Privacy policy.

The data controller is The Fig Group Limited, registered in England and Wales (Company No. 16845978), registered office 167–169 Great Portland Street, 5th Floor, London W1W 5PF. ICO registration number: ZC072182. Contact: enquiries@figgroup.co.uk.

For Cyber Essentials and related IASME certification services, the contracting entity is Fig Compliance Ltd (Company No. 16857592, VAT No. 506692774), as set out in the service terms. Platform delivery may be provided by Fig Technology Ltd (Company No. 16869280, VAT No. 508676562). The website and broader group operations are managed by The Fig Group Limited.

• The Fig Group Limited acts as controller for website operations, enquiries, analytics preferences, and marketing interactions.
• Fig Compliance Ltd acts as controller for Cyber Essentials and IASME certification delivery records, service administration, and contractual communications.
• Fig Technology Ltd may act as processor for platform service delivery on documented instructions from The Fig Group Limited and/or Fig Compliance Ltd.
• Where one entity processes data on behalf of the other, processing is restricted to documented service purposes and contract controls.

Rahul Kumar is Fig Group's Data Protection Officer. For all issues relating to the Data Protection Officer, customers should contact dpo@figgroup.co.uk.

• Contact and account data: name, email, phone, job title, organisation details.
• Service and certification data: assessment submissions, evidence, order and checkout context.
• Communication records: contact forms, support requests, and service correspondence.
• Technical data: security, anti-abuse, and optional analytics identifiers where consent is granted.

• Contract performance (Article 6(1)(b)): delivering certification and platform services.
• Legal obligation (Article 6(1)(c)): meeting regulatory and statutory recordkeeping requirements.
• Legitimate interests (Article 6(1)(f)): operating, securing, and improving services.
• Consent (Article 6(1)(a)): non-essential analytics and advertising cookies/tags.

Non-essential cookies and tags are blocked by default and only enabled after explicit consent. Consent can be withdrawn any time via “Cookie settings” in the footer. We retain consent records for 12 months.

• IASME: where required for Cyber Essentials scheme administration.
• Stripe: payment processing as an independent controller for payment data.
• Microsoft Azure: hosting and infrastructure operations.
• Google reCAPTCHA: anti-abuse verification on web forms.
• Trustpilot widget: optional third-party review embed only after optional consent.
• Google and Microsoft: only for optional analytics/advertising where consent is granted.

Where personal data is transferred outside the UK, we use lawful transfer safeguards such as adequacy regulations or International Data Transfer Agreement (IDTA) / SCC-based mechanisms as appropriate for the processor.

• Enquiry data: up to 24 months from last meaningful contact.
• Customer and contract records: contract term plus 6 years.
• Certification records: 6 years, aligned to scheme obligations.
• Consent records: 12 months from the latest consent action.

Under UK GDPR, you have rights to:

• Access your data.
• Rectify inaccurate data.
• Request erasure where applicable.
• Restrict or object to processing in applicable circumstances.
• Data portability.
• Withdraw consent for consent-based processing at any time.

To exercise rights, email enquiries@figgroup.co.uk. We aim to respond within one month.

If you are unhappy with how we process personal data, you can complain to the Information Commissioner’s Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

The Fig Group Limited ICO registration number is ZC072182.

This policy is reviewed at least annually and whenever material changes occur in processing, vendors, or applicable legal obligations. Version: v2026-04-26.