Privacy Policy
Website Privacy Policy
1 INTRODUCTION
1.1 Important information and who we are
Welcome to Sourcechange Limited’s Privacy and Data Protection Policy (“Privacy Policy”). At Sourcechange Limited (“we”, “us”, or “our”) we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and all other mandatory data protection laws and regulations of the United Kingdom. This Privacy Policy explains how we collect, process, and keep your data safe. It also outlines your privacy rights, how the law protects you, and informs our employees and staff members of their obligations when processing data.
This Privacy Policy applies to all our employees, staff members, and all Personal Data processed at any time by us.
1.2 Your Data Controller
Sourcechange Limited is your Data Controller and is responsible for your Personal Data. For any GDPR-related queries and requests, please email our GDPR Lead at Operations@sourcechange.com.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
1.3 Processing data on behalf of a Controller and processors’ responsibility to you
In discharging our responsibilities as a Data Controller we may use employees or third parties to process your data on our behalf (“Processors”).
The Data Controller and our Processors have the following responsibilities:
● Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR (see 2.2 below).
● Ensure that authorised Processors commit to confidentiality or are under statutory obligations of confidentiality.
● Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
● Obtain prior authorisation before engaging another Processor.
● Assist in fulfilling obligations to respond to requests for exercising data subject rights.
● Maintain records of all categories of processing activities.
● Cooperate with supervisory authorities.
● Ensure that any person with access to Personal Data only processes it on instruction.
● Notify the Controller without undue delay of any Personal Data Breach.
2 LEGAL BASIS FOR DATA COLLECTION
2.1 Types of data / Privacy policy scope
“Personal Data” means any information about an individual from which that person can be identified. It does not include anonymous data.
We do not collect any Special Categories of Personal Data (such as ethnicity, religion, health, biometric, or criminal data).
2.2 The Legal Basis for Collecting That Data
We rely on the following justifications under the GDPR:
● Consent – when you opt in to services such as newsletters.
● Contractual obligations – when processing is necessary to fulfil our contract with you.
● Legal compliance – when we must process data by law.
● Legitimate interest – when processing is required for business purposes that do not materially impact your rights.
We apply the GDPR principles of data minimisation and storage limitation, ensuring data is adequate, relevant, and not kept longer than necessary.
3 HOW WE USE YOUR PERSONAL DATA
We will only use your Personal Data when the law allows us to. If we need to use it for another reason compatible with the original purpose, we will notify you. We may process your data without your knowledge or consent where required by law.
4 YOUR RIGHTS AND HOW YOU ARE PROTECTED BY US
4.1 Your legal rights
Under data protection laws you have the following rights: right to be informed, right of access, right to rectification, right to erasure, right to object, right to restrict processing, and right to data portability.
If you exercise your right to erasure, we will delete your Personal Data unless we are required by law or have overriding legitimate grounds to continue holding it (such as compliance or legal defence).
4.2 How we protect your Personal Data
Your data is accessible only by authorised staff and subcontractors under strict confidentiality. We apply technical and organisational measures to protect against loss or unauthorised access. While we strive to protect your data, transmission over the internet cannot be guaranteed to be fully secure.
4.3 How to request your data
You may submit a data subject access request. We may request additional information to verify your identity. Requests that are manifestly unfounded may be refused.
5 YOUR DATA AND THIRD PARTIES
We may share your Personal Data:
● In connection with a business transfer, acquisition, or change of control.
● Where required by law or to enforce our terms.
● With authorised third-party service providers under strict contractual safeguards.
6 HOW LONG WE RETAIN YOUR DATA
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected. By default, we retain most Personal Data for no longer than 2 years from the date of your last interaction with us. After this period, your data will be securely deleted or anonymised.
Some categories of data must be kept longer to comply with legal requirements:
● Financial and accounting records – up to 6 years (UK tax law).
● Contractual and business records – up to 6 years (limitation periods for legal claims).
● Recruitment and candidate data – 6–12 months unless consent is given for a longer period.
● Marketing consent records – retained for as long as consent is valid (reviewed every 2 years).
● Litigation or regulatory requirements – data may be retained beyond standard periods to establish, exercise, or defend legal claims.
We review retention practices annually to ensure compliance.
7 INTERNATIONAL TRANSFER OF DATA
Your information may be stored and processed in the US or other countries where Sourcechange Limited has facilities. By using our services, you consent to such transfers, subject to adequate safeguards.
8 NOTIFICATION OF CHANGES AND ACCEPTANCE OF POLICY
We keep this Privacy Policy under review and will post any updates on our website. Continued use of our services after changes means you accept the updated Privacy Policy.
9 INTERPRETATION
● “Including” means “including but not limited to.”
● Email addresses provided are solely for their stated purpose.
● Staff are not authorised to contract, waive rights, or make representations unless expressly stated as from the legal department of Sourcechange Limited.