Skip to content
Meridian Consulting Group

Legal

Privacy Policy

How we collect, process and protect your personal data.

Last updated: 16 April 2026Contact: legal@meridiangroup.it.com

1. About this policy

This Privacy Policy explains how MERIDIAN CONSULTING GROUP LTD (“Meridian”, “we”, “our” or “us”) collects, uses, stores and protects personal data. It applies to our website at meridiangroup.it.com, our client workspace and any direct engagement you have with us.

We are committed to protecting your privacy and processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Data (Use and Access) Act 2025.

2. Who we are (data controller)

MERIDIAN CONSULTING GROUP LTD is a private limited company registered in England and Wales under company number 17101771.

  • Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
  • Company number: 17101771
  • SIC codes: 70229 (Management consultancy), 70210 (Public relations and communications)
  • Data protection contact: legal@meridiangroup.it.com

For the purposes of UK data protection law, Meridian is the controller of personal data collected through this website and during client engagements.

3. Personal data we collect

3.1 Data you provide directly

  • Contact enquiries: name, work email, company name and the content of your message when you use our contact form.
  • Account data: full name, email, hashed password (when you register for a client workspace account) or Google account identifier (if you sign in with Google).
  • Engagement data: business context, stakeholder details, materials and information shared during the scoping and delivery of a consulting engagement.
  • Billing data: information necessary to raise invoices, including company billing name, address and VAT number where applicable.

3.2 Data collected automatically

  • Technical data: IP address, browser type and version, operating system, device information, referrer URL.
  • Usage data: pages visited, time spent, navigation paths. Collected only with your consent through optional analytics cookies.
  • Security data: authentication tokens, session identifiers, Cloudflare Turnstile challenge results used to prevent automated abuse.

3.3 Data from third parties

  • Identity providers: when you sign in with Google, we receive your name and email address.
  • Public sources: we may review publicly available business information (for example, LinkedIn, Companies House) during engagement scoping.

3.4 Special category data

We do not ask for or knowingly process special category data (racial or ethnic origin, political opinions, religious beliefs, health, biometrics, sexual orientation). If such data is incidentally shared during an engagement, we will return or securely delete it.

4. How we use your personal data

  • To respond to your enquiries and proposal requests.
  • To create and manage your client workspace account and authenticate your sign-in.
  • To scope, deliver and invoice consulting engagements.
  • To send service communications, engagement updates and requested follow-ups.
  • To protect the security of our website, account systems and client data.
  • To improve our services and understand how our website is used (only with analytics consent).
  • To comply with our legal and regulatory obligations.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not sell personal data to third parties.

5. Legal bases for processing

We rely on the following lawful bases under Article 6 UK GDPR:

  • Performance of a contract - to provide consulting services, operate your account and handle billing.
  • Legitimate interests - to run and secure our business, communicate with prospective clients who enquired about our services, and understand how our website performs.
  • Consent - for optional analytics and marketing cookies, and for any other processing where consent is the appropriate basis. Consent can be withdrawn at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation - to comply with UK laws including tax, accounting, anti-money-laundering and data protection requirements.
  • Recognised legitimate interest - where applicable under the Data (Use and Access) Act 2025, including processing for network and information security.

6. How we share your data

We share personal data only where strictly necessary, and only with organisations bound by contractual data protection terms. Our processors include:

  • Supabase Inc. - authentication and database hosting. Data hosted in the EU region (Frankfurt).
  • Resend, Inc. - transactional email delivery (account emails, enquiry notifications).
  • Google Ireland Limited / Google LLC - Google Sign-In authentication (only if you choose to use Google to sign in).
  • Cloudflare, Inc. - DNS, content delivery network and Turnstile bot-protection service.
  • Professional advisers - accountants, auditors and legal counsel, bound by confidentiality.
  • Public authorities - where disclosure is required by law or legal process.

We do not sell, rent or trade personal data with any third party.

7. International data transfers

Some of our processors may transfer or store personal data outside the United Kingdom and the European Economic Area. Where this occurs, we rely on one or more of the following safeguards under UK GDPR Article 46:

  • UK adequacy regulations or a UK Government adequacy decision for the destination country.
  • The UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
  • Other safeguards approved by the Information Commissioner.

A copy of the relevant safeguards is available on request to legal@meridiangroup.it.com.

8. Data retention

  • Contact form submissions: 24 months from the date of submission, or until the conclusion of a resulting engagement, whichever is later.
  • Client account data: while the account is active, plus 24 months following last activity. Accounts inactive for 36 months may be deleted after notice to the registered email.
  • Engagement records: six years from the end of the engagement, to comply with UK tax and company law.
  • Billing and financial records: six years from the end of the financial year to which they relate, per HMRC requirements.
  • Website analytics (when enabled): up to 14 months for event-level data.
  • Consent records: for the duration of the consent plus 12 months, as evidence of compliance.
  • Security and audit logs: up to 12 months unless retained longer to investigate an incident.

9. Your rights

Under UK GDPR you have the following rights:

  • Access - obtain a copy of personal data we hold about you.
  • Rectification - correct inaccurate or incomplete data.
  • Erasure - request deletion where the law allows.
  • Restriction - ask us to limit processing in certain circumstances.
  • Portability - receive certain data in a structured, commonly used, machine-readable format.
  • Object - to processing based on legitimate interests or for direct marketing.
  • Withdraw consent - where processing is based on consent.
  • Automated decisions - not to be subject to solely automated decisions that produce legal or similarly significant effects. We do not make such decisions.

To exercise any right, contact legal@meridiangroup.it.com. We may ask you to verify your identity before acting on a request. We will respond within one month; complex or numerous requests may take up to three months, and we will explain any delay.

10. Security

We take appropriate technical and organisational measures to protect personal data, including encrypted connections (HTTPS/TLS), secure password hashing, access controls limited to authorised personnel, principle-of-least-privilege role assignments, regular software updates, bot protection and logging. Despite these measures, no online system can be guaranteed entirely secure. You are responsible for keeping your account credentials confidential.

11. Children

Our services are directed to businesses and are not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact legal@meridiangroup.it.com and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services, technologies, legal requirements or business practices. The “Last updated” date at the top of this page indicates when it was most recently revised. Material changes will be signalled on the website and, where appropriate, notified to registered account holders by email.

13. Contact and complaints

If you have questions, concerns or complaints about how we handle your personal data, please contact us first:

  • Email: legal@meridiangroup.it.com
  • Post: Data Protection, MERIDIAN CONSULTING GROUP LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time:

  • ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

MERIDIAN CONSULTING GROUP LTD

71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Company number: 17101771 · Registered in England and Wales

SIC 70210 · 70229

For legal enquiries: legal@meridiangroup.it.com

← Back to home