Privacy Notice
Who we are
At Sircle (“we”, “us”, or “our”), we are committed to protecting your privacy and ensuring you understand how we use and safeguard your personal data.
Our use of your personal information is governed by this Privacy Notice and relates to the following businesses and trading names:
Topscan (UK) Limited registered in England (04513312) and trading as “Sircle”
This notice explains what information we collect, how we use it, your rights, and how we protect your data in compliance with the UK Data Protection Act 2018 and the UK GDPR.
We also comply with the Data (Use and Access) Act 2025 (DUAA), which updates UK GDPR, DPA 2018 and PECR (Privacy and Electronic Communication Regulations). This Notice reflects these updates including legitimate interests, automated decision-making safeguards and cookie rules.
Who does this Privacy Notice relate to?
This Privacy Notice relates to all Sircle clients and potential clients, whether businesses (and individuals associated with them) or individuals, all 3rd party businesses and individuals who work with Sircle to provide a service or who may be a supplier, contractor, sub-contractor or referrer of business, as well as any visitors to Sircle’s offices or other sites.
The notice applies to all products and services offered and provided by Sircle. A table setting out the information collected and processed by Sircle and the basis under which we do so is included at the end of this notice.
Where individuals apply for roles with Sircle, additional information about how we collect and use personal data during recruitment is set out in our Recruitment Privacy Notice. That notice should be read alongside this Privacy Notice and applies specifically to job applicants and candidates.
How this Privacy Notice applies
We’ve published this Privacy Notice to make it easier for you to find out how we collect, store, use and protect your personal information and information about individuals who may be connected to your business. You should read this notice, so you know what personal data we collect about you, what we do with it and how you can exercise your rights in connection with it.
This includes what you tell us about yourself, what we learn by having you as a client or working with you as a service provider, your interactions with us on social media, and the preferences you make about what type of marketing you want us to send you.
This Notice will provide you with information such as:
- The types of information Sircle collects about you and individuals connected to your business, and how we use it.
- The legal grounds for how we use personal information.
- The rights which individuals have in relation to the information we hold about them.
- How we keep information secure.
When providing you with our services we will collect information on individuals connected to your business. This information may be collected from you or other independent sources. All relevant individuals will have access to this Privacy Notice and if you, or anyone else on your behalf, has provided or provides personal information to us about an individual connected to your business, you or they must first ensure that you or they have the authority to do so, and that you have provided access to this Privacy Notice to ensure that they are informed.
This Privacy Notice explains how we collect, use and protect personal data. It is provided for information purposes and does not form part of any contract unless expressly stated otherwise.
What type of personal information does the Privacy Notice relate to?
Personal data: this is any information that tells us something about you as a natural person. This could include information such as name, contact details, date of birth, bank account details or any information about your needs or circumstances which would allow us to identify you.
Special Categories of personal data: We typically do not collect special categories of personal data about individuals other than our own employees. This is classified as “sensitive” under data protection legislation and examples include health data, religion or sexual orientation.
However, we may need to process limited special category data in specific situations (for example dietary/accessibility requirements for events or information relating to accidents/emergencies). There are also restrictions on when we can collect and use criminal conviction data, which will be set out to you should this be requested. Where we do so, we apply an additional condition under the Data Protection Act 2018 alongside an appropriate lawful basis under UK GDPR, and we limit access and retention.
Children’s data: Our services are not directed to children. Enhanced protections apply if children access services, consistent with DUAA and UK GDPR.
We will process all personal data in accordance with the following principles:
1. all personal data will be processed lawfully, fairly and in a transparent manner
2. all personal data will be collected for one or more specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes,
3. all personal data collected will be restricted to what is adequate, relevant and limited for those purposes,
4. all personal data will be kept accurate and up to date (and reasonable steps will be taken to erase or rectify inaccurate personal data),
5. all personal data will not be kept for longer than is necessary for those purposes,
6. all personal data will be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage.
Unless otherwise agreed in writing, we act as the ‘controller’ (as such term is construed from the UK’s Data Protection Act (2018), the General Data Protection Regulation (GDPR) or the applicable local law) for the purposes described in this Privacy Notice. Sircle as the data controller will be responsible for compliance with these principles at all times.
In some engagements, we may process personal data on a client’s documented instructions (for example, where we input or manage data within a client’s system). In those cases, the client is the ‘controller’ and their privacy notice will apply. Where we act as a processor, we will only process personal data in accordance with the client’s instructions, our contract and applicable data protection law, and we will put in place appropriate processor terms in line with UK GDPR Article 28.
