Privacy Notice

Ordonis Limited · Version 1.1 · 9 July 2026

Who we are

Ordonis Limited ("Ordonis", "we", "us") is the data controller for the personal data described in this notice.

Contact for data protection: privacy@ordonis.com
Company details: registered office, company number and VAT number are on our Legal & Terms page

Ordonis is registered with the Information Commissioner's Office (ICO). Registration reference: ZC176318.

What this notice covers

Ordonis is an independent cyber risk advisory practice working with firms and their boards, principally in regulated financial services. We do not sell personal data, and we do not use it for automated decision-making or profiling.

The personal data we process, and why

We hold a limited amount of personal data to run the practice and deliver our work: business and client contact details; individuals named in materials a client asks us to review (for example directors and executives); contacts at our suppliers and professional advisers; billing and payment records; and enquiries people send us. We use it to develop and manage professional relationships, deliver the engagements we are retained for, meet our legal, accounting and tax obligations, and respond to you. Depending on the data, we rely on legitimate interests (running and developing the practice), the performance of a contract, or a legal obligation. Where we rely on legitimate interests, we have satisfied ourselves that this does not override your rights, and you can ask us for more detail.

Information we receive about you from others

For some engagements, a client asks us to review documents that name individuals, such as board members or senior executives. We receive that information from the client, not from you, and use it only for that work. We treat it as confidential and keep it only as long as the engagement and our professional obligations require. Where the law requires individuals to be told we hold information about them, that is ordinarily done by the client through its own privacy information; in limited cases an exemption applies, such as where telling you directly would be impossible or disproportionate, or the information is confidential.

Who we share it with

We use a small number of trusted service providers who help us run the practice and who process personal data only under contract and on our instructions. We share personal data with the following categories of recipient:

We can tell you the specific providers we use on request.

Storing and transferring data outside the UK

Some of our providers are based in, or process data in, the United States or other countries outside the UK. Where personal data is transferred outside the UK, we rely on the safeguards those providers have in place, such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, so that your data continues to be protected.

How long we keep it

We keep personal data only as long as we need it for the purpose we collected it, and to meet our legal and professional obligations. Our retention periods are set out in our retention schedule and summarised on request. In general, prospect contact details are reviewed and deleted if a relationship does not develop, client engagement records are kept for the period in which a claim could be made, and accounting records are kept for six years.

How we protect it

We apply technical and organisational security measures appropriate to the data, including access controls, multi-factor authentication, encryption, and managed, backed-up systems.

Cookies and analytics

Our website does not use cookies, and it does not track you or build a profile of you. We use privacy-friendly, server-side analytics provided by our website host to understand how the site is used, for example which pages are visited. This is measured from our server's own logs and produces aggregate statistics only. It sets no cookies, does not follow you across other websites, and is not used to identify you, so no cookie banner or consent is required. The data processed includes IP addresses; we rely on our legitimate interest in understanding and improving the site, and our host processes this data as our provider, under the transfer safeguards described above.

Your rights

You have the right to ask us to: give you a copy of the personal data we hold about you; correct it if it is wrong; delete it; restrict or object to how we use it; and, where applicable, provide it in a portable format. To exercise any of these, contact us at the address above. We will respond within one month.

If you are unhappy with how we have handled your personal data, you can complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. We would ask you to raise it with us first so we can try to put it right.

Changes to this notice

We may update this notice from time to time. This version is dated at the top.