Legal
Privacy policy
Last updated: 7 May 2026 · Effective from: 7 May 2026
1. About this notice
This privacy notice explains how Indivillage UK Pvt Ltd ('we', 'us', 'our') collects, uses, and protects your personal data. It applies to visitors to our website at indivillage.co.uk, persons who submit enquiries or forms, attendees at events, participants in calendar bookings, and recipients of our email communications.
This notice is written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
If you are an employee or applicant, separate privacy notices apply — see 'Separate notices' below.
2. Who we are
Data Controller: Indivillage UK Pvt Ltd
Registered Address: 40 Gordon Place, London, England, W8 4JF
Companies House Registration: 14512282
We are the data controller for your personal data collected through indivillage.co.uk and our communications. If you have questions about how your data is used, you may contact our data protection contact at the email address above.
3. What personal data we collect
We collect personal data in the following categories:
3.1 Information you provide to us
Web form submissions:
- Name
- Email address
- Phone number
- Company name and role
- Message content (including any information you choose to include)
Email enquiries:
- Your email address
- Name (if provided)
- Message content
- Any attachments you send
Calendar bookings and event registration:
- Name
- Email address
- Company affiliation (if relevant)
- Time zone
- Meeting preferences
Sales and proposal requests:
- Business contact details
- Information about your organisation's data requirements
- Budget, timeline, and project scope details
3.2 Information collected automatically
When you visit indivillage.co.uk, we automatically collect:
Technical data:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and time spent on each page
- Referral source (where you came from)
- Approximate location (country and city level only, derived from IP)
Cookies and tracking:
- Session identifiers
- Analytics data via Google Analytics 4
- User interaction data (clicks, scrolls, form interactions)
See our separate Cookie Policy for details on cookie types, purposes, and how to manage your preferences.
3.3 Information from third parties
In some cases, we receive personal data from:
- Lead generation partners: If you have engaged with IndiVillage through a referral partner or lead-gen agency, we may receive your contact details and interaction history.
- CRM and marketing platforms: Analytics services may share interaction data with us.
- Publicly available sources: LinkedIn, industry directories, and publicly available company information.
4. How we use your personal data
We process your personal data for the purposes shown in the table below. Each purpose is supported by a lawful basis under UK GDPR Article 6.
| Purpose | Categories of Data | Lawful Basis | Retention Period |
|---|---|---|---|
| Responding to enquiries | Name, email, phone, message content | Contractual / Legitimate interest | Until matter is resolved; archive for 6 years if contract follows |
| Delivering services | All data collected in forms, bookings, proposals | Contract | For duration of engagement + 6 years (statutory record-keeping) |
| Marketing and outbound communications | Name, email, company details, conversation history | Consent (email) / Legitimate interest (LinkedIn) | Until you unsubscribe or object; engagement tracking for 24 months |
| Website analytics and performance | Technical data, pages visited, user behaviour | Legitimate interest | 14 months (Google Analytics default retention) |
| Compliance and legal obligations | All data as required | Legal obligation | As required by law; typically 6 years for business records |
| Fraud prevention and security | IP address, session data, login attempts | Legitimate interest | 12 months |
| Improving our services | Technical data, user feedback, form submissions | Legitimate interest | Until service improvement is complete; anonymised thereafter |
| Event and meeting logistics | Calendar booking data, timezone, contact details | Contract / Legitimate interest | Until event concludes; archive for 1 year for calendar audit |
4.1 Legitimate interests assessment
Where we rely on legitimate interest as the lawful basis, we have assessed that:
- Responding to and managing enquiries: We have a legitimate interest in understanding customer needs, managing our sales pipeline, and maintaining professional relationships.
- Website analytics: We have a legitimate interest in understanding how visitors use our site, improving user experience, and measuring campaign effectiveness.
- Marketing via LinkedIn and industry platforms: We have a legitimate interest in finding and engaging potential customers in relevant sectors.
- Fraud prevention: We have a legitimate interest in detecting and preventing misuse of our systems and protecting our assets.
In each case, we consider that our interests do not override your rights and freedoms, particularly given the non-intrusive nature of the processing (primarily contact details, event data, and anonymous analytics).
4.2 Consent-based communications
Email marketing: If we send you marketing or promotional emails, we do so on the basis of:
- Your consent (if you have opted in via a form or subscription), or
- Existing relationship (if you are a current or recent customer, we may contact you about related services under PECR soft opt-in rules)
You may withdraw consent at any time by clicking 'Unsubscribe' in any email or by contacting us. We will honour your request within 10 working days.
