Privacy Notice
Velstar Ltd — Version 2.0 — May 2026
This notice explains how Velstar Ltd collects, uses, stores and protects personal data. It applies to all individuals whose data we process, including website visitors, prospective clients, existing clients and their contacts, and suppliers.
Velstar Ltd acts as a data controller in respect of personal data we collect and use for our own purposes. We also act as a data processor when we handle personal data on behalf of our clients. This notice covers both roles.
Velstar Ltd is a registered company in England and Wales. Our registered address is:
Velstar Ltd, Units 43–46, Ground Floor, Exchange Station, Tithebarn Street, Liverpool, L2 2QP
We are registered with the Information Commissioner's Office (ICO) as a data controller. For all data protection enquiries, contact us at [email protected].
Data Controller
We act as a data controller when we process personal data for our own purposes. This includes data collected through our website, data held about prospective and existing clients, and data relating to our own staff and suppliers.
Data Processor
We act as a data processor when we handle personal data on behalf of a client, for example when building or operating ecommerce platforms, running marketing campaigns, or providing data and analytics services. In these cases, the client is the data controller and we process data only on their documented instructions. Where we act as a processor, a separate Data Processing Agreement governs that relationship.
Depending on how you interact with us, we may collect and process the following categories of personal data:
- —Identity data: name, job title, company name
- —Contact data: email address, telephone number, postal address
- —Technical data: IP address, browser type, device identifiers, pages visited
- —Usage data: how you interact with our website and communications
- —Communications data: records of correspondence, enquiry details, call notes
- —Financial data: billing contact details and invoice records (not payment card data)
- —Marketing preferences: opt-in or opt-out status for marketing communications
We do not knowingly collect special category data (such as health, racial or ethnic origin, or biometric data) through our standard channels. If a client engagement requires us to process special category data on their behalf, this is governed by a separate Data Processing Agreement.
We collect personal data through the following means:
- —Direct contact: enquiry forms, emails, telephone calls, and meetings
- —Our website: contact forms, newsletter sign-ups, and analytics tools
- —Cookies and tracking: see Section 5 for full details
- —Third-party sources: publicly available professional profiles (such as LinkedIn) and, on occasion, data purchased from list providers on behalf of clients
Our website uses cookies and similar tracking technologies to identify visitors, analyse traffic, and remember preferences. Cookies are small text files stored on your device by your browser.
We use the following categories of cookies:
- —Strictly necessary: required for the website to function. These cannot be disabled.
- —Analytics: help us understand how visitors use our website. These are only set with your consent.
- —Marketing: used to deliver relevant communications. These are only set with your consent.
You can control cookies through your browser settings at any time. Disabling non-essential cookies will not affect your ability to use the website. For a full list of cookies we use and their purposes, contact [email protected].
We process personal data only where we have a valid lawful basis under UK GDPR. The basis we rely on depends on the nature of the processing:
| Lawful Basis | When We Rely on It |
|---|---|
| Contractual necessity | Processing required to enter into or perform a contract with you or your organisation. |
| Legitimate interests | Marketing to prospective and existing clients, improving our services, and maintaining business records where our interests are not overridden by your rights. |
| Consent | Sending direct marketing where we do not have an existing relationship, and setting non-essential cookies. |
| Legal obligation | Retaining records required by law, responding to lawful regulatory or governmental requests. |
Where we rely on legitimate interests, you have the right to object. See Section 11 for details.
We use personal data for the following purposes:
- —To respond to enquiries and provide quotations
- —To deliver services under contract
- —To send marketing communications about our services (where lawful to do so)
- —To maintain and improve our website and digital properties
- —To manage our supplier and partner relationships
- —To comply with legal and regulatory obligations
- —To investigate and respond to complaints or disputes
We do not sell, rent, or broker personal data to third parties.
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Client and prospect contact data | Duration of relationship plus 5 years |
| Contract and commercial records | 7 years from contract end (legal obligation) |
| Website analytics and technical data | Up to 26 months |
| Marketing opt-out records | Indefinitely (to honour your preference) |
| Job applications (unsuccessful) | 6 months from decision |
On expiry of a retention period, personal data is securely deleted or anonymised. We review our retention schedules annually.
Personal data is stored on servers located within the UK or European Economic Area (EEA). Where data is transferred to a country outside the UK or EEA, we ensure that transfer is governed by appropriate safeguards, such as UK adequacy regulations or Standard Contractual Clauses.
We use a number of third-party service providers (subprocessors) to operate our business. These include providers of cloud infrastructure, project management, communication, and marketing tools. A list of our current subprocessors is available on request from [email protected].
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include:
- —Encryption of data in transit and at rest
- —Role-based access controls and the principle of least privilege
- —Multi-factor authentication for access to internal systems
- —Regular security assessments and patching procedures
- —Staff training on data protection and information security
- —Incident response and breach notification procedures
- —Contractual data protection obligations imposed on all subprocessors
Our information security practices are aligned with ISO 27001 principles. In the event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay where required.
Under UK GDPR you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Ask us to delete your data in certain circumstances. |
| Restriction | Ask us to restrict processing while a dispute is resolved. |
| Portability | Receive your data in a structured, machine-readable format. |
| Object | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting prior processing. |
| Automated decisions | Not be subject to decisions made solely by automated processing that produce legal or significant effects. |
To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
We take reasonable steps to keep personal data accurate and up to date. You can help us maintain data quality by notifying us of any changes to your personal information. Contact us at [email protected] to update your details at any time.
Where personal data is provided to us by a third party (for example, a client providing their customer data for us to process), that third party is responsible for the accuracy and lawfulness of the data provided.
We review this notice and our underlying data protection practices at least annually, or sooner following significant changes to our business, technology, or applicable legislation.
Compliance with this notice is the responsibility of all Velstar staff. Breaches of this notice may result in disciplinary action. We maintain records of processing activities as required by UK GDPR Article 30.
All subprocessors are contractually required to comply with applicable data protection law and our instructions. We conduct due diligence on subprocessors before engagement and review their compliance periodically.
We may update this notice from time to time. The current version will always be available at velstar.agency/privacy. Material changes will be communicated by email where we hold your contact details.
This notice was last updated in May 2026.
For any questions, requests, or concerns about this notice or how we handle your personal data:
Email: [email protected]
Post: Velstar Ltd, Units 43–46, Ground Floor, Exchange Station, Tithebarn Street, Liverpool, L2 2QP
Telephone: +44 (0) 151 708 4567