Konve Ltd · Legal & Compliance
Privacy Policy
How Konve Ltd collects, uses, and protects your personal information.
This Privacy Policy explains how Konve Ltd (“Konve”, “we”, “us”, “our”) collects, uses, stores, and shares your personal data when you interact with our website at konvegroup.com or engage any of our services across Konve Advisory, Konve IT, Konve People, Konve Shop, and the forthcoming Konve Legal. We are committed to handling your personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. Please read this policy carefully.
At a glance
Data Controller: Konve Ltd
Company No.: 15826814
ICO Registration No.: [ICO Registration Number]
Data Protection Contact: privacy@konvegroup.com
Lawful Bases Used: Contract, Legitimate interests, Legal obligation, Consent
Standard Retention: 7 years (client files); 2 years post-opt-out (marketing)
International Transfers: UK processors only; no routine transfers outside the UK
Automated Decision-Making: EquHire services use AI-assisted generation; no solely automated decisions with legal effect
Konve Ltd is a professional practice registered in England and Wales providing technology, compliance, governance, and people-focused services to businesses and individuals across the United Kingdom. The practice operates across four active service lines — Konve Advisory, Konve IT, Konve People, and Konve Shop — and is preparing to open Konve Legal as an authorised legal practice upon the principal’s qualification as a solicitor.
As the data controller for the purposes of the UK GDPR, Konve Ltd determines how and why your personal data is processed. Where we engage third-party suppliers or sub-processors who process data on our behalf, they do so only under written data processing agreements that impose equivalent obligations to those we hold ourselves.
| Detail | Information |
|---|---|
| Legal entity | Konve Ltd |
| Company registration | England and Wales, No. 15826814 |
| Registered address | 7 Mells Crescent, SE9 4NF, London, UK |
| ICO registration number | To be confirmed |
| Data Protection contact | privacy@konvegroup.com |
| General enquiries | hello@konvegroup.com |
| Website | konvegroup.com |
We collect different categories of personal data depending on how you interact with us and which service line you engage. The categories below describe the full scope of what we may hold across all of our services:
| Category | Examples | Collected when |
|---|---|---|
| Identity data | Full name, job title, organisation name | Enquiry, purchase, or client onboarding |
| Contact data | Email address, telephone number, postal address | Enquiry, purchase, or client onboarding |
| Engagement data | Details of your technology environment, compliance obligations, governance requirements, or business context shared in connection with an advisory or IT engagement | During service delivery (Advisory, IT) |
| Employment and legal data | Job application details, employer names, recruitment correspondence, Employment Tribunal case references, application outcome information | EquHire and McKenzie Friend services (People) |
| Financial data | Billing address, invoice records, transaction records. Card data is processed solely by our payment processor; Konve does not store card numbers or bank details. | When you purchase any service or product |
| Account data | Username, hashed password, purchase history, generated correspondence accessible via your account portal | When you create an account on konvegroup.com |
| Communications data | Emails, enquiry form submissions, call notes, and any written correspondence between you and Konve | Throughout any interaction with us |
| Technical and usage data | IP address, browser type and version, pages visited, session duration, referring URL, device type | Automatically when you use our website |
| Marketing preference data | Opt-in or opt-out status for marketing communications, subscription preferences | At point of purchase or via website |
| Special category data | Health information, disability status, or other sensitive characteristics that may be relevant to an Employment Tribunal matter supported through McKenzie Friend services | Only where strictly necessary — see notice below |
⚠ Special Category Data — Article 9 UK GDPR
Employment Tribunal matters supported through Konve People (McKenzie Friend services) may, by their nature, involve sensitive personal data relating to protected characteristics, health, or similar matters. We process such data only where strictly necessary for the service and where we have either your explicit written consent or another lawful basis under Article 9(2) UK GDPR. You may withdraw consent at any time without affecting the lawfulness of prior processing.
We collect personal data through the following channels:
- Directly from you — when you complete an enquiry or contact form on our website; when you arrange or attend an introductory call; when you purchase a service or product from Konve IT, Konve People, or Konve Shop; when you create an account on konvegroup.com; when you provide documents or information in connection with an Advisory, IT, People, or Shop engagement; or when you correspond with us by email or other means.
