Privacy and Security
How Bigfoot Networks collects, uses, and protects your data. Our commitments to privacy, transparency, and information security.
We take the protection of your data seriously. This page explains what we collect, why we collect it, and how we keep it safe.
Bigfoot Networks provides managed IT services to businesses across the UK. In delivering those services, we collect and process personal data. This page sets out how we handle that data, what rights you have, and the security measures we apply to protect it.
We comply with UK GDPR and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office. We maintain ISO 27001 certification and Cyber Essentials Plus accreditation. These are not just credentials on a wall; they reflect the standards we apply every day to the way we handle data.
This page covers our privacy policy and security practices. For our Terms of Service, Service Level Agreement, Acceptable Use Policy, and Data Processing Agreement, please see our Legal page.
What data we collect
We collect personal data only where it is necessary to deliver our services, operate our business, or meet a legal obligation. We do not collect data speculatively or for purposes unrelated to our services.
Contact information
Your name, email address, phone number, company name, and job title. We collect this when you enquire about our services, submit a contact form, book a call, or become a client. This information is necessary to communicate with you and deliver our services.
Technical and monitoring data
System logs, performance metrics, device information, network configuration data, and security event data. We collect this as part of our managed service delivery to monitor, maintain, and secure the IT environments we support. This data relates to your organisation’s systems, not to individuals.
Support and service data
Support ticket history, service requests, communication records, resolution details, and feedback. We collect this through our service desk and communication channels to deliver support, track issues, and maintain a record of the services we have provided.
Website and analytics data
IP address, browser type, device type, pages visited, time on page, and referral source. We collect this through our website analytics to understand how visitors use our site and to improve the experience. This data is processed in aggregate and is not used to identify individuals.
Cookie data
We use functional cookies that are necessary for our website to operate correctly and analytics cookies to understand site usage. We do not use advertising cookies, tracking cookies, or any cookies that profile visitors for marketing purposes.
Financial and billing data
Billing address, purchase order numbers, payment references, and invoice history. We collect this to process payments and maintain accurate financial records. We do not store credit card or bank account details directly; payment processing is handled by our payment provider.
“We never sell your data. We never share it for marketing purposes. We process personal data only as necessary to deliver our services and meet our legal obligations.”
How we use your data
Every use of personal data has a defined purpose and a lawful basis under UK GDPR. We rely on contract performance, legitimate interest, legal obligation, and consent, depending on the nature of the processing.
Service delivery
Processing your data as necessary to provide IT support, monitoring, and management services under our contract with you. This is our primary purpose for processing personal data and is based on the lawful basis of contract performance.
Communication
Contacting you about service updates, support tickets, scheduled maintenance, security alerts, and account matters. We communicate through email, phone, and our service desk platform based on legitimate interest and contractual necessity.
Security and monitoring
Processing technical data to detect threats, investigate security incidents, and maintain the integrity of managed environments. This processing is essential to our service delivery and is based on both contractual obligation and legitimate interest in protecting your systems.
Legal and regulatory compliance
Processing required to meet our obligations under UK GDPR, the Data Protection Act 2018, and other applicable legislation. This includes maintaining records of processing activities, responding to data subject requests, and cooperating with regulatory authorities.
Service improvement
Analysing aggregated, anonymised usage patterns to improve our service quality, efficiency, and processes. This processing does not involve identifying individual users and is based on our legitimate interest in continuously improving the services we deliver.
Website operation
Using analytics data to understand how visitors use our website, identify areas for improvement, and ensure the site functions correctly. This processing is based on legitimate interest and, where applicable, your consent to non-essential cookies.
Data sharing and third parties
We use a limited number of sub-processors to deliver our services. These include cloud platform providers such as Microsoft, monitoring and management tools, and service desk platforms. Each sub-processor is vetted for security and compliance before we engage them, and we maintain data processing agreements with all of them.
We do not sell personal data to any third party. We do not share personal data for marketing, advertising, or profiling purposes. We do not allow our sub-processors to use your data for any purpose other than delivering the services we have engaged them to provide.
Your data is primarily stored and processed in the United Kingdom and the European Economic Area. Where transfers outside these areas are necessary (for example, to a cloud service with global infrastructure), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner.
We may disclose personal data where required to do so by law, regulatory obligation, or a valid legal process such as a court order.
Data retention
We retain personal data only for as long as it is needed to fulfil the purpose for which it was collected, or as required by law. Retention periods are tied to the nature of the data and the purpose of processing.
