This is the Koru Consulting Limited privacy notice. This is how we process and protect your data and how we manage your privacy. This Notice is made for and applies to anyone who is a Koru customer or subscriber, or just anyone who is visiting Koru’s website.


Our Contact Details

If you have any questions about privacy at Koru, please contact Koru Consulting Limited, 37 Oxlip Leyes, Bicester, Oxfordshire.  OX26 3ED

This notice

This notice sets out what personal data we might collect, how we process and protect that data, the lawful grounds for that processing, and your related rights.  ‘Personal data’ means any information relating to an identified or identifiable natural person.

You are not required to provide any personal information on the public areas of this website. However, you may choose to do so by completing the forms on various ages of the site. Koru  will only use the information you provide to Koru  on these pages to process the relevant form.

If you no longer want to receive marketing related emails from us, you may opt-out by contacting your primary point of contact.

 In most cases, the lawful basis will be that the processing:

  • is necessary for Koru’s legitimate interests in carrying out Koru’s  business, provided those interests are not outweighed by your rights and interests (‘Legitimate Interests’),
  • is necessary to perform a contract with you (‘Contract’), or
  • is necessary to comply with Koru’s  legal obligations (‘Legal Obligation’).
  • Where processing is based on your consent (‘Consent’), we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent.

As data protection law is evolving, Koru needs to update this notice from time to time, which we will do by posting a new notice on the Koru website that takes effect from the date stated.  If possible, Koru will send you an email to confirm the changes as well.


How Does Koru  Obtain Personal Data?

Koru collects or is provided with personal data in the normal course of business, for example:

  • You may provide Koru with your details during discussions.
  • When you visit the Koru website, Koru may collect information about your visit such as your IP address and the pages you visited.
  • You may provide Koru with your details when you ask about Koru’s Services via the Koru website, or by email or other communications ) and Koru may obtain legally compliant lists of potential customers for Koru Services for Koru marketing purposes.


Information you give to us

Contact details – such as your name, address, email address, phone number.

Organisation and Contacts Information, Information your employer or organisations that you are a member.

Identity Information, government-issued identification information, tax identifiers, social security numbers, Account Information, security-related information (including usernames and passwords, authentication methods), service-related information


Categories of Data Subjects

Customers, Staff, Customer Suppliers’, Subcontractors and their staff.

 Categories of Data

  • Basic identifiers (Account Names etc.)
  • Contact details
  • Location
  • IP address
  • Device information
  • Identity Information
  • Which products you are interested in / enquiring about
  • The end point number(s) / licence number(s) you are enquiring for

When you provide Koru with personal data about yourself or another person, you are confirming to Koru that you are authorised to provide Koru with that information and that any personal data you give Koru is accurate and up-to-date.


Special Category Personal Data

 Given the nature of Koru business, we do not ask for ‘sensitive’ or ‘special categories of personal data’, such as information about your health, political opinions, racial origins or sexual life and Koru would ask you this not to be sent.

 How does Koru  use personal data?

 Koru uses personal data in the normal course of Koru  business, for example:

  • To respond to enquiries about the Services, to provide the Koru websites and Services, to provide advice and support.
  • Lawful basis: Legitimate Interests or Contract.
  • To analyse and improve the Koru website, the Services, for example for technical or security purposes and to improve the customer experience. Lawful basis: Legitimate Interests, however where for example applicable law requires your consent to use certain cookies, Koru asks for your Consent having provided you with relevant information.
  • To market Koru Services – if we do so, we will provide you with an easy and free way to opt-out of receiving such communications in the future. Lawful basis: Legitimate Interests (or Consent as above).
  • In certain circumstances, to share it with a limited number of third parties as described in this notice, for example for operational requirements and business continuity purposes.
  • Lawful basis: most processing will be based on Legitimate Interests, some processing is based on Contract and, where necessary (as above) some processing may be based on your prior Consent.
  • Verify your identity for security, anti-money laundering, or other statutory purposes.
  • Carry out credit checks and to obtain personal references.
  • Provide other parties with whom you have expressed interest to contract and their representatives with sufficient information to make a decision as to whether to enter into a contract with you, and then to enter into a contract with you;
  • Negotiate on your behalf.
  • Provide you with advice
  • Process transactions related to Koru Services and administer accounts or profiles related to you or your company.
  • Contact and communicate with you in connection with Services or other notifications, programs, events, updates you may have registered for.
  • Detect, prevent fraud and abuse to ensure the security and protection of all customers and others, as well as to identify and authenticate access to Koru Service.
  • To identify and authenticate you before we provide you with certain information.
  • Comply with the law and Koru legal obligations.


For Koru to fulfil the terms of Koru’s contact with you, your personal data may be shared with Koru’s business partners, product providers such as lenders and insurers, advisers, agents, sub-contractors, lawyers and by any of Koru or their subsidiary or associated companies.

