Legal

Privacy Policy

This policy explains what personal data Apefo Ltd collects through this website, why we collect it, how long we keep it, and the rights you have over it under UK data protection law.

Who we are

This website, apefo.ltd, is operated by APEFO LTD (“Apefo”, “we”, “us”), a private company registered in England and Wales under company number 16610465.

Apefo Ltd is the data controller for the personal data described in this policy. That means we decide what data is collected through this site, why it is collected and how it is handled. This policy covers the corporate website only. The brands operated by Apefo run their own products and services, and where those products process personal data they do so under their own terms and notices.

We have not appointed a Data Protection Officer, as we are not required to under UK data protection law. Questions about this policy are handled by the company directly, through the contact page.

What personal data we collect

We collect personal data in two ways: when you send us an enquiry, and automatically when your browser requests a page from our server.

If you complete the enquiry form on our contact page, we collect:

  • your name;
  • your work email address;
  • the company or organisation you represent;
  • the enquiry type you select;
  • the content of your message, including anything else you choose to tell us in it; and
  • your confirmation that you have read this privacy policy, together with the time it was given.

Please send us only the information needed to deal with your enquiry. Do not include special category data — such as information about health, race, religion, political opinions, trade union membership, sex life or sexual orientation — or details of criminal offences. We do not ask for that data and we have no reason to process it.

Separately, our web server records a log entry for each request it receives. A log entry typically contains the IP address the request came from, the date and time, the page or file requested, the response the server gave, the referring page where one is sent, and the browser and operating system your device reports. An IP address can be personal data, so we treat these logs accordingly.

We do not buy personal data from third parties, we do not build marketing profiles, and we do not use your data to make automated decisions that produce legal or similarly significant effects.

Why we use it, and our lawful basis

Under the UK GDPR we must have a lawful basis for each use of personal data. Ours are as follows.

  • To read, route and respond to your enquiry, and to hold the correspondence that follows from it. Our lawful basis is legitimate interests: we have a business interest in receiving and answering correspondence addressed to the company, and if you contact us you would expect a reply. The processing is limited to what answering you requires.
  • To record that you agreed to this policy when submitting the form. Our lawful basis is consent, given by ticking the box on the form. You can withdraw that consent at any time; withdrawal does not affect processing carried out before you withdrew it, and if you withdraw it we may no longer be able to progress your enquiry.
  • To keep the site available and secure, using server logs to diagnose faults, investigate suspicious traffic and prevent abuse of our infrastructure. Our lawful basis is legitimate interests: running a site that works and is not misused.
  • To meet legal and regulatory obligations, where we are required to retain records or respond to a lawful request. Our lawful basis is compliance with a legal obligation.

We do not send marketing email from this website, and submitting an enquiry does not add you to a mailing list.

How long we keep it

We keep personal data only for as long as it is needed for the purpose it was collected for, and then delete it.

Enquiries that do not lead to a business relationship are deleted once the exchange is closed and there is no realistic prospect of it being needed again. Where an enquiry does lead to a contract or an ongoing commercial relationship, the correspondence is retained as a record of that relationship, and afterwards for as long as we may need it to deal with a claim or to meet a statutory record-keeping requirement. Server logs are held on a rolling basis for the short period needed to investigate faults and security incidents, and are then overwritten.

If you ask us to erase your data sooner, we will do so unless we have a legal reason to keep it, and we will tell you which reason applies.

Who we share it with

We do not sell personal data, we do not rent or trade it, and we do not share it with third parties for their own marketing.

Your data is seen inside Apefo only by the people who need it to deal with your enquiry. Beyond that, it is shared only with the service providers that make this site work — hosting and infrastructure, email delivery, and security and maintenance tooling. These providers act as our processors: they handle the data on our written instructions, for us and not for themselves, under contracts that require appropriate security and the return or deletion of the data when the service ends.

We may also disclose personal data to our professional advisers, or to a public authority, court or regulator, where we are required or permitted to do so by law. If the company or part of its business were reorganised or transferred, data could pass to the receiving entity, which would remain bound by this policy.

International transfers

We prefer to keep personal data within the United Kingdom or the European Economic Area. Some of the providers we rely on may nevertheless store or access data outside those areas.

Where that happens, we make the transfer only if a safeguard recognised by UK data protection law is in place — that the destination is covered by UK adequacy regulations, or that the transfer is made under an approved mechanism such as the International Data Transfer Agreement or the UK Addendum to the European Commission’s Standard Contractual Clauses, with additional measures where they are needed. The aim is that your data keeps a level of protection essentially equivalent to the one it has in the UK.

Your rights

Under the UK GDPR you have the following rights over your personal data:

  • Access — to be told whether we hold data about you and to receive a copy of it, along with an explanation of how it is used.
  • Rectification — to have inaccurate data corrected and incomplete data completed.
  • Erasure — to have your data deleted where we no longer need it, where you withdraw consent we relied on, or where you object and we have no overriding grounds to continue.
  • Restriction — to have us pause our use of your data, for example while we check its accuracy or consider an objection.
  • Objection — to object to processing we base on legitimate interests. We will stop unless we can show compelling grounds that override your rights.
  • Portability — to receive the data you gave us in a structured, commonly used, machine-readable format, and to have it sent to another controller where that is technically feasible.
  • Withdrawal of consent — to withdraw, at any time, consent you have given.

To exercise any of these rights, contact us through the contact page. Using them is free, and we will respond within one month. If a request is particularly complex we may extend that period, and we will tell you if we do and why. We may need to confirm your identity before we act, so that we do not disclose your data to somebody else.

If you are not satisfied with how we have handled your data or your request, you have the right to complain to the Information Commissioner’s Office, the UK’s independent supervisory authority for data protection. We would ask you to raise the matter with us first so that we have the opportunity to put it right, but you are not obliged to.

Cookies

Cookies and similar technologies are dealt with separately. Our cookie policy sets out what this site places on your device, what each item is for, and how to control or remove them through your browser.

Security

We take appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access. Traffic to this site is encrypted in transit, access to enquiry correspondence is limited to those who need it, and the platform is kept up to date and monitored. No website or system can be guaranteed completely secure, but where we identify a breach that presents a risk to your rights we will act on it and, where the law requires, report it to the Information Commissioner’s Office and tell those affected.

Changes to this policy

We review this policy periodically, and we will update it when our practices change, when we begin using a new provider that affects how data is handled, or when the law changes. The current version is always the one published on this page. Where a change materially affects how we use data we already hold, we will take reasonable steps to bring it to the attention of the people concerned.

How to contact us

For any question about this policy, about the data we hold, or to make a request about your rights, use the contact page and select the relevant enquiry type. Please tell us what you are asking for and give us enough detail to find the correspondence you are referring to.

APEFO LTD is registered in England and Wales, company number 16610465. Further detail about the company is on the company information page.