Privacy Policy

Umbizo Limited

Last updated: 8 January 2026

1. Who We Are

Umbizo Limited is a data science and bioinformatics company registered in England and Wales (Company Number: 11601159). 

Contact details: Data Protection Lead: heather.robinson@umbizo.co.uk

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

•      Contact information: name, email address, telephone number, job title, organisation

•      Professional information: qualifications, work history, areas of expertise

•      Technical data: IP addresses, browser type, device information

•      Client project data: as specified in individual client agreements

3. How We Use Your Personal Data

We process your personal data for the following purposes:

•      Providing consultancy services: to deliver contracted services to our clients

•      Contract performance: to manage client relationships and fulfil contractual obligations

•      Business operations: for invoicing, record-keeping, and internal administration

•      Legal compliance: to meet regulatory and legal obligations

•      Legitimate interests: to improve our services, maintain security, and pursue business development where appropriate

4. Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR:

•      Contract performance: where processing is necessary to fulfil our contractual obligations

•      Legal obligation: where we must process data to comply with legal or regulatory requirements

•      Legitimate interests: where we have assessed that processing is necessary for our legitimate business interests and your rights do not override these interests

•      Consent: where you have given explicit consent for specific processing activities

5. Who We Share Your Data With

We may share your personal data with:

•      Clients: where necessary to deliver contracted services

•      Service providers: Microsoft (Azure, Microsoft 365), Databricks, and other technical suppliers operating under data processing agreements

•      Professional advisers: lawyers, accountants, and auditors where necessary

•      Regulatory authorities: where required by law

We do not sell personal data to third parties. All data sharing is governed by appropriate contracts and security measures.

 6. International Data Transfers

Our standard practice is to process all personal data within the United Kingdom. Where international transfers are necessary, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments to ensure adequate protection of your personal data.

7. How Long We Keep Your Data

We retain personal data in accordance with our Data Retention Schedule:

•      Client project data: 7 years after project completion (to meet professional indemnity requirements)

•      Financial records: 7 years (to meet tax and accounting obligations)

•      Employee records: 7 years after employment ends

•      Marketing contacts: until you withdraw consent or we determine the data is no longer relevant

Data is securely deleted once the retention period expires unless we are legally required to retain it longer.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

•      Right to be informed: about how we use your data (this notice)

•      Right of access: to request a copy of your personal data

•      Right to rectification: to correct inaccurate data

•      Right to erasure: to request deletion of your data

•      Right to restriction: to limit how we use your data

•      Right to data portability: to receive your data in a structured format

•      Right to object: to object to processing based on legitimate interests

•      Rights related to automated decision-making: including profiling

To exercise any of these rights, please contact our Data Protection Lead at heather.robinson@umbizo.co.uk. We will respond within one month of receiving your request.

9. How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data, including encryption, access controls, staff training, regular security testing, and incident response procedures. We are working towards ISO 27001:2022 certification and Cyber Essentials Plus accreditation to demonstrate our commitment to information security.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours in accordance with UK GDPR requirements.

11. How to Complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk

12. Changes to This Notice

We review this privacy notice annually and may update it to reflect changes in our practices or legal requirements. The current version is always available at www.umbizo.co.uk/contact/privacy-policy. Material changes will be communicated to affected individuals where appropriate.