Privacy Notice

1. Introduction

This Privacy Notice explains how we collect, use, store, share, and protect personal data when you use our website, contact us, sign up to hear from us, or otherwise interact with us online.

We are committed to respecting your privacy and protecting your personal data, wherever you are visiting this website from. It is important that you read this notice so that you understand how and why we use your personal data. This notice supplements any other privacy or fair processing notices we may provide to you in specific circumstances and is not intended to override them.

This notice is intended to align with applicable UK and EU data protection and privacy laws, including the Data (Use and Access) Act 2025, the Data Protection Act 2018, the UK General Data Protection Regulation ("UK GDPR") and the EU General Data Protection Regulation ("EU GDPR"), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") and the EU ePrivacy Directive (Directive 2002/58/EC, as amended).

2. Who we are

Spriggun Ltd (“Spriggun”), is a company registered in England and Wales with company number 16704429. Spriggun is a regulatory readiness, tech advisory and digital transformation firm. If you have any questions about this website or this Privacy Notice, contact us at: hello@spriggun.com

For data protection purposes, Spriggun is generally the controller of the personal data described in this notice. This means we decide why and how your personal data is used.

This website is not intended for children or for individuals below the age of legal adulthood in the place where they live, and we do not knowingly collect personal data from them, or relating to them.

3. Data we collect

Information you give us directly

your name;
your organisation name;
your email address;
your telephone number, if you choose to provide it;
the contents of your enquiry or message;
any attachments or information you send to us;
information you provide when you sign up to hear from us, including marketing and communications preferences; and
information you provide as part of an ongoing working relationship with us or in connection with services we are providing.

Technical information collected through the website

Our website uses only strictly necessary cookies, so the technical information we collect is limited to what is needed for the website to function and to remain secure. This may include:

IP address and / or server log data;
browser and device information;
request and error logs; and
basic technical information needed for website delivery and security.

We do not currently use Google Analytics, advertising pixels, marketing trackers, or optional analytics cookies.

4. How we collect your data

We collect personal data:

when you complete a contact form;
when you email us;
when you sign up to hear from us;
when you otherwise contact us directly;
when you engage with us as part of an ongoing working relationship or service relationship; and
automatically through the operation, hosting, and security of the website.

If you do not provide personal data where we need it to perform a contract with you, to take steps at your request before entering into a contract, or to comply with a legal obligation, we may not be able to provide the relevant services or continue the relevant engagement.

You should keep us informed if your personal data changes during our relationship with you, so that the information we hold remains accurate and up to date.

5. How we use your data

We will mainly use your personal data to perform a contract we have entered into with you or are about to enter into with you; where it is necessary for our legitimate interests (or those of a third party), provided your interests and fundamental rights do not override those interests; and / or where we need to comply with a legal obligation.

We use personal data to:

respond to your enquiries;
communicate with you;
manage prospective client, client, supplier, and other business relationships;
send you updates or newsletters if you have asked to hear from us;
provide and manage services;
operate, maintain, and secure the website;
identify and fix technical issues;
protect the website and our systems;
comply with legal, regulatory, or professional obligations; and
establish, exercise, or defend legal or regulatory matters where necessary.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another compatible reason.

6. Legal bases

Different legal bases may apply to different uses of your personal data, and more than one basis may sometimes apply to the same activity depending on the circumstances. If you would like more detail about the legal basis for any particular use of your personal data, please contact us.

We process personal data for the purposes set out below. Depending on the circumstances, we rely on one or more lawful bases under Article 6 of the UK GDPR and, where applicable, the EU GDPR:

