Last updated:
1st December 2025
Introduction
Ithaca Partners Limited (“Ithaca”, “we”, “us”, “our”), of Nightingale House, 46-48 East Street, Epsom, Surrey, KT17 1HQ, a company registered in England and Wales, registration number 06410279, is committed to protecting the privacy and security of the Personal Data we collect about website visitors and end customers (“you”, “your”).
The purpose of this privacy policy is to explain what Personal Data we collect about you when you visit our website. When we do this, we are the Controller of the Personal Data we process, registered in the UK with the Information Commission (“IC”), registration number Z1411382.
Please read this privacy policy carefully as it provides important information about how we handle your Personal Data and your rights. If you have any questions about any aspect of this privacy policy, you can contact us using the information provided below in the ‘Contact us’ section.
We update this privacy policy from time to time in response to changes in applicable laws and regulations, to our processing practices and to the products and services we offer. When changes are made, we will update the date at the top of this document. Please review this privacy policy periodically to check for updates.
Personal Data we collect
When you visit our website, we may collect the following categories of Personal Data:
- First and last name;
- Email address;
- CV or other documentation containing Personal Data (if uploaded); and
- Any Personal Data you choose to provide in our free-text box.
Information about our use of cookies
Our website uses cookies, which are a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns.
We use cookies to help identify and track visitors and their website access preferences. Website visitors can control which types of cookies are placed on their browser by adjusting your browser settings. To learn more about cookies, please visit https://www.allaboutcookies.org/.
Purposes for which we use Personal Data and the legal bases
We may use your Personal Data for the following purposes and on the following lawful bases:
| Purpose | Lawful basis for processing |
|---|---|
| Responding to correspondence from you | It is in our legitimate interest to respond to enquiries made via our website, through our social channels or any other means |
| Analyse and track use of the website for reporting and analytical purposes | It is our legitimate interest to monitor website usage to continually improve the user experience |
| Improving our website and the overall visitor and user website experience | We use cookies on our website with your consent. Cookies can be managed using your browser settings |
Artificial Intelligence (“AI”)
We use AI technologies to drive efficiencies within Ithaca. We use AI in line with our internal policies and procedures (including human oversight where applicable). For example, we use AI for client assignment related mapping and data analytics.
Your Personal Data may be processed by providers of AI either directly sourced by us or via third party AI tools embedded in systems providing IT services to us. Any use of AI technologies by us will be in accordance with technical and operational safeguards appropriate for data types.
Sharing your data
It is unlikely we will ever share the Personal Data of website visitors outside the UK. If this becomes necessary for the purposes of providing our services to you, we will only share it where appropriate safeguards are in place or have been entered into, such as an Adequacy Regulation (UK) or Adequacy Decision (EU), the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with supplementary measures, or another approved transfer mechanism, to ensure your Personal Data is protected to the same standard expected within the UK and EEA. Prior to transferring any Personal Data out of the UK or EEA, we will conduct either a Transfer Risk Assessment (UK Personal Data) or a Transfer Impact Assessment (EU Personal Data) to ensure the risks associated with the processing are identified and addressed.
How long we keep your data
We will retain your Personal Data for as long as is necessary to satisfy the purpose of collection and for a reasonable period thereafter.
At the end of the retention period, your Personal Data will be securely deleted. Retention periods are detailed within our Personal Data Retention Policy. This information is available upon request.
How we protect your data
We implement appropriate technical and organisational measures to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Your data protection rights
There are certain fundamental rights that you have in respect of your Personal Data:
| Rights | Description |
|---|---|
| Right to be informed | Individuals have the right to be informed about the collection and use of their Personal Data. |
| Right of access | Individuals have the right to receive a copy of their Personal Data, and other supplementary information. |
| Right to rectification | Individuals have the right to have inaccurate Personal Data rectified or completed if it is incomplete. |
| Right to erasure | Individuals have the right to request their personal information to be erased, in certain circumstances. |
| Right to restrict processing | Individuals have the right to request the restriction or suppression of their Personal Data, in certain circumstances, in particular:
|
| Right to data portability | Individuals have the right to obtain and reuse their Personal Data, in a machine-readable format, for their own purposes across different services, in certain circumstances. |
| Right to object | Individuals have the right to object to the processing of their Personal Data, in certain circumstances.
Where we are using your Personal Data because it is in our legitimate interests to do so, you can object to us using it this way. Where we are using your Personal Data for direct marketing, including profiling for direct marketing purposes, you have an absolute right to ask us to stop doing so. |
| Rights with respect to automated decision-making and profiling | Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. |
In addition to the above, an individual also has the following rights:
| Rights | Description |
|---|---|
| Right to withdraw consent | Where we are using your Personal Data based on your consent, you can withdraw your consent at any time. |
| Right to register a complaint with the Controller | You have the right to raise a complaint about how we handle your Personal Data if you feel we are infringing data protection law. |
| Right to lodge a complaint with a supervisory authority | You have the right to raise a complaint with the IC if you have exhausted all internal complaint channels. |
Exercising your data protection rights
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Contact us
If you would like to exercise your statutory data protection rights, or if you have any concerns or questions about how we handle Personal Data, please contact us at dataprotection@ithacapartners.co.uk.
Raising a complaint with the UK data protection supervisory authority
If you believe you have exhausted all possible avenues for resolving your data protection concerns with us, you may lodge a complaint with the IC by calling their Helpline on 0303 123 1113.
You can also send your postal correspondence to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Alternatively, you can contact them at https://ico.org.uk/make-a-complaint/.
Data Protection Officer
We do not have a statutory requirement to appoint a Data Protection Officer (“DPO”) under the UK GDPR. However, for the purposes of compliance and accountability, we have appointed Evalian Limited, a company specialising in data protection, cyber security and information security, as our DPO. Evalian Limited can be reached at dpo@evalian.co.uk.
