Privacy & Data Protection

Privacy & Data Protection Policy

Last updated: 9 June 2026
ICO Registration Number: Z2878338

Background

Midgard IT Ltd understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who interacts with us, including website visitors, clients, and their staff, and we will only collect and use personal data in ways that are described here and in a way that is consistent with our legal obligations and your rights.

By using our website or services, you agree to the processing of your personal data as described in this policy.

1. Definitions

  • Account — An account used to access our portals, systems, or services
  • Cookie — A small text file placed on your device when you use our website
  • Personal Data — Any information that can identify a living person

2. Who We Are

Midgard IT Ltd
Rainbow Business Centre, Phoenix Way, Swansea SA7 9FP
Company No: 7616487
VAT No: GB111835737
ICO Registration: Z2878338

Data Controller: Kristian Williams
Email: info@midgard.co.uk
Phone: 01792 477800

3. What This Policy Covers

This policy applies to:

  • Website visitors
  • Clients and their staff
  • Users of our portals, VoIP systems, and support platforms
  • Anyone who contacts us by phone, email, or support ticket

4. What Personal Data We Collect

We may collect and process:

  • Name, company, job title
  • Email address and telephone number
  • Support tickets and emails
  • Call logs, call recordings, and voicemail
  • Portal and system access details
  • IP addresses and login history
  • Billing and contract information
  • Communications and service notes

5. How We Use Personal Data

We process personal data to:

  • Deliver managed IT, VoIP, and cybersecurity services
  • Provide technical support
  • Manage client accounts
  • Maintain audit and security logs
  • Meet legal and contractual obligations
  • Improve our services

6. Client Service & Support Data

When providing services, we process personal data relating to client staff and contacts, including names, contact details, support tickets, emails, call logs, call recordings, account notes, system access records, and communications created during service delivery. This data is processed to deliver contracted services, ensure system security, maintain audit trails, comply with legal obligations, and improve service quality.

7. Internal Business & Staff Data

We also process personal data relating to employees, contractors, and internal users, including contact details, system access credentials, project assignments, communications, audit logs, security events, and operational records. This data is processed to operate the business, deliver services, secure systems, and meet legal and contractual obligations.

8. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Contractual necessity — to deliver contracted IT and VoIP services
  • Legal obligation — to comply with HMRC, employment law, and other regulatory requirements
  • Legitimate business interests — for website operation, security monitoring, and business administration
  • Consent — where required, for example marketing emails

9. Data Storage & Security

All data is stored in the UK or EU, or in GDPR-compliant environments where an adequacy decision or appropriate safeguard applies. We use encryption, access controls, monitoring, and security tooling to protect personal data.

10. Who We Share Your Data With

We do not sell your personal data. We share data only with:

  • Atera Networks (IT monitoring and remote support) — Israel, UK adequacy decision
  • Microsoft Corporation (email and file storage via Microsoft 365) — EU data centres
  • Gradwell Communications (VoIP and telephony services, including call recordings) — United Kingdom
  • Xero Ltd (billing, invoicing, and payroll) — United Kingdom
  • Google LLC (website analytics via Google Analytics) — USA, UK-US Data Bridge
  • Mailchimp / Intuit Inc. (marketing emails to newsletter subscribers) — USA, UK-US Data Bridge
  • Hetzner Online GmbH (hosting for our MyMidgard portal and website) — Germany, EU
  • Regulators and law enforcement where legally required

All third-party processors are bound by data processing agreements and are required to process data only as instructed.

11. International Transfers

Some service providers are based outside the UK. Where this occurs, we ensure appropriate safeguards are in place:

  • Israel — UK adequacy decision in place
  • EU/EEA — covered by the UK’s adequacy decisions for EU/EEA countries
  • USA — transfers to Google and Mailchimp are covered by the UK-US Data Bridge

12. Data Retention

We retain personal data only as long as required for legal, contractual, and operational purposes.

Data TypeRetention Period
Client contact and service recordsDuration of relationship + 6 years
Support ticket records6 years from ticket close
Call recordings6 months (unless required longer for legal or contractual reasons)
Financial and billing records6 years from end of financial year (HMRC)
Website enquiries (no business relationship)2 years from last contact
Staff recordsDuration of employment + 6 years
Portal user accountsDuration of client relationship + 1 year
Website analytics dataUp to 14 months

13. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (where no legal obligation to retain it exists)
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, you may withdraw at any time

14. How to Make a Request

Email: info@midgard.co.uk
We will respond within 30 days.

15. Data Breaches

In the event of a personal data breach, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach, where required under Article 33 UK GDPR
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34 UK GDPR
  • Maintain an internal record of all breaches, whether or not they meet the reporting threshold

16. Cookies

We use cookies for functionality, security, and analytics. For full details, see our Cookie Policy. You can control cookies through your browser or our cookie consent tool.

17. Complaints

If you have concerns about how we handle your data, please contact us first at info@midgard.co.uk. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office:

ICO: ico.org.uk | 0303 123 1113

18. Changes

We review this policy annually and when our processing activities change significantly. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

Midgard Short Logo In White