SYS · PRIVACY

1.1 In this Policy, the following terms have the meanings set out below:

“Data Protection Legislation” means, as applicable: the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018; the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) to the extent it applies; the Data Protection Act 2018 (DPA 2018); the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003); the Data (Use and Access) Act 2025 (DUAA 2025); and any subordinate legislation, guidance, or codes of practice issued thereunder, each as amended or replaced from time to time.

“EEA” means the European Economic Area, comprising the member states of the European Union together with Iceland, Liechtenstein, and Norway.

“Data Subject” means an identified or identifiable natural person to whom personal data relates.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person which processes personal data on behalf of the Controller.

“Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

2.1 Where a Data Subject provides the Company with personal data relating to another individual, the Data Subject is responsible for ensuring that the individual concerned is aware of the contents of this Policy and, where required, has provided any necessary consent to the disclosure and processing of their personal data.

2.2 The Company will process such third-party personal data in accordance with this Policy and the applicable Data Protection Legislation, including the information obligations set out in Articles 13 and 14 UK GDPR.

2.3 Where the Company collects personal data other than directly from the Data Subject, it will provide the information required under Article 14 UK GDPR within a reasonable period of obtaining the data and, in any event, no later than one month thereafter, unless an exemption applies.

3.1 The Company facilitates the exercise of Data Subject rights under: (i) Articles 15 to 21 UK GDPR (and, where applicable, the equivalent provisions of EU GDPR); and (ii) Articles 22A to 22D UK GDPR (as substituted by the Data (Use and Access) Act 2025, which replaced Article 22 UK GDPR — noting that Article 22 EU GDPR continues to apply for any processing subject to EU GDPR jurisdiction), including the rights of access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making.

3.2 Requests to exercise any Data Subject right should be directed to the Company’s designated contact for data protection matters at info@infiniverde.com. The Company will respond within one calendar month of receipt of a valid request, subject to any permitted extension under applicable Data Protection Legislation.

3.3 Where the Company acts as a Processor on behalf of a third-party Controller, it will promptly refer any Data Subject rights requests to the relevant Controller and will provide such assistance as is reasonably required to enable the Controller to fulfil its obligations.

1.1 This Privacy Policy (the “Policy”) describes how INFINIVERDE LTD (registered in England & Wales, Company No. 14895243), trading as InfiniVerde (“the Company”, “we”, “us”, “our”), collects, uses, stores, and shares personal data in connection with the operation of its website at infiniverde.com and the provision of its services.

1.2 The Company is the sole Data Controller in respect of personal data collected through infiniverde.com and in connection with the services described herein.

1.3 This Policy is issued in accordance with the UK GDPR, the DPA 2018, and all other applicable Data Protection Legislation. It should be read alongside any supplementary privacy notices provided at the point of data collection.

1.4 This Policy applies to all Data Subjects whose personal data is processed by the Company, including website visitors, prospective clients, research subscribers, and other individuals who interact with the Company.

1.5 The Company reserves the right to amend this Policy from time to time. Any material changes will be communicated in accordance with §11 below.

2.1 The Company’s registered address and principal contact details for data protection matters are as follows:

INFINIVERDE LTD
164 New Cavendish Street, London W1W 6YT
England
2.2 For all data protection enquiries, including requests to exercise Data Subject rights, please contact:

Email: info@infiniverde.com
2.3 The Company does not operate a dedicated telephone line for data protection enquiries. All requests should be submitted in writing to the email address set out above.

3.1 The Company collects and processes the following categories of personal data, depending on the nature of the interaction:

(a) Identity and Contact Data
Full name; email address; organisation or employer name; job title (where provided).

(b) Enquiry and Communications Data
The content of any message submitted through the contact form on infiniverde.com, and any subsequent correspondence between the Data Subject and the Company.

(c) Technical and Usage Data
IP address; browser type and version; device identifiers; pages visited on infiniverde.com; time and date of access; referring URLs; cookie data, subject to the Company’s Cookie Policy.

3.2 The Company does not collect Special Category Data through infiniverde.com.

3.3 The Company does not collect financial data, identity verification documents, or tax-related information through infiniverde.com.

