Skip to content

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 21 March 2026

The Fig Group Limited ("Fig", "we", "us") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller

The Fig Group Limited, registered at 167-169 Great Portland Street, London, W1W 5PF. For data protection enquiries, contact: enquiries@figgroup.co.uk

What We Collect

We collect the following categories of personal data:

  • Contact information: name, email address, phone number, company name, and job title - provided when you request a demo, purchase certification, or contact us.
  • Enquiry content: any message content you include in contact forms.
  • Technical data: IP address, browser type, and pages visited - collected automatically through essential cookies.
  • Certification data: information submitted as part of Cyber Essentials assessments, including organisational details and control evidence.

Lawful Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract performance (Article 6(1)(b)): to deliver certification services, provide platform access, and fulfil our contractual obligations.
  • Legitimate interests (Article 6(1)(f)): to respond to enquiries, improve our services, and send relevant communications about our products. You can object to this processing at any time.
  • Legal obligation (Article 6(1)(c)): to comply with regulatory requirements, including IASME certification obligations.

How We Use Your Data

We use your personal data to:

  • Respond to enquiries and provide requested information.
  • Deliver Cyber Essentials certification and compliance services.
  • Provide and maintain platform access.
  • Send relevant communications about our products and services.
  • Improve our website and services.

We do not sell your personal data to third parties.

Data Sharing

We may share your data with:

  • IASME: as required for Cyber Essentials certification processing.
  • Payment processors: Stripe processes payment data for certification purchases. Stripe acts as an independent data controller for payment information.
  • Hosting providers: our infrastructure is hosted on Microsoft Azure (UK data centres).

International Transfers

Your data is primarily stored and processed in the United Kingdom. Where data is transferred outside the UK (for example, to service providers), we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements or adequacy decisions.

Data Retention

We retain your personal data for the following periods:

  • Enquiry data: 24 months from last contact, unless a business relationship is established.
  • Customer data: for the duration of the business relationship plus 6 years, as required for legal and regulatory purposes.
  • Certification records: 6 years from the date of certification, in line with IASME requirements.
  • Technical data: 12 months.

After these periods, data is securely deleted or anonymised.

Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data (Subject Access Request).
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), where there is no legal basis for continued processing.
  • Restrict processing in certain circumstances.
  • Port your data to another provider in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, contact enquiries@figgroup.co.uk. We will respond within one month.

Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Cookies

We use essential cookies only, required for the website to function correctly. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required as we only use strictly necessary cookies.

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.