This notice sets out how I, as the data controller for Varnham Consulting Ltd, process personal data. It is written under Articles 13 and 14 of the UK GDPR. If anything here is unclear, the intake form is the right place to ask.
Varnham Consulting Ltd is the data controller for the personal data described in this notice. The company is registered in England with Companies House and registered with the Information Commissioner's Office under registration number ZA000000.
The Data Protection Officer is Matthew Varnham. To contact me on any matter relating to this notice — including exercising any of your rights — use the intake form on the contact page and select the appropriate option (option 9 for general privacy enquiries, option 10 for complaints, option 11 for subject access requests).
I collect different categories of personal data depending on how you interact with the consultancy:
Name, email address, telephone number, the nature of your enquiry, and any optional notes you provide. This is the minimum needed to respond to your enquiry.
Contact details for your nominated points of contact, organisational and compliance information you provide as part of the engagement, and records of advice given. Where an engagement involves processing personal data on your behalf as a processor, that data is governed by a separate Article 28 data processing agreement and is not described in this notice.
Name and email address. Subscription is by explicit opt-in via the intake form (option 12 or by direct request) and you can unsubscribe at any time.
Technical data via cookies. See the cookie policy for details. The website does not use marketing or advertising cookies.
Where I identify potential clients through publicly available sources — Companies House, the ICO Register, the Charity Commission register, professional directories — I may hold name, job title, organisation, and business contact details for the purpose of considering whether to make a referral introduction. Prospects identified this way are processed under legitimate interests and have specific rights of objection.
Lawful basis: legitimate interests under Article 6(1)(f) UK GDPR, where the legitimate interest is responding to your enquiry. The legitimate interests assessment is documented and reviewed annually.
Lawful basis: contract performance under Article 6(1)(b) UK GDPR — processing is necessary for the performance of the services agreement, or to take steps prior to entering into it.
Lawful basis: consent under Article 6(1)(a) UK GDPR. Subscription is opt-in and you can withdraw consent at any time.
Lawful basis: legitimate interests under Article 6(1)(f) UK GDPR for B2B referral introductions, in accordance with PECR for any direct contact made.
Lawful basis: consent. Analytics cookies are placed only where you have accepted them via the cookie banner.
I do not sell personal data. I share personal data with the following categories of recipient, where necessary for the purposes set out above:
I do not transfer personal data to third parties for marketing purposes.
Where my providers process personal data outside the UK — primarily Microsoft, which may process data in the EU or the US — appropriate safeguards are in place under the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or under adequacy regulations made by the Secretary of State.
I retain personal data only for as long as necessary for the purposes set out above, then delete it. Specific retention periods are:
The full schedule is documented in the Records Retention Schedule (an internal document; available on request).
You have the following rights under the UK GDPR, exercisable through the intake form on the contact page:
I will respond to any rights request within one calendar month, as required by Article 12(3) UK GDPR. If a request is complex or part of a series of requests, I may extend the response period by up to two further months and will write to you within the first month to explain why.
If you are dissatisfied with how I have processed your personal data, please tell me first — using the intake form, option 10. The formal complaints procedure is documented separately and available on the complaints page. The procedure was established under section 164A of the Data Protection Act 2018, as inserted by the Data (Use and Access) Act 2025.
You also have the right to complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint. The ICO recommends raising concerns with the data controller first.
I may update this notice from time to time to reflect changes to my processing or to legal requirements. The latest version, with the date it was updated, will always be on this page. Material changes that affect your rights will be communicated separately to existing clients and subscribers.
For any question about this notice, or to exercise any of your rights, use the intake form on the contact page. Direct contact details are not displayed on the website by design — the intake form ensures every enquiry is captured, classified, and responded to consistently and within a documented compliance framework.