top of page

Privacy Policy

​Effective date: 10 September 2025

​

Who we are: Arcwell is a brand of Nevrast Consulting Ltd (“we”, “us”, “our”). We provide consulting services to SMEs and private equity firms.

​

  • Controller: Nevrast Consulting Ltd, trading as Arcwell

  • Company number: 15924692

  • Registered office: 4th Floor Radius House, 51 Clarendon Road, Watford, Hertfordshire, England, WD17 1HP

  • Website: https://arcwell.consulting

  • Privacy contact: info@arcwell.consulting

 

This policy explains how we process personal data when you visit our website, contact us, or engage our services. Where we handle personal data on behalf of clients (e.g., during discovery/pilots), we act as a processor and our Data Processing Addendum (DPA) governs.

​

1) The data we collect
 
1.1 Data you provide directly
​

  • Contact and identity — name, work email, phone, job title, company.

  • Enquiries — messages you send via forms or email, meeting notes, preferences.

  • Bookings — availability/slots and related metadata (if you use our scheduling tool).

  • Contract & billing — correspondence, POs, invoicing details (if you become a client).

  • Recruitment — CV, cover letter, interview notes (if you apply).

​​

1.2 Data collected automatically
​

  • Technical/usage — IP address, device/browser type, pages viewed, referrers, session duration.

  • Cookies — see our Cookie Policy for categories and choices.

​​

1.3 Data from third parties
​

  • Lead data from referrals, networking sites, or public registers.

  • Scheduling metadata from our booking tool (if used).

 

We do not intentionally collect special category data (e.g., health, ethnicity) via our website or sales channels. Please do not include it in forms.

​

2) Why we use your data (purposes & legal bases)

 

We use your personal data for the following purposes:

​

  • To provide our services: To respond to your inquiries, provide consulting services, and manage our business relationship with you.

  • To improve our website and services: To understand how you use our website and make improvements, and to develop new services.

  • For marketing purposes: To send you updates, newsletters, and information about our services that we believe may be of interest to you. You can opt-out of these communications at any time.

  • To comply with legal obligations: To meet our legal and regulatory requirements.

​

You may object to processing based on legitimate interests at any time. Where we rely on consent, you can withdraw it at any time.

​

3) Cookies and analytics

 

We use essential cookies for site operation and (with your consent) analytics cookies to understand site usage. Manage preferences via our cookie banner at any time. See our Cookie Policy for details.

​

4) Who we share data with (recipients)

 

We use third-party providers as processors to operate the website and deliver services. Typical categories:

​​

  • Website & hosting: Wix.com Ltd (site hosting and forms).

  • Analytics: Google Analytics (GA4) (pseudonymous usage statistics; consent-based).

  • Scheduling: Calendly LLC.

  • Email & productivity: Google Workspace.

  • File storage / collaboration: Google Drive.

  • Advisers (accounting/legal): where necessary to run our company.

 

We require processors to protect data appropriately and process it only under our instructions. We do not sell personal data.

​

5) International transfers

Some providers may process data outside the UK/EEA. Where they do, we rely on UK adequacy regulations (if applicable) or implement appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with any required supplementary measures.

​

6) Security

 

We apply proportionate technical and organisational measures, including MFA on core systems, role-based access, encryption in transit and at rest (as provided by vendors), least-privilege administration, device hardening, logging/alerts, and regular access reviews. Access is limited to personnel with a need to know.

​

7) Retention

 

We keep data only as long as necessary for the purpose collected, including legal, accounting, and defence purposes. Typical retention periods are as follows:

​

  • Responding to enquiries and providing quotes - 24 months after last contract. Example data: contact details, enquiry text. Legal basis (UK GDPR): legitimate interests (B2B sales) or steps to contract.

  • Providing and managing services - 7 years after project close. Example data: contact details, work product, contracts. Legal basis (UK GDPR): performance of a contract.

  • Booking meetings or events - 24 months after last activity. Example data: name, email, availability, notes. Legal basis (UK GDPR): legitimate interests.

  • Improving sites and services (analytics) - 26 months (or tool default). Example data: pseudonymous usage data. Legal basis (UK GDPR): consent (for non-essential cookies).

  • Sending B2B update and marketing - until you opt-out. Example data: name, work email, role. Legal basis (UK GDPR): legitimate interests (PECR corporate subscribers) or consent.

  • Compliance and record-keeping - 6-7 years. Example data: Invoices, contracts, controller logs. Legal basis (UK GDPR): legal obligation.

  • Security and fraud prevention - up to 24 months. Example data: IP, event logs. Legal basis (UK GDPR): legitimate interests.

​

If you unsubscribe from marketing, we retain your contact in a suppression list to honour opt-outs.

​

8) Your rights (UK GDPR)

 

You have the right to access, rectify, erase, restrict, object (including to B2B direct marketing), and port your data in certain cases, and to withdraw consent where we rely on consent.

​

To exercise rights, email info@arcwell.consulting. We will respond within one month (extendable by two months for complex requests).

 

Supervisory authority (UK): Information Commissioner’s Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: www.ico.org.uk. Contact Number: +44 303 123 1113.


You can complain to the ICO, but please contact us first so we can try to resolve your concern.

​

9) B2B marketing and PECR

 

We may contact corporate subscribers (work email addresses) about relevant services under legitimate interests, with an easy way to opt out. Non-B2B marketing is sent only with consent. Every marketing email includes an unsubscribe link.

​

10) Children

 

Our website and services are intended for adults in a business context. We do not knowingly collect children’s data.

​

11) Third-party links

Our site may contain links to third-party sites/services. Those sites have their own privacy practices. We are not responsible for their content or policies.

​

12) Changes to this policy

We may update this policy from time to time. The latest version will always be available at /privacy with the effective date at the top. Material changes will be signposted on the site.

​

13) Contact

 

Questions or requests about this policy or your data rights:

​

Email: info@arcwell.consulting


Post: Data Protection, Nevrast Consulting Ltd (trading as Arcwell), 4th Floor Radius House, 51 Clarendon Road, Watford, Hertfordshire, England, WD17 1HP

​

Notes for clients
​

Where we process personal data on your behalf, we do so under a Data Processing Addendum (DPA) that sets out roles, security measures, sub-processors, and international transfer mechanisms. We will align with your security questionnaires and vendor due diligence as needed.

 

This policy is provided for general information and is not legal advice. Please consult your legal counsel for obligations specific to your organisation.

bottom of page