Legal & Compliance · Data Protection

Privacy Policy

How we collect, use, and protect your personal data — transparently, securely, and in full accordance with UK GDPR & DPA 2018.

Effective 27 May 2026
Last reviewed 27 May 2026
Next review May 2027
Governed by England & Wales

Contents

1. Introduction
2. Who We Are
3. Data We Collect
4. How We Use Data
5. Lawful Basis
6. Disclosure & Sharing
7. International Transfers
8. Data Retention
9. Data Security
10. Automated Decisions
11. Cookies
12. Marketing
13. Your Rights
14. Third-Party Links
15. Children’s Privacy
16. Policy Changes
17. Governing Law
18. Contact Us

Introduction

Webxcell Digital & Technology Ltd is committed to protecting your privacy and handling your personal data with the highest standards of transparency, security, and integrity. This Privacy Policy explains who we are, what data we collect, how we use it, and your rights.

Webxcell Digital & Technology Ltd (“Webxcell”, “we”, “us”, or “our”) is a digital transformation and technology advisory company incorporated in England and Wales. We operate the website www.webxcell.com (the “Site”) and provide services to clients, partners, and other stakeholders worldwide.

This Privacy Policy applies to all personal data we collect through the Site, during our service delivery activities, through our marketing and communications, and in any other interactions you have with us. It should be read together with our Cookie Policy and Terms of Use, available at www.webxcell.com/legal.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and all other applicable data protection legislation. Where we process data of individuals in the EEA, we also comply with the EU GDPR (Regulation 2016/679).

Who We Are: Data Controller Details

Webxcell Digital & Technology Ltd is the data controller for the personal data described in this Privacy Policy. This means we determine the purposes and means of processing your personal data.

Company Name	Webxcell Digital & Technology Ltd
Registered	England and Wales · Company No. 171220206
Registered Office	128 City Road, London EC1V 2NX, United Kingdom
Website	www.webxcell.com
General Enquiries	hello@webxcell.com
Privacy & Data Protection	privacy@webxcell.com
Data Protection Officer	dpo@webxcell.com

We have appointed a Data Protection Officer (DPO) responsible for overseeing questions regarding this Privacy Policy and our data protection practices. We aim to acknowledge all enquiries within 48 business hours and provide a substantive response within 30 calendar days.

Personal Data We Collect

We collect personal data from and about you in various ways, depending on how you interact with us.

3.1 Information You Provide Directly

Identity data — full name, job title, professional designation
Contact data — email address, telephone number, business & postal address
Professional data — company name, industry sector, seniority, LinkedIn profile
Communication data — the content of enquiries, messages, or correspondence
Event data — registration details and attendance at webinars, events, or presentations
Recruitment data — CV, cover letter, professional history, qualifications, right-to-work information
Transaction data — details of any services purchased or enquired about

3.2 Information Collected Automatically

Device & technical data — IP address, browser type/version, operating system, device identifiers
Usage & behavioural data — pages visited, time on page, click-through paths, referring URLs
Location data — approximate geographic location derived from IP address (country/region level)
Cookie & tracking data — data collected via cookies and similar technologies
Log data — server logs, access times, error reports, and performance metrics

3.3 Information from Third Parties

Business partners & referrals — when a partner or client refers you to us
Publicly available sources — Companies House, LinkedIn, professional directories
Marketing & lead generation platforms — where you have consented to data being shared
Analytics & advertising partners — aggregated and pseudonymous interaction data

3.4 Special Category & Sensitive Data

We do not seek to collect special category personal data through the Site or in the ordinary course of our business. Should we ever need to process such data, we will seek your explicit consent or rely on another permitted legal gateway, and will notify you separately. Special category data includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, and data concerning sex life or sexual orientation.

How We Use Your Personal Data

We use personal data only where we have a lawful basis for doing so.

4.1 Operating & Improving the Site

To deliver and maintain the Site and ensure it functions correctly
To monitor performance, identify technical errors, and carry out testing
To personalise your experience and remember your preferences
To conduct analytics and improve user experience

Lawful basis: Legitimate interests (Art. 6(1)(f) UK GDPR) — to operate, improve, and secure our online presence.

