Plain-English Privacy Compliance for UK Businesses

We create clear, audit-ready privacy documentation, without calls, legal jargon, or inflated consultancy fees. Designed for founders who want GDPR done properly, with minimal disruption.

Trust Is Built on Clarity, Not Promises

Customers are asked to share personal data with companies they barely know, while those same companies struggle to clearly explain how that data is handled, protected, and respected.

Urvantis bridges that gap.

We create clear, documented, plain-English privacy practices that show, not just claim, how your business meets its data protection responsibilities. No legal theatre. No vague assurances. Just transparency that stands up to scrutiny.

Because trust shouldn’t live in the small print. It should be visible in how your business operates every day.

Privacy That Fits Your Business

Compliance shouldn’t slow you down. We design privacy documentation around how your business already operates; your tools, your workflows, your reality. No parallel systems. No constant form-filling. Just privacy that works quietly in the background.

Clarity Without Complexity

We replace scattered templates, legal jargon, and guesswork with a clear, fixed-scope foundation. You know what you’re compliant with, what to be mindful of, and what to update as you grow, without drowning in paperwork or advice you can’t action.

Confidence That Lasts

Privacy isn’t a one-off task. It evolves as your business changes. We help you stay prepared; whether that’s responding to a SAR, adjusting for new tools, or updating documentation as regulations shift. Calm, proactive, and controlled.

Privacy Foundations Package

The compliance foundation every UK business needs.

£595

Fixed scope · No hidden fees · No upsells

Bespoke Privacy Policy

RoPA Documentation

Privacy Confidence Summary

Cookie Compliance Overview

ICO-Ready File Structure

Privacy Action Checklist

DSAR Handling Guide

Breach Response Playbook

Dedicated Privacy Architect

12 Months Email Support

Delivered within 2–5 business days once onboarding information is complete. No calls required.

How It Works

No templates. No bots. No unnecessary meetings. Just a structured, written-first process designed to make privacy compliance clear, calm, and audit-ready.

1. Start by Sending an Email

You email us to get started.
We reply with a short set of questions to confirm fit.
No calls required.

2. Agreement & Payment

We email you our service terms, data processing agreement, and a secure payment link. Everything is reviewed in plain English.

3. Onboarding & Documents

After payment, complete our onboarding questionnaire. We create your Privacy Policy, RoPA, and supporting documents.

4. Post-Delivery Support

You receive a defined email support window of 90 days for implementation questions and clarifications.

We Practice What We Preach

Privacy isn’t just something we advise on; it’s how we operate.

We use privacy-first tools, clear internal processes, and the same regulatory standards we help our clients meet. Your data is handled securely, transparently, and in line with UK GDPR requirements.

You’ll always deal directly with an experienced privacy professional, and every document we produce is written in plain English, so it makes sense to you, your team, and your customers.

No ticket systems. No jargon. No shortcuts.

Aftercare & Ongoing Support

Your privacy compliance doesn’t stop once the paperwork is done, and neither do we.

As an Urvantis client, you’ll have ongoing access to our Aftercare Support, designed to keep your compliance current and your team confident.

We provide flexible, pay-as-you-go help for:

  • Responding to Subject Access Requests (SARs)

  • Managing data breaches or regulator contact

  • Reviewing vendors and risk exposure

  • Updating policies as your business evolves

Always-on peace of mind. Expert help when you need it, only for existing clients.

How We Run Urvantis as a Privacy-First Business

Privacy isn’t just something we advise clients on, it’s something we apply to our own business every day.

This guide explains how Urvantis operates as a privacy-first business, what principles guide our decisions, and what clients can expect when working with us.

The short answer

We deliberately design our business to collect as little personal data as possible, use it only where necessary, and keep our systems simple, transparent, and secure. We are advocates of data minimisation.

This makes our own compliance easier and ensures the guidance we give clients is grounded in real practice, not theory.

Why we take a privacy-first approach

Many organisations treat data protection as something layered on top of existing systems. We take a different view.

From the outset, we aim to:

  • Minimise data collection

  • Avoid unnecessary tracking

  • Choose tools that align with data protection principles

  • Keep data flows understandable

Less data means:

  • Less risk

  • Fewer compliance obligations

  • Fewer things that can go wrong

This is the same approach we recommend to clients wherever possible.

How Urvantis works as a privacy company

We are advocates for data minimisation. Here is everything we do.

1. How we design our website and online presence

Our website is intentionally simple and built using Carrd. We avoid:

  • Behavioural tracking

  • Marketing analytics

  • Advertising pixels

  • Unnecessary cookies

  • Social media integration

The site exists to explain what we do and allow people to contact us, not to monitor or profile visitors. Where functionality isn’t essential, we don’t include it.

2. How we handle payments and transactions

When payments are required, we use Stripe to process transactions rather than handling card data ourselves.

This means:

  • We never see or store card details

  • Payment information is handled securely by a specialist provider with its own compliance and security obligations

  • Our own systems remain simpler and lower risk

We retain only the information necessary for accounting, tax, and contractual purposes, nothing more.

3. How we communicate with clients

Client communication often contains sensitive information, so we’re deliberate about how it’s handled. We use Tuta for business email, which prioritises privacy and encryption by design.

In practice, this means we:

  • Use encrypted email services

  • Limit access to communications on a need-to-know basis

  • Avoid unnecessary forwarding or duplication

  • Retain messages only for as long as they’re needed for the engagement

Clear communication doesn’t require excessive data collection or complex tooling. Notice we don't use third-party contact forms on our site for this very reason.

4. How we store and manage documents

Client documentation is stored securely using Filen, with access tightly controlled.

Our approach focuses on:

  • Encryption by default

  • Restricted access

  • Data minimisation

  • Clear and proportionate retention practices

We avoid spreading documents across multiple platforms or keeping copies 'just in case'. This reduces exposure and makes it easier to understand exactly where data lives.

What we deliberately avoid

As a privacy consultancy, it would be inconsistent to run a data-heavy operation ourselves.

Where possible, we deliberately avoid:

  • Platforms that rely on pervasive tracking or profiling

  • Ecosystems that encourage unnecessary data collection by default

  • Services that make data flows opaque or difficult to explain

This includes avoiding products from large data-driven providers such as Amazon, Google, Meta, and Microsoft, where privacy-respecting alternatives are available. Not every business can avoid these platforms entirely, but in our own case, they aren’t necessary.

