Chromacity takes your privacy very seriously.

In this privacy policy we are going to tell you about

  • What personal data we collect about you
  • How we collect your personal data
  • The basis on which we use your personal data
  • Who we share your information with
  • How long your personal data will be kept
  • Transferring your data outside the European Union
  • The steps we take to protect personal data and
  • How to contact us about this policy
  • Cookies Policy

Our use of your personal data is subject to your instructions, the EU General Data Protection Regulation (GDPR), other relevant UK and EU legislation and our professional duties to clients.

Chromacity Limited, registered no SC442724, Registered Office 13 Melville Street, Edinburgh EH3 7PE

Our Head of Privacy oversees compliance with data protection laws and this policy and provides guidance and advice to the as company required.

Contact information for our Head of Privacy is provided below under the heading How to contact us about this policy.


What personal data we collect about you

We may collect information from you in the course of our business, including when you engage us to provide you with details of our products and/or services, when you contact or request information from us, when you use our website or as a result of your relationship with one or more of our staff and clients.

The personal information we may collect about you includes:

  • Contact information such as your name, title, address, telephone number, mobile phone number, job title, name of employer, fax number and email address. Address may include both business address and home address where you have provided that to us;
  • Information relating to the products which you may be considering purchasing from us;
  • Information processed for relationship management and file opening procedures such as name, business information, identification and your relationship to a person;
  • Information about your use of our IT, communication and other systems including your password(s), and other monitoring information, e.g. such as information relating to materials and communications we send to you electronically;
  • Information to enable us to check and verify your identity should it be required, e.g. your date of birth or passport details;
  • Payment data, such as data necessary for processing payments and fraud prevention, including bank and building society details.
  • Information collected from publicly available resources and credit agencies or any other information needed to enable us to undertake a credit or other financial checks on you;
  • Information provided to us for the purposes of attending meetings and events, including information about access or dietary requirements;
  • Details of your visits to our premises; and/or
  • Membership of a professional or trade association or union.

In general, you will be able to choose whether or not to provide us with your personal data. If you do not provide the personal data that we need to collect then this may affect our ability to provide products or services to you, for example because this personal data is required to process your instructions or and if you do not provide personal data we ask for, it may delay or prevent us from providing services to you.


How we collect your personal data

We collect most of this information from you:

  • When you or your organisation use or contact us to provide quotes or details of our products and services;
  • When you browse, provide information or use our website;
  • When you or your organisation make an enquiry for our services or otherwise engage with our staff for business related purposes;
  • When you attend a seminar or other event (including training) organised by Chromacity or where you are a guest of Chromacity;
  • Where you sign up to receive information from us;
  • Where you or your organisation provide services to us.
  • We may also collect information from third party sources including:
  • Publicly accessible sources such as Companies House or Registers of Scotland;
  • Credit reference agencies or government agencies;
  • Third party organisations that you have or have had dealings with.

We may also collect information via our website or via our information technology (IT) and other systems, for example:

  • Automated monitoring of our websites and other technical systems, such as our computer networks and connections, access control systems, communications systems, email and instant messaging systems.

We use cookies on our website (for more information on cookies, please see our cookies policy at the end of this page).


How and why we use your personal data

Under data protection law, we can only use your personal data if we have a proper reason for doing so.

This will be for one of the following reasons:

  • For the performance of our contract with you or to take steps at your request before entering into a contract, for example because processing is necessary for the performance of a customer instruction;
  • To comply with our legal and regulatory obligations;
  • For our legitimate interests or those of a third party;
  • Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

We may process special category personal data for the following reasons:

  • Where you have given your explicit consent;
  • For compliance with a legal obligation;
  • Where it is in your vital interests;
  • Where you have made the personal data public; and/or
  • For compliance with an employment law obligation.

There may be additional reasons which will be notified to you where they apply.

In the next section The basis on which we use your personal data we give more information about the way in which your information is used.


