Privacy Policy
This policy explains what personal data Northshine Group collects through this website, how we use it, who we share it with, and your rights under UK data protection law.
Last updated: 5 June 2026
Who we are
Northshine Group (“Northshine”, “we”, “our”, “us”) is a UK-based group of specialist businesses spanning advisory, research, technology and innovation services. We are registered in England and Wales.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Northshine Group is the data controller for personal data collected through this website.
What data we collect
We only collect personal data that you actively provide to us through our forms:
Contact form (/contact)
- Your name
- Your email address
- Your organisation (optional)
- The content of your enquiry message
We do not run advertising pixels, marketing tracking pixels, third-party analytics cookies, session-replay tools or behavioural profiling on this website.
How we use your data
- To respond to your enquiry or expression of interest
- To send you follow-up correspondence directly relevant to the request you submitted
- To maintain a record of the enquiry for legitimate business and audit purposes
- To improve our services based on aggregated, anonymous patterns in enquiries
We do not use your data for automated decision-making or profiling, and we do not sell your data to any third party.
Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Consent — when you voluntarily submit a contact or interest form, you are providing consent for us to process your data to respond.
- Legitimate interests — to operate and improve our website, prevent misuse and maintain enquiry records, balanced against your rights and freedoms.
Who we share your data with
We use a small number of carefully selected technology providers to operate this website. They act as our data processors and only process your data on our instructions:
- Supabase — secure database and storage for form submissions. Data is stored in EU-region infrastructure.
- Google Workspace — email delivery and routing of notifications to our team when you submit an enquiry. Google may process this data under its standard Workspace data processing terms.
- Lovable / Cloudflare — hosting and content delivery for this website. Limited request metadata (such as IP address) is processed transiently to serve pages and protect against abuse.
We do not share your personal data with advertisers, marketing networks or data brokers. We only share data with third parties where we are legally required to do so (for example, in response to a lawful request from a regulator or court).
International transfers
Where any processor is based outside the UK, transfers are protected by the UK International Data Transfer Agreement, UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision recognised by the UK Government, as appropriate.
How long we keep your data
- Contact form enquiries: retained for up to 24 months from the date of last correspondence, then deleted or anonymised.
- Healthcare interest submissions: retained for up to 24 months, or until you ask us to delete them, whichever is sooner.
- Email correspondence: retained in Google Workspace in line with our internal records management policy, normally no longer than 6 years.
Your rights
Under UK GDPR you have the right to:
- Be informed about how we use your data (this policy)
- Request a copy of the personal data we hold about you
- Ask us to correct inaccurate or incomplete data
- Ask us to erase your data (the “right to be forgotten”)
- Restrict or object to our processing of your data
- Request data portability where applicable
- Withdraw consent at any time, without affecting prior processing
To exercise any of these rights, email us via the address on our contact page. We will respond within one month.
If you believe we have not handled your data properly, you can also complain to the UK Information Commissioner's Office at ico.org.uk.
Security
Our website is served over HTTPS with HSTS enforced. Form submissions are transmitted over TLS and stored in access-controlled infrastructure with audit logging. We apply security headers (Content Security Policy, Permissions-Policy, X-Content-Type-Options, Referrer-Policy) to protect visitors from common web threats.
What this site does not do
- We do not process payments or collect payment card data.
- We do not operate customer accounts, logins or password storage.
- We do not run an e-commerce store or take orders through this site.
- We do not run advertising pixels or third-party marketing trackers.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected in the “Last updated” date at the top of this page. We encourage you to review it periodically.
Contact
Questions about this policy or your personal data can be sent to us via the contact page.