Processing activity	Purpose of processing	Categories of personal data	Lawful basis
Responding to contact form enquiries	To receive, review and respond to enquiries submitted via our contact form, and to take any related follow-up action	Name, organisation, email address, and the contents of your enquiry	Article 6(1)(f) UK GDPR / EU GDPR: legitimate interests; Article 6(1)(b): pre-contract
Responding to email enquiries	To communicate with you, respond to your enquiry, and manage related correspondence	Email address, message contents, attachments	Article 6(1)(f); Article 6(1)(b) where relevant
Providing and managing services	To provide services and manage relationships	Contact details, correspondence	Article 6(1)(b); Article 6(1)(f); Article 6(1)(c) where applicable
Sending newsletters	To send communications and manage preferences	Name, email, preferences	Article 6(1)(a) consent; or 6(1)(f) where allowed
Hosting and operating website	To provide and secure website	IP, logs, device data	Article 6(1)(f)
Security and abuse prevention	To prevent misuse and attacks	Logs, metadata	Article 6(1)(f); Article 6(1)(c)
Compliance and record-keeping	To meet obligations	Records and correspondence	Article 6(1)(c); Article 6(1)(f)
Regulatory matters and legal claims	To protect legal position	Relevant records	Article 6(1)(f); Article 6(1)(c)

Where we rely on legitimate interests as a lawful basis, we consider and balance any potential impact on you and your rights before carrying out the relevant processing.

In some cases, more than one lawful basis may apply to the same processing activity, depending on the context in which personal data is collected and used. For example, when you contact us about a potential engagement, we may process your information both because it is in our legitimate interests to manage and respond to business enquiries and because the processing is necessary to take steps at your request before entering into a contract.

7. Cookies and similar technologies

Our website uses only strictly necessary cookies required for the website to function and for core security and operational purposes.

We do not currently use analytics cookies, advertising cookies, social media pixels, remarketing technologies, or other non-essential cookies or trackers.

8. Who we share your data with

We may share personal data where necessary with the following categories of recipient.

Website administration tools

We use certain third-party tools to help administer, maintain, and support the website.

Google Search Console - We may use Google Search Console to monitor search visibility, indexing, and technical website issues. It is used for website administration and search optimisation.

Service providers

We use third-party providers to support the website and our business operations. These may include providers of website hosting, email and form handling, IT and security, website maintenance and support, and communications tools.

Regulators and authorities

We may disclose personal data where required to comply with legal obligations, regulatory requests, or lawful investigations.

Professional advisers

We may share data with lawyers, accountants, auditors, insurers, or other professional advisers where this is reasonably necessary.

Business transfers

We may transfer personal data to third parties in connection with the sale, transfer, merger, or reorganisation of all or part of our business, or if we acquire or merge with another business. If this happens, the new owners or counterparties may use your personal data in the same way as set out in this Privacy Notice.

We require third parties to respect the security of personal data and to handle it in accordance with applicable law. Where third parties process personal data on our behalf, we require them to use it only for specified purposes and not for their own purposes.

9. How long we keep your data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, regulatory, professional, accounting, reporting, contractual, and legitimate business requirements.

Retention periods may vary depending on:

the nature of the personal data;
the reason it was collected;
whether there is an ongoing relationship or engagement;
whether we need the data to provide services or respond to enquiries;
whether the data is needed for record-keeping, legal, regulatory, tax, or accounting purposes; and
whether the data is relevant to a complaint, dispute, investigation, or legal / regulatory matter.

When personal data is no longer needed, we will delete it, anonymise it, or securely archive it where lawful and appropriate.

10. International transfers

Some of our service providers may process personal data outside the UK and / or the EEA.

Where this happens, we will ensure that appropriate safeguards are in place. Depending on the circumstances, this may include reliance on an adequacy decision, use of Standard Contractual Clauses or equivalent transfer safeguards, and / or other lawful transfer mechanism(s) permitted under applicable data protection law.

11. AI-enabled features

We do not currently use AI-enabled website features or AI systems that make decisions about website users. If we introduce AI-enabled website features in future, we will update this notice where needed to reflect applicable transparency requirements, including under the EU AI Act.

12. Security

We have put in place appropriate technical and organisational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised processing.

We limit access to personal data to those employees, contractors, advisers, and service providers who have a genuine business need to know it.

If we become aware of a personal data breach, we will assess it and, where legally required, notify the relevant regulator and / or affected individuals.

13. Your rights

Depending on your location and the circumstances, you may have the following rights under applicable data protection law.

Right to be informed

You have the right to be told how your personal data is collected and used.

