Privacy Policy (UK GDPR & ISO/IEC 27001:2022 Aligned)

Last updated: April 2026

This Privacy Policy explains how LevelUp Networks Ltd (“we”, “us”) processes personal data when acting as a data processor and, where applicable, a data controller. This version has been updated to reflect current UK GDPR, ICO guidance, international access safeguards, and our ISO/IEC 27001:2022‑certified Information Security Management System (ISMS).

 

1. Controller and Processor Roles

For the purposes of UK GDPR:

• Data Controller: LevelUp Networks Ltd, 30b Wilds Rents, London, SE1 4QG (for our own business contacts, marketing, and website data).
• Data Processor: LevelUp Networks Ltd, acting on documented instructions from its customers when providing managed IT and support services.

Processing as a processor is governed by contractual terms aligned to UK GDPR Article 28 and enforced through our ISMS.

 

2. Personal Data We Process

We may process the following categories of personal data, depending on the service provided:

• Identification and contact details (names, email addresses, telephone numbers)
• User account and authentication data
• Support communications (emails, tickets, call records)
• Technical logs, audit records, and access metadata

We do not process personal data beyond what is necessary for service delivery, support, legal compliance, and security assurance.

 

3. Lawful Basis for Processing

When acting as controller, we process personal data under the following lawful bases:

• Performance of a contract
• Legitimate interests (service delivery, security, fraud prevention)
• Legal and regulatory obligations
• Consent, where required (e.g. marketing communications)

When acting as processor, we process data strictly in accordance with the instructions of the relevant data controller.

 

4. International Access and Safeguards

Personal data remains hosted within UK or EU‑based systems.

Authorised support staff may access customer systems remotely from the UK, EU, South Africa, and Serbia strictly for support and maintenance purposes.

This access model includes the following safeguards:

• Named, individually authorised user accounts
• Mandatory multi‑factor authentication (MFA)
• Encrypted connections for all remote sessions
• No routine local storage or bulk data transfer
• Logging and monitoring of access activity
• Contractual confidentiality and data‑protection obligations

International access is assessed under a risk‑based approach consistent with UK GDPR Chapter V, ICO guidance, and the Data Protection and Digital Information framework.

 

5. Use of Sub‑Processors

We may use carefully selected sub‑processors where necessary for service delivery (e.g. cloud platforms, security tooling).

All sub‑processors:

• Are subject to contractual data‑protection obligations
• Are assessed for security and compliance risk
• Are governed by our ISO 27001 supplier‑management controls

A sub‑processor register is maintained and available upon request.

 

6. Technical and Organisational Security Measures

We implement appropriate technical and organisational measures in line with UK GDPR Article 32 and ISO/IEC 27001:2022, including:

• Role‑based access control and least‑privilege principles
• Multi‑factor authentication
• Encryption of data in transit
• Centralised logging and security monitoring
• Segregation of duties
• Regular vulnerability management and audits

 

7. Data Subject Rights

Data subjects have rights under UK GDPR, including rights of access, rectification, erasure, restriction, and objection.

Where we act as a processor, requests should be directed to the relevant data controller. We will provide reasonable assistance to controllers responding to such requests.

 

8. Data Retention

Personal data is retained only for as long as necessary to fulfil contractual, legal, and operational requirements, after which it is securely deleted or anonymised.

 

9. Changes to This Policy

We may update this Privacy Policy from time to time. Any material changes will be published and, where appropriate, notified to relevant parties.

 

10. Contact Details

Questions, comments, or requests regarding this Privacy Policy should be addressed to:

LevelUp Networks Ltd

30b Wilds Rents, London, SE1 4QG

Email: [email protected]

 

This policy is aligned with UK GDPR, ICO guidance, and ISO/IEC 27001:2022 Annex A controls and applies to all LevelUp Networks customers.