Privacy Policy
Effective: 02 December 2025 onwards
Introduction
Adev Group builds and implements revenue systems, performs diagnostics and short sprints, and operates a website at adevgroup.co.uk. We take privacy and data protection seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, how long we keep it, and the rights you have.
For clients and prospects we also provide a separate DPA (Data Processing Agreement) as part of our engagement documentation. If you are a client, the DPA governs the processing of personal data relating to that engagement in greater detail.
Scope and who this applies to
This policy applies to:
- Visitors to our website and users of our public resources;
- People who request a diagnostic, book calls, or engage for services;
- Contacts at organisations that are current, prospective or former clients;
- Job applicants and other individuals who interact with us.
If you are a supplier, a partner, or a subcontractor, a different or additional privacy notice or contractual terms may apply.
Personal data we collect and why
We collect and process personal data only to the extent necessary for legitimate business purposes and in line with applicable law (including the UK GDPR / EU GDPR where applicable). Below are the categories we process and the purposes.
A. Contact & identity data
What: Name, email address, job title, company name, telephone number, LinkedIn profile.
Why: To respond to enquiries, manage bookings, run diagnostics, maintain client relationships, and perform contract obligations.
Legal basis: Performance of a contract and/or legitimate interests (managing business relationships).
B. Business & firmographic data
What: Company website, ARR / revenue band, headcount, tech stack (tools used), sales/GTM team size.
Why: To pre-qualify diagnostics, tailor proposals, and for internal analytics (improving our services).
Legal basis: Legitimate interests (business development and service delivery), or performance of contract.
C. Technical & usage data (website)
What: IP address, browser type, pages visited, UTM and referrer information, cookies (see Cookie Policy).
Why: To operate and secure the website, analyse usage, and improve user experience.
Legal basis: Legitimate interests (security and analytics) and/or consent for non-essential cookies.
D. Diagnostic & engagement data (clients)
What: Exports or read-only access to CRM data, marketing events, invoices, basic personal data of contacts (names, email, phone) where necessary for the engagement; project documents and logs.
Why: To perform diagnostics, implement interventions, build dashboards, and provide deliverables as agreed.
Legal basis: Performance of a contract; where necessary, legitimate interests (service improvement) and/or legal compliance.
Important note on diagnostics: We prioritise read-only access whenever possible. Where API keys or temporary credentials are needed, we require scoped, minimal-access keys and treat them as secrets. We do not make changes to client systems during the diagnostic phase unless explicitly agreed in writing.
E. Payment & billing information
What: Billing contact, invoicing information, transaction records (we do not store full card details). Payment processors (e.g., Stripe, bank) may collect card and payment data.
Why: To invoice and receive payment, and to meet accounting obligations.
Legal basis: Performance of a contract and legal compliance.
F. Cookies & third-party analytics
We use cookies and third-party analytics tools to understand site usage and to operate the site reliably. See our Cookie Policy for details and consent options.
G. Special categories of data
We do not intentionally collect special category personal data (sensitive data such as racial or health details). If such data is submitted accidentally, we will securely delete it unless there is a lawful basis to retain it.
Legal bases and legitimate interests
Where GDPR applies, our legal bases for processing are one or more of:
- Performance of a contract: to deliver diagnostics, sprints, and related client services.
- Legal compliance: to meet accounting, tax, and regulatory obligations.
- Legitimate interests: for business development, fraud prevention, analytics, and ensuring the security and reliability of our services — always balanced against your rights and interests.
- Consent: where required (e.g., optional cookies and marketing where applicable). You can withdraw consent at any time for those purposes.
Data sharing & subprocessors
We will not sell your personal data.
We may disclose personal data to:
- Our subprocessors and service providers who assist with payments, hosting, analytics, scheduling, communications and other operational needs. Typical categories include: payment processors (Stripe, bank partners), hosting providers (AWS, GCP), calendar/scheduling providers (Calendly), contract signing services (DocuSign), analytics (Google Analytics), email platforms, and collaboration tools. We require each subprocessor to implement appropriate safeguards and process data only as instructed. (A current list of named subprocessors is available on request or bound in our DPA.)
- Legal and regulatory authorities where required by law or order of a court or regulator.
- Third-party auditors where required for security or compliance reviews (subject to confidentiality).
If we transfer personal data outside the UK/EEA, we will ensure appropriate mechanisms (e.g., EU Standard Contractual Clauses, adequacy decisions) are in place or other safeguards required by law.
Data retention
We retain personal data only as long as necessary for the purposes set out above, and to meet legal and accounting obligations.
Typical retention periods (examples – confirm with your account manager):
- Client engagement data (project files, exports): duration of engagement + 7 years for accounting and legal recordkeeping.
