Privacy Policy

PRIVACY POLICY 

Information we collect 

We may collect and process the following information:  

  • Personal identifiers, contacts, and characteristics (for example: name, date of birth, address, email address, social media handles, username and phone number) 
  • Information about your business / employer 
  • Information about your address / location 
  • Your contact history with us 
  • Your purchase history with us 
  • Information about your phone, laptop, PC or other device you used to access our services 
  • Information from social media or other accounts you link with us 
  • Your post comments about us, our products or in our forums 
  • Your responses to surveys, feedback and competitions 

 

How we collect information and why 

Most of the information we process is provided to us directly by you as required to enjoy the services we offer.  

We also collect information directly from any social media posts or activity you engage in which tags us, mentions us or the products and services we sell.  

We use all the information we collect to help match our services to your needs and to align you with a community of similar users in our system.  

We do not share this information with anyone.  

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are: 

  • Your consent. You are able to remove your consent at any time. You can do this by contacting us.  
  • We have contractual obligations 
  • We have legal obligations 
  • We have a vital interest 
  • We have a legitimate interest 

 

How we store information 

All the information we collect is stored on secure clouds globally (in the UK and USA). Where applicable these systems are also PCI compliant. Access to these secure cloud locations is restricted to company employees only.  

 

Your data protection rights 

Under UK data protection law, you have rights including: 

Your right of access – You have the right to ask us for copies of your personal information.  

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.  

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.  

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.  

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances. 

Your right to data portability – You have the right to ask that we transfer the personal inform you gave us to another organisation, or to you, in certain circumstances. 

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. 

Please contact us if you wish to make a request. 

How to contact us 

Infratech Digital (UK) Limited – privacy@infratech.digital 

How to complain: 

If you have any concerns about our use of your personal information, you can make a complaint to us directly. 

You can also complain to the ICO if you are unhappy with how we have used your data. 

The ICO’s address:             

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow

Cheshire, SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Info-Sec Policy

Purpose 

Information that’s collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption. Information may be put at risk by poor education and training, and the breach of security controls. 

Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation, as well as possible judgements being made against Infratech Digital (UK) Limited (‘Infratech’). 

This high level Information Security Policy sits alongside the ‘Information Risk Management Policy’ and ‘Data Protection Policy’. This is to provide the high-level outline of, and justification for, Infratech’s risk-based information security controls. 

Objectives 

Infratech’s security objectives are that: 

  • our information risks are identified, managed and treated according to an agreed risk tolerance
  • our authorised users can securely access and share information in order to perform their roles
  • our physical, procedural and technical controls balance user experience and security
  • our contractual and legal obligations relating to information security are met
  • our teaching, research and administrative activity considers information security
  • individuals accessing our information are aware of their information security responsibilities
  • incidents affecting our information assets are resolved and learnt from to improve our controls

Scope 

The Information Security Policy and its supporting controls, processes and procedures apply to all information used at Infratech, in all formats. This includes information processed by other organisations in their dealings with Infratech. 

The Information Security Policy and its supporting controls, processes and procedures apply to all individuals who have access to Infratech’s information and technologies. This includes external parties that provide information processing services to Infratech. 

Compliance monitoring 

Compliance with the controls in this policy will be monitored by the Information Security Team, and reported to the Information Governance Board. 

Review 

A review of this policy will be undertaken by the COO. This will be annually or as required, and will be approved by the CTO. 

Policy Statement 

It is Infratech’s policy to ensure that information is protected from a loss of: 

  • confidentiality – information will be accessible only to authorised individuals
  • integrity – the accuracy and completeness of information will be maintained
  • availability – information will be accessible to authorised users and processes when required

Infratech will implement an Information Security Management System based on certified standards as required. Infratech will be mindful of the approaches adopted by its stakeholders, including research partners. 

 

Infratech will adopt a risk-based approach to the application of the following controls: 

  1. Information security policies

A set of lower-level controls, processes and procedures for information security will be defined, in support of the high-level Information Security Policy and its stated objectives. This suite of supporting documentation will be approved by the COO, published and communicated to Infratech users and relevant external parties. 