Choosing simpler, privacy-centric tools keeps our own compliance straightforward and aligns with the advice we give clients.

How this benefits our clients

Running our own business this way has practical benefits for clients:

  • Our recommendations are grounded in real operational choices

  • We understand the trade-offs between simplicity and functionality

  • We don’t recommend tools or practices we wouldn’t use ourselves

  • We’re conscious of proportionality for small businesses

Privacy-first doesn’t mean anti-business. It means making deliberate, informed choices.

What clients can expect from us

When working with Urvantis, clients can expect:

  • Clear explanations in plain English

  • Proportionate, realistic guidance

  • Respect for confidentiality

  • Transparency about limitations and responsibilities

We focus on helping businesses understand and manage privacy sensibly, not overwhelming them with unnecessary complexity.

If you’re curious about your own setup

Many businesses are surprised by how much data their systems collect simply because 'that’s how things were set up'. If you’re interested in reducing risk by simplifying your own data practices, reviewing how data flows through your business is often a useful first step.

This guide explains UK data protection requirements in plain English. It does not constitute legal advice.

Data Protection for Growing SMEs: What Changes as You Scale

Data protection obligations don’t suddenly appear when a business becomes 'large'. Instead, they tend to grow quietly alongside the business, becoming more complex as teams, systems, and customer numbers increase.

This guide explains what typically changes as UK SMEs grow, why early structure matters, and when it’s time to revisit privacy and compliance arrangements.

The short answer

As your business grows, the amount of personal data you process usually increases, along with the risk attached to it.

Growth doesn’t mean compliance has to become burdensome, but it does mean informal or ad-hoc approaches often stop being sufficient.

Why growth changes the privacy picture

Many small businesses start out with simple, easy-to-track data practices:

  • One or two people handling everything

  • A small number of tools

  • Limited data sharing

Over time, growth introduces complexity. This might include:

  • More customers or clients

  • More personal data being collected

  • More people accessing that data

  • More third-party services involved

Each of these increases the chance of inconsistency, misunderstanding, or error, even where intentions are good.

What usually changes first

While every business grows differently, certain changes tend to appear early. The most common changes are:

1. Hiring staff or contractors

Employing people introduces a new category of personal data, including:

  • Contact details

  • Payroll information

  • Right-to-work documentation

  • Performance or HR records

Employee data is often more sensitive than customer data and usually requires clearer internal processes.

2. Adding tools and systems

Growing businesses commonly add:

  • CRMs

  • Email marketing platforms

  • Project management tools

  • Cloud storage

  • Booking or support systems

Each tool becomes a new location where personal data is stored, accessed, or shared. Without documentation, it becomes harder to explain where data lives.

3. Sharing data with more third parties

As operations expand, data is often shared with:

  • Accountants or bookkeepers

  • Marketing agencies

  • IT or support providers

  • SaaS platforms

Each third party introduces additional obligations around transparency and accountability.

Why early documentation makes growth easier

Without clear documentation, growth can lead to:

  • Unclear responsibility for data handling

  • Different team members doing things differently

  • Difficulty responding to data subject requests

  • Uncertainty during incidents or complaints

Documenting data flows and responsibilities early doesn’t slow growth; it usually prevents problems later.

This is where tools like data mapping and RoPA documentation become increasingly valuable.

Common trigger points for SMEs

Many businesses only revisit data protection when something specific happens, such as:

  • Hiring their first employee

  • Taking on larger clients

  • Preparing for investment or due diligence

  • Expanding services

  • Introducing marketing automation

  • Experiencing a complaint or enquiry

At that point, gaps are more visible and often harder to fix under time pressure.

What 'proportionate compliance' looks like as you scale

Growing SMEs don’t need enterprise frameworks or full-time compliance teams.

A proportionate approach usually includes:

  • A clear understanding of where personal data flows

  • Up-to-date privacy documentation

  • Defined internal responsibilities

  • Practical processes for handling requests and incidents

  • Periodic review as the business changes

The goal is clarity and consistency, not bureaucracy.

Why waiting often makes things harder

Leaving compliance until later often results in:

  • Reconstructing data practices from memory

  • Inconsistent explanations to regulators or clients

  • Increased stress during enquiries

  • Higher costs to fix issues retrospectively

Building structure gradually, as the business grows, is usually simpler and more cost-effective.

If you’re unsure

If your business has grown significantly since your privacy documentation was created, or if you’ve added people, tools, or services, it’s worth checking whether your current approach still reflects reality. Growth is usually the point where informal compliance stops being reliable.

This guide explains UK data protection requirements in plain English. It does not constitute legal advice.

What Happens If the ICO Contacts Your Business?

Receiving an email or letter from the Information Commissioner’s Office (ICO) can be unsettling, especially for small businesses that don’t have in-house legal or compliance support.

This guide explains why the ICO contacts businesses, what an enquiry usually involves, and how to respond calmly and appropriately.

The short answer

An ICO enquiry does not automatically mean you’ve done something wrong, and it does not mean a fine is imminent.

In most cases, the ICO is seeking clarification, documentation, or reassurance that your business understands its data protection responsibilities.

Why the ICO contacts businesses

The ICO usually contacts organisations for one of three reasons:

  • A complaint from a customer, employee, or member of the public

  • A data breach notification, either submitted by you or reported by someone else

  • A routine or targeted enquiry, often linked to a particular sector or issue

For small businesses, the most common trigger is a complaint, often about transparency, marketing communications, or access to personal data. Importantly, many complaints arise from misunderstandings rather than serious misconduct.

What an ICO enquiry typically looks like

Most initial contact from the ICO is:

  • Written (email or letter)

  • Neutral in tone

  • Focused on specific questions

You are usually asked to explain:

  • What personal data you process

  • Why you process it

  • What documentation you have in place

  • How you handle individual rights requests

In many cases, the ICO is assessing whether the issue can be resolved informally rather than escalated.

What the ICO usually asks for first

While every enquiry is different, the ICO commonly asks to see:

  • Your privacy policy or privacy notice

  • Evidence that it reflects your actual practices

  • Information about where data is stored and who can access it

  • Details of any third-party services you use

  • An explanation of how you handle requests from individuals

This is why documentation matters.

