Privacy Notice

GRC HUB PRIVACY NOTICE

Last updated: February 2026

1. Introduction

Governance Risk & Compliance Hub (GRC Hub) is committed to protecting your privacy and ensuring that your personal data is handled securely and responsibly.

This notice explains:

  • What information we collect and from whom.

  • How and why we use it.

  • Who we may share it with.

  • Your rights and how to exercise them.

GRC Hub (“we”, “us”, “our”) is a trading name of Governance Risk & Compliance Hub, a company registered in England and Wales under the Companies Act 2006. We are registered with the Information Commissioner’s Office (ICO) under registration number ZB901170 and act as the data controller for the personal data we collect.

If you have any questions about this notice or how we handle your data, you can contact our Privacy Officer at:

We are not currently required to appoint a Data Protection Officer and have instead appointed a Privacy Officer; we review this decision periodically.

2. Personal data we collect

When you access or use our services, visit our website, interact with us, or when we contact you in a business to business context, we may collect the following types of personal data:

  • Identification and contact details: full name, address, business email address, phone number (including mobile), employer, job title and role.

  • Account and contract data: details relating to your contract with us, services requested, billing and payment records (for example Direct Debit, bank details). We do not process, store or transmit payment card information and are therefore not in scope for PCI-DSS.

  • Communication data: emails, messages, notes from calls or meetings, responses to surveys and feedback forms.

  • Technical and usage data: IP address, device identifiers, browser type and version, operating system, referring URL, pages visited, time spent on site and other diagnostic data.

  • Marketing and prospecting data: preferences about how you wish to hear from us, records of marketing communications, newsletter subscriptions, responses and engagement with our campaigns.

  • Meeting and event data: registrations, attendance, and where applicable, recordings and/or transcriptions of online meetings (see section 8).

We only collect the data we need to manage our relationship with you and deliver the services you have requested or that we reasonably believe may be of legitimate interest to you in a professional context.

Our services are not directed at children under 16, and we do not knowingly collect personal data from children.

We do not routinely process special category (sensitive) personal data. If this changes, we will update this notice and implement additional safeguards.

3. How we collect your data

We collect personal data from a variety of sources:

  • Directly from you: when you contact us, request information, sign up to our newsletter or events, complete forms, or engage our services.

  • From your organisation: where we provide services to, or receive services from, your employer or another organisation you represent.

  • From referrals: where someone who knows you (for example a colleague or business contact) shares your details with us because they believe our services may be relevant.

  • From publicly available sources: such as company websites, LinkedIn and other professional networking platforms, and public registers.

  • From third party tools and data providers: including Apollo.io, which we use for business to business prospecting and enrichment of professional contact information (see section 9).

  • Automatically: via cookies and similar technologies when you use our website (see section 10 and our Cookie Notice).

4. How we use your information (purposes and lawful bases)

We process your personal data only when we have a lawful basis under the UK GDPR. The main purposes and legal bases are:

  1. To manage and fulfil your service contract

    • Purposes: setting up and managing your account, delivering services, arranging access to specialist consultants, handling enquiries and support.

    • Lawful basis: performance of a contract (Article 6(1)(b)) or taking steps at your request prior to entering into a contract.

  2. To manage our business relationship and operations

    • Purposes: invoicing, payment collection, supplier management, internal reporting, service improvement and quality assurance.

    • Lawful basis: performance of a contract; our legitimate interests in running and improving our business (Article 6(1)(f)).

  3. To comply with legal and regulatory obligations

    • Purposes: record keeping, responding to regulatory requests, tax and accounting, fraud prevention, and exercising or defending legal claims.

    • Lawful basis: compliance with legal obligations (Article 6(1)(c)); legitimate interests in establishing, exercising or defending legal claims (Article 6(1)(f)).

  4. To conduct marketing and business to business prospecting

    • Purposes: contacting individuals in their professional capacity by phone or email, maintaining suppression lists, sending newsletters and updates, and targeted outreach using tools such as Apollo.io.

    • Lawful basis: our legitimate interests in promoting our services to relevant organisations and professionals (Article 6(1)(f)); where required by law, your consent (Article 6(1)(a)).

  5. To improve our services and communications

    • Purposes: analysing service usage, monitoring website performance, enhancing customer experience, and developing new services.

