Privacy Policy
Summary: OrenTech Ltd takes your privacy seriously. We collect only the information we need to provide our services, protect it properly, and never sell it to anyone. This policy explains what we collect, why, and what your rights are under UK GDPR.
1. Who We Are
OrenTech Ltd ("OrenTech", "we", "us", "our") is a managed IT and cybersecurity services provider registered in Wales. We are the data controller for personal data collected through our website (orentech.co.uk) and in the course of providing managed IT and cybersecurity services to our clients.
OrenTech Ltd is registered with the Information Commissioner's Office (ICO) under the UK Data Protection Act 2018.
| Detail | Information |
|---|---|
| Company Name | OrenTech Ltd |
| Registered in | Wales, United Kingdom |
| Company Number | 17208387 |
| Data Controller Email | privacy@orentech.co.uk |
| Website | orentech.co.uk |
2. Data We Collect
We collect personal data in two main ways: directly from you when you interact with us, and automatically through your use of our website.
2.1 Data You Provide Directly
- Contact and enquiry data: name, email address, phone number, company name, and the content of any message when you contact us via our website, email, or phone
- Client onboarding data: business contact details, billing information, and technical information required to set up and manage your IT services
- Correspondence: emails, messages, and notes from calls or meetings in the course of providing services
- Assessment data: information collected during a free security or IT assessment, including details about your IT environment
2.2 Data Collected Automatically
- Usage data: pages visited, time spent on pages, referring URLs, and browser type via analytics tools
- Device and technical data: IP address, browser version, operating system, and device type
- Cookie data: as described in Section 8 below
2.3 Data We Process on Behalf of Clients (Processor Role)
When delivering managed IT and cybersecurity services, OrenTech may process personal data on behalf of our clients as a data processor. In this capacity we act under the instructions of our clients, who are the data controllers for their employees' and customers' personal data. This processing is governed by the Data Processing Agreements included in our client service contracts.
Important: OrenTech does not sell, rent, or trade personal data. We never have and never will.
3. How We Use Your Data
We use the personal data we collect for the following purposes:
| Purpose | Description | Legal Basis |
|---|---|---|
| Responding to enquiries | Responding to contact form submissions, emails, and phone calls | Legitimate interests |
| Providing managed services | Delivering the IT support, monitoring, and cybersecurity services you have contracted | Contract performance |
| Billing and invoicing | Processing payments and maintaining financial records | Contract performance / Legal obligation |
| Security monitoring | Monitoring IT systems and security events as part of managed service delivery | Contract performance |
| Service communications | Sending service updates, maintenance notices, and security alerts relevant to your account | Contract performance / Legitimate interests |
| Marketing communications | Sending news, insights, and service information where you have opted in or we have a legitimate interest as an existing client | Consent / Legitimate interests |
| Legal compliance | Meeting our legal, regulatory, and contractual obligations | Legal obligation |
| Website analytics | Understanding how our website is used to improve content and user experience | Legitimate interests / Consent |
4. Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the managed IT and cybersecurity services you have engaged us to deliver, or to take steps prior to entering a contract at your request
- Legal obligation (Article 6(1)(c)): Processing required to comply with UK law, including tax obligations, anti-money laundering regulations, and data retention requirements
- Legitimate interests (Article 6(1)(f)): Processing that is necessary for our legitimate business interests — including responding to enquiries, improving our services, maintaining security, and communicating with existing clients — where these interests are not overridden by your privacy rights
- Consent (Article 6(1)(a)): Where you have given explicit consent, for example when signing up for marketing communications or consenting to non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing
5. Sharing Your Data
We do not sell or rent your personal data to any third party. We may share your data in the following limited circumstances:
5.1 Service Providers and Sub-processors
We use carefully selected third-party platforms to deliver our services. Each is subject to appropriate data processing agreements and operates under UK GDPR and equivalent international standards:
| Provider | Purpose | Data Processed |
|---|---|---|
| SuperOps.ai | Managed IT platform (RMM, PSA, helpdesk) | Client contact details, device and asset data, support tickets |
| Cynet Security | Cybersecurity and threat detection | Endpoint telemetry, user activity data, security event logs |
| Microsoft (M365) | Productivity, identity, and cloud services | User accounts, email, documents, identity data |
| Datto | Backup and disaster recovery | Copies of business data as part of backup service |
| Email / communication tools | Client correspondence and service notifications | Name, email address, message content |
| Accounting software | Invoicing and financial records | Billing contact details, payment records |
5.2 Legal and Regulatory Disclosure
We may disclose personal data where required by law, court order, or regulatory requirement — including to the ICO, HMRC, or law enforcement agencies where lawfully compelled. We will notify you of any such disclosure where we are legally permitted to do so.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of OrenTech's business, personal data may be transferred to the acquiring entity as part of that transaction. We will notify affected individuals before any such transfer takes effect and ensure equivalent privacy protections are maintained.