The ICO often starts by checking whether a business understands and can explain its own data processing.

Common mistakes businesses make

When contacted by the ICO, small businesses sometimes make the situation harder than it needs to be.

Common issues include:

  • Ignoring the enquiry or responding late

  • Providing inconsistent or unclear explanations

  • Sharing documents that don’t match real practices

  • Over-explaining or speculating

  • Panicking and making unnecessary changes mid-response

A calm, accurate response is usually more effective than a defensive or overly technical one.

What the ICO actually cares about

The ICO’s primary concern is whether a business is acting responsibly and transparently.

They typically look for evidence that you:

  • Understand what personal data you process

  • Have thought about why you process it

  • Are open and honest with individuals

  • Are willing to correct issues where needed

They are generally less interested in:

  • Perfect wording

  • Lengthy legal arguments

  • Complex documentation that doesn’t reflect reality

Demonstrating awareness and cooperation often goes a long way.

When to respond yourself, and when to get help

Some enquiries can be handled internally, particularly where:

  • The issue is narrow and well understood

  • Your documentation is accurate and up to date

  • You’re confident explaining your processes

It’s often sensible to seek support where:

  • The enquiry involves multiple data processing activities

  • Documentation is missing or out of date

  • The complaint raises broader compliance concerns

  • You’re unsure how to frame your response

Getting clarity early can prevent misunderstandings from escalating.

If you’ve been contacted

If you’re unsure how an ICO enquiry relates to your own data practices, it’s often helpful to step back and look at how your personal data is documented and explained internally. Having a clear understanding of what data you process, where it flows, and why it’s used makes responding accurately and proportionately much easier.

This guide explains UK data protection requirements in plain English. It does not constitute legal advice.

Privacy Guides

What Is a RoPA and Do Small Businesses Need One?

Many UK small businesses come across the term 'RoPA' when reading about GDPR compliance or responding to an enquiry, often without any clear explanation of what it actually means or whether it applies to them.

This guide explains what a RoPA is, when it’s required, and why it matters in practice for small businesses.

The short answer

A RoPA (Record of Processing Activities) is a document that records how your business uses personal data.

Many small businesses are legally required to have one, and even where it isn’t strictly mandatory, having a RoPA is often the simplest way to demonstrate compliance if questions arise.

What a RoPA actually is (in plain English)

A RoPA is essentially an organised inventory of your personal data processing.

It documents things like:

  • What personal data you collect

  • Where it comes from

  • Why you use it

  • Where it’s stored

  • Who can access it

  • Who it’s shared with

  • How long you keep it

Rather than being a policy written for customers, a RoPA is an internal document designed to help you understand, and explain, your own data practices. Think of it as a map of how data moves through your business.

Common misunderstandings about RoPA

“We’re too small for this to apply.”

Size alone doesn’t remove the requirement. Regular data processing is usually the deciding factor.

“This is just a spreadsheet for regulators.”

While it can be a table or spreadsheet, its real value is operational; helping you understand and manage data.

“Our privacy policy already covers this.”

Privacy policies explain data use to individuals. A RoPA documents it internally. They serve different purposes.

“We can create this quickly if asked.”

Reconstructing data flows under pressure is difficult and often leads to inaccuracies.

When small businesses are required to have a RoPA

Under UK GDPR, organisations with fewer than 250 employees may still be required to keep a RoPA if their processing:

  • Is not occasional

  • Includes special category data

  • Could pose a risk to individuals

  • Involves employee or customer data as part of normal operations

In practice, most small businesses process personal data regularly, for example through client management, invoicing, marketing, or staffing, which means the exemption often doesn’t apply. This is why the ICO frequently expects SMEs to be able to produce a RoPA on request.

Why the ICO asks for this document first

When the ICO contacts a business, one of the first questions is usually:

“Can you explain what personal data you process and why?”

A RoPA answers that question clearly and efficiently.

Without one, businesses often struggle to:

  • Respond consistently

  • Identify where data is held

  • Explain third-party tools and services

  • Demonstrate accountability

A well-prepared RoPA shows that a business understands its data environment, even if improvements are still needed elsewhere.

What a sensible RoPA looks like for SMEs

For small businesses, a practical RoPA should be:

  • Clear and structured

  • Accurate to how the business actually operates

  • Easy to update as tools or processes change

  • Proportionate to the size and complexity of the organisation

It doesn’t need to be complex or overly technical, but it does need to reflect reality. The most effective RoPAs are built from a clear understanding of day-to-day business processes, not copied from templates.

When not having a RoPA becomes a problem

A missing or outdated RoPA usually causes issues when:

  • The ICO makes an enquiry

  • A data subject requests information

  • A breach occurs and impact needs assessing

  • A client, partner, or investor asks for compliance evidence

  • The business grows or adopts new systems

At that point, businesses often realise they don’t have a clear overview of their own data.

If you’re unsure

When personal data hasn’t been clearly documented, uncertainty tends to surface at exactly the wrong moment, during enquiries, complaints, or periods of change. That’s why many businesses start by mapping how personal data actually flows through their operations, and then documenting it in a structured, practical way.

This guide explains UK data protection requirements in plain English. It does not constitute legal advice.

Is My Privacy Policy Actually GDPR-Compliant?

A lot of UK small businesses already have a privacy policy in place, usually because they know they’re supposed to. The problem is that 'having a privacy policy' and 'being compliant' are not the same thing.

This guide explains what 'GDPR-compliant' means in real life, how to spot common issues, and what a sensible, proportionate privacy policy looks like for a small business.

The short answer

A privacy policy is only GDPR-compliant if it’s accurate, clear, and matches what your business actually does with personal data.

Many policies fail not because they’re missing legal phrases, but because they don’t reflect reality, especially when they were copied from templates or haven’t been updated as the business changed.

Why this causes confusion for small businesses

Privacy policies are often treated as a box-ticking exercise:

  • Someone adds a policy to the website

  • It looks professional

  • It’s never looked at again

But businesses don’t stay still. Over time you might:

  • Change how enquiries come in

  • Add new tools (email marketing, booking, CRM, accounting)

  • Start using analytics

  • Hire staff or contractors

  • Introduce new services, pricing, or processes

If your privacy policy doesn’t change alongside the business, it quietly becomes inaccurate. And accuracy is the core issue because under UK GDPR, you’re expected to tell people what you do with their data truthfully and transparently.