4.1 The Company processes personal data for the following purposes:

(a) Responding to Enquiries
To respond to messages and enquiries submitted through the contact form on infiniverde.com and to manage any subsequent correspondence.

(b) Service Improvement
To analyse usage of infiniverde.com in order to improve functionality, content, and user experience.

(c) Legal and Regulatory Compliance
To comply with applicable legal and regulatory obligations, including record-keeping and responding to lawful requests from competent authorities.

(d) Prevention and Detection of Fraud or Crime
To assist in the prevention and detection of fraud or other criminal activity where required or permitted by applicable law.

(e) Defence of Legal Claims
To establish, exercise, or defend legal claims in connection with the Company’s activities.

(f) Geographic Region Detection
We use a first-party cookie (iv-corridor) to determine the geographic region from which you access infiniverde.com. This information is used solely to optimise content delivery and is not shared with third parties. The cookie is set by our hosting provider’s edge network and expires after 7 days. Further details are set out in our Cookie Policy.

5.1 The Company processes personal data on the following legal bases under Article 6 UK GDPR:

(a) Legitimate Interests (Article 6(1)(f))
Processing is necessary for the purposes of the Company’s legitimate interests, provided those interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject. This basis applies to: (i) responding to enquiries submitted through the contact form (§4.1(a)), where the Data Subject has voluntarily initiated contact; (ii) analysis of website usage for service improvement purposes (§4.1(b)); and (iii) the establishment, exercise, or defence of legal claims (§4.1(e)). In all such cases the Company has assessed that its legitimate interests are proportionate and do not unduly prejudice Data Subjects.

(b) Compliance with a Legal Obligation (Article 6(1)(c))
Processing is necessary for compliance with a legal obligation to which the Company is subject. This basis applies to regulatory compliance and record-keeping obligations (§4.1(c)) and to the prevention and detection of fraud or other criminal activity where required or permitted by applicable law (§4.1(d)).

(c) Consent (Article 6(1)(a))
Where the Company relies on consent as the legal basis for processing, including in connection with any future marketing communications, the Data Subject’s consent will be obtained prior to processing. Data Subjects may withdraw consent at any time in accordance with §9.1(h) below.

6.1 The Company may transfer personal data to recipients located outside the United Kingdom or the EEA. Where such transfers occur, the Company takes reasonable steps to ensure that appropriate safeguards are in place in accordance with Chapter V UK GDPR and, where applicable, Chapter V EU GDPR. The transfer mechanisms used include the following:

(a) Adequacy Decisions
Transfers to countries or territories that have received an adequacy decision from the UK Secretary of State (under UK GDPR) or the European Commission (under EU GDPR), confirming that the recipient country provides an equivalent level of data protection.

(b) Binding Corporate Rules (BCRs)
Transfers to organisations that have adopted Binding Corporate Rules approved by a competent supervisory authority.

(c) EU–US Data Privacy Framework (DPF) and UK Extension
Transfers to US-based organisations that are certified under the EU–US Data Privacy Framework (adopted by the European Commission on 10 July 2023) or, for transfers from the United Kingdom, the UK Extension to the EU–US Data Privacy Framework (adopted by the UK Secretary of State in October 2023). Where transfers are made under the DPF or UK Extension, the Company periodically verifies the recipient’s certification status.

(d) UK International Data Transfer Agreement (IDTA) and UK Addendum to EU Standard Contractual Clauses
Transfers to third countries where the Company has entered into a UK International Data Transfer Agreement (IDTA) as approved by the Information Commissioner’s Office, or where the Company has incorporated the UK Addendum to the EU Standard Contractual Clauses (SCCs) as approved by the ICO under Section 119A DPA 2018.

(e) Contractual Necessity (Article 49(1)(b) UK GDPR — derogation)
In limited circumstances, where no other appropriate safeguard applies, transfers that are strictly necessary for the performance of a contract between the Data Subject and the Company, or for the implementation of pre-contractual measures taken at the request of the Data Subject. This derogation is used only for occasional, non-repetitive transfers.

