Privacy Policy

How we collect, use, and protect your personal information.

Last updated: 06/03/2026
Orion Data Analytics Ltd

1. Introduction and Scope

In simple terms: We take your privacy seriously and follow UK law to protect your personal information. This policy explains what data we collect and how we use it across our website, consulting services, assessment tools and software products.

This privacy policy applies to citizens and legal permanent residents of the United Kingdom and all individuals whose personal data is processed by Orion Data Analytics Ltd. It was last updated on 6 March 2026.

Orion Data Analytics Ltd (“we”, “our” or “us”) is committed to protecting your privacy and handling your personal information with transparency, integrity and care. This privacy policy explains how we collect, use, store and safeguard your personal information when you:

  • Visit our website at oriondata.co.uk (“Website”).
  • Complete any online assessment, quiz, diagnostic tool or calculator hosted on our Website, including our AI Maturity Assessment, Data Governance Checklist, AI Use Case Prioritisation Matrix, ROI Calculator or any similar interactive tool (“Assessment Tools”).
  • Engage with our consulting services in data analytics, artificial intelligence strategy, Microsoft Fabric, Power Platform and Azure cloud implementations.
  • Use any software application, assessment tool or analytics platform published by us, including any offers listed on the Microsoft Commercial Marketplace (“Marketplace Offers”).
  • Subscribe to our newsletter or marketing communications.
  • Interact with us in any other professional or commercial capacity.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data Use and Access Act 2025. We are registered with the Information Commissioner’s Office (ICO) under registration number C1591283.

2. Data Controller

In simple terms: We decide how your data is used. Our service providers (Cloudflare, MailerLite, Google, Microsoft) process it according to our instructions.

For the purposes of UK and EU data protection laws, Orion Data Analytics Ltd is the “data controller” of your personal information. Cloudflare, MailerLite, Google and Microsoft act as “data processors” and process your personal data on our behalf as described in this policy.

Orion Data Analytics Ltd
The Long Barn, Cobham Park Road, Cobham, Surrey, KT11 3NE, United Kingdom
Companies House Registration Number: 15464691
ICO Registration: C1591283
Email: enquiries@oriondata.co.uk
Telephone: +44 (0)7795 467 284
Website: oriondata.co.uk

Trading names: Orion Data, Orion, Orion Data Analytics.

3. Information We Collect

In simple terms: We collect information you give us (like your name and email), data from our assessment tools, and some technical information automatically (like your browser type and IP address).

3.1 Information You Provide Directly

  • Identity data such as your full name, professional title and company name, provided when you enquire about our services, subscribe to our newsletter, complete a contact form or register for a Marketplace Offer.
  • Contact data including your professional email address, telephone number and business address.
  • Assessment data including your responses, selections and input to our online Assessment Tools. This may include information about your organisation’s technology maturity, data governance practices, AI readiness, business priorities and infrastructure details that you voluntarily provide during the assessment process.
  • Contractual information required to deliver our consulting services, including project-related data shared during engagements under a separate Statement of Work or Data Processing Agreement.
  • Marketplace customer information shared with us by Microsoft when you purchase or subscribe to our Marketplace Offers, including your contact details and transaction information, as permitted under the Microsoft Publisher Agreement.

3.2 Information Collected Automatically

  • Technical data including your internet protocol (IP) address, browser type and version, time zone setting, operating system and platform, collected via server logs and analytics services.
  • Usage data such as pages visited, time spent on pages, navigation paths and referring URLs, collected through analytics cookies where you have provided consent.
  • Assessment analytics data including completion rates, time spent on assessment sections, result categories and aggregate scoring data from our Assessment Tools, used to improve assessment quality and relevance. Individual assessment results are not shared with third parties without your consent.
  • Security data including IP addresses, request timestamps and browser fingerprints, collected by Cloudflare for security and performance optimisation purposes.
  • Log file data including IP addresses, timestamps, HTTP request details and browser data, collected for security monitoring, service interruption detection and infrastructure performance analysis.
  • Application usage data from our software products and Marketplace Offers, including feature interaction patterns, error logs and performance metrics, collected to improve service delivery and product quality.

3.3 Information from Third Parties

We may receive information from publicly available sources such as Companies House, LinkedIn or industry directories to support our business development activities, always in accordance with applicable data protection legislation. We may also receive customer contact information from Microsoft in connection with Marketplace transactions, which we process solely for transactional purposes or to respond to customer enquiries about our offers.