What 'GDPR-compliant' actually means (in plain English)

In practice, a compliant privacy policy should do three things:

1. Explain what personal data you collect
Names, email addresses, phone numbers, invoices, website data; whatever applies to your business.

2. Explain why you collect it and what you do with it
Not in vague terms, but in a way that maps to your real processes.

3. Explain people’s rights and how they can contact you
So someone can understand what options they have without needing legal knowledge.

That’s it. A privacy policy isn’t meant to be a legal novel. It’s meant to be an honest explanation.

Common misunderstandings

“If I have a privacy policy, I’m compliant.”

A privacy policy is only one part of compliance. It’s important, but it doesn’t automatically mean the underlying processes are correct, and if the policy is inaccurate, it can create risk rather than reduce it.

“If it looks professional and mentions GDPR, it’s fine.”

Design and wording don’t make it compliant. Accuracy does.

“I used a template, so it must cover everything.”

Templates are generic. Your business isn’t. A template can easily say you do things you don’t do, or miss things you do every day.

“I only collect basic data, so it doesn’t really matter.”

Basic personal data still counts. Names and emails are personal data, and transparency rules still apply.

What the ICO actually cares about

The ICO is generally less interested in whether you’ve used perfect legal language and more interested in whether you can demonstrate that you’re handling personal data responsibly.

In plain terms, they care about:

  • Is your privacy policy easy to find and understand?

  • Does it reflect reality?

  • Do you follow what it says?

  • Can you explain where data goes and who you share it with?

A short, plain-English privacy policy that matches your real data practices is often a better sign of compliance than a long policy filled with jargon.

Practical signs your policy might not be compliant

You don’t need to 'panic audit' your business to get a sense of whether your policy is doing its job. Here are common red flags we see:

1. It doesn’t match how enquiries actually work

For example, your policy may mention a contact form, but you only take enquiries by email, or vice versa.

2. It doesn’t mention the tools you actually use

Many policies don’t mention key third parties such as:

  • Payment providers

  • Email platforms

  • Website hosting

  • Booking systems

  • Cloud storage

3. It makes promises you can’t realistically keep

Common examples:

  • “We delete all data immediately after service delivery” (when you actually retain invoices for tax reasons)

  • “We never transfer data outside the UK” (when tools may involve international processing)

  • “We respond instantly to all requests” (when you don’t have a defined process)

A compliant policy should be realistic, not aspirational.

4. It hasn’t been reviewed since your business changed

If you’ve added services, hired staff, changed systems, or started marketing since the policy was created, it’s worth checking whether it still reflects reality.

What 'good enough' looks like for UK SMEs

For most small businesses, a compliant privacy policy should be:

  • Accurate: It matches what you actually do

  • Clear: A normal person can understand it

  • Specific: It names real categories of data and real uses

  • Honest: It doesn’t hide behind vague statements

  • Proportionate: It doesn’t try to cover every imaginable scenario

A sensible SME policy typically includes:

  • What data you collect (and where it comes from)

  • Why you use it (in practical terms)

  • Who you share it with (including service providers)

  • How long you keep it (high level is fine)

  • How people can contact you and exercise their rights

It should also be easy to locate; usually linked clearly in your website footer.

When this usually causes issues

Privacy policy problems tend to surface when:

  • A customer asks a direct question about their data

  • Someone submits a complaint

  • The ICO makes an enquiry

  • A supplier, partner, or client asks for documentation

  • You start selling to larger organisations that conduct due diligence

In these moments, businesses often discover that their policy doesn’t reflect how data actually flows through the business, and fixing it under time pressure is harder than fixing it calmly upfront.

At that point, businesses often discover their policy hasn’t been reviewed in years, or was never accurate to begin with.

If you’re unsure

When a privacy policy doesn’t match how a business actually operates, the issue is rarely just the wording. It usually reflects a lack of clear documentation underneath, which is why many businesses start by mapping how personal data is used day to day, and then building their privacy documentation from that foundation.

This guide explains UK data protection requirements in plain English. It does not constitute legal advice.

Do I Need a Privacy Policy for My UK Small Business?

Many UK small businesses know they’re supposed to have a privacy policy, but aren’t sure whether the rules actually apply to them, or what 'having one' really means in practice.

This guide explains when a privacy policy is legally required, who it applies to, and what a sensible, proportionate privacy policy looks like for a small business.

The short answer

If your business collects or uses personal data about customers, clients, staff, or website visitors, you almost certainly need a privacy policy.

This applies to sole traders, limited companies, charities, and partnerships, regardless of size.

Why this applies to most UK businesses

Under UK data protection law, organisations must be transparent about how they handle personal data. A privacy policy is the main way you do that.

In practical terms, this means you need a privacy policy if your business does things like:

  • Receives enquiries by email, phone, or contact form

  • Has a website with analytics or cookies

  • Sends invoices or takes payments

  • Keeps client or customer records

  • Employs staff or works with contractors

  • Uses common tools like email providers, booking systems, CRMs, or accounting software

Even if you only collect basic information such as names and email addresses, that still counts as personal data. The size of your business doesn’t remove the obligation. What does matter is what data you collect, why you collect it, and how you use it.

Common misunderstandings

There are a few assumptions we hear regularly from small businesses. They’re understandable but not quite right.

“I’m a sole trader, so this doesn’t apply to me.”

Sole traders are still required to comply with UK data protection law if they process personal data.

“I don’t sell online.”

You don’t need to sell products online for this to apply. A simple contact form or email enquiry is enough.

“I copied a template, so I’m covered.”

Templates can be a starting point, but they often don’t reflect how a business actually operates.
A privacy policy needs to match your real data practices.

“I only collect email addresses.”

Email addresses are personal data. Even minimal data collection triggers transparency requirements.

What the ICO actually looks for

Many businesses worry that their privacy policy needs to be long, legalistic, or written in complex language. In reality, that’s not what regulators focus on.