5.4 International Transfers
Some of our third-party service providers process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place — including UK Adequacy Decisions, Standard Contractual Clauses (SCCs), or equivalent mechanisms — in accordance with UK GDPR Chapter V requirements.
6. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Enquiry and contact data (non-clients) | 12 months from last contact | Legitimate interest in responding to and following up on enquiries |
| Active client data | Duration of contract + 7 years | Contract performance and legal/financial obligations (HMRC) |
| Financial and billing records | 7 years from transaction date | Legal obligation (Companies Act, HMRC requirements) |
| Security event logs | 12 months rolling | Security monitoring, incident investigation, and compliance |
| Support ticket records | Duration of contract + 3 years | Service history, dispute resolution, and quality assurance |
| Marketing opt-in records | Until withdrawal of consent + 2 years | Evidence of consent |
| Website analytics data | 26 months | Website improvement; standard analytics retention period |
At the end of the applicable retention period, data is securely deleted or anonymised in accordance with our data disposal procedures.
7. Your Rights Under UK GDPR
As a data subject under UK GDPR, you have the following rights in respect of your personal data. We will respond to any valid request within one calendar month of receipt.
Your Rights at a Glance
To exercise any of these rights, please contact us at privacy@orentech.co.uk. We may need to verify your identity before processing your request. There is generally no charge for exercising your rights, except in cases of manifestly unfounded or excessive requests.
Note: Some rights are not absolute and may be subject to exemptions under UK GDPR or the Data Protection Act 2018 — for example, where retention is required for legal compliance or where data is processed in the context of providing managed services under a client contract.
8. Cookies
Our website uses cookies — small text files placed on your device — to improve your browsing experience and understand how visitors use our site.
8.1 Types of Cookies We Use
| Cookie Type | Purpose | Legal Basis |
|---|---|---|
| Strictly Necessary | Essential for the website to function correctly (e.g. security, session management). Cannot be disabled. | Legitimate interests |
| Analytics | Help us understand how visitors interact with our website so we can improve it. No personally identifiable data is collected. | Consent |
| Functional | Remember your preferences to personalise your experience (e.g. language, region). | Consent |
| Marketing | Track your activity across sites to deliver relevant advertising. OrenTech does not currently use marketing cookies. | Consent (not currently used) |
8.2 Managing Cookies
You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect website functionality. You can also opt out of analytics tracking by using browser extensions such as the Google Analytics Opt-out Browser Add-on.
Our cookie banner allows you to accept or decline non-essential cookies when you first visit the site. You can update your preferences at any time by clearing your browser cookies and revisiting the site.
9. Security of Your Data
As a cybersecurity provider, data security is central to everything we do. We apply the same enterprise-grade standards to protecting your personal data that we apply to our clients' environments.
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest is encrypted on all systems storing personal data
- Access to personal data is restricted on a strict need-to-know basis with role-based access controls
- Multi-factor authentication is enforced on all OrenTech internal systems
- Our own IT environment is protected by Cynet XDR with 24/7 SOC monitoring
- All staff handling personal data receive regular data protection and security awareness training
- We maintain a documented Information Security Management System aligned to ISO 27001 principles
- Third-party suppliers are assessed for security compliance before engagement
9.1 Data Breach Notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, OrenTech will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals directly without undue delay.
10. Third-Party Links and Services
Our website may contain links to third-party websites. We have no control over the content or privacy practices of those sites and are not responsible for their privacy policies. We encourage you to review the privacy policy of any third-party site you visit.
Where we embed third-party tools or widgets (such as scheduling tools or form services), those providers may process your data under their own privacy policies. We will clearly indicate where this is the case and provide a link to the relevant policy.
11. Children's Privacy
Our website and services are directed at business professionals and are not intended for use by children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us immediately at privacy@orentech.co.uk and we will take prompt steps to delete the information.
12. Changes to This Privacy Policy
We review and update this privacy policy periodically to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page.
Where changes are significant, we will notify active clients by email. We encourage you to review this policy periodically. Continued use of our services or website following notification of changes constitutes acceptance of the updated policy.
Previous versions of this policy are available on request by emailing privacy@orentech.co.uk.
13. Contact Us & Complaints
If you have any questions about this privacy policy, wish to exercise your data rights, or have a concern about how we have handled your personal data, please contact us using the details below.
Data Controller
OrenTech Ltd
Registered in Wales
Company No. [to be added]
privacy@orentech.co.uk
hello@orentech.co.uk
01443 551935
Supervisory Authority
If you are not satisfied with our response, you have the right to complain to the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
ico.org.uk
0303 123 1113
You also have the right to seek judicial remedy through the courts.
Response time: We will acknowledge all data rights requests within 5 working days and provide a full response within one calendar month. Where requests are complex or numerous, we may extend this by a further two months — we will notify you if this applies.