4.2 Responding to Enquiries & Delivering Services

To respond to enquiries, requests for proposals, and contact form submissions
To provide professional services and fulfil contractual obligations
To manage the client relationship, including onboarding, project delivery, and invoicing

Lawful basis: Performance of a contract or pre-contractual steps (Art. 6(1)(b) UK GDPR); legitimate interests where relevant (Art. 6(1)(f)).

4.3 Marketing & Communications

To send thought leadership, industry insights, newsletters, and event invitations
To inform you of services relevant to your business needs
To conduct market research and client satisfaction surveys
To manage marketing preferences and honour opt-out requests promptly

Lawful basis: Consent (Art. 6(1)(a)) where required by PECR; legitimate interests (Art. 6(1)(f)) for B2B communications. You may opt out at any time.

4.4 Recruitment & Employment

To receive, assess, and respond to applications for employment or freelance engagements
To conduct background verification and right-to-work checks where applicable
To manage onboarding, payroll, performance, and employee relations

Lawful basis: Performance of a contract (Art. 6(1)(b)); legal obligations (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

4.5 Legal, Regulatory & Compliance

To comply with applicable laws, regulations, and codes of practice
To respond to requests from regulators, courts, or law enforcement
To detect, investigate, and prevent fraud and security incidents
To exercise or defend legal claims and manage disputes

4.6 Business Operations & Administration

To manage supplier and partner relationships
To administer access controls, IT systems, and internal security
To conduct corporate transactions including mergers or acquisitions
To prepare financial accounts, audit reports, and corporate filings

Lawful Basis Summary

Category of Processing	Lawful Basis	UK GDPR Article	Special Category?
Site operation & analytics	Legitimate interests	Art. 6(1)(f)	No
Responding to enquiries	Pre-contractual / contract steps	Art. 6(1)(b)	No
Service delivery	Performance of contract	Art. 6(1)(b)	No
Electronic marketing (B2C)	Consent	Art. 6(1)(a)	No
Electronic marketing (B2B)	Legitimate interests	Art. 6(1)(f)	No
Recruitment	Contract / legitimate interests	Art. 6(1)(b/f)	Possible
Legal & regulatory compliance	Legal obligation	Art. 6(1)(c)	No
Fraud prevention & security	Legitimate interests	Art. 6(1)(f)	No
Employment administration	Contract / legal obligation	Art. 6(1)(b/c)	Possible
Business operations	Legitimate interests	Art. 6(1)(f)	No

Disclosure & Sharing of Personal Data

We do not sell, rent, or trade your personal data. We share data only in the circumstances set out below, and only to the extent necessary for the stated purpose.

6.1 Service Providers & Data Processors

IT infrastructure and cloud hosting providers (e.g. Microsoft Azure, Amazon Web Services)
Website analytics and performance tools (e.g. Google Analytics, Hotjar)
CRM and marketing automation platforms (e.g. HubSpot, Mailchimp)
Accounting, payroll, and HR software providers
Legal, audit, and professional advisory firms
Customer support and live-chat platforms (e.g. Intercom)

All processors enter into data processing agreements per Article 28 UK GDPR, and are prohibited from processing your data for any other purpose.

6.2 Professional Advisers

We may share personal data with lawyers, accountants, insurers, and other professional advisers who require access in performance of their services. All are bound by professional confidentiality obligations and, where applicable, data processing agreements.

6.3 Regulatory Authorities & Law Enforcement

We may disclose personal data to the ICO, FCA, HMRC, law enforcement agencies, courts, or other regulatory bodies where required by law or to protect our legal position.

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be disclosed to prospective buyers or transferred to a new entity. We will notify you of any such transfer in accordance with applicable law.

6.5 With Your Consent

We may disclose your personal data to third parties where you have given explicit, informed consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

International Data Transfers

Webxcell is based in the United Kingdom. Some of our service providers, partners, and group entities are located in countries outside the UK and the EEA. When we transfer personal data internationally, we ensure appropriate safeguards are in place as required by Article 46 UK GDPR.

