Privacy notice
How VulaPri Limited processes personal data, in line with the UK GDPR and the Data Protection Act 2018.
Last updated: 9 June 2026 · Version 2.1
1. Who we are
VulaPri Limited is the controller for personal data we process for our own business purposes — including website enquiries, business development, client relationship management, engagement administration, billing, legal compliance, and our own records. Where we process personal data on behalf of a client as part of a client engagement, we do so under the relevant contract and data processing terms; in those cases the client remains responsible for its own privacy information unless otherwise agreed.
- Registered in England & Wales
- Company number: 16827529
- Registered office: 86-90 Paul Street, London, EC2A 4NE, United Kingdom
- ICO registration number: ZC080376
- Privacy contact: privacy@vulapri.com
References to "we", "us", and "our" mean VulaPri Limited.
2. What personal data we collect
We collect personal data that you choose to provide, and we also collect limited technical data automatically when you use the website:
- Information you provide through the contact form — your name, work email, organisation, role (optional), the nature of your enquiry, and any free-text detail you choose to share.
- Information you provide by email or during meetings — whatever you choose to share.
- Information generated during a client engagement — for clients only: contact details for your privacy / legal / IT teams, meeting notes, advisory deliverables, and the operational context required to perform the engagement.
- Website and server data — limited technical data such as IP address, browser type, device information, timestamps, pages requested, and security logs, processed to operate and secure the website.
- Analytics data — where optional analytics are enabled, we use analytics cookies or similar technologies only in accordance with our cookies notice and your consent choices. No analytics are currently enabled.
3. Why we process your personal data and our lawful basis
Our purposes and the lawful basis we rely on for each are set out below.
| Purpose | Lawful basis |
|---|---|
| Responding to business enquiries and exploring potential engagements | Art. 6(1)(f) — legitimate interests in responding to professional enquiries and developing client relationships |
| Taking steps at an individual's request before entering into a contract with that individual | Art. 6(1)(b) — pre-contract steps |
| Delivering services to a corporate client and managing client contacts | Art. 6(1)(f) — legitimate interests in delivering and administering professional services |
| Delivering services under a contract with an individual | Art. 6(1)(b) — performance of a contract |
| Website security, server logs and basic site operation | Art. 6(1)(f) — legitimate interests in operating and securing the website |
| Optional analytics cookies and associated analytics data | PECR reg. 6 consent for storage/access on your device, and Art. 6(1)(a) UK GDPR consent where personal data is processed |
| Sending newsletters or marketing updates where you have subscribed | Art. 6(1)(a) — consent; unsubscribe at any time |
| Sending relevant business updates to existing corporate clients or business contacts | Art. 6(1)(f) — legitimate interests, where permitted by applicable electronic-marketing rules; object or unsubscribe at any time |
| Service- or engagement-related communications | Art. 6(1)(b) or Art. 6(1)(f), depending on the context |
| Legal, tax and accounting obligations | Art. 6(1)(c) — legal obligation |
Where we rely on legitimate interests, we balance that interest against your rights and freedoms, and you can object at any time.
We do not seek to collect special-category personal data through this website. During some client engagements we may encounter special-category personal data — for example when supporting a DPIA, DSAR, breach assessment or compliance review. Where we act as a processor, the client is responsible for identifying the relevant Art. 6 lawful basis and Art. 9 condition, and we process the data under the applicable data processing terms. Where we act as a controller, we will identify an appropriate Art. 6 lawful basis and, where required, an Art. 9 condition and any applicable Data Protection Act 2018 Schedule 1 condition.
4. Who we share your personal data with
We share personal data only where necessary, and under appropriate contractual safeguards. Recipients may include:
- Cloud and hosting providers — Netlify, Inc. (website hosting and form processing) and Microsoft Corporation (email, calendar, document storage via Microsoft 365), each acting as our processor.
- CRM provider — HubSpot, Inc., acting as our processor for business communications and pipeline management.
- Accounting and finance providers — Xero Limited (bookkeeping) and our accountant (when retained), each acting as our processor.
- Group entities — we may share an enquiry with Just DSARs Limited or Vula Capability Systems Limited where your enquiry clearly relates to that entity's services, where you ask us to, or where it is otherwise appropriate and consistent with your expectations.
- Sub-contracting partners — named partners (e.g. UK DataSecure for certain Genestack engagements), who may act as our processor, an independent controller, or a separate professional adviser depending on the engagement.
- Professional advisers — legal, insurance, and accounting advisers, under duties of confidence.
- Regulators, courts, and law enforcement — where required by law.
We do not sell your personal data and we do not share it for third-party marketing.
5. International transfers
Some processors are based outside the UK. Where personal data is transferred outside the UK we rely on either an adequacy decision (e.g. the UK adequacy regulations for the EEA) or an appropriate safeguard such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, in line with UK GDPR Art. 46. For transfers to the United States, we may rely on the UK Extension to the EU-US Data Privacy Framework where the recipient is actively certified and the transfer is covered by that certification; otherwise we use appropriate safeguards such as the UK IDTA or the UK Addendum.
6. How long we keep your personal data
- Enquiry data where no engagement results — up to 12 months, then deleted, unless we are required to retain it longer.
- Client engagement records — for the duration of the engagement and normally up to 6 years after the end of the relevant engagement or financial year, unless a longer period is required or justified for legal, regulatory, insurance or claims-handling purposes.
- Records required by HMRC and Companies House — for the periods set by statute (typically 6 years).
- Insurance records (PI / Cyber / PL) — retained for the duration of the policy plus the relevant limitation period for claims arising out of advice given during the policy period.
- Newsletter subscriber data — until you unsubscribe, plus 12 months thereafter.
- Website analytics — as detailed in our cookies notice.
7. Your rights
Under the UK GDPR you have the following rights, exercisable free of charge in most cases:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Portability (Art. 20)
- Object (Art. 21)
- Withdraw consent (Art. 7(3))
- Not to be subject to solely automated decisions (Art. 22). We do not make any decisions about you using solely automated processing.
Your rights are not absolute and may depend on the circumstances and the lawful basis for proces