    • Lawful basis: our legitimate interests in service improvement and business development (Article 6(1)(f)); for certain analytics cookies, your consent.

  6. To record and transcribe meetings

    • Purposes: documenting key information, enabling non-attendees to catch up, internal training, and quality assurance (see section 8).

    • Lawful basis: legitimate interests (Article 6(1)(f)); in some cases, consent where recordings are published (for example podcasts).

We do not use your personal data for automated decision making that produces legal or similarly significant effects.

5. Data retention and storage

We retain personal data for up to six years following the end of your relationship with us, unless a longer or shorter period is required or permitted by law. This period allows us to meet our legal, tax and regulatory obligations and respond to any future enquiries or complaints.

Client data is stored securely within the UK and the European Economic Area (EEA):

  • Data held in Microsoft 365 services (including SharePoint, OneDrive and Microsoft Teams) is hosted within the United Kingdom.

  • Data managed through our HubSpot CRM is stored in Germany.

For prospecting data obtained from third party providers such as Apollo.io, we retain contact details only for as long as we reasonably consider our services may be relevant to you and we have a lawful basis to contact you. We carry out regular list reviews and remove or anonymise outdated contacts, and we maintain a suppression list to ensure that if you opt out we do not re-add you from Apollo.io or other sources in the future.

We do not currently transfer your data outside the UK/EEA. If this changes, we will ensure appropriate safeguards are in place (such as standard contractual clauses) and update this notice.

6. Sharing your information

We do not sell your personal information and we do not share it with third parties for their independent marketing purposes.

We may share your data with trusted third parties where necessary to:

  • Provide the services you have requested (for example consultants, training platforms, communication tools).

  • Support our operations (for example IT service providers, CRM and email platforms, meeting and transcription tools).

  • Obtain specialist advice (for example legal, regulatory or professional advisors).

  • Comply with legal or regulatory requirements, court orders or to prevent fraud or other unlawful activity.

  • Facilitate a business sale, acquisition, merger or restructuring, in which case we will ensure that appropriate confidentiality and data protection obligations apply.

All third party service providers who process personal data on our behalf are bound by contract to keep your information confidential and secure and to use it only in accordance with our instructions and applicable law.

7. Marketing preferences

We undertake digital marketing activities, including outbound telephone calls and email communications, aimed at individuals in their professional capacity. We make every reasonable effort to ensure that we use only business contact information, not personal details.

We rely on our legitimate interests as the lawful basis for business to business marketing. Before making outbound calls, we check numbers against the Telephone Preference Service (TPS) and Corporate TPS (CTPS) to avoid contacting individuals who have opted out.

In some cases, we may unintentionally receive or use a personal (non-business) email address or phone number. If this occurs, we sincerely apologise. Once we become aware, we will promptly add those contact details to our “Do Not Contact” suppression list so that you are not contacted again via that channel.

We may send a monthly newsletter via email to individuals who:

  • Have expressed interest in our business or services; or

  • We reasonably believe may benefit from updates related to our work.

Our newsletters typically include insights into developments in areas such as:

  • Regulatory and legal frameworks and standards (for example GDPR, ISO 27001, PCI DSS).

  • Cybersecurity.

  • Training, quizzes and other resources.

You can manage your marketing preferences or opt out at any time by:

  • Clicking the “unsubscribe” link included in all marketing emails; or

  • Contacting us using the details in section 1.

We fully respect your preferences and will always honour your choices.

8. Online meeting recordings and transcriptions

Some online meetings (for example Microsoft Teams) may be recorded or transcribed using AI tools. We will always inform participants in advance wherever reasonably possible. You will have the option to:

  • Turn off your camera.

  • Use the chat function instead of speaking.

  • Request that recording or note-taking does not take place, where it is not required as part of service delivery.

Personal data that may be captured includes:

  • Name or username.

  • Photo or profile image.

  • Email address.

  • Audio or video participation, background image, and chat content.

Purpose of processing:
We record and/or transcribe meetings to:

  • Document key information accurately.

  • Support internal use, quality assurance and training.

  • Provide access to attendees or individuals who were unable to attend live sessions.

Legal basis:
Processing is based on our legitimate interests in documenting and improving our services, unless overridden by your privacy rights. Where recordings will be made publicly available (for example podcasts), we will obtain your consent before publishing.

