Privacy & Data Protection Policy
Last updated: 9 June 2026
ICO Registration Number: Z2878338
Background
Midgard IT Ltd understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who interacts with us, including website visitors, clients, and their staff, and we will only collect and use personal data in ways that are described here and in a way that is consistent with our legal obligations and your rights.
By using our website or services, you agree to the processing of your personal data as described in this policy.
1. Definitions
- Account — An account used to access our portals, systems, or services
- Cookie — A small text file placed on your device when you use our website
- Personal Data — Any information that can identify a living person
2. Who We Are
Midgard IT Ltd
Rainbow Business Centre, Phoenix Way, Swansea SA7 9FP
Company No: 7616487
VAT No: GB111835737
ICO Registration: Z2878338
Data Controller: Kristian Williams
Email: info@midgard.co.uk
Phone: 01792 477800
3. What This Policy Covers
This policy applies to:
- Website visitors
- Clients and their staff
- Users of our portals, VoIP systems, and support platforms
- Anyone who contacts us by phone, email, or support ticket
4. What Personal Data We Collect
We may collect and process:
- Name, company, job title
- Email address and telephone number
- Support tickets and emails
- Call logs, call recordings, and voicemail
- Portal and system access details
- IP addresses and login history
- Billing and contract information
- Communications and service notes
5. How We Use Personal Data
We process personal data to:
- Deliver managed IT, VoIP, and cybersecurity services
- Provide technical support
- Manage client accounts
- Maintain audit and security logs
- Meet legal and contractual obligations
- Improve our services
6. Client Service & Support Data
When providing services, we process personal data relating to client staff and contacts, including names, contact details, support tickets, emails, call logs, call recordings, account notes, system access records, and communications created during service delivery. This data is processed to deliver contracted services, ensure system security, maintain audit trails, comply with legal obligations, and improve service quality.
7. Internal Business & Staff Data
We also process personal data relating to employees, contractors, and internal users, including contact details, system access credentials, project assignments, communications, audit logs, security events, and operational records. This data is processed to operate the business, deliver services, secure systems, and meet legal and contractual obligations.
8. Legal Basis for Processing
We process personal data under the following lawful bases:
- Contractual necessity — to deliver contracted IT and VoIP services
- Legal obligation — to comply with HMRC, employment law, and other regulatory requirements
- Legitimate business interests — for website operation, security monitoring, and business administration
- Consent — where required, for example marketing emails
9. Data Storage & Security
All data is stored in the UK or EU, or in GDPR-compliant environments where an adequacy decision or appropriate safeguard applies. We use encryption, access controls, monitoring, and security tooling to protect personal data.
10. Who We Share Your Data With
We do not sell your personal data. We share data only with:
- Atera Networks (IT monitoring and remote support) — Israel, UK adequacy decision
- Microsoft Corporation (email and file storage via Microsoft 365) — EU data centres
- Gradwell Communications (VoIP and telephony services, including call recordings) — United Kingdom
- Xero Ltd (billing, invoicing, and payroll) — United Kingdom
- Google LLC (website analytics via Google Analytics) — USA, UK-US Data Bridge
- Mailchimp / Intuit Inc. (marketing emails to newsletter subscribers) — USA, UK-US Data Bridge
- Hetzner Online GmbH (hosting for our MyMidgard portal and website) — Germany, EU
- Regulators and law enforcement where legally required
All third-party processors are bound by data processing agreements and are required to process data only as instructed.
11. International Transfers
Some service providers are based outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- Israel — UK adequacy decision in place
- EU/EEA — covered by the UK’s adequacy decisions for EU/EEA countries
- USA — transfers to Google and Mailchimp are covered by the UK-US Data Bridge
12. Data Retention
We retain personal data only as long as required for legal, contractual, and operational purposes.
| Data Type | Retention Period |
|---|---|
| Client contact and service records | Duration of relationship + 6 years |
| Support ticket records | 6 years from ticket close |
| Call recordings | 6 months (unless required longer for legal or contractual reasons) |
| Financial and billing records | 6 years from end of financial year (HMRC) |
| Website enquiries (no business relationship) | 2 years from last contact |
| Staff records | Duration of employment + 6 years |
| Portal user accounts | Duration of client relationship + 1 year |
| Website analytics data | Up to 14 months |
13. Your Rights
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (where no legal obligation to retain it exists)
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw at any time
14. How to Make a Request
Email: info@midgard.co.uk
We will respond within 30 days.
15. Data Breaches
In the event of a personal data breach, we will:
- Notify the ICO within 72 hours of becoming aware of the breach, where required under Article 33 UK GDPR
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34 UK GDPR
- Maintain an internal record of all breaches, whether or not they meet the reporting threshold
16. Cookies
We use cookies for functionality, security, and analytics. For full details, see our Cookie Policy. You can control cookies through your browser or our cookie consent tool.
17. Complaints
If you have concerns about how we handle your data, please contact us first at info@midgard.co.uk. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office:
ICO: ico.org.uk | 0303 123 1113
18. Changes
We review this policy annually and when our processing activities change significantly. The “Last updated” date at the top of this page reflects the most recent revision.