Contract and service data is retained for the duration of our engagement with you, plus a defined period after the end of the contract to allow for any follow-up queries, legal obligations, or regulatory requirements. Support ticket data is retained for service improvement and to maintain a record of the support we have provided.
Website analytics data is anonymised or deleted within 26 months. Cookie data expires according to the lifespans defined for each cookie type. Financial records are retained in accordance with HMRC requirements.
If you request deletion of your personal data, we will action this promptly unless we are required by law to retain certain records. We will inform you if any exemption applies.
Your rights under UK GDPR
You have a number of rights regarding the personal data we hold about you. To exercise any of these rights, contact us at privacy@bigfootnetworks.co.uk. We will respond within one month.
Right of access
You can request a copy of the personal data we hold about you. We will respond within one month and provide the data in a commonly used, machine-readable format.
Right to rectification
If any personal data we hold is inaccurate or incomplete, you can request that we correct or update it. We will action rectification requests without undue delay.
Right to erasure
You can request that we delete your personal data where there is no compelling reason for us to continue processing it. This right is not absolute and is subject to legal obligations that may require us to retain certain records.
Right to restrict processing
You can request that we limit how we use your data in certain circumstances, for example while we verify the accuracy of data you have challenged or while we consider an objection you have raised.
Right to data portability
Where processing is based on consent or contract performance, you can request to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
Right to object
You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. All decisions that affect our clients are made by people.
Cookies and website tracking
Our website uses a small number of cookies. Functional cookies are necessary for the website to operate correctly and cannot be disabled. Analytics cookies help us understand how visitors use the site so we can improve it.
We do not use advertising cookies, social media tracking pixels, or any third-party cookies that profile visitors for marketing purposes. We do not participate in advertising networks or retargeting programmes.
You can control cookie preferences through your browser settings. Disabling analytics cookies will not affect your ability to use our website.
Certified information security management system
Cyber Essentials Plus accredited
Registered with the Information Commissioner’s Office
How we protect your data
Security is fundamental to everything we do. The measures below describe how we protect the data we hold. For a detailed overview of our security architecture and design principles, see our Security page.
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Encryption keys are managed through established key management procedures with regular rotation and access controls.
Access control
Role-based access controls are enforced on all systems. The principle of least privilege determines what each team member can access. Multi-factor authentication is required for all administrative access. Access rights are reviewed regularly and revoked promptly when no longer needed.
Monitoring and detection
We maintain continuous monitoring of managed environments for security events and anomalous activity. Automated alerting surfaces potential threats for investigation. Security logs and audit trails are reviewed regularly and retained for a defined period.
Incident response
We maintain documented incident response procedures with defined roles, escalation paths, and communication templates. In the event of a personal data breach, we will notify the ICO within 72 hours where required by UK GDPR and inform affected individuals without undue delay.
Data separation
Client environments are logically separated with strict access controls preventing cross-client data access. Administrative access is logged and auditable. No client data is used for purposes other than the delivery of services to that client.
Backup and recovery
Regular automated backups are performed with tested recovery procedures. Backups are stored in geographically separate UK data centres. Recovery procedures are tested periodically to ensure data can be restored within defined recovery time objectives.
“Security is not a product we sell. It is a principle we build into every environment we manage. The same controls we apply to client systems, we apply to our own.”
Incident response and breach notification
We maintain documented incident response procedures with defined roles, escalation paths, and communication protocols. Our team is trained to identify, contain, and remediate security incidents promptly.
In the event of a personal data breach, we will notify the Information Commissioner’s Office within 72 hours where required by UK GDPR. We will inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
For detailed information about our compliance and advisory services, see our Advise page.
Supply chain security
We recognise that the security of your data depends not only on our own practices but on the practices of the suppliers and sub-processors we work with. We take a structured approach to supply chain security.
All sub-processors are vetted before engagement for appropriate security certifications, data protection practices, and compliance posture. We require data processing agreements with every sub-processor that handles personal data on our behalf.
We review supplier security posture regularly and monitor for changes that could affect the security of the data we process. Where a sub-processor no longer meets our requirements, we take steps to migrate to an alternative provider.
Children’s data
Our services are provided to businesses and are not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.
Questions about privacy or security?
For any questions about how we handle your data, to exercise your rights, or to raise a concern, contact us at privacy@bigfootnetworks.co.uk.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Last updated: February 2026