4. Lawful Basis for Processing

In simple terms: We only use your data when we have a legal reason, such as your consent, a contract, a legitimate business interest or a legal obligation.

We process your personal information for the following purposes, each supported by a lawful basis under UK GDPR:

Purpose | Description | Lawful Basis
Service Delivery | To respond to enquiries, deliver consulting engagements, and provide data strategy, AI and cloud services. | Contractual necessity; Legitimate interest
Assessment Tools | To process your assessment responses, generate personalised results, recommendations and reports, and to improve the quality and relevance of our Assessment Tools. | Consent; Legitimate interest
Marketplace Fulfilment | To process subscriptions, deliver and support Marketplace Offers, and manage the customer relationship. | Contractual necessity
Marketing | To send newsletters, insights and updates via MailerLite where you have provided explicit consent. | Consent
Website Analytics | To monitor website performance and understand user behaviour using Google Analytics, only when you have accepted analytics cookies. | Consent
Security | To protect our website and infrastructure from malicious activity using Cloudflare and Microsoft Defender for Cloud. | Legitimate interest
Log File Analysis | To collect IP addresses, timestamps and browser data for security monitoring and service interruption detection. | Legitimate interest
Legal and Regulatory | To comply with legal obligations, regulatory requirements, court orders or governmental authority. | Legal obligation
Product Improvement | To analyse usage patterns and performance data from our software products and Assessment Tools to improve functionality. | Legitimate interest

5. Microsoft Cloud Services and Data Hosting

In simple terms: We use Microsoft Azure and Microsoft 365 to host our applications and data. Your information is protected by enterprise-grade security and primarily stored in UK data centres.

Orion Data Analytics Ltd utilises Microsoft Azure and Microsoft 365 cloud computing platforms to host our applications, store professional data and deliver our consulting services and software products. As a result, your personal information may be processed by Microsoft Corporation as a sub-processor on our behalf. These services are essential for providing our data analytics, artificial intelligence and cloud solutions, and for ensuring high levels of security, availability and compliance.

5.1 Data Residency

Our primary data residency is within the United Kingdom (UK South region). All Azure resources provisioned for our products and consulting engagements default to UK South unless a specific client requirement dictates otherwise.

5.2 International Data Transfers

The use of Microsoft’s global infrastructure may involve the transfer of data to servers located outside the United Kingdom or the European Economic Area. In such instances, we rely on the following safeguards to ensure your information receives a level of protection equivalent to that provided under UK data protection law:

  • Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office.
  • The UK Extension to the EU–US Data Privacy Framework, where applicable.
  • Adequacy decisions issued by the UK Secretary of State, where the receiving country has been assessed as providing an adequate level of data protection.
  • Binding Corporate Rules, where adopted by the receiving organisation.
  • Microsoft’s Data Protection Addendum (DPA), which contractually commits Microsoft to comprehensive data protection standards.

You may request further information about the safeguards we apply to international transfers by contacting us at the details provided in Section 19.

5.3 Technical and Organisational Security Measures

In alignment with Microsoft’s security standards and the Microsoft Cloud Security Benchmark, we implement comprehensive technical and organisational measures to protect your data from unauthorised access or manipulation. These include:

  • Multi-factor authentication (MFA) enforced across all administrative and user accounts via Microsoft Entra ID Conditional Access policies.
  • Advanced encryption for data at rest (AES-256) and data in transit (TLS 1.2 or higher) across all systems and communications.
  • Role-based access control (RBAC) ensuring that access to personal data is limited to authorised personnel with a legitimate business need.
  • Continuous security monitoring through Microsoft Defender for Cloud, with automated threat detection and incident alerting.
  • Regular security assessments, vulnerability scanning and penetration testing of our infrastructure.
  • Secure development practices aligned with the Microsoft Security Development Lifecycle (SDL) and OWASP guidelines.
  • Cloudflare Web Application Firewall (WAF) and DDoS protection for our public-facing web infrastructure.
  • Data loss prevention (DLP) policies applied across Microsoft 365 to prevent unauthorised data exfiltration.
  • A minimum Partner Centre Security Score of 80 or above, maintained and monitored as part of our ongoing Microsoft partnership compliance.

