PRIVACY POLICY
Privacy Notice (Privacy Policy) — Outlier Technology Limited
Last updated: 10th March 2026
Applies to: https://outliertechnology.co.uk and Outlier Technology Limited's own business operations.
1. Who we are
Outlier Technology Limited ("Outlier Technology", "we", "us") is a UK-based information technology consultancy, registered in England and Wales (company number 11303595).
This notice explains how we handle personal data for which we are responsible (for example: business contact details, recruitment information, and limited supplier/finance records).
In most client engagements, we work inside client-controlled environments and do not store or operate client production data on Outlier Technology systems as part of normal operations.
2. How to contact us about privacy (including deletion requests)
- Postal address: Popeshead Court Offices, Peter Lane, York, England, YO1 8SU
If your request relates to data held in a client's systems (where the client is the controller), we may direct you to the relevant client contact rather than acting unilaterally.
3. What personal data we collect
Depending on your relationship with us, we may collect:
- Identity and contact data: name, job title, employer, email address, phone number, work address.
- Communications: emails and messages with us, meeting notes, and records of requests you make (including privacy requests).
- Business operations: invoices, purchase orders, and payment reconciliation information (where relevant).
- Recruitment / HR (where relevant): CVs, employment history, references, right-to-work checks, and other information you provide during recruitment.
- Website usage: basic technical and usage information (for example IP address, timestamps, user agent, pages accessed, and error/security events) in server/security logs.
- Website contact / scheduling (if you use our contact/booking features): information you submit such as name, email address, organisation, meeting time, and any notes you choose to provide.
Where we get this data from:
- Directly from you (for example when you email us, apply for a role, or book a meeting)
- From your organisation / our clients (for example where you are a named stakeholder on an engagement)
- From public / professional sources (for example your organisation website or LinkedIn, where relevant to a business relationship)
- From our systems and service providers (for example Website logs and scheduling confirmations)
Our Website may use essential cookies and similar technologies. Embedded features (for example scheduling) may also set cookies. Where we use non-essential cookies (for example analytics/marketing), we will provide appropriate notice and choices.
We do not intentionally collect special category data (for example health data) unless you choose to provide it, or it is required by law.
4. How we use personal data (purposes and lawful bases)
We only use personal data where we have a lawful basis under UK GDPR / GDPR. Common bases include:
- Contract (to provide requested services or manage a relationship)
- Legal obligation (to comply with tax, accounting, employment, or other laws)
- Legitimate interests (to run our business responsibly, keep systems secure, and communicate with business contacts)
- Consent (only where required; you can withdraw consent at any time)
Typical processing activities:
- Delivering and managing consulting services (contract / legitimate interests)
- Responding to enquiries and maintaining business relationships (legitimate interests)
- Recruitment and onboarding (legitimate interests / contract steps)
- Accounting and tax compliance (legal obligation)
- Security, fraud prevention, and audit trails (legitimate interests / legal obligation where applicable)
You do not usually have to provide personal data to us by law. However, if you do not provide information that is necessary for a contract or to progress an enquiry (for example contact details), we may not be able to respond or provide the requested services.
5. Who we share personal data with
We may share personal data with:
- Service providers we use to operate our business (for example email, document storage, accounting, security tooling), under appropriate contractual protections.
- Website providers we use to host and operate our Website (including embedded features such as scheduling).
- Professional advisers (for example legal, insurance, or accounting) where needed.
- Regulators and authorities where we are legally required to do so.
- Clients only where necessary for an engagement (for example to coordinate with named stakeholders) and in line with contractual terms.
We do not sell personal data.
6. International transfers
Some of our service providers may process data outside the UK/EEA. Where that happens, we use appropriate safeguards (for example UK IDTA / EU Standard Contractual Clauses, and vendor due diligence).
7. Retention
We keep personal data only as long as needed for the purposes described above, including legal and contractual requirements. Retention is determined by:
- the type of relationship (for example applicant vs supplier vs business contact),
- legal requirements (for example tax/finance records), and
- security/audit needs.
Website logs are typically retained for a short period for security and troubleshooting, and longer where needed to investigate or evidence security incidents.
Data subject request records (including deletion requests) are retained for at least 3 years (or longer where required) as evidence of compliance and decision-making.
8. Your rights (data subject rights)
Subject to applicable law, you may have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase data (deletion) in certain circumstances
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Data portability (where applicable)
- Withdraw consent (where we rely on consent)
- Complain to a supervisory authority (for the UK, the ICO)
If you are unhappy with how we handle your data, we encourage you to contact us first so we can try to resolve it. You also have the right to complain to the UK Information Commissioner's Office (ICO): https://ico.org.uk.
9. Data deletion requests and how we track them
To request deletion (erasure) or exercise other rights, use:
Our approach:
- We verify identity where appropriate (to prevent unauthorised disclosure or deletion).
- We assess the request against legal and contractual requirements (for example, we may need to retain certain records for legal obligations).
- We respond within required timeframes (typically within one month, and sooner where practical).
- We track and log requests in a restricted-access Data Subject Request (DSR) log, including receipt date, request type, decision, and completion date.
10. Direct marketing
We do not send direct marketing communications unless we have a lawful basis to do so (for example where you have requested information, or where you have consented and you can opt out at any time).
If you receive email from us and want to stop, reply to the message or email hello@outliertechnology.co.uk.
11. Automated decision-making
We do not use your personal data for solely automated decision-making (including profiling) that produces legal or similarly significant effects.
12. Stakeholder rights and obligations (ISO 42001)
We aim to address stakeholder rights and obligations explicitly:
- Customers: we treat business contact data confidentially, use it only for legitimate service/business purposes, and align with client instructions when working in client-controlled environments.
- Regulators: we maintain privacy governance, respond to lawful requests, and retain appropriate evidence (for example DSR logs).
- Society: we minimise personal data use, avoid unnecessary collection, and support safe, lawful, and responsible use of technology (including any AI-related activities) consistent with applicable laws and contractual commitments.
13. Changes to this notice
We keep this notice under review and update it promptly when our practices change (target: within 30 days of any significant change). The "Last updated" date above shows the current version.
14. Related documents
- Terms of Service: https://outliertechnology.co.uk/terms
- Data subject requests (including deletion requests): hello@outliertechnology.co.uk