UK Adequacy Regulations — transfers to countries with an adequacy decision from the UK Secretary of State under Section 17A DPA 2018
International Data Transfer Agreements (IDTAs) — the UK standard contractual clauses approved by the ICO
Standard Contractual Clauses (SCCs) — European Commission-approved clauses for EU GDPR transfers
Binding Corporate Rules (BCRs) — where applicable for multinational group structures
UK-US Data Bridge — for transfers to certified US organisations under the UK Extension to the EU-US Data Privacy Framework

For further information about safeguards for any specific transfer, please contact privacy@webxcell.com.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, regulatory, accounting, or reporting requirements.

Category of Data	Retention Period	Rationale
Website enquiry & contact form data	3 years from last contact	Legitimate business interest; contractual limitation period
Client & project data	7 years from end of engagement	Legal, regulatory, and professional indemnity obligations
Marketing & communications data	Until opt-out or 3 years inactivity	ICO guidance on marketing consent records
Recruitment applications (unsuccessful)	12 months from decision	Future roles consideration; equal opportunities claims
Recruitment applications (successful)	Employment + 7 years	Employment law & statutory limitation periods
Employee records	Employment + 7 years	HMRC requirements; employment tribunal limitation periods
Supplier & contractor data	6 years from end of contract	Contractual & statutory limitation periods
Financial & accounting records	7 years from end of financial year	HMRC & Companies Act statutory requirements
Website analytics data	26 months (aggregated thereafter)	ICO guidance on analytics data retention
Security & access logs	12 months	Security monitoring & incident investigation
CCTV footage (if applicable)	31 days unless required for investigation	ICO guidance on CCTV retention
Correspondence & legal documents	7 years or duration of claim	Statutory limitation periods under the Limitation Act 1980

At the end of the applicable retention period, personal data is securely deleted, anonymised, or pseudonymised in accordance with our Data Disposal Policy and ICO guidance. Retention schedules are reviewed annually.

Data Security

We have implemented comprehensive technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, alteration, disclosure, or destruction.

9.1 Technical Measures

🔐

Encryption in Transit

TLS 1.2+ across all Site communications

💾

Encryption at Rest

AES-256 enterprise-grade encryption

🛡️

Multi-Factor Auth

MFA on all systems processing personal data

🔑

Role-Based Access

RBAC limiting access on a need-to-know basis

🔍

Vulnerability Scanning

Regular automated scanning & penetration testing

📡

24/7 Monitoring

Intrusion detection, firewalls & security monitoring

9.2 Organisational Measures

Mandatory data protection training for all employees on joining and annually thereafter
Documented data protection policies, procedures, and standards reviewed annually
Data Protection Impact Assessments (DPIAs) for high-risk processing activities
Vetted and contractually bound third-party processors with regular compliance reviews
Incident response plan aligned with ICO breach notification obligations (72-hour reporting window)
Regular internal audits and third-party assessments of our data protection practices

9.3 Personal Responsibility

Where we have given you a password to access parts of the Site, you are responsible for keeping it confidential. Please do not share your password with anyone. Transmission of information via the internet is not completely secure; any such transmission is at your own risk.

Automated Decision-Making & Profiling

We do not currently use automated decision-making processes that produce legal or similarly significant effects without human oversight. Where we use profiling — for example, to segment website visitors for analytics or personalise marketing — we do so on an aggregated, anonymised, or pseudonymised basis.

If we introduce automated decision-making processes that could significantly affect you, we will notify you in advance, explain the logic involved, and provide a mechanism to request human review in accordance with your rights under Article 22 UK GDPR.

Cookies & Similar Technologies

The Site uses cookies and similar tracking technologies to operate correctly, analyse usage, and support our marketing activities.

