Cressive Privacy Notice 

Version 2.1 | Effective date: 28.04.2026

Summary 

We believe deeply in the privacy of – and your control of – your own personal information. Indeed we are advocates of individual privacy, to the point of helping others improve for it. 

 This notice explains what personal data Cressive collects through cressive.com, why we collect it – if we collect it, how we use it, and what rights you have. 

We only collect the personal data we need to answer your enquiries, deliver the assessments you request, and keep you informed if you ask to be. We do not sell your data, we do not share it for anyone else’s marketing, and we do not automatically add people who submit assessment requests to our marketing list. 

The rest of this notice sets out, in detail, what we collect, why, on what legal basis, how long we keep it, who processes it on our behalf, and what rights you have. For any further information, please email [email protected]

This notice covers personal data processed through our public website at cressive.com. It does not cover personal data processed through our customer platform at my.cressive.com, where Cressive acts as a processor on behalf of its customers; that relationship is governed by the Data Processing Agreement entered into with each customer, and is by default contractual rather than pre-contract. 

1. About this notice 

This Privacy Notice explains how Cressive Limited (“Cressive”, “we”, “us”, “our”) processes personal data collected through our public website at cressive.com and related marketing activities. It applies to: 

  • Visitors to the site; 
  • People who submit a form on the site (general contact form or website assessment forms); 
  • Subscribers to our newsletters and marketing communications; 
  • Business contacts we meet, correspond with, or connect with on LinkedIn. 

In this notice, “you” means any individual whose personal data we process, including those in the categories above. 

We act as a data controller for the purposes of UK GDPR and the Data Protection Act 2018 in relation to all the activities covered by this notice. We are mindful and respectful of any global regulations. 

2. Who we are – the data controller 

The controller of personal data processed via cressive.com is: 

Cressive Limited 

Trading office: The Surrey Technology Centre, 40 Occam Road, Guildford, Surrey GU2 7YG 

Registered office: 12 Railton Road, Guildford, Surrey GU2 9LX, United Kingdom  

Company registered number: 5500007 (England and Wales) 

ICO registration: ZA315879 

Cressive DX and Cressive Digital are trading names of Cressive Limited. 

We are not required under UK GDPR to appoint a statutory Data Protection Officer, but we have a nominated privacy contact, reachable at [email protected]

3. How to contact us 

For privacy enquiries, to exercise your rights, or to raise a complaint: 

  • Post: Privacy Contact, Cressive Limited, The Surrey Technology Centre, 40 Occam Road, Guildford, Surrey GU2 7YG 

For general enquiries: +44 (0)1483 688 455 or through the website contact form. 

We aim to respond to privacy enquiries well within one calendar month. In complex cases we may extend this by up to two further months and will tell you if we need to. 

4. What personal data we collect 

4.1 Personal data you give us directly 

When you contact us or use a form on our website, we collect the information you choose to provide. Specifically: 

  • General contact form: your name, email address, company name, and the content of your message. 
  • Website assessment forms: your name, email address, company name, and the URL(s) of the website(s) you want us to assess. 
  • Newsletter and marketing subscriptions: your name, email address, and (optionally) company and role. 
  • Email and telephone correspondence: any personal data contained in the messages you send us or the call notes we take. 

We do not intentionally collect special category data (for example, health, racial or ethnic origin, political opinions, religious beliefs). Please do not submit special category data in free-text fields. If you do, we will treat it with additional care and, unless required to retain data, delete it. 

4.2 Personal data we collect automatically 

When you visit cressive.com we collect limited technical data via cookies and similar technologies – pseudonymised identifiers, device and browser information, pages viewed, referral source, and IP-derived country or region (not precise location). This happens only after you provide consent through our cookie banner. See Section 11 for the full cookie model and preference controls. 

4.3 Personal data we obtain from third parties 

We do not purchase marketing lists. We do not enrich contact records from third-party data providers. Where we meet or connect with someone at a professional event or on LinkedIn, we may retain their publicly available business contact details (name, role, company, work email) together with our own notes of the interaction. 

5. How we use your personal data and on what legal basis 

The table below sets out each purpose for which we process personal data and the lawful basis we rely on under UK GDPR. 

Purpose Legal basis (UK GDPR Art. 6) 
Responding to enquiries submitted via our general contact form, email, or by telephone. Legitimate interests – responding to people who have chosen to contact us, and (where the enquiry concerns a potential engagement) taking pre-contractual steps at your request. 
Delivering a website assessment you have requested, including running it against the URL(s) you provide and sending you the output. Performance of a contract / pre-contractual steps taken at your request. We consider the submission of the form to be your request for us to provide this service. 
Sending marketing communications, newsletters, and product updates to people who have actively subscribed to receive them. Consent – which you may withdraw at any time by using the unsubscribe link in any email or by emailing [email protected]
Business-to-business marketing to professional contacts we have met, corresponded with, or connected with on LinkedIn, where the content is relevant to their role. Legitimate interests – keeping existing business contacts informed about our work, subject to your right to object at any time. 
Analytics and performance monitoring of our website (via Google Analytics 4) to understand which content is effective and to improve the site. Consent – analytics are loaded only after you accept the relevant category in our cookie banner. 
Managing security of our website and systems, detecting and preventing fraud or misuse. Legitimate interests – keeping our site and data secure; and compliance with a legal obligation under UK GDPR Art. 32. 
Complying with legal, regulatory, accounting, and professional obligations (including tax record retention and responding to regulatory enquiries). Compliance with a legal obligation. 
Establishing, exercising or defending legal claims. Legitimate interests – protecting our lawful rights. 