6. Artificial Intelligence and Automated Processing

In simple terms: Our tools may use AI to generate insights and recommendations. These systems assist decision-making but do not make significant decisions about you without human oversight.

In line with current regulatory standards and our commitment to transparency, we disclose that our analytics platform, consulting deliverables, Assessment Tools and Marketplace Offers may utilise Artificial Intelligence (AI) and automated processing to generate insights from provided datasets. This includes the use of Azure OpenAI Service, machine learning models and AI-powered assessment and diagnostic tools.

These systems are designed to assist professional decision-making and do not produce legal or similarly significant effects on individuals without human oversight. We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you without human intervention.

You have the right to request a manual review of any automated output that affects your professional standing. To exercise this right, please contact us using the details in Section 19.

Where our AI systems process personal data, we apply the following safeguards:

  • All AI processing is conducted within Microsoft Azure’s secure infrastructure, subject to the same data residency and encryption standards described in Section 5.
  • We apply the principles of data minimisation, ensuring that AI systems process only the data necessary for the intended purpose.
  • Human oversight is maintained for all AI-generated outputs that inform consequential business decisions.
  • We conduct regular reviews of AI system outputs for accuracy, bias and fairness, in alignment with Microsoft’s Responsible AI principles.

7. Third-Party Service Providers and Data Processors

In simple terms: We only share your data with trusted partners who help us run our website and services. We never sell your data.

We share your personal data only with trusted service providers who process data on our behalf under appropriate contractual safeguards, including data processing agreements. We do not sell your personal information to any third party.

7.1 Cloudflare

Our website is hosted and protected by Cloudflare. Cloudflare acts as a data processor on our behalf and processes the following data to ensure the security, stability and performance of our platform:

  • Your IP address, for the purpose of routing requests and preventing malicious activity.
  • HTTP request headers, including browser type, referring URL and request timestamps.
  • Browser fingerprint data used for bot detection and DDoS mitigation.
  • TLS connection metadata for encrypted communication.

Cloudflare may set essential cookies for security purposes regardless of your cookie preferences. These cookies are strictly necessary for the legitimate purpose of enabling the use of our Website and ensuring protection against cyberattacks. Cloudflare’s data processing is governed by their Data Processing Addendum and their infrastructure operates across a global network, which may involve processing in locations outside the UK. We rely on the safeguards described in Section 5.2 for such transfers.

7.2 MailerLite

We use MailerLite to manage our newsletter subscriptions and email marketing communications. MailerLite processes the following data only where you have provided explicit consent:

  • Your email address and name, provided when you subscribe to our newsletter.
  • Email engagement data including open rates, click-through rates and subscription preferences.
  • Technical data such as your IP address and browser type at the time of subscription and engagement.

MailerLite may set cookies in connection with newsletter sign-up forms embedded on our Website where you have consented. You may unsubscribe from our marketing communications at any time by clicking the unsubscribe link in any email or by contacting us directly. Upon unsubscription, your data is deleted from MailerLite within 30 days.

7.3 Google Analytics

We use Google Analytics to understand how visitors interact with our Website. This service is only activated when you have accepted analytics cookies via our cookie consent banner. Data collected includes anonymised usage statistics, page views and navigation paths. We have concluded a data processing agreement with Google. We block the inclusion of full IP addresses.

7.4 Microsoft

Microsoft acts as a sub-processor for our consulting services, Assessment Tools and software products hosted on Azure and Microsoft 365. Microsoft also facilitates transactions for our Marketplace Offers and may share customer contact information with us in accordance with the Microsoft Publisher Agreement. We process such information solely for transactional purposes or to respond to customer enquiries.

7.5 Legal Disclosure

We may disclose your personal information where required to do so by law, regulation, court order or governmental authority, or where disclosure is necessary to protect our rights, safety or property, or the rights, safety or property of others. If our business or organisation is acquired, merged or sold, your details may be disclosed to our advisers and any prospective purchasers and will be passed on to the new owners.

8. Microsoft Marketplace Offers

In simple terms: If you purchase our products through the Microsoft Marketplace, additional privacy terms apply to how your data is handled.

