Privacy Notice
Last updated: April 2026
Who we are
Marentis Labs Ltd is a governance and risk advisory consultancy registered in England and Wales (Company Number: 16600357). Our registered address is 167–169 Great Portland Street, 5th Floor, London, W1W 5PF, UK.
We are the data controller for the personal data described in this notice, which means we determine the purposes and means by which it is processed.
Contact for data protection matters: [email protected]
We are registered with the Information Commissioner's Office (ICO) as a data controller.
What data we collect and why
Website visits
When you visit marentislabs.com, our hosting provider (GitHub Pages, operated by GitHub, Inc.) automatically records standard technical data: your IP address, browser type, operating system, the pages you visit, and the date and time of your visit. We use this data to maintain and improve the website and to monitor its security. GitHub's handling of this data is governed by its own privacy statement, available at docs.github.com.
We also use Google Analytics to understand how visitors use our website. Google Analytics collects data about your browsing behaviour through cookies and similar technologies, including pages visited, time spent, and approximate location derived from your IP address. This data is processed by Google LLC in the United States (see International transfers below).
Legal basis: Legitimate interests (hosting and server logs). Consent (Google Analytics, set only where you accept cookies through the consent banner displayed on your first visit).
White paper and content downloads
When you download a white paper or other gated content, we collect your name, email address, organisation, and job title. We use this information to deliver the content you requested and, where you consent to it, to send you further relevant communications about our work.
Legal basis: Pre-contractual steps (delivering the requested content). Consent (where we send subsequent marketing communications).
Contact and enquiry forms
When you contact us through our website or by email, we collect your name, email address, organisation, and the content of your message. We use this to respond to your enquiry and, where appropriate, to manage the resulting business relationship.
Legal basis: Legitimate interests. We have a legitimate interest in responding to enquiries and managing prospective commercial relationships.
Client engagements
When you engage Marentis Labs, we process the business contact details of the individuals involved in the engagement, together with the governance, risk, and operational data you share with us in the course of our work. We process this data to deliver the services described in our engagement letter and to fulfil our obligations under it.
Legal basis: Contract performance. Where we process data to comply with legal or regulatory requirements (for example, retaining financial records), the legal basis is legal obligation.
Business contacts and CRM
We maintain records of business contacts including prospects, referrers, and professional network contacts. These records include names, job titles, organisations, professional email addresses, and notes on professional interactions. We use this data to manage commercial relationships and to communicate about services relevant to your professional role.
Legal basis: Legitimate interests. We have a legitimate interest in maintaining business relationships and in marketing our services to relevant professionals. You have the right to object to this processing at any time (see Your rights below), and we will cease processing on receipt of a valid objection unless we have a compelling reason to continue.
Supplier and contractor relationships
We process business contact details and financial information (such as invoice records) for suppliers and contractors to manage those relationships and to comply with our financial and tax obligations.
Legal basis: Contract performance and legal obligation.
Cookies
Our website uses cookies. Strictly necessary cookies operate the website and are set without your consent. We set analytics and functional cookies only where you consent to them through our cookie preference tool when you first visit the site.
| Cookie | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| _ga | Google Analytics | Analytics | Distinguishes individual users | 2 years |
| _ga_[ID] | Google Analytics | Analytics | Maintains session state | 2 years |
| _gid | Google Analytics | Analytics | Distinguishes users across sessions | 24 hours |
You can withdraw your consent to non-essential cookies at any time by adjusting your browser settings to block or delete cookies. Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal.
We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) in our use of cookies and electronic marketing. For more detail on how we use cookies, see our Cookies Policy.
Who we share your data with
We do not sell personal data. We share data only in the following circumstances.
Service providers. We use a small number of third-party processors to operate our business. Each processor is bound by a data processing agreement and processes data only on our documented instructions. Our current third-party processors are:
| Processor | Role | Location |
|---|---|---|
| GitHub, Inc. (GitHub Pages) | Website hosting | United States |
| Google LLC (Google Analytics) | Website analytics | United States |
| Proton AG (Proton Mail) | Email communications | Switzerland |
| Proton AG (Proton Drive) | Cloud document storage | Switzerland |
Legal and regulatory requirements. We disclose personal data where required by law or by a competent authority, for example in response to a valid court order, regulatory request, or statutory obligation.
Professional advisors. We share data with legal advisors, accountants, or insurers where necessary to obtain professional advice or to manage a legal matter. These advisors are bound by confidentiality obligations.
International transfers
Some of our processors operate outside the United Kingdom, and the following transfer safeguards apply.
| Processor | Country | Safeguard |
|---|---|---|
| GitHub, Inc. | United States | UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses |
| Google LLC | United States | UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses |
| Proton AG (Proton Mail & Proton Drive) | Switzerland | UK adequacy regulations (Switzerland is recognised as providing adequate protection) |
You may request a copy of the relevant transfer safeguards by contacting us at [email protected].
How long we keep your data
We keep personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law.
| Data type | Retention period |
|---|---|
| Client engagement records | Duration of the engagement, plus 6 years from the date of final delivery |
| Financial records (invoices, expenses, contracts) | 6 years from the end of the relevant financial year, as required by HMRC |
| Enquiry and contact records | 2 years from the date of last contact, unless a commercial relationship develops |
| Marketing and content download records | Until you withdraw consent, or 2 years of inactivity, whichever is earlier |
| Website analytics data (Google Analytics) | 14 months (configurable in Google Analytics settings) |
At the end of the applicable retention period, we securely delete or anonymise the relevant data.
Your rights
Under UK GDPR you have the following rights in relation to your personal data.
Access. You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.
Rectification. You may ask us to correct personal data that is inaccurate or incomplete.
Erasure. You may ask us to delete your personal data in certain circumstances, including where we no longer need it for the purpose for which it was collected, or where you have withdrawn consent and no other legal basis applies.
Restriction. You may ask us to restrict processing of your data in certain circumstances, for example while we verify a rectification request or while we consider an objection.
Portability. Where processing is based on consent or contract and is carried out by automated means, you may request that we provide your data in a structured, commonly used, machine-readable format.
Objection. You may object at any time to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need to continue for the establishment, exercise, or defence of legal claims.
Withdrawal of consent. Where processing is based on your consent, you may withdraw that consent at any time by contacting us or using any unsubscribe mechanism in our communications. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Automated decision-making. We do not use automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any of these rights, contact us at [email protected]. We will respond within one month of receiving your request. We may need to verify your identity before processing the request.
Right to complain
If you have concerns about how we handle your personal data, please contact us in the first instance. You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
www.ico.org.uk
Changes to this notice
We review this notice periodically and update it when our processing activities change or when required by law. The date at the top of this page shows when it was last updated. Where we hold your contact details and make a material change, we will notify you directly.
Questions about this notice? Contact us at [email protected] or visit our contact page.