What matters most is that your privacy policy is:

  • Accurate – it reflects what you actually do with data

  • Clear – people can understand it without legal training

  • Accessible – easy to find and read

  • Honest – no overstatements or vague promises

The ICO is far more concerned with whether your documentation matches your real-world behaviour than with perfect wording or length. A short, clear policy that accurately describes your processes is usually better than a long, generic one copied from elsewhere.

What 'good enough' looks like for small businesses

For most UK SMEs, a sensible privacy policy:

  • Explains what personal data you collect

  • States why you collect it and the legal basis for doing so

  • Identifies who you share data with (such as payment providers or email services)

  • Explains how long you keep data

  • Sets out people’s rights in plain language

  • Includes clear contact details

It does not need to:

  • Be written like a legal contract

  • Cover scenarios that don’t apply to your business

  • Use complex regulatory terminology

Proportionate, accurate, and understandable is the goal.

When this usually causes problems

Privacy policies tend to become an issue when:

  • A customer asks how their data is being used

  • The ICO contacts the business with an enquiry

  • The business grows or adds new tools

  • Someone realises the policy doesn’t reflect reality

  • A partner, platform, or client asks for compliance documentation

At that point, businesses often discover their policy hasn’t been reviewed in years, or was never accurate to begin with.

If you’re unsure

If you’re not confident that your privacy documentation reflects how your business actually operates, the most effective way to address that is to map your data properly and document it clearly. For many small businesses, that’s the point where having structured support makes the difference between 'having a policy' and genuinely understanding their compliance position.

This guide explains UK data protection requirements in plain English. It does not constitute legal advice.

Questions, Answered Simply

Clear answers to the questions people ask before getting started.

What does Urvantis actually do?

We create clear, audit-ready privacy documentation for UK businesses, including your Privacy Policy, RoPA (Article 30), and supporting compliance materials. Everything is written in plain English and tailored to how your business actually handles personal data, not generic templates.

How much does it cost?

Our Privacy Foundations Package is £595 (introductory price). This is a fixed price for the full package as described. No hidden fees. No required upsells.

Is this really bespoke, or based on templates?

Every engagement is bespoke. We use structured frameworks to ensure compliance, but every document is written and adapted specifically for your systems, tools, data flows, and business practices. Nothing is copy-pasted or generic.

Do I need a call to get started?

No. Our process is designed to work entirely via email and structured questionnaires. This keeps things efficient, clear, and documented. Calls are only used where genuinely necessary and agreed in advance.

What exactly do I receive?

You’ll receive:

  • A bespoke Privacy Policy.

  • Your Record of Processing Activities (Article 30).

  • A Privacy Confidence Summary (plain-English overview).

  • Cookie & Tracking Compliance Overview.

  • An ICO-ready file structure.

  • Privacy Action Checklist.

  • DSAR Handling Guide (Data Subject Access Requests).

  • Breach Response Playbook.

  • Direct access to a named Privacy Architect.

  • 12 months of post-delivery email support.

Delivery is typically 2–5 business days once onboarding information is complete.

What is the 12 months support?

12 months of email support is included with the Privacy Foundations Package. This covers clarification questions, guidance on using the delivered documents, and regulatory questions directly related to the Privacy Policy and RoPA we’ve created for your business. Support is designed to help you understand and confidently use your documentation as your business operates day to day.

This does not include major business changes, such as introducing new services, processing new categories of personal data, significant changes to business structure, or new processing activities. Where changes fall outside the original scope, we offer clear, pay-as-you-go aftercare services so support remains proportionate and predictable.

Can I use the documents straight away?

Yes. All documents are delivered ready to publish and use. We recommend reading them carefully and ensuring your day-to-day practices match what’s documented. Compliance works best when reality and paperwork align.

Do you provide legal advice?

No. Urvantis is not a law firm and does not provide legal advice or representation. We provide practical compliance documentation and guidance based on UK GDPR requirements and regulator guidance. If you need formal legal opinion, we’ll always recommend a qualified solicitor.

Am I still responsible for GDPR compliance?

Yes. You remain the data controller responsible for how your business handles personal data. Our role is to give you the documentation, structure, and clarity needed to meet those responsibilities properly.

What if the ICO contacts me?

If contacted by a regulator, you’ll be expected to show:

  • That you understand your data responsibilities.

  • That you have appropriate documentation.

  • That your practices match what’s written.

The materials we provide are designed to help you evidence good-faith compliance. Additional support is available for existing clients if needed.

What happens if my business changes later?

Privacy compliance evolves as your business evolves. During your support window, we can update documents to reflect changes. After that, existing clients can access pay-as-you-go updates and aftercare services as needed.

Is this service right for my business?

Our service is designed for UK businesses that process customer, client, or employee personal data and want GDPR done properly, without inflated legal fees or unnecessary meetings. If you’re unsure, email us and we’ll confirm whether this package is the right fit.

How do I get started?

Email us to get started. We’ll reply with a short set of questions to confirm scope, then send over the agreement pack and payment details. No calls required.

Privacy-First Contact

Email Us To Get Started: [email protected]

Press & Media

[email protected]

Client Support

[email protected]

Privacy Requests

[email protected]

New Business

[email protected]

At Urvantis, privacy isn’t just something we do; it’s how we operate.

We aim to reply to all enquiries within 12 business hours.
Messages are handled confidentially and never shared with external providers.
No third-party data-harvesting contact forms.

We don’t use contact forms that send your information through third-party systems. Just direct communication with someone who understands your business.

Email security matters to us. Urvantis uses Tuta for all email communication; it is a privacy-focused provider based in Europe. If you also use Tuta, our emails are end-to-end encrypted by default.

Inside Urvantis

Because privacy shouldn’t feel like paperwork.

I started Urvantis to make privacy practical, and maybe even enjoyable, for businesses that care about trust but don’t want to drown in legal jargon. After years of seeing small teams lost in template chaos and cookie-cutter compliance tools, I realised the problem wasn’t the law. It was the language.

Most people don’t wake up wanting to master GDPR (I did, apparently). But everyone wants their customers to feel safe sharing information. That’s where we come in, turning complex rules into clear, human practices that actually work.

How It Started

Before Urvantis, I worked with companies trying to untangle years of privacy spaghetti, systems that didn’t talk to each other, abandoned tools still quietly collecting data, nobody certain who had access to what.