Where we publish software products, assessment tools or services on the Microsoft Commercial Marketplace (AppSource or Azure Marketplace), additional privacy provisions apply:

  • Marketplace customer contact information provided to us by Microsoft is used solely for transactional purposes or to respond to customer enquiries about our offers. We do not use this information to direct customers to purchase offers on competing marketplaces.
  • You may be required to agree to our End User Licence Agreement (EULA) or terms of service in addition to this privacy policy when subscribing to a Marketplace Offer.
  • Data processed through Marketplace Offers is subject to the same technical and organisational security measures described in Section 5 of this policy.
  • We are responsible for informing customers of this privacy policy in connection with Marketplace Offers and for ensuring that our data processing complies with all applicable data protection legislation.
  • The privacy policy URL submitted to the Marketplace listing corresponds to the live version of this policy at oriondata.co.uk/privacy-policy.

9. Assessment Tools and Quiz Data

In simple terms: When you use our online assessments and quizzes, we process your responses to generate your results. We don't share your individual results without your consent.

Our Website hosts interactive Assessment Tools including the AI Maturity Assessment, Data Governance Checklist, AI Use Case Prioritisation Matrix, ROI Calculator and other diagnostic or benchmarking tools. When you use these tools:

  • Your assessment responses and input data are processed to generate personalised results, recommendations and reports.
  • If you provide your email address to receive your results, that address is processed for the sole purpose of delivering your assessment report. It is not added to our marketing list without your separate, explicit consent.
  • Aggregate and anonymised assessment data (such as average scores, common maturity levels and sector-level trends) may be used to improve our Assessment Tools and to produce industry benchmarking content. This aggregate data cannot be used to identify you.
  • Assessment results are not shared with any third party without your explicit consent.
  • Where an Assessment Tool uses AI or automated scoring to generate results, this is disclosed within the tool itself and the safeguards described in Section 6 apply.

10. Data Processing During Consulting Engagements

In simple terms: When we deliver consulting services, we may access your organisation's data. This is governed by a separate agreement and we only access what's needed.

In the course of delivering our consulting services in data analytics, artificial intelligence strategy, Microsoft Fabric, Power Platform and Azure cloud implementations, we may process personal data belonging to our clients or their employees.

Where we act as a data processor on behalf of a client, the terms of data processing are governed by a separate Data Processing Agreement (DPA) or Statement of Work (SOW), which defines the scope, purpose and duration of processing, as well as the technical and organisational measures applied.

Client data processed during engagements is handled in accordance with the principle of data minimisation. We access only the data necessary to deliver the agreed services, and we do not retain client data beyond the duration required by the engagement unless otherwise agreed in writing.

11. Cookies and Tracking Technologies

In simple terms: We use a cookie consent banner. Essential security cookies are always active. Analytics and marketing cookies only activate after you accept.

Our Website uses a cookie consent banner so you can choose whether to allow non-essential cookies. We categorise cookies as follows:

  • Essential (Functional) cookies: Set by Cloudflare for security and performance. These are always active and do not require your consent, as they are strictly necessary for the legitimate purpose of enabling the use of our Website. Cloudflare may set cookies such as __cf_bm and cf_clearance for bot management and security challenge purposes.
  • Preference cookies: Used to store settings and preferences that are not requested by default. These require your consent.
  • Statistics (Analytics) cookies: Set by Google Analytics to help us understand how visitors use our site. These are only activated after you have provided consent by clicking “Accept All” on our cookie consent banner. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
  • Marketing cookies: Set by MailerLite in connection with newsletter sign-up and marketing, where you have provided consent. These may be used to create user profiles for the purpose of sending relevant communications.

You can manage or withdraw your cookie preferences at any time through our cookie consent banner or by adjusting your browser settings. For third-party cookies, you may need to follow the opt-out instructions provided by the respective third-party services. Please refer to our Cookie Policy for full details about the types of cookies we use and how to manage them.

12. Data Retention and Deletion

In simple terms: We only keep your data for as long as we need it. You can request deletion at any time.

We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

Data Category | Retention Period | Basis
Client engagement data | Duration of engagement plus six years. | HMRC and contractual requirements.
Marketplace subscription data | Duration of the subscription plus a 90-day grace period for data portability. | Contractual necessity.
Assessment Tool data | Individual results retained for 12 months. Anonymised aggregate data retained indefinitely. | Legitimate interest.
Marketing data | Until you withdraw consent or unsubscribe. Deleted within 30 days of withdrawal. | Consent.
Website analytics data | Maximum of 26 months. | Google Analytics default retention.
Security log data | Maximum of 12 months. | Legitimate interest in security monitoring.
Enquiry data | 24 months from last interaction. Securely deleted if no engagement results. | Legitimate interest.
Application usage data | Maximum of 24 months in anonymised form. | Legitimate interest in product improvement.