The basis on which we use your personal data

We have explained our reasons for using your personal data. We set out below more detail on the ways in which we use your personal data. We use your data:

  • To provide products or other services to you, including technology solutions as requested by you or your organisation;
  • To ensure the confidentiality of commercially sensitive information;
  • To manage and administer your or your organisation’s business relationship with Chromacity including use for the purposes of processing payments, accounting, billing and collection and other support services;
  • To comply with professional, legal and regulatory obligations that apply to our business, e.g. rules issued by our professional regulators;
  • Where necessary to gather and provide information required by or relating to audits, enquiries or investigations by enforcement authorities, regulatory bodies, courts, tribunals and government agencies;
  • To deal with any complaints received;
  • To ensure business policies are adhered to, e.g. policies covering security and internet use and to prevent unauthorised access and modifications to systems;
  • For operational reasons, such as ensuring safe working practices, improving efficiency, risk management, training, staff assessment and quality control;
  • For statistical analysis to help us improve our services and communications to you or the strength of our relationship with you or to manage our practice, e.g. in relation to our financial performance, client base, work type or other efficiency measures;
  • For marketing our services to you;
  • For the purposes of external audits and quality checks, e.g. for ISO accreditation and the audit of our accounts;
  • For insurance purposes;
  • To identify those who are authorised to deal with Chromacity on behalf of our customers, suppliers and/or service providers;
  • To ensure your needs are catered for in connection with any event you may attend; and/or
  • For recruitment. Where you apply for a job we will give you further information about how your personal data will be used.

We will also process personal data which is provided to us by or on behalf of our clients for the purposes of services we provide to them.


Managing our business

In relation to a number of uses of personal data we refer to above we are using such personal data on the basis that it is in our legitimate interests or those of a third party for us to do so. These interests cover a number of aspects of our business operations, namely:

  • Ensuring that we are as efficient as we can be so we can deliver the best product and/or service for you;
  • To allow us to provide bespoke services where requested by you;
  • Protecting our commercially valuable information and also our intellectual property;
  • For credit control purposes and to make sure our customers can pay for the services we provide;
  • For the purposes of risk management and to maintain our accreditations so we can demonstrate we operate to the highest standards; and
  • Ensuring we are able to keep up to date with our clients and contacts and developments in their organisations.


Marketing communications

We have a legitimate interest in processing your personal data for promotional purposes (see above The basis on which we use your personal data). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal data with the utmost respect.

We use personal data to look at whether you read the emails and other materials that we send to you. We also use it to look at whether you click on the links included in such materials and whether and how you visit our website after you click on that link (immediately and on future visits). We do this by using software that places a cookie on your device which tracks this activity and records it against your email address. Please see our cookie policy for more information about our use of cookies. If you remove this cookie it will not affect your use of our website.

You have the right to opt out of receiving promotional communications at any time by:

If you ask us to delete your information in accordance with your rights set out below, we will retain basic information on a suppression list to record your request and to avoid sending you unwanted materials in the future.

You can also update your marketing preferences and give us more detail of the type of information you would like to receive from us by contacting us on our preference centre.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.


Use of website

At a number of points on our website you are asked to provide information, for example. our contact page. At the point at which information is requested it is clear what the purpose of providing the information is and we will only use the personal data you provide to us for that purpose.

Our website makes use of Google Analytics to look at how our website is used. This is done by placing small text files, known as session cookies, on your device to collect information about how visitors use our website. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. This information is transmitted to and stored by Google on servers in the US.

Further details of our use of cookies can be found in our cookie policy.


Who we share your personal data with

We share personal data on a confidential basis where required for the purpose of providing the best possible support for our products or services and for administrative, billing and other business purposes.