- Diagnostic-specific data & artifacts: retention period of 2 years after engagement end, unless otherwise agreed.
- Website analytics data: aggregated/anonymous as long as useful; raw logs typically 90 days unless needed for investigation.
- Marketing contacts / CRM leads: 2 years since last contact unless you opt out.
- Job applicant data: 6–12 months after the recruitment process unless otherwise agreed.
You can request earlier deletion where feasible; note that certain retention obligations (e.g., tax) may prevent immediate deletion of some records.
Security measures
We maintain security appropriate to the risk, including:
- Encryption of data in transit (TLS) and where feasible at rest;
- Access controls and least privilege; role-based access; mandatory MFA for sensitive accounts;
- Secrets management and rotation for API keys and credentials;
- Regular backups and tested restore procedures;
- Logging and monitoring of access to systems;
- Periodic security reviews and third-party scans where appropriate.
Despite these measures, no internet service is 100% secure. If we detect a personal data breach where there is a risk to your rights and freedoms, we will notify affected individuals and the relevant supervisory authority as required by applicable law.
Cookies and tracking
We use cookies and similar technologies for necessary site operation and for analytics/marketing where consent has been given.
Categories:
- Strictly necessary cookies: required for site functionality. No consent required.
- Functional cookies: remember preferences.
- Analytics cookies: performance and usage analytics (Google Analytics or similar) — typically processed on legitimate interests or consent.
- Marketing cookies: third-party ads/tracking — consent required.
Detailed cookie information and a cookie consent control are provided on our site. You can manage your preferences at any time via the cookie banner or browser settings.
Your rights (EU/UK GDPR)
If you are in the EU/UK, you have the following rights in relation to your personal data (subject to applicable exemptions):
- Access: request a copy of personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion where there is no overriding legal reason for us to retain it.
- Restriction: request restriction of processing in certain circumstances.
- Portability: receive personal data in a structured, machine-readable format (where applicable).
- Object: object to processing based on legitimate interests or direct marketing.
- Withdraw consent: where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact privacy@adevgroup.co.uk. We will respond within the timescales required by law (typically one month). We may require verification of identity before fulfilling requests.
If you are unhappy with our response, you may lodge a complaint with a supervisory authority (e.g., the Information Commissioner’s Office in the UK — ICO: ico.org.uk).
Data protection for clients — DPA & responsibilities
For clients, we include a Data Processing Agreement (DPA) as an annex to the SOW/contract.
The DPA sets out:
- our roles (controller/processor) as applicable;
- permitted processing activities and categories of data;
- security measures;
- subprocessors list & rights;
- international transfer mechanisms;
- assistance with data subject requests;
- deletion/return of data at contract termination.
If you require a custom DPA or additional safeguards (e.g., security assessment, SSAE/ISO report), please raise this prior to engagement; we will consider reasonable requests and may charge for additional third-party assessments.
Subprocessors, aliases, and subcontracting
We may engage subprocessors or subcontractors to deliver services. We use a limited, vetted set of suppliers and require contractual commitments on confidentiality, data protection and security.
We sometimes operate under delivery aliases for client-facing interactions (this is part of the operational model). We include an Alias & Representation clause in our contracts and will disclose, upon request, the identity of any individuals or firms delivering services to your engagement.
Children and sensitive personal data
Our services are business-to-business and we do not knowingly process personal data of children under 16. If you believe we have accidentally collected such data, please contact us and we will delete it promptly.
We do not intentionally collect special category (sensitive) data. If such data is provided, we will either delete it or seek a lawful basis to retain it as required.
International transfers
Where personal data is transferred outside the UK/EEA, we will rely on:
- adequacy decisions, or
- appropriate safeguards (such as Standard Contractual Clauses) and other measures required by law.
If you require details about the specific safeguards we use for a transfer, contact privacy@adevgroup.co.uk.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be published on our website with an updated effective date. We encourage you to review this page periodically.
Contact us
Questions, requests, or complaints should be sent to:
privacy@adevgroup.co.uk
Adev Group Ltd
128, City Road,
London EC1V 2NX
United Kingdom
If you are in the UK and want to escalate, you may contact the Information Commissioner’s Office (ICO). If you are in the EU, you may contact your local supervisory authority.
Additional notes for customers (practical commitments)
- Data minimization: we will ask only for the data necessary to deliver the diagnostic and proposed interventions.
- Scoped credentials: we request read-only or minimally-scoped credentials wherever possible; credentials are stored securely and rotated after use.
- Anonymisation in public materials: any public case study or evidence pack will be anonymised unless you provide written permission to use identifying information.
- Incident response: we maintain an incident response plan and will notify clients and authorities as required by law in the event of a breach affecting their data.