Privacy Policy
Effective Date: 27 May 2026
Scope
This privacy policy applies to individuals ("you") whose personal data is processed through the Ovation platform when an organisation ("the Client") uses Ovation to provide services.
Where more than one Client uses Ovation in relation to you, this policy applies separately to each, and references to "the Client" mean the Client responsible for the relevant processing.
It explains what categories of your data are processed, why, on what legal basis, who processes it, and what rights you have.
1. Who We Are and Our Role
Ovation is operated by Ovation Tech Ltd, a company registered in England and Wales (Company No. 17226100).
Our role in relation to your data:
- For the services the Client enables through the platform, the Client is the data controller — they decide that the service should be offered and for what purpose. Ovation Tech Ltd acts as a data processor, processing your data on the Client's behalf and on their instructions.
- For a limited set of purposes that we determine ourselves — maintaining the security and integrity of our platform, preventing misuse, operating the service reliably, and retaining records to defend potential legal claims — Ovation Tech Ltd acts as an independent data controller. These purposes are described in Sections 4 and 6.
Contact details:
- Company: Ovation Tech Ltd
- Address: 124-128 City Road, London, EC1V 2NX, United Kingdom
- Data protection contact: Tom Stayte | data-officer@ovation.ac
For questions about the Client's own handling of your data, please also refer to the Client's privacy notice.
2. What Personal Data We Process
Ovation is a platform that processes personal data to provide services configured by the Client. The following categories of personal data may be processed:
- Registration data — such as your name and details about the event or programme you are associated with.
- Responses — answers to any questions the Client chooses to ask you. These questions are set and controlled by the Client.
- Content — text and media you send and receive as part of the service.
- Profile and contact information — such as your display name and phone number.
- Metadata — such as timestamps, identifiers, and delivery statuses.
You provide your information upon registering with us, usually via a link or code distributed by the Client. The Client does not transfer any data to us in order to set up the service.
3. How Your Data Is Collected
We process personal data that you provide when you register for and interact with the platform, together with material provided by the Client to operate the service. We do not collect personal data about you from other sources.
4. Why We Process Your Data (Legal Bases)
- Performance of the service (on the Client's behalf): We process your data to deliver the services the Client has commissioned. The Client, as controller, relies on its own legal basis for this processing.
- Legitimate interests (Ovation Tech Ltd): As an independent controller, we process limited data to operate the platform reliably, maintain its security, prevent misuse, and retain records necessary to defend potential legal claims.
- Consent: Where the Client asks for your consent for a specific optional purpose, that processing is carried out on the basis of your consent.
5. How We Use Your Data
We use your personal data to:
- Register you for the service
- Provide and deliver the services the Client has enabled
- Operate, maintain, and troubleshoot the platform
- Maintain security and prevent misuse
- Maintain records as described in Section 6
We do not use your data for our own marketing or advertising.
6. How Long We Keep Your Data
We retain data for up to 7 years in order to maintain proper business and security records. This is necessary to protect against potential legal action (the limitation period for contract and tort claims in England and Wales is 6 years; we retain for a further year to allow for claims brought near the end of that period).
You may request deletion of your data, and we will comply where this does not conflict with our legitimate interests in maintaining records for potential legal proceedings or platform security.
Requests relating to data we process on the Client's behalf may be made to the Client or to us; where appropriate we will direct your request to, or coordinate with, the Client.
7. Data Storage and Security
- Access is strictly restricted to authorised personnel only.
- Data in transit is encrypted.
- Media and files are encrypted at rest.
- Access to systems is strictly controlled through authentication, restricted network access, and firewalling.
- Application-level access controls ensure each Client can only access its own data.
- Our infrastructure is regularly updated and continuously monitored.
Our primary data storage is located within the UK/EEA. Some processing carried out by our sub-processors may take place outside the UK/EEA, subject to appropriate safeguards under UK data protection law.
8. Data Sharing and Sub-processors
We share your personal data only with:
- The Client — who accesses service data via the platform. If the Client downloads or exports data, they become responsible for that data under their own privacy policy.
- Our sub-processors — we use third-party providers for purposes such as email, messaging, hosting, and cloud processing, in order to operate the platform. These providers process data under appropriate data processing agreements. Our current list of sub-processors is available at https://ovation.ac/sub-processors.
- Where our service is delivered via WhatsApp, operated by Meta Platforms Ireland Limited, messages, media, and metadata sent and received through the service are processed by Meta as part of WhatsApp's infrastructure. Meta is listed as a sub-processor on our sub-processor page.
We do not sell or rent your personal data.
9. Your Rights
Under UK data protection law, you have the right to:
- Access your personal data and receive a copy
- Correct inaccurate or incomplete data
- Delete your data (subject to our legitimate interests in record-keeping and security)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Withdraw consent where processing is based on consent
To exercise these rights, contact us at data-officer@ovation.ac. Because the Client is the controller for much of this data, we may direct you to the Client, or coordinate with them, to fulfil your request.
10. Changes to This Policy
We may update this privacy policy from time to time. Any significant changes will be communicated through our website.
11. Complaints
If you have concerns about how your personal data is handled, you can:
- Contact us at data-officer@ovation.ac
- Contact the Client's data protection team
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
12. Data Breaches
In the event of a data breach that poses a risk to your privacy, we will notify the relevant authorities and, where required, affected individuals in accordance with UK data protection requirements. Where we act as a processor, we will notify the relevant Client without undue delay.
13. Children's Data
The service is intended for adults and is not directed at children under 13. We do not knowingly process data from children under 13 without parental consent.
14. Contact Us
For any questions about this privacy policy, please contact:
Tom Stayte | data-officer@ovation.ac | +44 207 112 8599