Member of International Association of Privacy Professionals



This policy is effective as of 15th Feb 2024


GDPR Statement

The General Data Protection Regulation (GDPR) is a European Union regulation which protects the rights of data subjects in the European Economic Area (EEA), with respect to the processing of their “personal data,” as such term is defined in the GDPR.

Table of contents:

  • Compliance
  • What Personal Data is collected and how it is Collected
  • How long is Personal Data Retained
  • Children's Privacy
  • Legal Basis for Processing
  • Controller and Processor
  • Subprocessors
  • International Data Transfers
  • Your Data Protection Rights Under GDPR
  • Direct Marketing
  • How to Contact Us
  • Changes to this GDPR Statement


Compliance

The Green Arrow Consultancy Ltd website is designed to meet the principles of the GDPR. Here are some of the actions we’ve taken to ensure our compliance with GDPR:

  • We limit the personal data we collect;
  • We have established a legal basis for the processing of that data;
  • We only retain personal data for a limited time period, normally 90 days, after which the data is deleted.

What Personal Data is Collected and How it is Collected

Please see the Green Arrow Consultancy Privacy Policy, which describes the categories of information we process, the purposes for which we process personal data, and how we collect that personal data.

How Long is Personal Data Retained

If you provide information to us as part of any demo of SaaS service, we will keep that information for up to twelve months after your last communication with us.
We will keep personal information provided by customers for up to three months after the end of our business relationship and subject to our SaaS agreement. All payment information will be deleted 36 months after processing unless we are required by law to keep it longer.

If you contact us directly using the contact information provided on the Green Arrow Consultancy website or social media pages, we will retain your contact information for a period of up to three months after we respond to your inquiry. After that, the communications will be deleted from our system unless we are required by law to retain it longer.

Children's Privacy

The Green Arrow Consultancy website and platform were not developed or intended for individuals deemed to be children under applicable data protection or privacy laws, and we do not knowingly collect information from children. If you are the parent or guardian of any minor that may have contacted Green Arrow Consultancy Ltd, please alert us as soon as possible so that we can make sure we have no data on them. On being notified or learning the age of a minor, we will endeavour to delete all data within 72 hours.

Legal Basis for Processing

If you use the Green Arrow Consultancy website or any related platform located in the EEA, we rely on legitimate interest as the legal basis for processing the personal data we collect via the website and platform.

Controller and Processor

Depending on which features you choose to use, Green Arrow Consultancy Ltd is both a Controller and Processor of personal data covered by the Privacy Policy for purposes of European data protection legislation.

If you choose to use our Vendor Risk Monitoring, Policy Change Detection, Vendor Lawsuit Alerts, Privacy Law Alerts, and Ask the Privacy Expert feature, Green Arrow Consultancy is a Controller when the GDPR applies.

If you choose to use the Consent Management or Subject Rights Management features, Green Arrow Consultancy is a Processor when the GDPR applies. Green Arrow Consultancy’s Data Processing Addendum applies only when required under the GDPR and does not apply to Customers who are currently in a trial evaluation period or who are using a free tier of service.


Subprocessors

In connection with the operation of our website, Green Arrow Consultancy may engage third parties (each a “Subprocessor”) to process your personal data. As a condition of permitting a Subprocessor to process your personal data, Green Arrow Consultancy will enter into a written agreement with each Subprocessor containing data protection obligations at least as protective as the technical and organizational measures Green Arrow Consultancy has put into place to protect your personal data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.

We use the following Subprocessors to operate our website and provide our services:


Subprocessor            | Subprocessing Activity                     | Country of Origin
------------------------|--------------------------------------------|--------------------------
Amazon Cloud Services   | Cloud Service Provider                     | United States and Ireland
Nexcess Cloud Services  | Cloud Service Provider                     | United States
                        | Content Management System                  | United States
                        | Subscription & Billing                     | United Kingdom
Inc                     | Collaboration, Productivity, and CRM       | United Kingdom
Microsoft Corporation   | Collaboration Tool                         | United States and Ireland
UserWay Inc             | Website Accessibility Platform             | United States
                        | Security Posture and Breach alert Platform | United States
Google Cloud Services   | Email and Data Storage                     |

International Data Transfers

If you are located within the EEA when you visit the Green Arrow Consultancy website or log in to the Green Arrow Consultancy Software as a Service platform, we may transfer your personal data outside of the EEA. When we do, we will ensure that an adequate level of protection is provided for the information by using industry-standard encryption at rest and in transit.
For visitor facing components of the platform such as Green Arrow Consultancy’s consent manager, all personal data is stored in Dublin, Ireland, within the EEA.
Visit our Privacy Policy to learn more about the technical and operational measures we implement and our compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.

Your Data Protection Rights Under GDPR

If you are a resident of the European Union, you have certain data protection rights under the GDPR. Green Arrow Consultancy Ltd will take reasonable steps to allow you to access, review, update, rectify, or delete any personal data we hold about you.
In certain circumstances, you have the following data protection rights:

  • Right of access. The right to obtain access to your personal data.
  • Right to rectification. The right to erase or rectify inaccurate or incomplete data.
  • Right to erasure. The right to obtain the erasure of your personal data in certain circumstances.
  • Right to portability. The right to move, copy, or transfer personal data.
  • Right to restrict processing. The right to restrict the processing of personal data.
  • Right to object to processing. The right to object to the processing of personal data for certain purposes.

If you wish to exercise one of these rights, please contact us by using the contact details below. We may ask you to verify your identity before responding to these requests.

Direct Marketing

You may opt out of receiving marketing communications at any time by unsubscribing from email marketing, by changing your notification settings in the Green Arrow Consultancy application or by opting out of any emails we may send to you.

How to Contact Us

If you have any questions about this GDPR Statement, you may contact us online, or you can send correspondence to the following addresses:


Green Arrow Consultancy Ltd
Sophia House, 28 Cathedral Road,
Cardiff, CF11 9LJ, Wales, UK

Our Data Privacy Office:

If contacting us does not provide you with an adequate resolution and your inquiry is related to information collected about you in the European Union/European Economic Area, please contact the applicable EU Data Protection Authority.

Changes to this GDPR Statement

Please visit this page periodically to stay aware of any changes to this GDPR Statement, which we may update from time to time. If we modify this GDPR Statement, we will make the revised overview available at the URL of this page and indicate the date of the latest revision.

This page was last updated on 16th Feb 2024



Designated Data Protection Officer: Darren Tyler (Director of Green Arrow Consultancy Ltd)