes to our Privacy Policy:

We keep our privacy policy under regular review, and we will place any updates on this web page.

This privacy policy was last updated in August 2022
Previously updated February 2022