Lawful processing basis
Under the GDPR, we must justify a lawful basis for processing your personal data. There are six lawful bases for processing data as summarised below:
- Performance of a contract – this is where the collection and processing of your personal information is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract (e.g. provide a quote).
- Legal obligation – this is where the collection and processing of your personal information is necessary for compliance with a legal or statutory obligation, for example verification of identity and fraud prevention, or retaining invoices based on tax legislation.
- Consent – where we process personal information under consent, we will seek your clear and unambiguous consent before processing your data, for example to send and/or receive marketing information from Sircle. You can withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.
- Legitimate interest – some personal information is processed by Sircle as part of its legitimate interests, which means using people’s data in ways they would reasonably expect in the context of our business, and which have a minimal privacy impact, or where there is a compelling justification for the processing which outweighs the potential privacy interests of the data subject. Examples include network and information security, web analytics, updating customer details. In addition, the DUAA introduces certain recognised legitimate interests for defined processing activities. Where applicable, we will still ensure processing is necessary and that appropriate safeguards are in place.
- Vital interests – the processing is necessary to protect someone’s life
- Public task – the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
Where we may process special categories of personal information and criminal conviction information, we do so under additional lawful bases of the Data Protection Act. These may include, but are not limited to:
- Where you have provided explicit consent
- Where processing is necessary for the establishment, exercise, or defence of legal claims.
What types of personal data do we collect and where do we get it from?
We will only collect and process data when this is permissible in line with applicable law and depending on the purpose the data is being used for, the type and sensitivity of the data that is being collected. It isn’t possible to list all circumstances and exceptions applicable to the collection of personal data. Personal data we collect, process and retain may include:
- Name and contact details including mobile/landline numbers, email address and business address,
- Role title, position and responsibility details, and additional information around the nature of your role, this may include qualifications and experience that you wish to tell us about,
- Sex / gender
- Photographs taken at events, or site visits to conduct surveys
- CCTV footage if you attend our premises, which is maintained for security purposes.
- Hobbies and interests where relevant for marketing purposes,
- Personal preferences including dietary requirements, personal details linked to an event (e.g. shoe size for a bowling evening), details around physical ability (e.g. ability to swim for a sailing event), or travel preferences,
- Open data / public records which includes data that you have made freely available in a public domain such as via social media or publications and news articles,
- Permissions – so we can record how you would like to receive information from us, or if you would prefer not to,
- Technical data such as your IP address, browser type, operating system, time zone, log-in information, clickstream data (pages you visited, time spent, links clicked), phone numbers used to contact us, and error messages via cookies and similar technologies.
- Extra information that you choose to tell us.
We collect and process personal data about you in the following ways:
Directly:
- We obtain personal data directly from individuals in a variety of ways, including obtaining personal data from individuals who provide us with their business card(s), complete our online forms, subscribe to our newsletters, register for webinars, attend meetings or events we host or visit our offices. We may also obtain personal data directly when, for example, we are establishing a business relationship, performing professional services through a contract, or through our hosted software applications.
Indirectly:
- To the extent permitted by applicable law, we may collect and process personal data indirectly about individuals and our clients from a variety of sources. We may receive information about you from our business partners, suppliers, advertising networks, data subscription or analytics providers, and credit reference agencies to enhance our services, comply with legal obligations, or detect fraud. We may also obtain information from public registers (such as Companies House), news articles, social media and professional networking sites, and web searches.
Consequences of not providing us with certain data
Providing Sircle with certain levels of personal data is the choice of the individual to whom that data belongs. You may choose not to give us certain information we ask for, or ask us to delete or stop using information that we already hold on you, and it is your right to do so.
However, we may have overriding interests or obligations concerning certain data and we must also highlight some possible consequences of us not being able to process certain data belonging to you.
- We may not be able to keep you informed about our new products and services or any relevant changes.
- We may not be able to keep you up to date with industry or regulatory changes, news and market reports.
- We may not be able to keep you informed around any upcoming events or invite you to our events, or as a guest to accompany us to 3rd party events.
- We may not be able to fulfil our contractual obligations to you in order to provide our service.
- We may not be able to continue using your products or services.
- We may not be able to consider new business with you or arrange networking opportunities to benefit both you and us.
