Last updated: 22 May 2026
Indigo Cross ("we", "us", "our") is committed to protecting the privacy of our clients, website visitors, employees, and anyone else whose personal data we handle in the course of our business. This policy explains what data we collect, why we collect it, how we use it, and what rights you have.
We are a UK-based business and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Indigo Cross is a sole trader / partnership providing IT support, network maintenance, bespoke software development, and secure media disposal services for small and medium businesses, primarily across Hertfordshire and London.
If you have any questions about this policy or wish to exercise your data rights, please contact us using the details on our contact page.
We collect and process personal data in several contexts. The table below sets out what we collect, when, and the lawful basis under UK GDPR.
| Data | Purpose | Lawful basis |
|---|---|---|
| Name, email address, company name, message | To respond to enquiries submitted through the contact form | Legitimate interest |
| IP address | Anti-spam protection (included in form submissions and processed by Google reCAPTCHA) | Legitimate interest |
This website does not use analytics or advertising trackers. We do not add website enquiries to any mailing list.
| Data | Purpose | Lawful basis |
|---|---|---|
| Contact details (names, email addresses, phone numbers, business addresses) | Day-to-day communication and service delivery | Contract performance |
| Billing information (invoices, payment records) | Invoicing, accounting, and legal/tax obligations | Contract performance / legal obligation |
| Support records and correspondence (emails, notes, tickets) | Providing and managing IT support services | Contract performance |
| System access credentials provided to us by clients | Remote and onsite access to client systems in order to deliver support | Contract performance |
In the course of providing IT support, we may have access to data held on our clients' systems, including files, backups, email systems, and other information stored on servers and workstations we maintain. We access this data only as necessary to deliver the services requested. We do not copy, retain, or use this data for any other purpose. Where we carry out work that involves handling client data, we treat it with the same duty of care and confidentiality as we would our own.
Clients remain the data controller for any personal data held on their own systems. Our access to that data is in the capacity of a data processor acting on their instructions.
We provide degaussing and physical destruction of magnetic media (hard drives, tapes, etc.). Hardware received for disposal may contain personal data belonging to our clients or their customers. We do not access, read, or attempt to recover any data from media received for destruction. All media is destroyed in accordance with our disposal procedures, and certificates of destruction are provided where requested.
| Data | Purpose | Lawful basis |
|---|---|---|
| Contact details, address, date of birth, National Insurance number | Employment administration, payroll, HMRC obligations | Contract performance / legal obligation |
| Bank details | Salary payments | Contract performance |
| Emergency contact information | Health and safety | Legitimate interest |
Employee data is only accessible to those who need it for payroll, HR administration, or legal compliance. We do not share employee data with third parties except where required by law (for example, HMRC).
We store personal data using a combination of electronic systems (email, spreadsheets, documents, and a CRM/ticketing system) and, in some cases, paper records. We take reasonable steps to keep all records secure, including password-protecting electronic files and restricting physical access to paper records.
Contact form submissions from the website are delivered to us by email via a third-party relay service and are not stored in any database on this website.
We do not keep personal data for longer than necessary. Our general retention practices are as follows:
| Data type | Retention period |
|---|---|
| Website enquiries | Deleted once the enquiry has been dealt with, unless it leads to a client relationship |
| Client records and correspondence | Duration of the client relationship plus 6 years (to meet accounting and legal obligations) |
| Invoices and financial records | 6 years from the end of the financial year they relate to, as required by HMRC |
| Employee records | Duration of employment plus 6 years |
| Media disposal records / certificates | 6 years |
We do not sell, rent, or trade personal data. We only share data with third parties where it is necessary to deliver our services or meet legal obligations. The parties we may share data with include:
| Third party | Purpose |
|---|---|
| HMRC | Tax and payroll obligations (required by law) |
| Our accountant / bookkeeper | Preparing accounts and tax returns |
| SMTP2Go (email relay) | Delivering contact form submissions from the website. See their privacy policy. |
| Google (reCAPTCHA v3 and Fonts) | Spam prevention and font delivery on this website. See Google's privacy policy. |
This website does not set any first-party cookies. However, Google reCAPTCHA v3 may set third-party cookies as part of its bot-detection process. These are controlled by Google. You can manage or block cookies through your browser settings.
We take the security of personal data seriously and implement appropriate measures to protect it, including encrypted connections (TLS) for data in transit, password protection for electronic records, and restricted access to physical records. Client credentials entrusted to us are stored securely and are only accessed when required to deliver support services.
While no method of storage or transmission is completely secure, we take reasonable and proportionate steps to protect data from unauthorised access, loss, or misuse.
Under UK GDPR, you have the following rights in relation to your personal data:
Right of access — you can request a copy of the personal data we hold about you. Right to rectification — you can ask us to correct inaccurate or incomplete data. Right to erasure — you can ask us to delete your data, where there is no compelling reason for us to continue holding it. Right to restrict processing — you can ask us to limit how we use your data. Right to data portability — you can request your data in a structured, commonly used format. Right to object — you can object to processing based on legitimate interest.
To exercise any of these rights, please contact us using the details on our contact page. We will respond within one month. There is no fee for making a request in most circumstances.
If you are unhappy with how we have handled your personal data, we would appreciate the chance to address your concerns directly. However, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
We may update this policy from time to time to reflect changes in our business practices or legal requirements. Any updates will be posted on this page with a revised "last updated" date.