- Via your use of EquHire — when you complete a questionnaire through the EquHire portal in connection with a DSAR submission, automated decision challenge, recruitment agency follow-up, or formal feedback request, we collect the information you provide in order to generate personalised correspondence on your behalf.
- Through your account portal — when you register and log in to your account on konvegroup.com, we collect account credentials and store the correspondence generated for you through EquHire services.
- Automatically — when you visit our website, we collect standard technical and usage data through cookies and similar technologies. Please see Section 11 for full details of our cookie practices.
- From referral partners — where a third party (such as a professional association, trade union, or legal support network) refers you to Konve, we collect only the information provided as part of that referral and only where you have consented to the referral being made.
The UK GDPR requires us to identify a lawful basis for each purpose for which we process your personal data. The table below sets out our purposes and the corresponding lawful bases across all service lines.
| Purpose | Description | Lawful Basis (UK GDPR Art. 6) |
|---|---|---|
| Delivering contracted services | Providing Advisory retainers (Fractional DPO, Fractional CTO, ISO 27001, Governance Advisory), IT services (Microsoft 365, Azure, Intune, Cyber Essentials, Email Security), People services (EquHire, McKenzie Friend), and Shop procurement | Art. 6(1)(b) — performance of a contract |
| Client onboarding and account management | Processing enquiries, arranging introductory calls, setting up client records, and managing your account on konvegroup.com | Art. 6(1)(b) — performance of a contract |
| Processing payments | Processing fees, issuing invoices, managing refunds, and maintaining billing records for all service lines | Art. 6(1)(b) — performance of a contract |
| Legal and regulatory compliance | Compliance with data protection law, tax and accounting obligations, anti-money laundering obligations, and any court or regulatory order requiring disclosure | Art. 6(1)(c) — legal obligation |
| Service quality and practice management | Maintaining records of engagements, managing complaints, conducting quality review of work product, and supervising AI-assisted output under the Konve operating model | Art. 6(1)(f) — legitimate interests |
| Business development and administration | Managing the client relationship, maintaining accounting records, general business operations, and professional indemnity insurance claims handling | Art. 6(1)(f) — legitimate interests |
| Security and access control | Protecting our systems, client data, and website from unauthorised access, abuse, and security incidents | Art. 6(1)(f) — legitimate interests |
| Marketing communications | Sending updates about our services, insight content, regulatory alerts, and new offerings to individuals who have opted in | Art. 6(1)(a) — consent (withdraw any time) |
| Website analytics | Understanding how visitors navigate konvegroup.com in order to improve the site and our services | Art. 6(1)(a) — consent (via cookie preference) |
| EquHire AI-assisted correspondence generation | Using the information you provide in questionnaires to generate personalised correspondence through AI-assisted tools under our supervision. The output is reviewed before delivery; no purely automated decision with legal effect is made about you. | Art. 6(1)(b) — performance of a contract |
Where we rely on legitimate interests as our lawful basis, we have conducted a balancing test to confirm that our interests do not override your rights and freedoms. You may request a copy of any legitimate interests assessment by writing to privacy@konvegroup.com.
We share your personal data only where necessary and only on a need-to-know basis. We do not sell, rent, or trade your personal data to any third party for their own commercial purposes.
| Recipient | Reason for sharing |
|---|---|
| Cloud infrastructure and storage providers | Secure storage of client files, account data, and operational records. Providers are contractually bound by data processing agreements and operate within the UK or EEA, or are subject to appropriate transfer safeguards. |
| Payment processor (e.g. Stripe, WooCommerce Payments) | Processing payments for services and Shop purchases. Card data is handled exclusively by the processor; Konve does not receive or store card numbers. Processors are PCI-DSS certified. |
| AI platform providers (supervised generation) | The Konve operating model uses AI platforms to assist in the production of work product, correspondence generation (including EquHire), and document drafting. All AI-assisted output is reviewed by the principal before delivery. Providers are bound by data processing agreements. No personal data is used to train third-party models. |
| Website and CRM platform (WordPress / WooCommerce) | Hosting and managing konvegroup.com, the client account portal, and EquHire purchase and delivery workflows. |
| Email delivery provider | Sending transactional emails (purchase confirmations, account notifications) and, where consented, marketing communications. |
| Professional indemnity insurer | Managing any claim made against our professional indemnity insurance policy. The insurer is bound by its own data protection obligations. |
| Legal and professional advisers | Our solicitors, accountants, or auditors where necessary for legal or regulatory purposes. All are subject to professional confidentiality duties. |
| Regulatory and public authorities | Where required by law, court order, or legitimate regulatory enquiry. We will notify you where it is lawful to do so. |
| Business successors | In the event that Konve Ltd is subject to a merger, acquisition, or restructuring, your data may transfer to the successor entity. You will be notified in advance and, where required, your consent will be sought. |
The Konve operating model is built around the supervised use of AI to extend the capacity of a qualified senior practitioner. This means that some of our work product — including correspondence generated through EquHire services and first-pass review of documentation in Advisory and IT engagements — is produced or assisted by AI systems before being reviewed and approved by the principal.