Purposes for processing your personal data
We use your personal data for a number of different purposes. We must always have a “lawful basis” (i.e. a reason, prescribed by law) for processing your personal data. The Personal data purposes table below sets out the purposes for which we process the different categories of your personal data and the corresponding lawful basis for that processing. For some processing activities, we consider that more than one legal basis may be relevant – depending on the circumstances.
| Processing Activity | Justification for Processing | Primary Lawful Processing Basis |
|---|---|---|
| Collecting personal data for new clients/3rd parties e.g. receiving a business card, exchanging details at events | We conclude that data has been given to Sircle in order to update you about our services and events | Legitimate Interest |
| Buying in mail lists | To offer our services and invite clients to events where there is a balanced business interest (and providing such activity is permitted under local law). We only use third-party marketing lists where we are satisfied that the data has been collected lawfully, that appropriate consents or soft opt-in conditions apply under PECR, and that individuals are provided with a clear and easy way to opt out of further marketing. | Legitimate Interest/Consent |
| Responding to requests for work, quotes and tenders | Necessary in order to commence with a business prospect, processing would be expected by the client or 3rd party | Legitimate Interest /Contractual |
| Carrying out work and deliver consultancy services and survey activities in line with an existing contract/agreement | To carry out duties in line with contractual/agreement related obligations. To give relevant updates to clients/3rd parties and conduct billing activities. | Contractual |
| Adding or amending contact details in our management systems | In order to keep records up to date, fulfil contractual obligations, carry out data cleansing activities | Legitimate Interest/Legal Obligation |
| Maintaining purchase and financial history on client records | In order to continue offering relevant services, ensuring records are kept up to date | Legitimate Interest / Legal obligations |
| Conduct marketing activities to prospective and existing clients, including direct marketing emails | To carry out marketing activities, inform clients of relevant services available, attend relevant events and give company and industry updates | Consent / Legitimate Interest |
| Analysing how our electronic marketing communications and website interactions are used by you | To carry out marketing activities, inform clients/3rd parties of relevant services available, attend relevant events and give company and industry updates | Legitimate Interest |
| Create and Update attendance records for events | Assist with future marketing activities and identify which events are of interest to clients and 3rd parties | Legitimate Interest |
| Record responses to questionnaires | To maintain business relationships and monitor the quality and relevance of our services or carry out research activities | Consent / Legitimate Interest |
| Address any requests from clients or 3rd parties | To ensure clients/3rd parties receive the appropriate level of information requested. To identify trends linked to repeated issues and improve our service and relationship with contacts | Legitimate Interest /Contractual |
| To address complaints from clients or 3rd parties under our Complaints Handling Procedure (CHP): https://sircleuk.com/complaintshandlingprocedure/ | To comply with legal and regulatory requirements. To resolve dissatisfaction and assess redress. To identify trends and improve services. | Legal / Contractual / Legitimate Interest |
| To obtain credit checks and/or references | Comply with applicable legislation and statutory requirements for the prevention of money laundering | Legal obligation/Legitimate interest |
| Process invoices and collect payment | To take payment and maintain adequate accounting and financial records | To perform contract |
| Collect CCTV, system, security, event and usage data | Monitoring systems to prevent fraudulent or illegal activity and ensure safety | Legitimate interests/ Legal obligation |
| Share data with 3rd parties | To make data available to third parties who provide products or services to us | Contractual / Legitimate interest / Legal obligation |
| Sharing information with law enforcement | Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law | Legal obligation |
There may be on occasion a need to process special categories of personal data as indicated below:
| Processing Activity | Justification for Processing | Primary Lawful Processing Basis |
|---|---|---|
| Hosting you at our offices and/or providing hospitality or entertainment services | Dietary requirements, accidents and emergencies | Consent, necessary to protect vital interest or incapable of giving consent |
| Complying with our general regulatory and statutory obligations or obtaining legal advice | Requirements to establish the existence of any unlawful act, dishonesty, malpractice or seriously improper conduct | Public interest, legal defence |
Will Sircle make use of automated decision-making?
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved. As a rule, Sircle does not make use of automated decision-making as described above, and any decisions are based on meaningful human intervention.
If automated decision-making with legal or significant effects is introduced, Sircle will ensure appropriate DUAA safeguards apply: information, human intervention, ability to contest. No special category data will be processed unless a lawful basis exists.
This position applies notwithstanding our use of AI‑enabled tools as described below, which are subject to appropriate human oversight.
