This notice describes how STO Consulting collects and uses limited personal data about clients, potential clients, suppliers, and research respondents which is either done via consent or for the normal exercise of a contract between us.

All data is collected, processed, and stored in accordance with the General Data Protection Regulation (GDPR).

What data do we collect?

STO Consulting Ltd will be the ‘Controller’ of the personal data you provide to us. We only collect basic personal data about you which does not include any special categories of personal information about you (known as Special Category Data). It can include name, address, e-mail address, telephone numbers, and in the case of suppliers only financial information (payment information).

Why we need it

We need to know your basic personal data to respond to enquiries that you may make (via telephone, email or the website) and to deliver our service, issue appropriate invoices, and collect payments.  In appropriate cases, we will very occasionally contact existing and previous customers to tell them about other of our services that we believe are useful to them. For example, if you have bought a service that needs to be renewed, or repeated, or if a new service is related to what you have previously bought.

For market research respondents, our principle will be to conduct research anonymously if at all possible. That means not collecting any personal data. Limited occasions when we will collect personal data (optionally and with informed consent) will be for awarding of a prize in a prize draw as a reward for participation, or for quality checking, or if you choose to opt into any further research. The personal details in these cases will be limited to name, address, telephone number, and / or email address. Importantly, your answers to the research questions will never be linked to your personal data. No one but the interviewer will know who said what and they do not retain any data. The data goes straight into the company system.

We will not collect any personal data from you other than what we need for the reasons outlined above.

Website cookies

Like most websites, our website uses cookies, but we do not use these in a way that can identify any individual. Their purpose is to improve your experience while you navigate through the website. Only cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies known as analytics cookies that help us analyse and understand for example, how many visitors we have, which pages they view, and for how long. These cookies will be stored in your browser only with your consent. You also have the option to opt out of these cookies. But opting out of some of these cookies may affect your browsing experience.

What we do with your personal data

We only ever use your personal data with your consent, or where it is necessary for contractual purposes:

  • To enter into, or perform, a contract with you.
  • To comply with a legal duty.
  • To protect your vital interests.
  • For our own (or a third party’s) lawful interests, provided your rights don’t override these.

In any event, we’ll only use your information for the purpose or purposes it was collected (or for closely related purposes).

We may process personal information for certain legitimate business purposes, which include some or all of the following:

  • Where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers.
  • To identify and prevent fraud.
  • To enhance the security of our network and information systems.
  • To provide communications which we think will be of interest to you.
  • To get paid for services that we provide.

Whenever we process data for these purposes, we will ensure that we always keep your personal data rights in high regard and take account of these rights at all times.

When we process your personal data for our legitimate interests, we will make sure that we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests. We will not use your personal data for activities in which our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish, and if you wish to do so please email Please bear in mind that if you object this may affect our ability to carry out the tasks above for your benefit.

Where we keep it

We are based in the UK. Our registered address is: Clavering House, Clavering Place, Newcastle upon Tyne, NE1 3NG.

Some organisations which provide services to us may transfer personal data outside of the EU (where the same GDPR regulations apply), but we will only allow them to do if your data is adequately protected.

For example, some of our systems use Microsoft products. As a US company, it may be that using their products results in personal data being transferred to, or accessible from the US. The same applies to our survey platform and our file storage system. However, we will allow this as we are certain personal data will still be adequately protected (as Microsoft is certified under the USA’s Privacy Shield scheme). Other providers enter into contracts with us that specifically state that they will comply with GDPR standards.

Data Security

We have put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. We allow access to your personal data only to those employees and partners who have a business need to know such data. They will only process your personal data on our instructions and they must keep it confidential. A GDPR policy is part of our Staff Handbook.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach if we are legally required to.

How long we keep it

We will only use and store information for so long as it is required for the purposes for which it was collected. How long information will be stored depends on the information in question, and for what it is being used. For example, if you ask us not to send you marketing e-mails, we will stop storing your e-mails for marketing purposes (though we’ll keep a record of your preference not to be e-mailed).

We continually review what information we hold and delete what is no longer required. We never store payment card information except for suppliers whom we are paying. This is stored in a secure banking application. We will not retain your data for any longer than necessary, and the longest time that we will hold your data will be six years.

What are your rights?

We want to ensure that you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:

  • The right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as a data subject access request).
  • The right to have your data erased (though this will not apply where we must continue to use the data for a lawful reason).
  • The right to have inaccurate data rectified.
  • The right to object to your data being used for marketing or profiling.
  • Where technically feasible, you have the right to personal data you have provided to us which we process automatically based on your consent or the performance of a contract. This information will be provided in a common electronic format.

Please keep in mind that there are exceptions to the rights above, and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.

If you wish to raise a complaint regarding how we have handled your personal data, you can contact who will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data in a way that is not in accordance with the law, you can complain to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.