Privacy Notice

1. Introduction

Governance Risk & Compliance Hub (GRC Hub), a company registered in England and Wales under the Companies Act 2006, is committed to protecting your privacy and ensuring that your personal data is handled securely and responsibly.

This notice explains:

  • What information we collect
  • How we use and store it
  • Who we may share it with
  • Your rights regarding your personal data

GRC Hub (referred to as “we”, “us”, or “our”) is a trading name of Governance Risk & Compliance Hub. We are registered with the Information Commissioner’s Office (ICO Registration Reference: ZB901170) and act as the data controller for the personal data we collect.

If you have any questions, you can contact our Privacy Officer at privacy@grc-hub.co.uk.

2. Personal Information We Collect

When you access or use our services, we may collect the following types of personal data:

  • Full name
  • Address
  • Phone number (including mobile)
  • Email address
  • Date of birth
  • Payment details (e.g. Direct Debit, credit/debit card information)
  • IP address (when using our website or app)

We only collect the data we need to manage your contract and deliver the services you have requested. Unless otherwise stated, we do not use your information for any unrelated purposes without your consent.

Our services are not directed at children under 16, and we do not knowingly collect personal data from children.

We do not process special category (sensitive) personal data. If this changes, we will update this notice and implement additional safeguards.

3. How We Use Your Information

Your personal data is used to:

  • Manage and fulfil your service contract
  • Deliver services, including access to specialist consultants if necessary
  • Comply with legal or regulatory obligations
  • Improve our service delivery and communications
 
We do not use your personal data for automated decision-making or profiling.

4. Data Retention and Storage

We retain personal data for up to six years following the end of your relationship with us. This retention period enables us to meet our legal, tax, and regulatory obligations, as well as to respond to any future enquiries or complaints.

Client data is stored securely within the United Kingdom and the European Economic Area (EEA). Specifically:

  • Data held in Microsoft 365 services (including SharePoint, OneDrive, and Microsoft Teams) is hosted entirely within the United Kingdom.
  • Data managed through our Customer Relationship Management (CRM) system, HubSpot, is stored in Germany.

We do not transfer your data outside the UK/EEA. If this changes, we will ensure appropriate safeguards are in place and update this notice.

5. Sharing Your Information

We do not sell or share your personal information for marketing purposes. However, we may share your data with third parties:

  • To provide the services you’ve requested
  • With specialist consultants (where relevant to your service)
  • For legal, regulatory, or fraud prevention purposes
  • As part of a business sale, acquisition, or restructuring

We may share your data with trusted service providers such as legal or regulatory advisors, solely for the purposes outlined in this notice.

6. Marketing Preferences

We undertake digital marketing activities—including outbound telephone calls and email communications—with the aim of engaging individuals in their professional capacity. To support this, we make every reasonable effort to ensure that we use only business contact information, not personal details.

We rely on our legitimate interests as the lawful basis for business-to-business (B2B) marketing. Before making calls, we check numbers against the Telephone Preference Service (TPS) and Corporate TPS (CTPS) to avoid contacting individuals who have opted out.

In some cases, we may unintentionally receive or use a personal (i.e., non-business) email address or phone number. If this occurs, we sincerely apologise. Upon being made aware, we will take immediate action to add the contact details to our “Do Not Contact” suppression list to ensure you are not contacted again via that channel.

We may also send a monthly newsletter via email to individuals who:

  • Have expressed interest in our business or services, or
  • We reasonably believe may benefit from updates related to our work

Our newsletters typically include insights into developments in areas such as:

  • Regulatory/legal frameworks and standards (e.g. GDPR, ISO 27001, PCI DSS)
  • Cybersecurity
  • Training and quizzes

You can manage your marketing preferences or opt out at any time by:

  • Contacting us directly using the details provided in the “Contact Us” section
  • Clicking the “unsubscribe” link included in all of our marketing emails

We fully respect your preferences and will always honour your choices.

7. Online Meeting Recordings and Transcriptions

Some online meetings (e.g., MS Teams) may be recorded or transcribed using AI. We will always inform participants in advance, and you will have the option to:

  • Turn off your camera
  • Use the chat function instead of speaking
  • Request that the recording/note-taking does not take place (where it is not required as part of service delivery)

Personal Data That May Be Captured:

  • Name or username
  • Photo or profile image
  • Email address
  • Audio/video participation, background, and chat content

Purpose of Processing:

We record/transcribe meetings:

  • To document key information
  • For internal use, quality assurance, or formal records
  • For service delivery: to give attendees, and individuals who were unable to attend, access to the recording afterwards

Legal Basis:

The processing is based on our legitimate interests, unless overridden by your privacy rights. If you do not wish to be recorded, please let the meeting organiser know or adjust your settings.

Storage & Access:

Recordings and transcripts are retained for 120 days, after which they are deleted. They are accessible only by GRC Hub staff; no external participants have access. In some cases, such as podcast recordings, a recording may be published on our website; attendees will be notified and their consent obtained before publication.

We process your personal data to fulfil our contract with you (Article 6(1)(b)), comply with legal obligations (Article 6(1)(c)), and for our legitimate interests in service improvement and marketing (Article 6(1)(f)). Where we rely on consent, you may withdraw it at any time.

8. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of your data
  • Correction: Ask us to correct any inaccurate information
  • Deletion: Request erasure of your data (where appropriate)
  • Objection: Object to specific data processing activities
  • Portability: Request your data be transferred to another provider
  • Restrict Processing: Restrict how GRC Hub processes your data

You also have a right to withdraw consent at any time.

To exercise your rights, contact us at:
📧 privacy@grc-hub.co.uk
📞 Tel: +44 (0) 113 532 7830

or visit our Contact Us page.

We are not currently required to appoint a Data Protection Officer; we review this decision periodically and have instead appointed a Privacy Officer, who can be contacted using the details above.

9. Complaints

If you’re unhappy with how we’ve handled your data, please let us know. If you’re still not satisfied, you can contact the Information Commissioner’s Office (ICO):
🔗 www.ico.org.uk/concerns

You can contact the ICO’s helpline on 0303 123 1113 or write to their office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

10. Cookies

We use cookies on our website to improve user experience. When you visit our website, you will be presented with a cookie consent banner allowing you to manage your preferences in accordance with data protection laws.

More details on the types of cookies and how to manage your consent preferences whilst visiting our site can be found in our Cookies Notice at the bottom of the website.

11. Links to Other Websites

Our website may include links to other websites. Please note that once you leave our site, this privacy notice no longer applies. We recommend reviewing the privacy policy of any external sites you visit.

12. Updates to This Notice

We may update this notice periodically. Please check this page regularly for the latest version.

Version: 1.0
Effective Date: June 2025