Use of Artificial Intelligence (AI)
We may use artificial intelligence‑enabled tools and systems (“AI”) to support certain internal business functions and, where appropriate, aspects of our professional services. These tools are used to assist our staff, improve efficiency, support analysis, and enhance quality assurance, and are not used as a substitute for professional judgement. Our approach aligns with the RICS Professional Standard: Use of Artificial Intelligence (AI), which promotes responsible, transparent, and ethical adoption of AI within surveying and related professional practice; see https://www.rics.org/content/dam/ricsglobal/documents/standards/Responsible-use-of-artificial-intelligence-in-surveying-practice_September-2025.pdf
Where AI tools are used, we apply appropriate human oversight and ensure that decisions which have legal or similarly significant effects on individuals are not made solely by automated means. Our professionals remain responsible for the review, interpretation and use of any outputs generated by AI tools.
Where the use of AI involves the processing of personal data, we take steps to ensure that such processing complies with applicable data protection laws, confidentiality obligations and professional standards. This includes applying appropriate safeguards to protect privacy, security and data minimisation, and ensuring that personal data is not used inappropriately to train or develop AI systems without a lawful basis. We do not use your confidential information or personal data to train public AI models, and any use of AI tools is subject to contractual and professional confidentiality obligations.
We do not generally use AI to carry out automated decision‑making as defined under data protection law. If this position changes, or where AI is used in a way that materially affects individuals or the delivery of professional services, further information will be provided as required by law and through relevant client communications or terms of engagement.
Who we share your personal information with
We may share your data only with trusted partners and service providers who help us operate our business, including:
- Regulators and other government authorities or law enforcement agencies,
- Any party linked with you or your business’s product or service,
- Companies we have a joint venture or agreement to co-operate with, where appropriate to do so,
- Parties providing services to Sircle (whether working on a matter for your benefit or otherwise) such as contractors, sub-consultants and consultants,
- Our external advisors, such as auditors, accountants or lawyers where they are under a duty of confidentiality,
- Banks and Insurers where such disclosure is necessary,
- Credit reference agencies for financial services and fraud prevention,
- Organisations that introduce you to us,
- Companies that we introduce you to, where appropriate to do so,
- Companies you ask us to share your data with,
- Advertising and analytics providers for marketing and website optimisation.
- In case of business sale or asset transfer, personal data may be part of the transferred assets.
Where we share your personal data with the parties above, we will ensure that your personal data is subject to controls at least as stringent as those that apply to Sircle when it collects, processes or stores your personal data.
We also have to share information or data in order to:
- Comply with any applicable law, regulation, legal process or enforceable governmental request,
- Meet our contractual obligations for the purpose of legally required audits,
- Enforce our policies, including investigations into potential violations of those policies,
- Detect, prevent, or otherwise address fraud, security or technical issues,
- Protect against harm to the rights, property or safety of our users, the public or to Sircle and/or as required or permitted by law.
Transfers outside the UK or EEA
We will only transfer personal data outside of the UK or the EEA subject to appropriate data transfer mechanisms that include adequate safeguards. These international transfers may be permitted where the non-EEA country provides adequate protection that is not materially lower than the UK’s (the EU has already made such a determination in respect of data transfers to the UK).
International transfers may rely on adequacy regulations including the UK–US Data Bridge, IDTA, UK Addendum to EU SCCs and supplementary measures approved by the Information Commissioner’s Office (ICO) which we will adopt and implement with the relevant data processor or third-party service provider. We will inform you in advance if other safeguards are to apply.
Your rights under GDPR
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:
- Asking us to tell you what data we hold about you and requesting a copy. This is called a Subject Access Request (SAR), and we will provide a copy subject to the request being based on a reasonable and proportionate search. We will not charge for this unless a request is manifestly unfounded or excessive, particularly if it is repetitive, or if further copies are requested. We will have 1 month to comply with your request unless circumstances allow for an extension based on the complexity or number of requests. When responding to SARs, we will conduct searches that are reasonable and proportionate under DUAA. We may refuse or charge a fee for manifestly unfounded or excessive requests.
- Objecting to your personal information being processed. You may also ask us to delete it (known as ‘the right to be forgotten’) and we will consider all such requests. If there are legal reasons for us keeping your data despite your request, we will notify you of this. These rights are not absolute rights and there may be reasons for retaining the data.
- Asking us to amend or stop using your information because it’s inaccurate, incomplete or you want to restrict how we process it.
- You have a right to object at any time to the processing of your personal data for direct marketing purposes, and we will stop such processing immediately.
- You have the right to be informed about the collection and use of your data.
- Asking us to move, copy or transfer your personal data easily from one IT environment to another, in a safe and secure way, without hindrance to usability when you have provided to us your personal information.
Please contact us using the contact details below if you wish to speak to us about this or want to exercise any of these rights.