Storage and access:
Recordings and transcripts are generally retained for 120 days, after which they are deleted. They are only accessible to GRC Hub staff and are not shared with external participants, unless explicitly agreed. In some cases (for example podcasts), recordings may be uploaded to our site or other platforms; in those cases, attendees will be notified and consent will be obtained prior to publishing.

9. Apollo.io and business prospecting

9.1 How we use Apollo.io

For business prospecting, we use Apollo.io to identify and contact businesses and professionals who we believe may benefit from our services and solutions, and to inform them of relevant news and updates. We rely on our legitimate interests to carry out this business to business marketing activity and have completed a Data Protection Impact Assessment for this processing.

Apollo.io provides business contact data sourced from its customers, partners and publicly available information, and acts as an independent controller for its own data collection. Apollo’s privacy policy explains how it collects and uses personal data and the options available to individuals, including opt out mechanisms.

9.2 Data we use via Apollo.io

When we use Apollo.io for prospecting, we may process the following types of personal data in a professional context:

  • Name.

  • Business email address and business telephone number.

  • Job title, role, seniority and department.

  • Employer name, industry and location.

  • Public professional profile information (for example LinkedIn URL, company website biography).

We seek to ensure that we only process corporate contact details; however, there may be a small margin for error with mobile numbers where it is not technically possible to determine in advance whether a device is corporate or personal.

We keep Apollo.io sourced prospect information under regular review and do not keep it indefinitely; where we have had no engagement with you over a reasonable period, we will delete or anonymise your details in our systems.

9.3 TPS/CTPS checks and accuracy

Apollo.io has built-in TPS checking facilities, which we enable, and we also carry out our own screening to minimise the risk of contacting numbers registered with the TPS or CTPS. While Apollo.io aims to provide only corporate, non-personal contact details, we recognise that some inaccuracies may occur and we will rectify or suppress data promptly when notified.

9.4 Transparency and your rights

When we contact new prospects using data obtained via Apollo.io, we will:

  • Inform you of where we obtained your information (for example “via Apollo.io or publicly available sources”).

  • Provide a clear option to object to further processing and to unsubscribe from future contact.

  • Include a link to this privacy notice (or a dedicated prospecting privacy summary) in the first contact and in subsequent outreach.

9.5 Your choices regarding Apollo.io

You can at any time ask us to stop using your data obtained via Apollo.io by objecting to our prospecting or marketing, unsubscribing, or asking to be added to our suppression list. We will then stop using Apollo.io data about you for our own purposes and will not re-add you from future Apollo.io exports.

You can also exercise your rights directly with Apollo.io by using its privacy tools to request removal or restriction of your profile in Apollo’s own database. This is in addition to, not instead of, your rights with us as the controller using Apollo.io for prospecting.

If you object, unsubscribe, or ask us not to contact you again, we will respect your request and add your details to our suppression list so that we do not contact you again via that channel.

10. Cookies

We use cookies and similar technologies on our website to improve user experience, understand how our site is used and support certain features. When you visit our website, you will see a cookie banner that allows you to manage your preferences in line with data protection laws.

More information about the types of cookies we use and how to manage your preferences can be found in our Cookie Notice at the bottom of our website.

11. Links to other websites

Our website may include links to other websites or services that are not operated by us. Once you leave our site, this privacy notice no longer applies. We recommend that you review the privacy policy of any external sites you visit.

12. Your rights

You have the following rights in relation to your personal data, subject to certain conditions and exemptions:

  • Access: request a copy of the personal data we hold about you.

  • Correction: ask us to correct inaccurate or incomplete information.

  • Deletion: request the erasure of your data where there is no longer a lawful basis for us to keep it.

  • Restriction: ask us to restrict our use of your data in certain circumstances.

  • Portability: request that we transfer your data to you or another provider in a structured, commonly used and machine readable format where applicable.

  • Objection: object to specific processing activities, including processing based on our legitimate interests and direct marketing.

  • Withdraw consent: where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at:

13. Complaints

If you are unhappy with how we have handled your personal data, we encourage you to contact us first so that we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

14. Updates to this notice

We may update this privacy notice from time to time to reflect changes in our services, legal requirements or how we process personal data. The current version will always be available on our website, together with the “last updated” date.

Version: 2.0
Effective date: February 2026
Review dates: June 2025, February 2026