Cookies requiring consent: Non-essential cookies (analytics, marketing pixels) are only set after you consent via our cookie banner. Essential cookies (session management) are set automatically.
5. Who we share your data with
We may share your personal data with the following categories of recipients:
5.1 Service providers (data processors)
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Brevo | Transactional and marketing email | Name, email, company details | EU (data centres) |
| Zoho CRM | Sales pipeline, lead management, contact history | All form data, interaction history | EU (eu.zoho.com) |
| Google Analytics 4 | Website analytics and user behaviour | Technical data, anonymised event data | US |
All processors are contractually bound by Data Processing Agreements (DPAs) to process data only on our instructions and to maintain appropriate security.
5.2 Other recipients
- Machani Group entities: We may share contact details and engagement history with other companies within Machani Group (parent company) for the purpose of coordinating sales and service delivery, under intra-group data sharing agreements.
- Professional advisers: Legal, tax, and audit advisers on a need-to-know basis under confidentiality obligations.
- Law enforcement and regulators: Where required by law (court orders, regulatory requests, tax authorities, ICO data subject access requests), we disclose personal data to the extent legally required.
- Corporate transactions: If we merge, acquire, or are acquired, your personal data may be transferred to the acquiring organisation, which will be bound by the same obligations.
We do not sell or rent your personal data to third parties for their own marketing purposes.
6. International transfers
Some of your personal data is transferred outside the United Kingdom and EEA to our operating entity and service providers. Below are the mechanisms we rely on:
6.1 Transfers to India
Recipient: IndiVillage Tech Solutions, Bengaluru, India
Status: Data processor (acts under our instructions via a Data Processing Agreement)
Data transferred: Form submissions, customer enquiries, proposal data
Transfer mechanism: UK International Data Transfer Agreement (IDTA) supplemented by Standard Contractual Clauses where applicable, with a Transfer Impact Assessment completed for transfers to India.
6.2 Transfers to the United States
Recipient: Google LLC (for Google Analytics)
Data transferred: Technical data, event data, user behaviour (anonymised)
Transfer mechanism: Standard Contractual Clauses (SCCs) as published by the US under the Data Privacy Framework (DPF); Google is DPF-certified
6.3 Transfers to other locations
Email service provider (Brevo): EU-based; no transfer outside EU/UK
Zoho CRM: EU instance (eu.zoho.com); no transfers outside the EU
6.4 Your rights regarding transfers
If you are concerned about international transfers, you have the right to:
- Request information about the specific mechanisms protecting your data in transit
- Object to transfers where you believe adequate safeguards are absent
- Contact the ICO if you believe a transfer violates UK GDPR
7. How long we keep your data
We retain personal data for as long as necessary to fulfil the purposes outlined in Section 4, subject to legal obligations and legitimate business needs.
Retention by category:
| Data Category | Retention Period | Reason |
|---|---|---|
| Enquiry forms (no follow-up) | 36 months | Respond to enquiry; delete if no engagement |
| Prospecting contacts | 36 months | Engagement tracking; thereafter delete or anonymise |
| Active customers / clients | Duration of engagement + 6 years | Contract fulfilment, statutory record-keeping (tax, company law) |
| Email marketing subscribers | Until unsubscribe; thereafter 12 months | Comply with PECR; allow re-engagement requests |
| Website analytics (Google Analytics) | 14 months | Platform default; older data auto-deleted by Google |
| Cookies and session data | Session duration or 13 months | Functional and performance purposes |
| Event attendees | 1 year after event | Calendar audit, follow-up communications |
| Job applicants | 6 months after decision | Recruitment law; longer if hired (employee record rules apply) |
Archived data: Where we have a legal or business obligation to retain data (e.g., invoices, contracts, communications), we move it to secure archive storage, restrict access, and do not use it for any new purpose beyond compliance.
Deletion requests: If you request deletion and we have no legal obligation to retain data, we will delete or anonymise your data within 30 days.
8. Security
We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction.
Security measures include:
- Encrypted transmission of data (HTTPS/TLS for all web forms)
- Role-based access control (only staff who need data for their role can access it)
- Regular security assessments and penetration testing
- Incident response procedures (see Section 8.1 below)
- Staff data protection training
- Secure deletion of outdated data
Data processing partners: All service providers (Brevo, Zoho, Google, lead-gen agencies) are required by contract to maintain equivalent security standards.