ⓘ Our position on automated decisions
Konve does not make solely automated decisions about you that produce legal or similarly significant effects in the sense of Article 22 UK GDPR. All AI-generated output is reviewed by a qualified human practitioner before delivery. Where you use EquHire to exercise your rights under data protection law against a third party, the correspondence is generated for your use — Konve is not making a decision about you; we are assisting you in asserting your own rights.
If you have any questions about how AI is used in connection with your engagement, or if you wish to request human review of any work product, please contact us at privacy@konvegroup.com.
Personal data provided through EquHire questionnaires is used solely to generate the correspondence you have purchased. It is not used to train AI models, build profiles, or make inferences about you beyond the immediate delivery of the service. Questionnaire data is retained in your account for the period described in Section 8.
Our primary processing and storage of personal data takes place within the United Kingdom. Where we engage cloud or AI platform providers whose servers are located outside the UK, we ensure that any international transfer is protected by an appropriate safeguard, including:
- An adequacy decision made by the UK Secretary of State in respect of the recipient country; or
- A UK International Data Transfer Agreement (IDTA) or equivalent contractual clauses approved for use under UK law.
You may request information about the specific safeguards in place for any international transfer by writing to privacy@konvegroup.com. We will update this policy and notify existing clients in advance of any material change to our transfer arrangements.
We retain personal data only for as long as is necessary for the purpose for which it was collected, taking into account our legal obligations, the limitation periods applicable to any potential dispute, and good record-keeping practice. Our standard retention periods are set out below.
| Data type | Retention period and rationale |
|---|---|
| Advisory and IT engagement files (documents, correspondence, deliverables, work product) | 7 years from conclusion of the engagement, consistent with the limitation period under the Limitation Act 1980 and standard professional services practice. |
| McKenzie Friend and People engagement files | 7 years from conclusion of the engagement. Special category data within these files is reviewed at file closure and deleted where no longer required. |
| Financial and accounting records (invoices, payment records, contracts) | 7 years from the end of the relevant financial year, in accordance with HMRC requirements for business accounting records. |
| EquHire account data and generated correspondence | Retained in your account for 2 years from the date of purchase, after which you will be notified and given the opportunity to export your correspondence before deletion. Account credentials are deleted upon account closure. |
| Enquiries and pre-engagement correspondence (where no engagement follows) | 12 months from the last interaction, then deleted unless you have consented to marketing communications. |
| Complaints records | 7 years from resolution of the complaint. |
| Marketing consent records and email list | For as long as you remain subscribed, plus 2 years after opt-out (to maintain a suppression record and prevent inadvertent re-subscription). |
| Website analytics data | 26 months, after which it is anonymised or deleted. |
| Job applicant data (unsuccessful applicants) | 12 months from the date of the decision, then deleted unless you consent to retention for future opportunities. |
At the end of any applicable retention period, personal data is securely deleted or rendered permanently anonymous. You may request early deletion of your data, subject to the limitations described in Section 9.
You have the following rights in relation to your personal data under the UK GDPR and the Data Protection Act 2018. These rights are not absolute — some are subject to conditions and exemptions — but we will always respond promptly and explain our position clearly where we are unable to comply in full.
✓ How to exercise your rights
Please submit a written request by email to privacy@konvegroup.com or by post to our registered address, including your full name, contact details, and a description of the right you wish to exercise. We will acknowledge receipt within 5 working days and respond fully within one calendar month. This period may be extended by a further two months for complex or numerous requests, in which case we will notify you before the initial period expires.
