Privacy policy.

We may collect and use your data. We do this transparently, with appropriate safeguards and respect for your rights under UK law.

Last updated: January 2026

This Privacy Policy explains how Empact Transformation Ltd (“Empact”, “we”, “us”, “our”) collects, uses, stores and protects personal data when you visit our website, use our tools, or engage with our services.

We are committed to handling personal data responsibly, transparently and in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information we collect

Information you provide directly. We collect personal data when you interact with us directly, including when you:

- contact us via our website or email,

- request a consultation or assessment,

- engage with our advisory, diagnostic or assurance services.

This may include your name, email address, phone number, job title, organisation, and any other information you choose to provide.

If you use any of our online assessment tools we collect the responses you submit in order to assess organisational empathy capability and provide tailored insights and recommendations.

Information collected automatically. When you visit our website, we collect limited technical data, including:

- IP address,

- browser type and version,

- device and operating system information,

- pages visited and time spent on the site.

This information helps us understand how our website is used and improve its performance, usability and security.

Information relating to client engagements

As part of our discovery, transformation and assurance work, we may process data relating to organisations, employees, customers or stakeholders. This may include:

- organisational data,

- employee or customer feedback,

- experience insights,

- performance, service or outcome metrics.

Such data is collected and processed strictly for the purposes of the engagement and in accordance with contractual and legal obligations. We always engage with the information security teams of our clients before commencing with engagements.

2. How we use your data

We use personal data only where there is a lawful basis to do so, including performance of a contract, legitimate interests, consent, or legal obligation.

We use your data to:

- respond to enquiries and requests,

- deliver our services and tools,

- manage client and professional relationships,

- provide insights, assessments and recommendations,

- improve our website and digital services.

Use of online assessments:

Data collected through any online assessments on this website is used to:

- generate indicative assessment,

- support follow-up discussions where requested.

We may also use aggregated and anonymised insights derived from online responses to refine our methodology, inform research and support thought leadership. Individuals and organisations are not identifiable in such outputs.

Marketing and communications

We do not sell personal data.

We do not use your personal data for marketing communications unless you have explicitly consented to receive them. You can withdraw consent at any time.

3. Artificial intelligence and analytics

Empact may use analytics and artificial intelligence tools to support research, insight generation, diagnostics and product development.

Where AI or automated tools are used:

- they are intended to support human analysis and judgement,

- outputs are reviewed and interpreted by people,

- appropriate safeguards are applied to protect privacy and confidentiality.

We do not use personal data to train public or third-party AI models.

4. Data protection and security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or disclosure.

These include:

- access controls and role-based permissions,

- secure systems and environments,

- regular reviews of data handling practices.

Access to personal data is limited to Empact team members and associates who require it to perform their roles and who are subject to confidentiality obligations.

5. Data retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law or contract.

When data is no longer required, it is securely deleted or anonymised.

6. Your rights

Under the UK GDPR, you have the right to:

- access your personal data,

- request correction of inaccurate data,

- request deletion of your data in certain circumstances,

- restrict or object to processing,

- request data portability,

- withdraw consent where processing is based on consent.

If you believe your data has been mishandled, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

To exercise any of your rights, please contact us using the details below.

7. Third parties and data sharing

We do not share personal data with third parties except:

- where necessary to deliver our services,

- where required by law or regulation,

- where we engage trusted service providers acting as data processors.

All third-party processors are subject to appropriate data protection and confidentiality agreements and may only process data in accordance with our instructions.

8. Cookies and tracking

Our website may use essential cookies required for security and core functionality.

We do not use non-essential cookies, analytics or tracking technologies without your consent. Where analytics are enabled, data is used solely to understand website performance and improve user experience.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect access to core website functionality.

9. International transfers

We primarily process data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations.

The “Last updated” date at the top of this policy will be amended accordingly. Continued use of our website or services after changes are made constitutes acceptance of the updated policy.

11. Contact us

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is handled, please contact us:

Email: privacy@empact.uk

We aim to respond to all data protection enquiries within 30 days.

Information we collectHow we use your dataArtificial intelligence and analyticsData protection and securityYour rightsThird parties and data sharingCookies and trackingInternational transfersChanges to this policyContact us