One client only realised an old marketing app was still active when they received a data request!

That’s when it hit me: most privacy risks aren’t caused by bad actors, but by good people who can’t see the full picture.

So I built Urvantis around one goal: to make privacy visible, understandable, and useful.

Ben, Founder of Urvantis.

Plain English beats legalese

You deserve to understand your own privacy policy.

Transparency builds trust

People respect honesty more than perfect policies.

Compliance is a culture

It’s how your business treats information daily.

Spreadsheets aren’t strategy

Mapping data is about clarity, not bureaucracy.

Behind the Name

Urvantis comes from an old word meaning 'of the city.'

It originates from the Latin urbs, meaning 'city.' Privacy is a shared civic value, something that keeps our digital communities safe.

Our Mission

To help businesses earn trust through clarity, transparency, and genuine respect for people’s data.

Based in the UK, Working Across the EU

Data doesn’t stop at borders, and neither do we.

Urvantis is proudly based in the UK but we regularly support clients across the EU, aligning projects with EU GDPR requirements and helping teams manage cross-border data responsibilities confidently. Whether you’re a UK startup processing EU customer data or an EU business expanding into the UK, Urvantis provides a single point of clarity, one consistent privacy language on both sides.

Data minimisation is at the core of how Urvantis operates

One of the central rules of the GDPR is data minimisation; collect only what’s necessary, keep it only as long as needed, and never use it for anything else.

We design every process, tool, and policy to use less data, not more. Our everyday toolkit reflects that philosophy, including Filen for encrypted document storage and sharing, and Tuta for end-to-end-encrypted email. We don’t rely on analytics, ad platforms, or data-brokering tools, and we never use systems that compromise client confidentiality.

Every policy below is written in plain English and reflects how Urvantis runs day to day. Together, they form our Policy Stack, a transparent view of the standards that guide both our website and our work with clients.

Below you’ll find every policy that governs how we handle information and deliver services.

Urvantis Website Terms v1.4

Last Updated: January 2026
Effective Date: January 2026

Welcome to urvantis.com. These Terms and Conditions ('Terms') govern your use of this website. By accessing or using our site, you agree to be bound by these Terms.

1. Use of Our Website

Permitted Use: You may use this website for informational purposes and to learn about or enquire about our services. You agree to use the site lawfully, ethically, and in accordance with these Terms.

Prohibited Use: You may not use this website to distribute spam, malicious software, or unlawful content. You must not attempt to breach our security or copy, reproduce, or resell any part of the website content without written permission from Urvantis Privacy Limited.

2. Intellectual Property

All content on this website, including text, graphics, logos, and our unique frameworks and methodologies, is the exclusive property of Urvantis Privacy Limited and is protected by UK and international copyright laws.

3. Disclaimers

No Legal Advice: The information on this website is for general informational purposes only. It does not constitute legal, financial, or technical advice.

No Guarantees: While we strive to keep content accurate and up-to-date, we make no warranties as to its completeness or reliability. Use of the website is at your own risk.

4. External Links and References

This website currently does not include links to external or third-party websites. If external links are added in future, they will only point to trusted services that align with our privacy and security standards. Urvantis Privacy Limited is not responsible for the content or privacy practices of any third-party websites and encourages users to review the terms and privacy notices of those sites if visited.

5. Limitation of Liability

To the fullest extent permitted by law, Urvantis Privacy Limited will not be liable for any direct or indirect damages resulting from your use of, or inability to use, this website or its content.

6. Relationship to Client Agreements

These Terms apply only to use of this public website. Formal engagements with Urvantis are governed by separate written agreements, including our Client Service Agreement (CSA) and Data Processing Agreement (DPA), provided prior to payment or onboarding.

7. Governing Law and Jurisdiction

These Terms are governed by the laws of England and Wales. Any disputes arising from or related to the use of this website will be resolved under the exclusive jurisdiction of the courts of England and Wales. Visitors from the European Union are welcome to use this site, and their rights under applicable data protection law (UK or EU GDPR) remain unaffected.

8. Changes to These Terms

We may update these Terms from time to time. Any significant changes will be posted on this page, and the 'Last Updated' date will reflect the revision.

9. Contact Us

For questions about these Terms, please contact: [email protected]

Building trust, one transparent policy at a time.
All Urvantis policies are maintained internally and version-controlled.
The most recent updates are listed at the top of each page.
© 2025 Urvantis Privacy Limited. All Rights Reserved.

Data Processing & Client Service Agreements

Last Updated: January 2026
Effective Date: January 2026

Clients who engage Urvantis for services receive two formal documents before any work begins:

  • Client Service Agreement (CSA): outlines the project scope, deliverables, timelines, fees, and mutual confidentiality obligations.

  • Data Processing Agreement (DPA): required under UK GDPR Article 28, defining our roles, responsibilities, and technical and organisational measures when handling personal data on behalf of a client.

These agreements are provided individually prior to payment or onboarding. To avoid misuse, they are not publicly available, but you may request a redacted sample for review. Both documents are governed by the laws of England and Wales and align with the UK and EU GDPR frameworks.

Urvantis Cookie Notice

Last Updated: January 2026
Effective Date: January 2026

This website does not use analytics, tracking, or advertising cookies. Urvantis respects your right to privacy and transparency. Only minimal, strictly necessary cookies are set by our website host (Carrd) to ensure basic site operation; these do not store personal data and do not require consent under the UK GDPR and PECR.

Why No Cookie Banner

Under UK & EU cookie law, strictly necessary cookies do not require consent. Because we have nothing to track, you won’t see a cookie banner here. If you’re a client, we’ll advise you on whether your own website does require a consent mechanism and how to implement it correctly.

Urvantis Disclaimer

Last Updated: January 2026
Effective Date: January 2026

The information on this website is provided for general informational purposes only and does not constitute legal or professional advice. Urvantis Privacy Limited accepts no liability for actions taken based on this information. For specific guidance, please contact us directly. References to legislation or best practice are current as of the date published and may change without notice.

Urvantis Privacy Policy v2.4

Last Updated: January 2026
Effective Date: January 2026

Our Commitment to Privacy

At Urvantis, privacy isn't just our business, it's our architecture. Every decision we've made about our infrastructure reflects an uncompromising commitment to data protection that goes far beyond legal requirements. We operate under a simple principle: We cannot misuse data we cannot access.