8.1 Data breach notification
In the event of a data breach affecting your personal data, we will:
- Assess the risk to your rights and freedoms within 72 hours
- Notify the UK Information Commissioner's Office (ICO) if the breach poses a risk to your data protection rights
- Notify you (if required) without undue delay if the breach is likely to result in high risk to your interests
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
9.1 Right of access
You have the right to request a copy of the personal data we hold about you, along with information about why and how we use it.
How to exercise: Email indivillage.com with the subject line "Data Access Request". We will respond within 30 calendar days with your data in a structured, commonly used, machine-readable format (CSV or PDF).
9.2 Right to rectification
If your personal data is inaccurate or incomplete, you can request correction.
How to exercise: Email us with details of the inaccuracy. We will correct the data and confirm within 30 days.
9.3 Right to erasure ('right to be forgotten')
In certain circumstances, you can request deletion of your personal data. This right is not absolute; it does not apply where:
- We need the data to fulfil a contract with you
- We are required to keep it by law
- We need it for fraud prevention or security
- We are processing it for legitimate interests that override your right to erasure
How to exercise: Email us with "Erasure Request" in the subject line. We will assess your request within 30 days and confirm what data can be deleted.
9.4 Right to restrict processing
You can request that we limit how we use your data (e.g., restrict to storage only while we investigate a dispute).
9.5 Right to data portability
You can request your personal data in a portable, machine-readable format so you can transfer it to another organisation.
9.6 Right to object
You can object to processing of your personal data on the basis of legitimate interest, including for direct marketing purposes.
For marketing communications: Click "Unsubscribe" in any email or email us with "Unsubscribe" in the subject line.
For other processing: Email us with "Objection to Processing" in the subject line. We will assess your objection and respond within 30 days.
9.7 Rights related to automated decision-making
You have the right to request human review if we make a decision about you based solely on automated processing that produces a legal or similarly significant effect. We do not currently use automated decision-making or profiling in this manner.
10. Cookies and tracking
Indivillage.co.uk uses cookies and similar tracking technologies to improve your experience and understand how you use our site.
Types of cookies:
| Type | Purpose | Requires Consent | Duration |
|---|---|---|---|
| Session cookies | Login, form state, basic site functionality | No (essential) | Session duration |
| Analytics (Google Analytics 4) | Understand user behaviour, improve performance | Yes (optional) | 14 months |
| Marketing pixels | Track campaign performance, retargeting | Yes (optional) | 13 months |
| Preferences | Remember your language and settings | Yes (optional) | 1 year |
Managing cookies: You can control most cookies through your browser settings or via our cookie preference banner. Essential cookies cannot be disabled (they are necessary for the site to function).
For full details, see our Cookie Policy.
11. Links to third-party websites
Indivillage.co.uk may contain links to external websites (LinkedIn, GitHub, partner sites, etc.). We are not responsible for the privacy practices of external sites. Please review their privacy notices before providing personal data.
12. Children's privacy
Our website and services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, please contact us@indivillage.com immediately, and we will delete the data without delay.
13. Changes to this privacy notice
We may update this privacy notice to reflect changes in our data practices, legal requirements, or technical capabilities. We will:
- Update the "Last updated" date at the top of this notice
- Post the revised notice on this page
- For material changes, send you an email notification (if we have your email) or display a prominent notice on our site
Continued use of indivillage.co.uk after changes means you accept the updated notice.
14. Contact us and complaints
14.1 Questions about this notice
If you have questions about how we use your personal data, please contact:
Indivillage UK Pvt Ltd
Data Protection Enquiries
Address: 40 Gordon Place, London, England, W8 4JF
Telephone: +44-7595-068-054
We aim to respond to enquiries within 10 working days.
14.2 Complaints
If you believe we have breached your data protection rights, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
ICO Contact:
Website: https://ico.org.uk/make-a-complaint/
Postal Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113 (local call rates apply)
You also have the right to pursue legal remedies under UK GDPR Article 82 if you suffer material or non-material damage due to our breach of the Regulation.
15. Separate notices
If you are applying for employment or are an employee of Indivillage UK, a separate privacy notice governs your personal data. Please contact HR or the main office for that notice.