1. Purpose

To ensure transparency and compliance with data-protection legislation, outlining how personal information is processed, safeguarded, and retained by Ostrel Group.

2. Scope

Applies to all personal data processed by Ostrel Group in connection with its business activities, websites, and application reviews.

3. Definitions

  • Personal Data – any information relating to an identifiable individual.
  • Processing – any operation performed on personal data.
  • Data Subject – an identified or identifiable natural person.
  • Controller – Ostrel Group Ltd.
  • Processor – any third party handling data on our behalf (e.g. Microsoft, Typeform).

4. Data We Collect

We may collect and process:

  • Identification data (name, company, position, email, telephone).
  • Application or enquiry information submitted through online forms.
  • Technical data (IP address, browser type, analytics cookies).
  • Communication records (emails, messages, meeting notes).

We do not intentionally collect special-category data unless required by law.

5. How We Use Personal Data

We use personal data to:

  1. Respond to enquiries and provide requested information.
  2. Evaluate applications for investment, partnership, or funding.
  3. Manage supplier, client, and partner relationships.
  4. Maintain lawful business, tax, and compliance records.
  5. Improve our services and website performance.

6. Lawful Bases for Processing

Ostrel Group relies on:

  • Contractual necessity – to provide requested services.
  • Legitimate interests – to manage relationships and prevent fraud.
  • Legal obligation – to comply with UK regulations.
  • Consent – where marketing communications are sent.

7. Automated and AI-Assisted Processing (Microsoft Copilot & Typeform)

7.1 Ostrel Group uses Microsoft Copilot within Microsoft 365 to assist in reviewing and summarising applications submitted via Typeform.
7.2 Copilot may temporarily access textual content of applications stored in our secure Microsoft tenant. Data is not used to train any external AI models.
7.3 Processing occurs solely within Microsoft’s UK/EU data boundaries under its Data Processing Addendum.
7.4 The lawful basis is legitimate interest, ensuring efficient and consistent assessment of applications.
7.5 Applicants are informed of AI-assisted review at the point of submission and may request manual review instead.

8. Data Sharing

We may share limited personal data with:

  • Trusted suppliers (e.g. Microsoft, Typeform, Azure OpenAI) under binding processing agreements.
  • Legal, financial, or regulatory authorities where required by law.
  • Subsidiaries and associated entities of Ostrel Group for administrative purposes.
    Data is never sold to third parties.

9. International Transfers

Where data is transferred outside the UK or EEA, we ensure appropriate safeguards, such as Standard Contractual Clauses and adequacy decisions recognised by the ICO.

10. Data Retention

Personal data is kept only as long as necessary:

  • Website enquiries – 12 months.
  • Application and investment records – 7 years.
  • Contractual and financial data – 7 years.
    Upon expiry, data is securely deleted or anonymised in accordance with the Data Retention and Deletion Policy.

11. Security Measures

  • Encrypted cloud storage within Microsoft 365.
  • Multi-factor authentication for all staff.
  • Access limited to authorised personnel.
  • Regular review of security policies under IT and Cybersecurity Policy.

12. Data Subject Rights

Individuals have the right to:

  • Access their data.
  • Rectify inaccuracies.
  • Request erasure (“right to be forgotten”).
  • Restrict or object to processing.
  • Data portability.
    Requests should be sent to: privacy@ostrelgroup.com.
    We will respond within one month as required by law.

13. Cookies

Cookies are used only for site functionality and anonymised analytics. Full details are available in Cookie Policy.

14. Marketing Communications

Email marketing is permission-based. Individuals may withdraw consent at any time by using the unsubscribe link in our emails.

15. Changes to This Policy

We may update this Privacy Policy periodically. The latest version will always appear on our website, with the issue date clearly shown.

16. Governing Law

This Privacy Policy is governed by the laws of England and Wales, and disputes are subject to the exclusive jurisdiction of those courts.