Our Privacy-First Stack

Unlike most businesses that build on convenience and then add privacy as an afterthought, we've deliberately chosen a technology stack that makes meaningful data collection technically impossible:

  • Zero-access encryption: Your files are encrypted with keys we never see.

  • Independent, privacy-focused infrastructure: We use European providers who run their own secure servers, not big public clouds.

  • Encrypted communications: Emails sent within Tuta are fully end-to-end encrypted.*

  • No tracking, no analytics, no cookies: Not 'minimal' tracking. None.

  • Payment data we never see: Processed directly by PCI-certified systems.

  • European data centres: All core services are hosted in the EU; your data doesn’t cross oceans.

*Messages to other providers are encrypted in transit and can be further secured via password-protected messages on request.

This policy explains exactly what that means in practice. As a UK-based company, we operate under the jurisdiction of the Information Commissioner's Office (ICO) and adhere to the UK General Data Protection Regulation (UK GDPR). But our standards exceed mere compliance; they represent our values.

Who We Are

Company Name: Urvantis Ltd.
Registration: England and Wales
Data Controller: Urvantis Limited.
Address: Suite A, 82 James Carter Road, Mildenhall, Bury St Edmunds, IP28 7DE, UK
Privacy Contact: Ben Oakley, CEO
Email: [email protected]
Data Rights Requests: [email protected]

What We Collect (And What We Don't)

When You Browse Our Website

What we collect: Nothing.
Your IP address passes through our hosting provider's servers for the technical necessity of delivering web pages. We don't log it, we don't store it, we don't process it.
What we don't collect:
• No cookies (except strictly necessary session cookies)
• No tracking pixels
• No analytics
• No fingerprinting
• No behavioural data
• No advertising IDs
• No social media tracking
Why: Because understanding how many people clicked which button is not worth compromising your privacy.
Legal Basis: Not applicable; we're not processing your personal data.

When You Contact Us

What we collect:
• Your name
• Your email address
• Whatever information you choose to share in your message
Why: To respond to your enquiry and provide you with the information or services you've requested.
How we protect it: All communications are handled through our end-to-end encrypted email provider (Tuta, Germany). Your enquiry is encrypted from the moment it leaves your device until we read it in our encrypted inbox.
Retention: 12 months from our last communication, then permanently deleted, unless you become a client.
Legal Basis: Legitimate Interest (responding to your direct business enquiry).

When You Become a Client

What we collect:
Business Information:
• Business contact details (name, email, address, phone number)
• Company name and registration details
• Billing information (processed by Stripe, see below)
• Communication records
Your Data Processing Activities:
As part of our consultancy, we document information about how your company processes personal data. This is necessary to provide our service and is processed under strict confidentiality.
Why: To fulfil our contractual obligations, manage our client relationship, process payments, and deliver expert compliance services.
How we protect it:
1. Storage: All client files are stored securely using Filen, a zero-knowledge, end-to-end-encrypted storage provider based in Germany. Filen never has access to our encryption keys; only we can decrypt the files. In addition, we maintain separate encrypted local backups held offline under our direct control. No public cloud platforms. No shared infrastructure.
Encryption:
– Zero-access encryption for all files stored through Filen
– Encrypted in transit (TLS 1.3) and at rest (AES-256)
– Even Filen’s administrators cannot read client data
Backups:
Regular encrypted, offline backups are maintained on physically isolated media. These backups are disconnected from the internet; ransomware can’t encrypt what isn’t connected.
Access Controls:
Access to client data is strictly limited to authorised personnel. All accounts use strong authentication and mandatory 2FA across systems.
Retention: We retain project materials for the duration of our relationship + six years to comply with UK tax and company-law obligations.
Legal Basis: Processing is necessary for the performance of a contract under UK GDPR Article 6(1)(b).

How We Protect Your Data

Our Security Architecture

Infrastructure
Encrypted European storage: Client data is stored via Filen, a zero-knowledge provider operating its own EU-based servers.
Offline encrypted backups: Copies are held on isolated drives that never connect to the internet.
Independent infrastructure: We don’t use AWS, Google Cloud, or Azure; our providers run their own secure environments.
End-to-end encryption: Filen’s zero-access design ensures that only Urvantis holds the keys to decrypt stored content.
Communications:
Encrypted email: Tuta (Germany), zero-access, end-to-end encrypted.
No phone call recording: We don't record calls unless you explicitly consent for a specific purpose (e.g., training session recording).
Secure file transfer: All files encrypted before leaving our device
Access Controls:
Principle of Least Privilege: Personnel only access what they need.
Mandatory 2FA: On all internal systems and external services.
Strong authentication: No weak passwords tolerated.
Regular access reviews: Quarterly audits of who can access what
Data Minimisation:
• We collect only what's essential for our service.
• We don't 'collect now, decide the use later'.
• We don't build profiles or analyse behaviour
• We don't data mine for 'insights'
Secure Disposal:
• Cryptographic erasure when data is no longer needed.
• Verification of deletion completion.
• Physical destruction of retired storage media.

Who We Share Your Data With

Simple answer: Almost no one. We don't sell your data. We don't rent it. We don't 'partner' with data brokers. We don't share it with advertisers. We don't feed it to AI training models.

Our Subprocessors

We use exactly four external services, chosen for their exceptional privacy and security standards:
1. Carrd (USA): Website Hosting
Purpose: Hosts our website and processes visitor IP addresses for the technical necessity of delivering web pages.
What they process: Transient IP addresses of website visitors.
Why we chose them: Simple, secure, minimal data processing.
Safeguard: UK Adequacy Decision for EU-US Data Privacy Framework.
2. Tuta (Germany): Encrypted Email
Purpose: Secure, zero-access business communications.
What they process: Encrypted email metadata (from/to addresses, timestamps). Email content is end-to-end encrypted; Tuta cannot read it.
Why we chose them: Open-source, zero-access architecture, based in Germany, quantum-resistant encryption planned.
Location: Germany (EEA); no international transfer.
3. Filen (Germany): Encrypted Cloud Storage
Purpose: Zero-knowledge encrypted file storage for client deliverables and backups.
What they process: Encrypted files, encrypted filenames. Due to zero-knowledge encryption, Filen cannot access file contents.
Why we chose them: True zero-knowledge architecture, German-based, open-source clients, no data mining.
Location: Germany (EEA); no international transfer.
4. Stripe (USA): Payment Processing
Purpose: Secure payment processing and subscription management.
What they process: Payment information, billing details, transaction history.
What we never see: Your complete credit card number. Stripe uses tokenisation; we only see 'card ending in 1234.'
Why we chose them: PCI DSS Service Provider Level 1 certification (the highest security standard in payment processing), global leader in secure payments, extensive fraud protection.
Safeguard: UK Adequacy Decision for EU-US Data Privacy Framework.
Important: When you enter payment details, you're communicating directly with Stripe's secure environment, not our servers.

