Privacy Policy

1. Introduction

Amplifi & Impact Limited (the "Company", "we", "us", or "our") is committed to protecting the privacy and security of personal data.

This Privacy Policy explains how we collect, use, store and share personal data relating to individuals who interact with us, including visitors to our website, prospective clients, current and former clients, suppliers, partners, and other business contacts.

A separate Workforce Privacy Notice covers personal data we hold about members of our workforce (employees, workers, consultants, contractors and other service providers). That notice is available on request from the contact below.

This Policy is provided in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

The Company is the data controller in respect of the personal data described in this Policy.

We may update this Policy from time to time in accordance with section 17 below.

2. Data Protection Principles

We will comply with UK data protection law. This means personal data we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you.
• Relevant and limited to what is necessary.
• Accurate and kept up to date.
• Retained only as long as necessary.
• Kept securely.

3. The Personal Data We Collect

We may collect, store and use the following categories of personal data:

Identity and Contact Data

• Name, job title and employer
• Business email address
• Business telephone number
• Business address

Engagement Data

• Information you provide in enquiries, proposals, and project briefings
• Records of meetings, calls, and other communications
• Project deliverables and working materials
• Feedback and references

Financial Data

• Billing contact and address
• Bank account details (for invoicing and payment, where applicable)
• VAT and tax identifiers
• Payment history

Technical and Usage Data

• Information about your visits to our website (pages viewed, time spent, referrer)
• IP address and device identifiers (for security and analytics)
• Cookies and similar tracking technologies (see section 12)

Compliance and Legal Data

• Information necessary to verify identity and prevent fraud
• Records relevant to legal claims or regulatory investigations

Marketing Data

• Your preferences for receiving marketing communications from us
• Records of communications sent and your responses

Special Category Data

We do not routinely collect special category personal data (such as health, ethnicity, religious belief, or trade union membership). Where, in unusual circumstances, such data is necessary (for example, to make reasonable adjustments for a meeting), we will only process it where lawful under UK GDPR Article 9.

4. How We Collect Personal Data

We collect personal data:

• Directly from you (for example, through our website, in meetings, or in written communications)
• From your employer or organisation, where you are acting on its behalf
• From third parties (for example, referrers, professional networks, or public sources such as Companies House)
• Automatically when you interact with our website (see section 12 on cookies)

5. Lawful Basis for Processing

We process personal data where one or more of the following apply:

• Performance of a contract with you or the organisation you represent
• Compliance with a legal obligation (for example, tax and accounting record-keeping)
• Legitimate interests pursued by the Company in operating, marketing, and protecting our business (provided these are not overridden by your rights)
• Consent, where you have specifically agreed to a particular use (for example, marketing communications)
• Establishment, exercise or defence of legal claims

Where we rely on legitimate interests, those interests include responding to enquiries, delivering services to our clients, maintaining business relationships, protecting our legal and commercial interests, securing our systems and information, and the prevention and detection of fraud.

6. How We Use Personal Data

We use personal data to:

• Respond to enquiries and proposal requests
• Deliver consulting services and contracted engagements
• Manage client relationships and project communications
• Invoice clients and process payments
• Comply with tax, accounting, and other regulatory obligations
• Send service-related communications and, where you have agreed, marketing
• Maintain business operations and continuity
• Protect our legal, commercial, and security interests
• Improve and secure our website
• Respond to legal or regulatory requests

We will not use personal data for purposes that are incompatible with the purposes for which it was collected.

7. Data Sharing

We may share personal data with:

• Accountants, auditors, and tax advisers
• Bankers and payment service providers
• IT and infrastructure service providers (including hosting, productivity software, and security tools)
• Professional advisers (legal, financial, compliance, insurance)
• Subcontractors engaged to deliver services on our behalf, under written agreements that include appropriate data protection terms
• Regulatory bodies or law enforcement agencies, where required by law
• Potential or actual buyers in the event of a business sale, restructure or merger, subject to appropriate confidentiality

We do not sell personal data to third parties.

Where Amplifi acts as a data processor on behalf of a client (for example, when operating an instance of our Matter AI platform that holds the client's data), the data-handling commitments are governed by a separate Data Processing Agreement between Amplifi and the client (as data controller). Such arrangements are set out in writing before any client personal data is processed.

All third parties are required to process personal data in accordance with UK data protection law and appropriate contractual safeguards.

8. International Transfers

Our primary infrastructure is in the United Kingdom. We may, however, transfer personal data outside the UK in the course of using common business tools (for example, communications, productivity and collaboration software).

Where personal data is transferred to a country that does not benefit from a UK adequacy decision, we will ensure appropriate safeguards are in place in accordance with UK data protection law. These may include:

• The UK International Data Transfer Agreement (IDTA);
• The UK Addendum to the EU Standard Contractual Clauses; or
• Other legally recognised transfer mechanisms.

For client engagements where data location is material (for example, regulated-industry clients), we agree the location and transfer arrangements with the client in advance and document them in writing.

9. Data Security

We have implemented appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration or destruction.

These measures include:

• Encryption of devices and storage
• Access controls and multi-factor authentication on all critical systems
• Secure credential management
• Logged and monitored access to client systems
• Vetted suppliers for hosting, productivity, and security tooling
• Regular review and updating of our practices

Access to personal data is limited to those who have a legitimate business need to know.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

• The duration of our relationship with you or the organisation you represent
• Any applicable statutory or regulatory retention period (for example, tax records for at least six years)
• Any period reasonably necessary to defend or pursue legal claims

Where data is no longer required, it will be securely deleted or anonymised.

11. Your Rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Erasure (in certain circumstances)
• Object to processing based on legitimate interests
• Restrict processing in certain circumstances
• Portability — request transfer of your personal data
• Withdraw consent where processing is based on consent
• Lodge a complaint with the Information Commissioner's Office (see section 15)

Requests should be made in writing to the contact details below. We aim to respond within one month. We may need to verify your identity before responding to a request.

12. Cookies and Website Analytics

Our website uses cookies and similar technologies. We use:

• Strictly necessary cookies required for the website to function (these do not require consent)
• Analytics cookies to understand how visitors use our website and improve it

We do not use third-party advertising or tracking cookies.

A cookie banner is presented on first visit. You can adjust your cookie preferences at any time through your browser settings.

13. Children's Data

Our services are aimed at businesses and we do not knowingly collect personal data from individuals under the age of 18. If you become aware that a child has provided us with personal data, please contact us and we will take steps to remove it.

14. Automated Decision-Making

We do not make decisions that produce legal or similarly significant effects on individuals based solely on automated processing.

Where we use AI tools as part of delivering services (including our Matter AI platform), human review remains part of any decision that materially affects an individual.

15. Complaints

If you have concerns about how your personal data is handled, please contact us using the details below. We will aim to resolve any concerns promptly.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

• Website: ico.org.uk
• Helpline: 0303 123 1113

16. Contact Details

Amplifi & Impact Limited

ICO data protection registration: 00018521168

Email: privacy@amplifi-impact.com

17. Updates to This Policy

We may update this Privacy Policy from time to time.

Where we make material changes, we will update the version number and effective date at the top of this page and, where appropriate, notify clients and contacts directly. The current version will always be available on our website.

This Privacy Policy is reviewed at least annually.