  1. Organisation of information security

Infratech will define and implement suitable governance arrangements for the management of information security. This will include identification and allocation of security responsibilities, to initiate and control the implementation and operation of information security within Infratech. 

Infratech will appoint: 

  • an Executive to chair the Information Governance Board and take accountability for information risk
  • an Information Governance Board to influence, oversee and promote the effective management of Infratech’s information
  • an Information Security specialist to manage the day-to-day information security function
  • Information Asset Owners (IAOs) to assume local accountability for information management
  • Information Asset Managers (IAMs) responsible for day-to-day information management
  1. Human resources security

Infratech’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff. Poor or inappropriate behaviour will be addressed. 

Where practical, security responsibilities will be included in role descriptions, person specifications and personal development plans. 

  1. Asset management

All assets will be documented and accounted for. This includes: 

  • information
  • software
  • electronic information processing equipment
  • service utilities
  • people

Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets. 

All information assets will be classified according to their legal requirements, business value, criticality and sensitivity. Classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule. 

  1. Access control

Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties. 

A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed, and will include consideration of multiple factors as appropriate. 

Specific controls will be implemented for users with elevated privileges, to reduce the risk of negligent or deliberate system misuse. The separation of duties will be implemented, where practical. 

  1. Cryptography

Infratech will provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems. 

  1. Physical and environmental security

Information processing facilities are housed in secure areas, physically protected from unauthorised access, damage and interference by defined security perimeters. Layered internal and external security controls will be in place to deter or prevent unauthorised access and protect assets. This includes those that are critical or sensitive, against forcible or hidden attacks. 

  1. Operations security

Infratech will ensure the correct and secure operations of information processing systems. This will include: 

  • documented operating procedures
  • the use of formal change and capacity management
  • controls against malware
  • defined use of logging
  • vulnerability management
  1. Communications security

Infratech will maintain network security controls to ensure the protection of information within its networks. Infratech will also provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities. This is in line with the classification and handling requirements associated with that information. 

  1. System acquisition, development and maintenance

Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems. 

Controls to reduce any risks identified will be implemented where appropriate. 

Systems development will be subject to change control and separation of test, development and operational environments. 

  1. Supplier relationships

Infratech’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected. 

Supplier activity will be monitored and audited according to the value of the assets and the associated risks. 

  1. Information security incident management

Guidance will be available on what constitutes an information security incident and how this should be reported. Actual or suspected breaches of information security must be reported and will be investigated. The appropriate action to correct the breach will be taken, and any learning built into controls. 

  1. Information security aspects of business continuity management

Infratech will have in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters. This is to ensure their timely recovery in line with documented business needs. This will include appropriate backup routines and built-in resilience. 

Business continuity plans must be maintained and tested in support of this policy. Business impact analysis will be undertaken, detailing the consequences of:  

  • disasters
  • security failures
  • loss of service
  • lack of service availability
  1. Compliance

The design, operation, use and management of information systems must comply with all statutory, regulatory and contractual security requirements. 

Currently this includes:  

  • data protection legislation
  • the payment card industry standard (PCI-DSS)
  • the government’s Prevent strategy
  • Infratech’s contractual commitments

Infratech will use a combination of internal and external audits to demonstrate compliance against chosen standards and best practice, including against internal policies and procedures. This will include:  

  • IT health checks
  • gap analyses against documented standards
  • internal checks on staff compliance
  • returns from Information Asset Owners

 

Review of this document: annually by COO 

Next review date: August 2025. 

Modern Slavery Policy

Introduction

This Modern Slavery and Human Trafficking Statement is made in accordance with and as a response to Section 54(1), Part 6 of the Modern Slavery Act 2015 and relates to actions and activities for the financial year ending 31 December 2025.

Infratech Digital (UK) Limited ('the Company', 'we', 'us' or 'our') is committed to preventing slavery and human trafficking violations in its own operations, its supply chain, and its products. We have zero tolerance towards slavery and require our supply chain to comply with our values.