When personal data is no longer required, it is securely deleted or anonymised in accordance with our data retention schedule. Deletion is confirmed once the legitimate interest or service provision ends.

You have the right to request the permanent erasure of your data from our systems and, where technically feasible, from our sub-processors’ environments. We will process such requests within one calendar month, provided there is no overriding legal or contractual requirement to retain the information.

13. Your Legal Rights

In simple terms: You have control over your personal data. You can ask to see it, correct it, delete it, transfer it or object to its use.

Under the UK General Data Protection Regulation, the Data Protection Act 2018 and the Data Use and Access Act 2025, you have the following rights in relation to your personal data:

  • Right of access: You may submit a Subject Access Request to obtain a copy of the personal data we hold about you, and to know why it is needed, what will happen to it, and how long it will be retained for.
  • Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
  • Right to erasure (Right to be Forgotten): You may request that we delete your personal data where there is no compelling reason for us to continue processing it.
  • Right to restrict processing: You may request that we limit the processing of your personal data in certain circumstances.
  • Right to data portability: You may request that we provide your personal data in a structured, commonly used and machine-readable format, or transfer it to another controller.
  • Right to object: You may object to the processing of your personal data where we rely on legitimate interest as the lawful basis.
  • Right to withdraw consent: Where we process your data based on consent, you have the right to revoke that consent at any time and to have your personal data deleted.
  • Rights related to automated decision-making: You have the right to request a manual review of any automated output that affects your professional standing.

To exercise any of these rights, please contact us at privacy@oriondata.co.uk or enquiries@oriondata.co.uk. We will respond within one calendar month of receiving your request, or as required by applicable law. Please ensure you clearly state who you are so that we can verify your identity.

14. Submitting a Complaint

In simple terms: If you're not happy with how we handle your data, you can complain to the Information Commissioner's Office (ICO).

If you are not satisfied with how we handle your personal data or your complaint about our processing practices, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Report a concern: ico.org.uk/make-a-complaint

15. Data Protection Lead and Privacy Contact

In simple terms: Our Data Protection Lead oversees compliance with this policy. Contact privacy@oriondata.co.uk for any privacy-related questions.

Our Data Protection Lead is responsible for overseeing compliance with this privacy policy and applicable data protection legislation.

Data Protection Lead: Sibylle Moller-Sherwood, Director
Privacy contact email: privacy@oriondata.co.uk
General enquiries: enquiries@oriondata.co.uk

This is the designated privacy contact for the purposes of Microsoft Entra ID tenant configuration and Microsoft Partner Centre compliance.

16. Children’s Privacy

In simple terms: Our services are for professionals and businesses. We do not knowingly collect data from children.

Our website and services are not designed to attract children and it is not our intent to collect personal data from children under the age of consent in their country of residence. We therefore request that children under the age of consent do not submit any personal data to us. If we become aware that we have inadvertently collected personal data from a child, we will take immediate steps to delete that information.

17. Third-Party Websites

In simple terms: We may link to other websites. We're not responsible for their privacy practices, so please check their policies.

Our Website and Marketplace Offers may contain links to external websites operated by third parties. This privacy policy does not apply to those third-party websites. We cannot guarantee that these third parties handle your personal data in a reliable or secure manner and recommend that you read the privacy statements of those websites prior to making use of them.

18. Changes to This Privacy Policy

In simple terms: We may update this policy from time to time. The latest version is always available on this page.

We reserve the right to make amendments to this privacy policy from time to time to reflect changes in our practices, legal requirements or business operations. It is recommended that you consult this privacy policy regularly to be aware of any changes. In addition, we will actively inform you wherever possible. The latest version will always be available on our Website with the effective date clearly stated.

19. Contact Us

In simple terms: Get in touch with any privacy questions using the details below.

For questions about this privacy policy, to exercise your data protection rights, or for any privacy-related enquiry, please contact us:

Orion Data Analytics Ltd
The Long Barn
Cobham Park Road
Cobham
Surrey
KT11 3NE
United Kingdom
ICO Registration C1591283

You can also file a complaint with the ICO at www.ico.org.uk.