What We Don't Use

For transparency, here's what we've deliberately chosen NOT to use:
❌ Google Analytics (or any analytics)
❌ Facebook Pixel
❌ Social media tracking
❌ Advertising networks
❌ CRM systems that mine data
❌ 'Free' tools that monetise your data
❌ AI services that train on your content
❌ Public cloud storage (AWS, Azure, Google Cloud)
❌ Amazon, Microsoft, or Google products

Cookies and Tracking

We don't use cookies for tracking, analytics, or advertising. The only cookies on our site are those strictly necessary for security and basic functionality (session management, CSRF protection). These are provided by our hosting platform and expire when you close your browser. No consent banner needed because we're not tracking you.

How Long We Keep Your Data

We retain personal data only as long as necessary for the purpose collected:
Contact Enquiries
Retention: 12 months from last communication.
Why: To maintain a record of our conversation in case you follow up.
Deletion: Automatic after 12 months unless you become a client.
Client Data
Retention: Duration of our relationship plus 6 years.
Why: UK legal requirements for tax records and business documents (HMRC, Companies Act).
What happens: After this period, cryptographic erasure of all data.
Technical Logs
Retention: None; we don't keep logs of website visitors.

Your Rights Under Data Protection Law

Urvantis operates under the UK GDPR and, where applicable, the EU GDPR for clients and data subjects within the European Union.
You have the following rights regarding your personal data:
• Right of Access: You can request a copy of the personal data we hold about you. We’ll provide it in a clear, human-readable format.
• Right to Rectification: You can ask us to correct inaccurate or incomplete information, and we’ll update it promptly.
• Right to Erasure (Right to be Forgotten): You can request that we delete your data, unless we’re legally required to keep it (for example, tax or contractual obligations).
• Right to Restrict Processing: You can request that we temporarily limit how we use your data while you contest its accuracy or our legal basis for processing.
• Right to Data Portability: You can request your data in a machine-readable format (e.g. CSV or JSON) to transfer to another service.
• Right to Object: You can object to processing based on legitimate interests. We’ll stop unless we can demonstrate compelling legitimate grounds.
• No Automated Decisions: Urvantis does not use automated decision-making or profiling that produces legal or significant effects.
If you’re based in the UK, you can contact the Information Commissioner’s Office (ICO) for further information or to raise a concern. If you’re in the EU, you can contact your national data protection authority.

How to Exercise Your Rights

Email: [email protected]
Response time: We'll respond within one month (UK GDPR requirement).
Identity verification: We may need to verify your identity before fulfilling requests (to protect your data from unauthorised access).
Free of charge: Exercising your rights is free, unless requests are manifestly unfounded or excessive.

Data Breaches

While our security architecture makes breaches highly unlikely, we have comprehensive incident response procedures:
If a breach occurs:
1. Immediate containment and assessment.
2. Notification to you within 24 hours (faster than the 72-hour legal requirement).
3. Full investigation and detailed report.
4. Notification to ICO or relevant EU authority if required by law.
5. Implementation of additional safeguards to prevent recurrence
Your assurance: Our zero-access encryption architecture means even in the worst-case scenario of a server compromise, your encrypted files remain unreadable.

International Data Transfers

For most of our infrastructure: None.
Your data stays in the UK and Germany (EEA). We've deliberately chosen European providers to avoid the complexity and risks of international data transfers.
Exceptions:
Website hosting (Carrd, USA): Transient IP address processing only, safeguarded by UK Adequacy Decision for the EU-US Data Privacy Framework.
Payment processing (Stripe, USA): Payment data only, safeguarded by UK Adequacy Decision and Stripe's PCI DSS Level 1 certification.

Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect data from children. If you believe we've inadvertently collected data from a child, contact us immediately at [email protected].

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements.
How we'll notify you:
• Update the 'Last Updated' date at the top.
• For material changes: Email notification to clients and prominent notice on our website.
• Previous versions: Available upon request.
Your responsibility: Review this policy periodically. Continued use of our services after changes constitutes acceptance.

Complaints and Concerns

Talk to us first: If you're unhappy with how we've handled your personal data, please contact us at [email protected]. We take complaints seriously and will investigate thoroughly.
Escalate if needed: If you're not satisfied with our response, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
If you’re in the EU, you can escalate to your national data protection authority.

Legal Basis Summary

For transparency, here's a summary of our legal basis for processing:

Processing Activity | Legal Basis | Article 6(1) Reference
Website operation | Not applicable (no personal data collected) | N/A
Responding to enquiries | Legitimate Interest | (f)
Client services | Performance of Contract | (b)
Payment processing | Performance of Contract | (b)
Legal/financial record retention | Legal Obligation | (c)
Security and fraud prevention | Legitimate Interest | (f)

Questions?

Privacy inquiries: [email protected]
Data rights requests: [email protected]
Legal matters: [email protected]
General questions: [email protected]
We're here to help. Privacy is what we do.

Transparency Commitment

This policy is written to be understood by humans, not just lawyers. We've deliberately avoided:
• Unnecessarily complex legal jargon.
• Vague language that obscures our practices.
• Clauses that reserve excessive rights we don't need.
• Terms that require a law degree to interpret.
If anything is unclear, ask us. If we can't explain it simply, we shouldn't be doing it.

Building trust, one transparent policy at a time.
All Urvantis policies are maintained internally and version-controlled.
The most recent updates are listed at the top of each page.
© 2025 Urvantis Privacy Limited. All Rights Reserved.