Withdrawing consent
If we have asked for your consent at any time and you now wish to withdraw it, please contact us and we will update our records accordingly.
Some of our services are dependent on the use of Personal Data. If you withdraw your consent to use this data we may no longer be able to continue to provide certain products and services, however, if this is the case we will discuss this with you.
If we are processing your data using the lawful processing basis of ‘legitimate interest’ you will not have given us ‘consent’ to process this data, however, you still have the right to object.
If you have any questions please contact us.
How long will we keep your data for?
Whilst you are still an active client of Sircle, we still have regular contact with you and you haven’t instructed us to delete your data, we will continue to retain your data in a secure environment.
We retain your personal data only for as long as necessary to fulfil the purposes outlined above, including to meet legal or accounting requirements. Typical retention periods are:
| Document Type | Retention Period |
|---|---|
| Marketing data | Until consent withdrawal or objection |
| Risk Assessments | 3 years from last review date |
| Documents of External Origin | 6 years |
| Emails and other electronic information | Relevant client or supplier related data – 6 years |
| Property documents such as leases and lease termination agreements | 6 years after lease termination |
| Client/3rd party feedback/complaints | 7 years |
| Invoices | 7 years |
| Client project related records | 15 years |
Unless the circumstances require otherwise, your personal data will be deleted or anonymised at the end of the retention period. Circumstances that will result in us keeping your data outside of these retention periods include legal and regulatory requirements and other commercial reasons (including ongoing contractual disputes).
How we keep your data secure
Security of your personal data is vitally important to Sircle and we strive to maintain security in many ways:
- Testing and reviewing our systems, networks and locations that process data,
- Maintaining security policies and procedures which are tested and reviewed periodically,
- Ensuring employees are given the tools and training to handle data responsibly,
- Ensuring employees are under a statutory or contractual obligation of confidentiality,
- Controlling access to data across various levels including system and application access, physical access and 3rd party access, robust password management procedures,
- Access, at all levels, is role-based and only granted on a ‘need to know’ basis,
- Ensuring data is periodically cleansed, archived or deleted in line with policy,
- Employees undergo screening upon joining Sircle and mandatory training for topics such as information security and data protection,
- Ensuring data is encrypted both in transit and at rest,
- Information assets are logged and equipped with up-to-date antivirus software,
- Data is regularly backed up and stored in a secure environment,
- Data breaches and security incidents are reported in line with policy and are followed up with analysis, risk assessments and corrective action where necessary.
However please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk.
What we mean by marketing
- Using your personal information by way of contact details in order to inform you and your business about new services, events and conduct campaigns
- Profiling your data in order for us to justify why we have previously processed your data and why we would continue to do so
- To identify what type of marketing information we believe may be of use to you and what you may be interested in
- We will only use your information for marketing purposes when we justify our reasons to be a lawful basis using either ‘legitimate interest’ or ‘consent’
- We will only use your information for marketing purposes in accordance with applicable law and where you have not indicated a preference not to hear from us
- We may periodically ask you to review your preferences about how we contact you and will make it easy for you to change your mind
Use of Cookies
We comply with PECR as amended by DUAA. Low-risk cookies may be set without consent in limited cases. Non-essential cookies require prior consent. Where we rely on a cookie consent exemption (e.g. for certain low-risk analytics or functionality purposes), we will provide clear information and an easy way for you to object/opt out, and we will not use these exemptions for advertising-related tracking.
Our website uses cookies to distinguish you from other users, enhance your experience, and analyse site traffic. You have control over cookie settings and may choose to disable cookies via your browser preferences. Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our service, or makes an enquiry.
Please refer to our separate Cookie Policy for detailed information. We comply with the UK Privacy and Electronic Communications Regulations (PECR).
Changes to our Privacy Notice
We may need to make changes to our policies and notices from time to time, where the processing of personal data is impacted, within the limitation set out by GDPR and the applicable data protection legislation. When we have made changes we will update the Privacy Notice on our website for you to read. Changes to this Privacy Notice will not materially alter any contractual data protection obligations without agreement where required by law.
How to contact us
If you have questions or concerns about how we use your personal data, you can make a data protection complaint to us using the following contact details:
Data Privacy Officer at [email protected] or call 0800 999 3747.
We will acknowledge receipt and investigate, keep you informed, and provide an outcome without undue delay.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO). Should you wish to pursue a complaint via the ICO, they can be contacted at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113. Website: www.ico.org.uk
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to Chad Coombes on 0800 999 3747 or by completing the contact form.
