1. Who We Are

iTO.London (“we”, “our”, “us”) is a professional IT Services and Managed Service Provider based in London, United Kingdom.
We deliver IT support, cloud management, and consultancy to businesses in the UK and internationally.

For the purpose of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the Data Controller for personal data collected through our website and marketing systems.
When providing IT support or managed services on behalf of our clients, we act as a Data Processor, processing data only under the written instructions of the client, who remains the Data Controller.

Our contact details are:
📍 iTO.London
📧 privacy [@] ito [DOT] london


2. Scope of This Policy

This Privacy Policy explains how we collect, use, share, and protect personal data across our websites, communications, and managed services.
It applies to:

      • Visitors to our website ito.london and related subdomains.
      • Clients and their authorised users.
      • Suppliers, partners, and other business contacts.

3. Information We Collect

We collect the following categories of data depending on your interaction with us:

a. Information You Provide
        • Name, job title, company, and contact details (email, phone, address).
        • Account registration or service subscription information.
        • Billing and payment details.
        • Support tickets, email correspondence, and feedback.
b. Information Collected Automatically
        • IP address, browser type, operating system, and device identifiers.
        • Usage logs from our website or client portals.
        • Cookies and analytics data (see Section 11).
c. Information Processed During Service Delivery

In the course of managed IT support or cloud administration, we may process:

        • System and device identifiers, usernames, and access logs.
        • Diagnostic, network, and monitoring data from servers or endpoints.
        • Backup metadata, email headers, and service tickets.

We only process this data as necessary to deliver contracted services or comply with legal obligations.


4. How We Collect Data

      • Directly from you via contact forms, email, or contractual engagement.
      • Automatically when you browse our website or use our tools.
      • From trusted third parties, such as vendors or referral partners, where lawful to do so.

5. Purpose and Lawful Basis for Processing

We process personal data under the following lawful bases:

Purpose                                                      | Lawful Basis
-------------------------------------------------------------+-----------------------------------------
Delivering IT support, managed services, and contracts       | Performance of a contract
Managing billing and customer accounts                       | Legal obligation / Contractual necessity
Improving our services and ensuring security                 | Legitimate interest
Sending service updates and communications                   | Legitimate interest
Sending marketing emails (optional)                          | Consent
Complying with law, court orders, or regulatory requirements | Legal obligation

6. Data Sharing and Sub-Processors

We do not sell personal data.
We may share data only with trusted partners who assist us in delivering our services, including:

      • Cloud & Infrastructure Providers: Microsoft (Azure, 365), Amazon Web Services, Google Cloud.
      • Support & Monitoring Tools: ConnectWise, MeshCentral, Zabbix, or equivalent RMM and ticketing systems.
      • CRM & Marketing Platforms: Amazon SES, SendGrid, MailerLite (for opted-in contacts only).
      • Accounting & Payment Providers: Square, Stripe, Xero, or similar.

All such third parties act as Data Processors under strict contracts, ensuring compliance with GDPR.
A current list of our key sub-processors can be provided upon request.


7. International Data Transfers

Some of our partners may store or process data outside the UK or European Economic Area (EEA).
Where this occurs, we ensure equivalent protection through:

      • UK Addendum to EU Standard Contractual Clauses (SCCs), or
      • Adequacy decisions approved by the UK Government.

8. Data Retention

We retain data only for as long as necessary to fulfil its purpose, or as required by law:

Type of Data                               | Typical Retention Period
-------------------------------------------+----------------------------------------------
Enquiry or contact form submissions        | 12 months
Contractual and billing records            | 6 years (for accounting and legal compliance)
Technical support logs and monitoring data | 90 days to 1 year
Backup data (if managed)                   | Defined in client contract
Marketing subscriptions                    | Until consent withdrawn or account closed

9. Data Security

We apply appropriate technical and organisational measures to protect personal data, including:

      • Encryption of data in transit and at rest.
      • Multi-factor authentication and role-based access controls.
      • Staff background screening and ongoing data protection training.
      • Secure data deletion and disposal procedures.
      • Regular security audits, patching, and vulnerability monitoring.

10. Data Breach Notification

In the unlikely event of a personal data breach, we will:

      • Assess and document the incident promptly.
      • Notify affected clients and the Information Commissioner’s Office (ICO) within the required statutory timeframe.
      • Take remedial measures to minimise impact and prevent recurrence.

11. Cookies and Analytics

Our website uses cookies and similar technologies for:

      • Essential functionality (e.g. secure login, session management).
      • Performance and analytics (e.g. Google Analytics).
      • Marketing (only with consent).

You can manage or withdraw your cookie preferences at any time using the cookie banner or browser settings.
See our separate Cookie Policy for details.


12. Your Rights

Under UK GDPR, you have the right to:

      • Access your data (Subject Access Request).
      • Rectify inaccuracies.
      • Erase your data (“right to be forgotten”).
      • Restrict or object to processing.
      • Withdraw consent at any time.
      • Receive a copy of your data in a machine-readable format (data portability).

Requests should be sent to privacy [@] iTO [DOT] London.
We will respond within one month as required by law.

If you believe we have mishandled your data, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk


13. Children’s Data

Our services are intended for business use and are not directed at children under 16.
We do not knowingly collect data from minors.


14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements.
The “Last updated” date at the top indicates when the latest revision took place.
Material changes will be notified through our website or by direct communication.


15. Contact Us

For any questions about this Privacy Policy or how we handle your data, please contact:
📧 privacy [@] iTO [DOT] London
📍 iTO.London, London, United Kingdom

Last updated: 12 Oct 2025