The security of your personal data is of fundamental importance to us. Given the nature of our engagements — which regularly involve confidential business information, compliance data, and sensitive employment matters — we apply a standard of security informed by both the CISSP and our work delivering Cyber Essentials and Microsoft security certifications to our clients. Our measures include:
- All client and engagement data is stored on encrypted cloud infrastructure with access controls restricted to authorised personnel on a need-to-know basis.
- Access to systems holding personal data requires strong authentication, including multi-factor authentication (MFA) across all platforms.
- Sensitive client correspondence is conducted via encrypted channels. We do not transmit sensitive documents through unencrypted email.
- AI platforms used in service delivery are engaged under data processing agreements that prohibit use of client data for model training or any purpose outside the contracted service.
- We maintain an internal information security policy and conduct periodic reviews of our security controls, consistent with the standards we advise our clients to adopt.
- In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and will notify affected individuals without undue delay, in accordance with our obligations under Article 33 and 34 UK GDPR.
No method of electronic transmission or storage is entirely without risk. If you have a security concern relating to your personal data, please contact us immediately at privacy@konvegroup.com.
Our website uses cookies and similar tracking technologies to enable core functionality, improve your experience, and, where you consent, to help us understand how visitors use the site. A cookie is a small data file stored on your device by your browser.
| Cookie type | Purpose and lawful basis |
|---|---|
| Strictly necessary | Essential for the website to function: session management, security tokens, shopping cart persistence, and account login. These cookies cannot be disabled without disrupting core functionality. Lawful basis: legitimate interests. |
| Functional | Remember your preferences, such as cookie banner settings and account display options. Lawful basis: consent. |
| Analytics and performance | Collect anonymised data about how visitors navigate and interact with the site (pages visited, session duration, referral source). We use this data to improve the site and our services. Lawful basis: consent. |
| Marketing and targeting | Not currently deployed on konvegroup.com. If marketing cookies are introduced in future, we will update this policy and obtain your consent before setting them. |
You can manage or withdraw your cookie consent at any time through the cookie preference centre accessible from the banner on our website, or through your browser settings. For more information about cookies and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.
Our website may use third-party pixels or tracking scripts (including Meta Pixel) for the purpose of analytics. These are subject to your cookie consent and are governed by the respective third-party privacy policies.
Our website and our communications may contain links to third-party websites, including government and regulatory portals (GOV.UK, ICO, HMCTS), professional bodies, and partner organisations. This Privacy Policy does not apply to those websites. We have no control over, and accept no responsibility for, the data practices of third-party websites. We encourage you to read the privacy notice of any external site you visit via a link from our website.
Our services are directed at and provided to adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you believe that we have inadvertently collected personal data from a child, please contact us at privacy@konvegroup.com and we will delete it promptly.
Where a McKenzie Friend engagement involves proceedings in which a child is a subject (for example, Employment Tribunal matters with a family-related dimension), any incidental reference to a child within the case file is processed only as necessary for service delivery, treated with the highest degree of confidentiality, and not used for any other purpose.
We hope to resolve any concern about our use of your personal data quickly and informally. If you are unhappy with how we have handled your information, please contact us in the first instance:
By email
We will acknowledge within 5 working days and aim to resolve within one calendar month.
By post
Data Protection Contact
Konve Ltd
[Registered Address]
England
Information Commissioner’s Office (ICO)
If you are not satisfied with our response, or consider that we are processing your personal data unlawfully, you have the right to lodge a complaint with the ICO — the UK’s independent supervisory authority for data protection. There is no charge to make a complaint to the ICO.
Website: www.ico.org.uk ·
Helpline: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We may update this Privacy Policy from time to time to reflect changes in our data practices, the law, or our services. The version number and effective date at the top of this document will always indicate the current version.
Where a change is material — for example, a new processing purpose, a new category of data collected, or a new category of third-party recipient — we will notify active clients and account holders by email at least 30 days before the change takes effect. For minor or administrative updates, we will update this policy on our website without separate notification.
The current version of this Privacy Policy is always available at konvegroup.com/privacy. Continued use of our services or website after the effective date of a material change constitutes your acknowledgement of the updated policy.
Document control