Legal

Privacy Policy

Last updated: 21 May 2026 Controller: Formalus Limited

1. Who we are

This website (formalus.com) and the Commercial Readiness Assessment are operated by Formalus Limited, a company registered in England & Wales (company number 10374580), with registered office at 20–22 Wenlock Road, London N1 7GU, United Kingdom.

Formalus Limited is the data controller for the personal data described in this policy.

2. What data we collect

2.1 Data you provide directly

  • Identity data — name, job title, organisation, where you provide them
  • Contact data — email address, telephone number, where you provide them
  • Assessment data — your responses to the Commercial Readiness Assessment questionnaire
  • Correspondence — emails and messages you send us

2.2 Data collected automatically

  • Technical data — IP address, browser type, device information, time-zone
  • Usage data — pages visited, links clicked, session duration (via GA4)
  • Cookies — see our separate Cookie Notice

3. Why we process your data (legal bases)

  • To deliver the Commercial Readiness Assessment — legal basis: performance of a contract / pre-contract steps at your request
  • To respond to enquiries — legal basis: legitimate interest in responding to messages you send us
  • To send marketing communications (newsletter, where you have subscribed) — legal basis: consent, which you can withdraw at any time
  • To improve the website and our services — legal basis: legitimate interest in operating and improving our business
  • To comply with legal obligations — legal basis: legal obligation

4. How long we keep your data

  • Commercial Readiness Assessment data — 90 days from completion, after which the personal record is deleted. Anonymised summary statistics may be retained for benchmarking purposes.
  • Contact enquiries — 3 years from your last contact with us, after which the record is deleted unless an active engagement requires us to retain it longer.
  • Newsletter subscribers — until you unsubscribe. We retain a suppression record (email address only) indefinitely to honour your opt-out.
  • Client engagement records — 6 years after engagement close, in line with UK statutory record-keeping obligations under the Companies Act 2006, HMRC business-record requirements, and the Limitation Act 1980.

5. Who we share your data with

We share personal data only with the processors required to deliver our services:

  • WP Engine — website hosting
  • Google Workspace — email (transactional correspondence and newsletter delivery)
  • Google Analytics — anonymised website analytics
  • Professional advisers — where required for legal, tax or accountancy purposes

We do not sell personal data. We do not share data with third parties for their own marketing purposes.

6. International transfers

Some of our processors are based outside the UK and EEA. Where this is the case, transfers are governed by one or more of the following safeguards, as appropriate to the destination jurisdiction:

  • The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses
  • UK adequacy regulations, where the destination jurisdiction has been recognised by the UK Government as providing an adequate level of data protection
  • Other appropriate safeguards under Article 46 of the UK GDPR

Each processor we engage is subject to an appropriate safeguard mechanism, and a Data Processing Agreement is in place before any transfer takes place.

7. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data, subject to legal retention obligations
  • Restriction — limit how we process your data
  • Portability — receive your data in a portable format
  • Object — to processing based on legitimate interests, or to direct marketing
  • Withdraw consent — at any time, where consent is the legal basis

To exercise any of these rights, contact us at privacy@formalus.com. We respond within one month.

You also have the right to complain to the Information Commissioner’s Office: ico.org.uk.

8. How we secure your data

We use appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, access controls on storage systems, and Data Processing Agreements with all third-party processors that handle personal data on our behalf.

9. Changes to this policy

We update this policy when our processing changes. The “last updated” date above shows when the current version took effect. Material changes will be communicated where we hold an appropriate email address.

10. Contact

Questions, complaints, or rights requests: privacy@formalus.com or write to Formalus Limited, 20–22 Wenlock Road, London N1 7GU, United Kingdom.

Architecture Before Technology. The platform wraps around the business, not the other way around.

© Formalus Limited 2026 · Registered in England & Wales No. 10374580 · Registered office 20–22 Wenlock Road, London N1 7GU, United Kingdom