Our overall responsibility for identifying, assessing, and managing modern slavery risk and responding to modern slavery is overseen by the COO.

Organisational Structure

Infratech Digital (UK) Limited and has business operations in the United Kingdom.

We operate in the Information Technology sector. The nature of our supply chains is as follows: We work with a number of key direct suppliers, who provide us with goods, such as equipment for our premises, and services, such as outsourced business processes, IT software and marketing services.

For more information about the Company, please visit our website: https://infratech.digital.

Policies

We operate a number of internal policies to ensure that we are conducting business in an ethical and transparent manner.

These include the following:

Recruitment and selection policy - We conduct checks on all prospective employees to verify that they are eligible to work in the UK. Certain roles require a Disclosure and Barring Service (DBS) check where employees may be working with sensitive material and others where we go further to a full Security Check (SC clearance) with UK Security Vetting.

Supplier code of conduct - We operate this policy to ensure our suppliers operate in full compliance with the laws, rules and regulations of the countries in which they operate, and to seek similar commitments across their own supply chain.

Whistleblowing policy - We operate this policy so that employees are able to raise concerns about how staff are being treated or practices within our business or our supply chains without fear of reprisal.

Staff code of conduct - We are committed to the fair treatment of all staff. Our staff code of conduct reflects our core values and expected behaviours. The code of conduct makes it clear that we have a zero tolerance approach to modern slavery.

Procurement policy - We want to make sure that potential suppliers are committed to ensuring that slavery and human trafficking is not taking place within their own supply chains. Our procurement policy and supporting procedures set out controls and checks undertaken to help verify this.

Safeguarding policy - This policy highlights the potential risks of modern slavery and human trafficking, including how to identify signs of exploitation and how to report concerns.

We make sure our suppliers are aware of our policies and adhere to the same standards.

Due Diligence

As part of our efforts to monitor and reduce the risk of slavery and human trafficking occurring in our supply chains, we have adopted the following due diligence procedures:

  • Internal supplier audits.

Our due diligence procedures aim to:

  • Identify and action potential risks in our business and supply chains.
  • Monitor potential risks in our business and supply chains.
  • Engage with workers and suppliers.
  • Reduce the risk of slavery and human trafficking occurring in our business and supply chains.
  • Provide adequate grievance mechanisms and protection for 

Risk and Compliance

The Company has evaluated the nature and extent of its exposure to the risk of slavery and human trafficking occurring in its UK supply chain through:

  • Evaluating the slavery and human trafficking risks of each new supplier.
  • Creating an annual risk profile for key suppliers.
  • Reviewing on a regular basis all aspects of the supply chain based on supply chain mapping.

We do not consider that we operate in a high-risk environment because the majority of our supply chain are large multinational companies from low-risk industries such as technology products and services. .

We do not tolerate slavery and human trafficking in our supply chains. Where there is evidence of failure to comply with our policies and procedures by any of our suppliers, we will seek to terminate our relationship with that supplier immediately.

Effectiveness

The Company uses Key Performance Indicators (KPIs) to measure its effectiveness and ensure that slavery and human trafficking is not taking place in its business and supply chains.

These KPIs are as follows:

  • We will contact suppliers to enquire about their modern slavery practices every12 
  • We will train our staff about modern slavery issues and increase awareness within the Company.

Training Staff

The Company requires its staff to complete training and ongoing refresher courses on slavery and human trafficking.

The Company's training covers:

  • How to identify the signs of slavery and human trafficking.
  • What initial steps should be taken if slavery or human trafficking is suspected.
  • How to escalate potential slavery or human trafficking issues to the relevant parties within the

The statement was approved by the board of directors on 05 January 2026.

Review of this document: annually by COO.

Next review date: Dec 2026.

  • How technology leaders achieve positive outcomes by focusing on sound design principles.
  • Enabling change through a cloud of technology
Linkedin-in

© 2025 All Right Reserved

Design by Elder Creative Agency