(f) Legal Claims (Article 49(1)(e) UK GDPR — derogation)
In limited circumstances, where no other appropriate safeguard applies, transfers that are strictly necessary for the establishment, exercise, or defence of legal claims. This derogation is used only for occasional, non-repetitive transfers.

6.2 Data Subjects may request further information regarding the specific safeguards applicable to any international transfer by contacting info@infiniverde.com.

7.1 The Company may share personal data with the following categories of recipients:

(a) Service Providers and Data Processors
Third-party organisations engaged by the Company to provide services on its behalf, including IT and hosting providers, analytics service providers, and professional advisers. Such parties are engaged under written data processing agreements and are permitted to process personal data only in accordance with the Company’s instructions. Current principal data processors include: Vercel Inc (hosting infrastructure, United States) and Google LLC (analytics via Google Analytics 4, United States). International transfers are protected by the UK Extension to the EU-US Data Privacy Framework.

(b) Group Members
Other entities within the REinfinite group of companies, where necessary for the purposes described in §4 above and subject to appropriate intra-group data sharing arrangements.

(c) Corporate Transactions
In connection with any merger, acquisition, restructuring, or sale of all or part of the Company’s business or assets, personal data may be disclosed to prospective or actual purchasers, subject to appropriate confidentiality obligations.

(d) Regulatory and Legal Authorities
Competent authorities, regulators, law enforcement agencies, courts, and other public bodies where the Company is required or permitted to do so by applicable law, including for the prevention and detection of fraud or other criminal activity.

7.2 The Company does not sell personal data to third parties. The Company does not share personal data with third parties for their own marketing purposes without the prior consent of the Data Subject.

8.1 The Company retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law or regulation.

8.2 In particular:

(a) Contact form submissions and associated correspondence are retained for a period of two years following the last interaction, after which they are securely deleted or anonymised, unless a longer retention period is required for the establishment, exercise, or defence of legal claims.

(b) Where a legal claim has been brought or is reasonably anticipated, the Company will retain relevant personal data for such longer period as is necessary to establish, exercise, or defend that claim.

(c) Personal data processed for other purposes is retained for such period as is necessary for those purposes, taking into account applicable limitation periods for legal claims and any other legal obligations.

8.3 Where the Company is required to retain personal data beyond the periods set out above by reason of a legal obligation, regulatory requirement, or ongoing legal proceedings, it will retain such data until the relevant obligation or proceedings are concluded.

8.4 At the end of the applicable retention period, personal data will be securely deleted or anonymised in accordance with the Company’s data retention and disposal procedures.

8.5 Data Subjects may request further information regarding the Company’s retention periods by contacting info@infiniverde.com.

9.1 Under applicable Data Protection Legislation, Data Subjects have the following rights in respect of their personal data:

(a) Right of Access (Article 15 UK GDPR)
The right to obtain confirmation as to whether the Company processes personal data relating to the Data Subject and, if so, to receive a copy of that data together with supplementary information about the processing.

(b) Right to Rectification (Article 16 UK GDPR)
The right to require the Company to correct inaccurate personal data and to complete incomplete personal data without undue delay.

(c) Right to Erasure (Article 17 UK GDPR)
The right to request the deletion of personal data where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn and no other legal basis applies, or where the data has been unlawfully processed, subject to applicable exemptions.

(d) Right to Restriction of Processing (Article 18 UK GDPR)
The right to request that the Company restricts the processing of personal data in specified circumstances, including where the accuracy of the data is contested or where the Data Subject has objected to processing pending verification of the Company’s grounds.

(e) Right to Data Portability (Article 20 UK GDPR)
The right to receive personal data provided to the Company in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

(f) Right to Object (Article 21 UK GDPR)
The right to object to the processing of personal data on grounds relating to the Data Subject’s particular situation, where processing is based on a lawful basis that permits objection. The Company will cease processing unless it can demonstrate compelling grounds that override the Data Subject’s interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

(g) Rights in Relation to Automated Decision-Making (Articles 22A to 22D UK GDPR, as substituted by the Data (Use and Access) Act 2025)
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. See §15 for further information.