Right of access

You can ask us for a copy of the personal data we hold about you, together with certain information about how we use it.

Right to rectification

You can ask us to correct inaccurate personal data, or complete data that is incomplete.

Right to erasure

You can ask us to delete your personal data in certain circumstances.

Right to restrict processing

You can ask us to limit the way we use your personal data in certain cases.

Right to data portability

Where the law applies, you may ask for your personal data in a structured, commonly used format so that you can reuse it elsewhere.

Right to object

You can object to processing in certain circumstances, especially where we rely on legitimate interests.

Rights related to automated decision-making

You have rights in relation to certain types of solely automated decision-making and profiling. We do not currently use website features that make this kind of decision about you.

Right to withdraw consent

If we rely on consent, you have the right to withdraw it at any time.

Right to complain

If you have any concerns about our use of your personal data, you may contact us at any time, wherever you are located, and we will seek to address those concerns.

You also have the right to lodge a complaint with the competent data protection authority, supervisory authority, or privacy regulator in the jurisdiction where you live, work, or where the alleged infringement occurred. In the UK, further information about making a complaint is available on the ICO website. In the EU / EEA, a list of supervisory authorities is available from the European Data Protection Board. If you are in another jurisdiction, you may contact your local data protection authority or privacy regulator.

Important limits on rights

The above rights are not absolute. In some cases, we may be unable to comply fully with a request, for example where it would: adversely affect the rights and freedoms of another person; the law requires us to keep certain information; the request is manifestly unfounded, excessive, or otherwise unreasonable; or where an exemption or restriction under applicable law applies.

How to exercise your rights

To exercise any of your rights, please contact us using the details below. We may need to verify your identity before responding. We will respond within the time limits required by applicable law in your location.

14. Accessibility

We are committed to making this Privacy Notice, and our website more generally, clear, accessible, and usable.

We aim to support broader accessibility expectations and good practice in the design and maintenance of this website, including recognised web accessibility standards such as WCAG 2.2 AA as an appropriate baseline for core website content. Enhanced accessibility measures may also be considered where appropriate, and we strive to meet AAA requirements.

If your accessibility needs mean that you cannot easily read or use this Privacy Notice, please contact us and ask for help, at hello@spriggun.com. You can request this notice in an alternative format, or ask us to explain it to you.

15. Third-party links

This website may include links to third-party websites, plug-ins, or services. We do not control those third-party websites and are not responsible for their privacy practices, content, or accessibility. We encourage you to read their privacy notices when you leave our site.

16. Changes to this notice

We may update this Privacy Notice from time to time to reflect changes to our website, services, suppliers, or legal obligations. When we do, we will update the “Last updated” date and version details at the top of this notice.

17. Contact us

If you have questions about this Privacy Notice or want to exercise your rights, please contact hello@spriggun.com

Glossary

Data (Use and Access) Act 2025 - UK legislation relating to data use, access, privacy, electronic communications, and related information law matters.

UK GDPR - The UK General Data Protection Regulation, which forms part of UK data protection law.

EU GDPR - Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation.

Data Protection Act 2018 - UK legislation that sits alongside and supplements the UK GDPR.

PECR - The Privacy and Electronic Communications (EC Directive) Regulations 2003, which contain specific rules about cookies, similar technologies, and certain electronic communications.

Controller - The person or organisation that decides why and how personal data is used.

Processor - A person or organisation that processes personal data on behalf of a controller.

Personal data - Any information relating to an identified or identifiable person.

Processing - Anything done with personal data, including collecting, storing, using, sharing, or deleting it.

Legitimate interests - A lawful basis that may apply where processing is necessary for a real business or organisational interest and is not overridden by the person’s rights and freedoms.

Strictly necessary cookies - Cookies needed for the website to work properly, securely, or for core operational purposes. Under PECR, non-essential cookies are treated differently to those that are strictly necessary.

Adequacy decision / adequacy regulation - A formal legal mechanism recognising that a country, territory, or sector provides an adequate level of data protection for personal data transfers.

SCCs - Standard Contractual Clauses used as contractual safeguards for certain international transfers of personal data.

Last updated: March 2026

Version: 2.0