Strictly Necessary — essential for the Site to function
Performance & Analytics — help us understand how visitors interact with the Site
Functional — enable enhanced functionality and personalisation
Targeting & Marketing — used to deliver relevant advertising and track campaigns

You can manage your cookie preferences at any time through our cookie consent banner or the “Cookie Settings” link in the Site footer. For full details, please refer to our Cookie Policy.

Marketing Communications

Where you have consented, or where we have a legitimate interest under applicable law, we may send you information about our services, industry insights, events, and other professionally relevant content.

You have the right to opt out of marketing communications at any time:

Click the “Unsubscribe” link in any marketing email we send you
Email privacy@webxcell.com with your name, email address, and an opt-out request
Contact our DPO at dpo@webxcell.com

Please note that we may still send you service-related communications necessary for the performance of a contract or the fulfilment of a legal obligation (such as invoices, legal notices, or security alerts). These are not marketing communications and cannot be opted out of while the relevant relationship continues.

Your Data Subject Rights

Under the UK GDPR and DPA 2018, you have the following rights. We will respond to all valid requests within the statutory one-month timeframe.

13.1

Right to be Informed

Receive clear, transparent information about how and why we process your personal data.

13.2

Right of Access

Obtain confirmation of processing and receive a copy of your data. Subject Access Requests answered free within one month.

13.3

Right to Rectification

Request correction of inaccurate or incomplete personal data without undue delay.

13.4

Right to Erasure

Request deletion of your personal data in certain circumstances, subject to legal retention obligations.

13.5

Right to Restriction

Request that we restrict processing of your data in specific circumstances while retaining it.

13.6

Right to Portability

Receive your data in a structured, machine-readable format (CSV or JSON) and transfer to another controller.

13.7

Right to Object

Object to processing based on legitimate interests. Absolute right to object to direct marketing.

13.8

Automated Decision Rights

Not be subject to solely automated decisions producing significant effects, per Article 22 UK GDPR.

13.9

Right to Withdraw Consent

Withdraw consent at any time without affecting the lawfulness of prior processing.

13.10 How to Exercise Your Rights

Please submit a written request to dpo@webxcell.com. We will respond to all valid requests within one calendar month. We may need to verify your identity before processing your request.

If you are dissatisfied with our response or believe we are not processing your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Third-Party Links & External Websites

The Site may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices or content.

We encourage you to review the privacy policy of every website you visit. This Privacy Policy applies only to the Site and Webxcell’s own processing activities.

Children’s Privacy

The Site is directed exclusively at business and professional audiences and is not intended for, nor directed at, children under 18. We do not knowingly collect personal data from minors.

If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at privacy@webxcell.com. We will investigate and delete such data promptly upon confirmation.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in applicable law, our data processing activities, or our business practices. All changes will be published on this page with updated Effective Date and Last Reviewed dates.

Where we make material changes to this Policy, we will:

Update the “Effective Date” and “Last Reviewed” fields at the head of this document
Display a prominent notice on the Site drawing your attention to the changes
Where required by law or consent obligations, contact you directly and if necessary seek fresh consent

We encourage you to review this Privacy Policy periodically. The current version will always be accessible at www.webxcell.com/legal/privacy-policy.

Governing Law & Jurisdiction

This Privacy Policy and any dispute or claim arising out of, or in connection with, it shall be governed by and construed in accordance with the laws of England and Wales. Subject to any mandatory consumer protection rights, any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Our processing of personal data is subject to the supervision of the Information Commissioner’s Office (ICO). Where we process personal data of individuals in the EEA, we recognise the jurisdiction of the relevant EU member state data protection authority.

Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us through any of the following channels.

Data Protection Officer

dpo@webxcell.com

All data subject rights requests & DPA queries

Privacy Team

privacy@webxcell.com

Privacy enquiries, consent withdrawal & opt-outs

General Enquiries

hello@webxcell.com

All other questions about Webxcell

Postal Address

128 City Road
London EC1V 2NX
United Kingdom

Marked: Data Protection Officer

We aim to acknowledge all privacy-related enquiries within 48 business hours and provide a substantive response within 30 calendar days, in line with our UK GDPR obligations. For complex requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reason for it.