In the Event of Merger, Sale,etc. Koru may transfer this Privacy Statement and your personal information to a third party that acquires or is merged with Koru as part of a merger, acquisition, sale.

Koru may also share your personal data with credit reference agencies, with any agent that you have given Koru authority to communicate with and persons you ask Koru to share your data with, companies that we introduce you to, market researchers and customer service agencies for the purposes set out above.

Koru may also share your personal data without your permission with fraud prevention agencies, law enforcement agencies, regulators or in response to a court order.



Automated Decision Making

Koru does not perform any automated decision making, profiling on personal data.


How we store your information

Your information is securely stored in the data centres of Koru service providers. Koru will use reasonable and necessary procedural and technical security features to prevent unauthorised access to your data.  If we become aware of a data breach, we will notify the Information Commissioner’s Office and notify you in accordance with Koru legal obligations.


How long your personal data will be kept

Koru will retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

After the retention period, if there is no other on-going client relationship your personal data will be securely deleted, or anonymised so that it can be used for research and statistical purposes but without any method of identifying you individually.


Sharing Data & International Transfers

Koru  will not give, sell, or rent your personal data to third parties so they can market their services to you.   Nor do we accept advertising from third parties on the Koru bsite.  Koru  may share personal data in the following limited circumstances.

  • For provision of the Services, and for Koru  disaster recovery and business continuity purposes, we may store or transmit personal data to or through third party providers, such as withKoru  contractors and advisors to help Koru  operate, secure and analyse Koru  business. Lawful basis: Legitimate Interests or Contract.
  • Koru  may be obliged to disclose your personal data to comply with a law, order or request of a court, government authority, other competent legal or regulatory authority or any applicable code of practice or guideline. Lawful basis: Legal Obligation.
  • If Koru  enter negotiations with a third party for the sale or purchase of all or part of Koru  business, we will only disclose personal data to that third party to the extent it relates to that business and only under conditions of confidentiality requiring the third party to be bound by the privacy Noticethat applies to that data. Lawful basis: Legitimate Interests.

 In each case, we share the minimum personal data necessary and we have written contracts in place incorporating relevant wording to safeguard that personal data and comply with applicable laws, and we will only share such data as is necessary for the purpose in question.

However, to carry out the above purposes, we may use third parties and their facilities both inside and outside the EEA and /or the UK

In all such cases we will ensure that appropriate security measures are in place to protect your personal data and a valid legal basis for the transfer applies.



Koru does not market to or enter into contracts with children nor do we collect personal data from any person under 18 years of age.  Please do not access or use the website or services if you are under 18 years of age.



Koru will only retain personal data for any statutory retention period, then a reasonable period (if any) necessary for the above purposes.



The security of data is very important to Koru .

In accordance with Koru’s legal obligations, we take appropriate technical and organisational measures to protect your personal data and keep those measures under continuous review.

However, we can only be responsible for systems that we control, and we would note that the internet itself is not inherently a secure environment.

No method of transmission over the Internet or method of electronic storage is 100% secure. Koru will use commercially acceptable measures designed to protect personal information; we cannot guarantee its absolute security.

Koru security procedures mean that we may request proof of identity before we disclose personal information to you before we process your requests.


Anonymised data

 Koru may create anonymised data from personal data, and any anonymisation would be carried out in accordance with applicable law as well as relevant guidelines from regulators such as the UK Information Commissioner (‘UK ICO’).




Third Party Services

If you access the services of another provider through Koru websites or services, for example through a link on the Koru website, your use of those services is entirely at your risk and governed by the terms and privacy Notice of that third party provider.

If we resell a service delivered or provided by a third party (‘Third Party Service’), including any software that is delivered or owned by a third party (‘Third Party Software’), it is that third party’s separate privacy notice that will apply to your personal data and your use of the Third-Party Service and Third Party Software.

Your use of a Third-Party Service is not covered by this Privacy Policy. Please therefore review the privacy notice for any Third-Party Service and Third-Party Software before using it.


Your data protection rights

Under data protection law, you have certain rights.  These include:

Your right of access

You have the right to ask Koru for copies of your personal information.

 Your right to rectification

You have the right to ask Koru to rectify information you think is inaccurate. You also have the right to ask Koru to complete information you think is incomplete.

 Your right to erasure (right to be forgotten)

 You have the right to ask Koru to erase your personal information in certain circumstances.

 Your right to restriction of processing

You have the right to ask Koru to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to the processing of your personal data in certain circumstances.

Your right to data portability

You have the right to ask that we transfer the information you gave Koru to another organisation, or to you, in certain circumstances (where the processing is carried out by automated means.)

Your right to withdraw consent

You have the right to withdraw your consent at any time.

If you are unsure how to withdraw your consent contact the Privacy department at the top of this notice.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.



You have the right, at all times, to notify a complaint to any regulator such as the UK Information Commissioner, although we would welcome the opportunity to discuss and resolve any complaint with you first.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Version: September 2020