(h) Right to Withdraw Consent
Where processing is based on consent, the Data Subject has the right to withdraw that consent at any time by contacting info@infiniverde.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

9.2 To exercise any of the rights set out in this section, Data Subjects should submit a written request to info@infiniverde.com. The Company will respond within one calendar month of receipt of a valid request. Where a request is complex or numerous requests have been received, the Company may extend this period by a further two months, in which case the Data Subject will be notified of the extension and the reasons for it within the initial one-month period. In accordance with Article 12A UK GDPR (as inserted by the Data (Use and Access) Act 2025), the one-month response period is paused where the Company requests clarification of the scope of the request or verification of the Data Subject’s identity; the period resumes upon receipt of the required information.

9.3 The Company will not charge a fee for responding to a Data Subject rights request unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused, in accordance with applicable Data Protection Legislation.

9.4 The Company may request proof of identity before processing a Data Subject rights request in order to verify that the request is made by or on behalf of the Data Subject concerned.

10.1 If a Data Subject considers that the Company has not complied with its obligations under applicable Data Protection Legislation, the Data Subject has the right to lodge a complaint with the relevant supervisory authority.

10.2 For Data Subjects located in the United Kingdom, the supervisory authority is:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
10.3 The right to lodge a complaint does not affect any other administrative or judicial remedy available to the Data Subject under applicable law.

10.4 For Data Subjects located within the EEA, the right to lodge a complaint may be exercised with the supervisory authority in the EU member state of the Data Subject’s habitual residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu.

10.5 In accordance with the Data (Use and Access) Act 2025, the Company has established a formal data protection complaints procedure. Data Subjects who consider that their personal data has been handled in breach of applicable Data Protection Legislation may submit a complaint directly to the Company at info@infiniverde.com. The Company will:

(a) acknowledge receipt of any complaint within 30 days; and(b) respond to the complaint without undue delay and in any event within a reasonable period, providing reasons for any decision reached.
10.6 The Company encourages Data Subjects to raise concerns with the Company in the first instance before escalating to the ICO or another supervisory authority, so that issues may be resolved promptly where possible.

11.1 The Company aims to review this Policy at least once every twelve months and may update it from time to time to reflect changes in applicable law, regulatory guidance, or the Company’s data processing activities.

11.2 Where material changes are made to this Policy, the Company will use reasonable efforts to notify affected Data Subjects by email or by posting a prominent notice on infiniverde.com, using the contact details held on record.

11.3 The “Last Updated” date at the top of this Policy indicates when it was most recently revised. Data Subjects are encouraged to review this Policy periodically.

12.1 The Company has designated a compliance contact responsible for data protection matters. All Data Subject rights requests, data breach reports, and general enquiries should be directed to:

Data Protection Contact
INFINIVERDE LTD
164 New Cavendish Street, London W1W 6YT
Email: info@infiniverde.com
12.2 The designated contact is responsible for:

(a) monitoring the Company’s compliance with applicable Data Protection Legislation;(b) providing advice and guidance on data protection obligations;(c) acting as the primary point of contact for Data Subjects and supervisory authorities in relation to data protection matters;(d) maintaining records of processing activities in accordance with Article 30 UK GDPR.
12.3 Data protection matters are handled by the compliance function. There is no requirement under Article 37 UK GDPR to appoint a formal Data Protection Officer at this time; the Company will appoint one should its processing activities reach the thresholds specified in Article 37(1) UK GDPR.

13.1 The Company maintains internal procedures for detecting, reporting, and investigating personal data breaches in accordance with Articles 33 and 34 UK GDPR.

13.2 Where the Company becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, it will notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR. Where notification is not made within 72 hours, the Company will provide the reasons for the delay.

13.3 Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company will notify the affected Data Subjects without undue delay, in accordance with Article 34 UK GDPR, unless one of the exemptions set out in Article 34(3) applies.

13.4 All suspected or confirmed personal data breaches should be reported immediately to info@infiniverde.com.

14.1 The Company carries out Data Protection Impact Assessments (DPIAs) in respect of processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 35 UK GDPR and the ICO’s published guidance on DPIAs.

14.2 DPIAs are conducted prior to commencing any new high-risk processing activity and are reviewed periodically or whenever there is a material change to the relevant processing.