We also routinely share personal data with:

  • Our insurers and brokers, external auditors, banks and other third parties which provide services to us to allow us to fulfil our regulatory obligations and for risk management purposes;
  • Courts, law enforcement authorities, regulators or lawyers or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process or to comply with our legal and regulatory obligations;
  • Third parties for the purposes of collecting your feedback our service provision, to help us measure our performance and to improve and promote our services;
  • External service suppliers, representatives and agents that we use to make our business more efficient, e.g. technology service suppliers, marketing agencies, document collation, translators or analysis suppliers;
  • Third parties involved in hosting or organising relevant events to which you have been invited.

We will only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to us and to you and to ensure compliance with data protection laws.

We may also, should the need arise, need to share some personal data with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible.

The recipient of the information will be bound by confidentiality obligations.

We may also use aggregated personal data and statistics for the purpose of monitoring website usage in order to help us develop our website and our services.

Other than as set out above, we will only disclose your personal data when you direct us or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or as required to investigate actual or suspected fraudulent or criminal activities.

Personal data about other people which you provide to us

If you provide personal data to us about someone else (such as one of your directors or employees, a member of your family or someone with whom you have business dealings) you should ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this privacy policy.


How long your personal data will be kept

We will hold your data for as long as is necessary for the purposes set out in this privacy policy. Different retention periods apply for different types of data. We have in place a retention policy which sets out the different retention periods for the types of information we hold.

The retention periods we apply take account of:

  • Legal and regulatory requirements and guidance;
  • Limitation periods that apply in respect of taking legal action;
  • Our ability to defend ourselves against legal claims and complaints;
  • Good practice; and
  • The operational requirements of our business.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.


Updating personal data about you

We also need to know that your information is accurate and up to date so please advise of any changes or You should also use this email address if you want to cancel any request you have made to us or you become aware of any inaccuracy in the data we hold about you.


Transferring your personal data out of the European Union

To deliver services to our clients, it is sometimes necessary for us to share your personal data outside the European Union (EU), e.g.:

  • Where your, or our, service providers are located outside the EU;
  • If you are based outside the EU.

These transfers are subject to special rules under European and UK data protection law.

We will, however, implement appropriate safeguards to ensure the transfer complies with European and UK data protection law and all personal data will be secure. If you would like further information on these safeguards please contact our Head of Privacy (see How to contact us about this policy below).


The steps we take to protect your personal data

We will take appropriate technical and organisational measures to keep your personal data confidential and secure. We have appropriate security measures in place which take account, in particular, of the risks arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.


The rights you have in relation to your personal data

You have the following rights, which you can exercise free of charge:

You can ask us to:

  • Provide a copy of your personal data;
  • Correct any mistakes in your personal data;
  • Delete your personal data – in certain situations;
  • Restrict processing of your personal data – in certain circumstances, e.g. if you contest the accuracy of the data; and
  • Provide you with a copy of the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations.

You can object:

  • At any time to your personal data being processed for direct marketing (including profiling);
  • In certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.

If you would like to exercise any of those rights, please email us at

Your objection (or withdrawal of consent) may mean we cannot perform the services you have requested of us or you may not be able to use the services we offer. We will advise you where this is the case. In certain circumstances even if you withdraw your consent we may still be able to process your personal information if required or permitted by law or for the purpose of exercising or defending our legal rights or meeting our legal and regulatory obligations.

You also have the right to complain to the supervisory authority in the part of the European Union where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner so please contact us in the first instance.

Our contact details can be found in the section below How to contact us about this policy.


How to contact us about this policy

Please contact us if you have any questions about this privacy policy or the information we hold about you.

Our contact details are shown below:

Head of Privacy, Chromacity Limited, 13 Melville Street, Edinburgh, EH3 7PE




When you enter the Site, we create your profile, assign a personal identification number, then send this personal identification number back to your hard drive in the form of a cookie, which is a very small bit of code (a few kilobytes) that contains no personal information. This code is uniquely yours and allows you to navigate the Site without having to fill out registration forms with information you have already provided as long as you are using the same computer from which you initially supplied the information. We do not engage in list selling or “cookie swapping” with other companies.