6. Who we share your personal data with 

We do not sell your personal data. We do not share it with third parties for their own marketing. Personal data is shared only with service providers who act as our data processors under written contracts that meet the requirements of UK GDPR Article 28. 

The principal external processors are set out below. Transfer mechanisms for processors outside the UK are explained in Section 7. 

Processor Purpose Location 
Google LLC – Google Analytics 4 Website analytics and performance monitoring (loaded only with consent). United States 
Google LLC – Google Workspace (Drive, Sheets, Gmail) Storage of form submissions, correspondence, and internal working files. United States (EU regions where available) 
Cookieyes ApS Consent management platform (cookie banner and preference storage). European Union (Denmark) 
Email and CRM providers (categories) Outbound newsletters, transactional email, contact management. UK / EU / US depending on provider 
Website hosting and security providers (categories) Serving and securing cressive.com. UK / EU / US depending on provider 

We may also disclose personal data where required by law, to exercise or defend our legal rights, to cooperate with regulators or law enforcement, and to any successor entity in the event of a corporate reorganisation, merger, or sale of our business. 

7. International transfers 

Some of our processors, in particular Google LLC, are / can be located outside the United Kingdom. Where personal data is transferred to a country that has not received a UK adequacy decision, we rely on one or more of the following safeguards: 

  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses (“UK IDTA”), together with supplementary technical and organisational measures where appropriate; 
  • The UK Extension to the EU-US Data Privacy Framework, where the receiving organisation (including Google LLC) is a certified participant; 
  • Any other transfer mechanism recognised under UK GDPR. 

You can request a copy of the transfer mechanism relied upon for a specific processor, as known, by emailing [email protected]

8. How long we keep your personal data 

We keep proffered personal data only for as long as we need it for the purposes described in this notice, or for any longer period required by law. Our standard retention periods are: 

Category of personal data Retention period 
Form submissions (contact form, website assessment forms) Up to 24 months from our last substantive contact with you. 
Marketing subscriber list Until you unsubscribe, plus any minimum retention required to evidence consent and suppression (typically 2 years). 
Email correspondence Up to 24 months from the last exchange, unless part of an ongoing customer relationship. 
CRM records (business contacts) Up to 24 months from last meaningful interaction, reviewed periodically. 
Financial and transactional records (once you become a customer) 7 years from the end of the relevant tax year, as required by UK tax and company law. 

We review records periodically and delete, anonymise, or archive data that is no longer needed. 

9. How we protect your personal data 

We apply appropriate technical and organisational measures to safeguard personal data against loss, misuse, unauthorised access, alteration, and disclosure. These include: 

  • Encryption of data in transit (HTTPS / TLS) across our website and all business systems; 
  • Encryption at rest where offered by our processors; 
  • Role-based access controls – only Cressive personnel with a legitimate need can access personal data; 
  • Multi-factor authentication on all business systems that hold personal data; 
  • Regular review of our processors’ security posture and sub-processor arrangements; 
  • Periodic staff training on data protection, information security, and incident response. 

If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by Article 34. 

10. Your rights 

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights apply in the circumstances and subject to the exceptions set out in applicable law. 

  • Right of access – to be told what personal data we hold about you, and to receive a copy. 
  • Right to rectification – to have inaccurate or incomplete data corrected. 
  • Right to erasure (“right to be forgotten”) – to have your personal data deleted in certain circumstances. 
  • Right to restriction of processing – to limit how we process your data in certain circumstances. 
  • Right to object – to object to processing based on legitimate interests, and at any time to direct marketing. 
  • Right to data portability – to receive personal data you have provided in a structured, commonly used, machine-readable format, and to ask us to transmit it to another controller where technically feasible. 
  • Right to withdraw consent – where our processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. 
  • Right not to be subject to automated decision-making – see Section 13. 
  • Right to lodge a complaint with a supervisory authority – see Section 15. 

To exercise any of these rights, email [email protected]. We may ask you to verify your identity before we release information, to protect your data from unauthorised disclosure. Exercising these rights is free of charge except in limited circumstances permitted by law. 

11. Cookies and similar technologies 

Cressive operates on an opt-in consent model for all non-essential cookies. No analytics, marketing, or functional cookies are set before you provide consent through our banner. Only a strictly necessary cookie placed by our consent management platform (Cookieyes) is used to remember your preferences. 

For the full list of cookies in use – name, purpose, duration, and provider – click the cookie preferences link in our website footer to open the consent panel. Cookieyes maintains the inventory there. You can change your preferences at any time from the same panel. 

12. Children 

Cressive’s website and services are directed at business users, not children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has submitted personal data to us, please email [email protected] and we will delete it promptly. 

13. Automated decision-making and profiling 

We do not make any decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (as defined in UK GDPR Article 22). Our website assessments generate reports based on technical checks of the URLs you submit; these reports are informational and do not make decisions about individuals. 

14. Changes to this notice 

We review this notice at least annually, and whenever our practices change or applicable law requires. When we make material changes, we will: 

  • Update the version number and effective date at the top of this notice; 
  • Publish a short summary of what has changed on this page; 
  • Notify existing newsletter subscribers and active contacts by email where the change materially affects them. 

Minor clarifications and typographical corrections may be made without notice. 

15. Complaints 

If you are unhappy with how we have handled your personal data, we ask that you contact [email protected] first so we can try to resolve the issue directly. 

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (“ICO”): 

  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 
  • Telephone: 0303 123 1113 
  • Website: https://ico.org.uk/make-a-complaint/ 

Cressive’s ICO registration number is ZA315879. 

If you are located in the European Economic Area and consider that the processing of your personal data infringes EU GDPR, you may also have the right to lodge a complaint with the supervisory authority in your EU country of residence, place of work, or the place of the alleged infringement.