14.3 Where a DPIA indicates a high residual risk that cannot be mitigated, the Company will consult the ICO prior to commencing the relevant processing, in accordance with Article 36 UK GDPR.

14.4 Data Subjects or other interested parties may request further information regarding the Company’s DPIA process by contacting info@infiniverde.com. The provision of any DPIA documentation in response to such a request is subject to applicable exemptions and the Company’s discretion.

15.1 The Company does not carry out automated decision-making, including profiling, that produces legal or similarly significant effects concerning Data Subjects, within the meaning of Articles 22A to 22D UK GDPR (as substituted by the Data (Use and Access) Act 2025, which replaced the original Article 22 with a revised regime).

15.2 All decisions that materially affect Data Subjects are subject to human review and are not made solely by automated means.

15.3 Should the Company introduce any significant automated decision-making processes in the future, it will update this Policy accordingly, implement the mandatory safeguards required under Articles 22A to 22D UK GDPR (including informing affected Data Subjects, providing the right to make representations, and enabling human review), and rely on an appropriate lawful basis.

16.1 The Company implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure, in accordance with Article 32 UK GDPR.

16.2 The technical security measures employed by the Company include, without limitation:

(a) SSL/HTTPS encryption for all data transmitted via infiniverde.com;(b) Malware detection and anti-virus software on all systems used to process personal data;(c) Vulnerability scanning to identify and remediate security weaknesses on a regular basis;(d) Web Application Firewall (WAF) to protect against common web-based threats;(e) Network firewall controls to restrict unauthorised access to the Company’s systems;(f) Self-hosted assets — all fonts and static assets served from infiniverde.com are hosted on the Company’s own infrastructure, minimising data exposure to third-party content delivery networks.
16.3 The Company also implements organisational measures including access controls limiting personal data to employees and contractors with a business need to know, staff training on data protection obligations, duties of confidentiality binding all persons with access to personal data, and contractual requirements imposed on third-party processors.

16.4 No method of electronic transmission or storage is entirely secure. The Company cannot guarantee the absolute security of personal data transmitted to or from infiniverde.com. Data Subjects transmit personal data at their own risk and are encouraged to take appropriate precautions.

16.5 In the event of a suspected security incident, Data Subjects should contact info@infiniverde.com without delay.

17.1 The Company’s website at infiniverde.com uses cookies and similar tracking technologies to enhance user experience and to collect Technical and Usage Data as described in §3.1(c) above.

17.2 Further information regarding the types of cookies used, their purposes, and how Data Subjects may manage their cookie preferences is set out in the Company’s Cookie Policy.

17.3 Analytics cookies on infiniverde.com are configured in consent mode, meaning no analytics data is collected until the Data Subject has provided consent via the cookie banner. Full details of the cookies used, their purposes, and how to manage preferences are set out in the Company’s Cookie Policy.

18.1 The Company will not share personal data with any third party without the consent of the Data Subject, save as expressly set out in this Policy or as required by applicable law.

18.2 The Company is not responsible for the privacy practices of third-party websites linked from infiniverde.com. Data Subjects are advised to review the privacy policies of any third-party websites they visit.

19.1 To the fullest extent permitted by applicable law, the Company’s liability arising from or in connection with this Policy is limited to its obligations under the Data Protection Legislation. Nothing in this Policy creates any right, remedy, or cause of action beyond those provided by applicable law.

19.2 Nothing in this Policy excludes or limits liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be excluded or limited by applicable law.

20.1 This Policy and any dispute arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

20.2 The courts of England and Wales shall have exclusive jurisdiction in relation to any dispute arising out of or in connection with this Policy.

21.1 The Company aims to review this Policy at least once every twelve months to ensure that it remains accurate, complete, and compliant with applicable Data Protection Legislation.

21.2 The “Last Updated” date displayed at the top of this Policy reflects the date on which it was most recently reviewed and, where applicable, revised.

21.3 Any questions regarding this Policy or the Company’s data protection practices should be directed to info@infiniverde.com.

This Policy is issued by INFINIVERDE LTD (Company No. 14895243), registered in England & Wales, whose registered office is at 164 New Cavendish Street, London W1W 6YT.