Flag Communication Privacy Notice – September 2025

The following policy sets out how we, Flag Communication Ltd (company registration number 1783513) (hereafter referred to as ‘we’, ‘us’ or ‘our’), collect, use and store personal information in the course of our business activities, including through our website, flag.co.uk.

We are committed to handling your personal data responsibly and transparently, whether you are visiting our website, contacting us, applying for a role or working with us as a client, supplier or partner.

This policy applies to all personal information we collect and process, and it may be updated from time to time to reflect changes in our practices or applicable laws. We encourage you to review it periodically. For clarification of some of the terms used within this policy, please refer to Appendix 1 – Glossary.

How to contact us

If you wish to make an enquiry regarding your data, our data protection representative can be contacted via the following details:

info@flag.co.uk
+44 (0)20 4526 5959
31-35 Kirby Street, London EC1N 8TE, UK.

The type of personal information we collect

Contact information

When you communicate with us – whether through our website, by email, phone or other means – we may collect and retain personal information relevant to your enquiry or our working relationship. This can include your name, contact details, company name and any other information you choose to provide. We use this information to respond to your enquiry, manage our communications and support any ongoing business with you.

Job applications

If you choose to submit a CV to us, the personal information provided therein (such as, but not limited to, your contact information and address) will be retained in order to process your application.

CVs of unsuccessful candidates will be retained for six months from the date of application, unless you agree a different term with the hiring manager.

Business enquiries

All business enquiries will be forwarded to the relevant team and processed accordingly; your personal details will be retained to enable us to process your query.

Furthermore, these contact details may be used for future marketing purposes; you may opt out of these communications at any time by emailing info@flag.co.uk.

Client-provided data

In the course of delivering our services, clients may provide us with personal data. This information is used solely for the purposes of fulfilling our contractual obligations and delivering agreed services. We process such data in accordance with our clients’ instructions and applicable data protection laws, and we implement appropriate security measures to protect it.

Cookies

We use cookies on this website for the following purposes:

• Essential functionality: Some cookies are necessary to ensure the website operates correctly and provides you with core features.
• Analytics and performance: We use cookies to gather statistical and analytical information about how visitors use our site. This helps us understand user behaviour and improve our services.
• Business insights: Certain tools may collect limited information, such as IP address, pages visited, browser type, and, where available, business contact details. This data helps us analyse how businesses interact with our website.
• Personalisation: Cookies may also be used to enhance your browsing experience and tailor content to your preferences.

For a detailed list of the cookies we use, please refer to Appendix 2 at the end of this Privacy Notice.

Server logs

IP addresses associated with visits to this website are stored in server logs for fewer than 30 days and are only used for the purposes of detection and prevention of fraud, unauthorised access or other malicious activity.

How we use your information

We use your personal information to:

• respond to your enquiries and provide the information or services you request
• manage our communications with you and support any ongoing business relationship
• process and manage job applications and recruitment activities
• operate, manage and improve our website, services and business operations
• analyse website usage and engagement to help us better understand our audience
• maintain internal records and administration
• send relevant updates or marketing communications
• protect our systems and prevent fraud or unauthorised access
• comply with legal or regulatory obligations and manage legal claims where necessary.

Your information is never sold to third parties.

Lawful grounds for processing data

Please refer to the below table, in which we have determined the ways we plan to use your data, and the legal basis for doing so.

Who do we share your data with?

We only share your personal data where necessary for our business operations, to provide our services, comply with legal obligations or where you have given consent.

We may share your data with trusted third parties, including:

• technology and cloud service providers such as Google Workspace and Microsoft Azure, which we use for email, file storage, collaboration and infrastructure hosting
• analytics and business intelligence providers like ZoomInfo, which we use to better understand website activity and business prospects
• professional advisers, including technical, legal, financial and compliance consultants, where necessary for the provision of professional services
• regulatory authorities, law enforcement or other third parties when required to comply with applicable laws or respond to valid legal requests.

We require all third parties who process personal data on our behalf to handle it securely, use it only for specified purposes and act in accordance with data protection laws. We have agreements or safeguards in place to ensure they meet our standards for data protection and confidentiality.

International data transfers

As an international company with employees and operations in multiple countries, we may transfer and store your personal data outside of your country of residence, including to the United Kingdom (UK), European Union (EU), United States (US) and Canada, as part of our normal business operations.

These transfers may occur when we share information internally or use trusted service providers to support our operations, including cloud and data analytics platforms. For example, we use Google Workspace, Microsoft Azure (with servers in the UK and US) and ZoomInfo to help us manage business intelligence.

Where we transfer personal data internationally, we ensure appropriate safeguards are in place in line with applicable data protection laws. This may include:

• transferring data to countries with adequacy decisions in place (such as the EU and Canada)
• using Standard Contractual Clauses (SCCs) or equivalent safeguards for transfers to countries without an adequacy decision, such as the US
• implementing additional technical and organisational measures where appropriate to protect your data and rights.

If you would like more information about how we protect your data during international transfers, please contact us using the details at the top of this notice.

How we retain your information

We only retain your information for as long as is strictly necessary in line with our requirements and any applicable legal obligations.

There are appropriate safeguards in place to protect the integrity of your information; for example, storing it on secure servers, only granting access to it where necessary and only to authorised personnel.

Your rights

Under the UK Data Protection Act 2018 and UK GDPR (as amended by the Data Use and Access Act 2025), you have the following rights in relation to the personal information we hold about you:

1. Access – To request a copy of your personal information and details about how we use it (subject to reasonable and proportionate searches).
2. Correction – To have inaccurate or incomplete information corrected.
3. Erasure – To request that your personal information is deleted in certain circumstances.
4. Restriction – To limit how we use your information in specific situations.
5. Portability – To receive your information in a structured, commonly used and machine-readable format and transfer it to another controller.
6. Objection – To object to the use of your information, including for direct marketing purposes.
7. Withdraw consent – Where we rely on consent, you can withdraw it at any time.
8. Automated decisions – Not to be subject to decisions based solely on automated processing, including profiling, without appropriate safeguards and the ability to seek human review.
9. Complain – To lodge a complaint with the Information Commissioner’s Office (ICO) or another relevant supervisory authority.

Note: Some rights may be subject to limitations under applicable law.

Your right to complain

As a data subject, if you believe your data has been mismanaged, you have the right to make a complaint at any time to the UK supervisory authority for data protection, the Information Commissioner’s Office (ico.org.uk).

If you are based outside the UK, you may also have the right to raise your concerns with your local data protection authority.

We would, however, appreciate the opportunity to deal with any concerns prior to this, so please contact us in the first instance.

Links to third-party websites

This website may include links to third-party websites and applications. Clicking on those links may allow third parties to collect or share your data; we do not control these third-party websites and are not responsible for their privacy controls.

Appendix 1 - Glossary

Appendix 2 – Cookies

At present, the following cookies are collected: