Privacy Policy

Ebury Ltd (“Ebury”, “we” or “us”) holds personal data on its clients, prospects, and their employees, to provide its services. The Privacy Policy details the personal data Ebury may retain, process, and share with third parties relating to you, your business and its employees. Ebury is committed to ensuring that your information is secure, accurate and relevant. To prevent unauthorised access or disclosure, we have implemented suitable physical, electronic, and managerial procedures to safeguard and secure personal data we hold.

We respect the privacy rights of individuals and are committed to handling personal data responsibly and in accordance with applicable law. This notice sets out the personal information that we collect and process as a data controller and/or a data processor, the purposes of the processing and the rights connected with it.

If you have any comments or questions about this notice, please contact the Data Protection Officer (details included within this notice).

What is a Data Controller?

For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.

The data controller is:

  • Ebury Ltd T/A Peak Envelopes
  • Aspect Gate
  • 1 Olds Approach
  • Watford
  • WD18 9RF

What is a Data Processor?

A “data processor” is a person or organisation which processes personal data for the controller.

Ebury may act as data processors in the following situations:

  • Communicating marketing material
  • Providing you with a quotation
  • Carrying out projects or providing advice, where personal data is required to fulfil this request.
  • To perform an order or contract


What is personal data and what data do we collect?

Personal data relates to any information about a natural person that makes you identifiable. The personal data we may collect includes the following:

  • Identification data – such as name, gender, title etc.
  • Contact details – such as home and business address, telephone numbers, email addresses, emergency contact details
  • Employment details – such as job title/position..
  • Financial information – such as banking details, tax information
  • IT information – information required to facilitate access to our clients’ website or automated systems where needed.

What is sensitive personal data?

Sensitive personal data refers to the above but includes genetic data and biometric data. For example:

  • Medical conditions
  • Religious or philosophical beliefs and political opinions
  • Racial or ethnic origin
  • Convictions
  • Biometric data (eg photo in an electronic passport)

Normally, we will not collect or process any sensitive personal data relating to our clients, unless authorised by law or where it may affect when or how we communicate e.g. religious holidays.

What is Data Processing?

Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.



Why do we collect your personal data?

Ebury, as a Data Controller and/or a Data Processor, is bound by the requirements of the General Data Protection Regulations (GDPR).

You agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge our services and for other related purposes including;

  • Updating and enhancing client records
  • Analysis for management purposes
  • Statutory returns
  • Legal and regulatory compliance
  • Crime prevention

We collect information about you when you fill in any of the forms on our website i.e. sending an enquiry, signing up for an event, filling in a survey, giving feedback etc. Website usage information is collected using cookies (please see section below).

When submitting forms on our website we may use a third-party software provider for automated data collection and processing purposes, they will not use your data for any purposes and will only hold the data in line with our policies.

How will we use the information about you and why?

Our legal basis for collecting and using the personal data described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally collect personal data from you where we need the personal information to perform a contract with you, your business or your employer (i.e. provision of services or goods), where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal data from you or may other otherwise need the personal information to protect your vital interests or those of another person. Further information on this is set out below.

Contractual purposes– We use this personal information when it is necessary for the provision of our goods or services. This also includes steps taken at your request before entering into a contract.

Legal obligation– We may use personal information where we consider it necessary for complying with laws and regulations, including collecting and disclosing staff member or individual personal information as required by law (e.g. for tax purposes), for meeting our legal responsibilities in terms of money laundering, and crime prevention regulations, under judicial authorisation, or to exercise or defend the legal rights of our firm.

Legitimate interests– We may also collect and use personal information when it is necessary for other legitimate purposes (if we have a genuine reason and we are not harming any of your rights and interests), such as to help us conduct our business more effectively and efficiently or for marketing or prospecting purposes. We may also process your personal data to investigate violations of law or breaches of our own internal policies.

We have policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, is not accessed without authorisation, and only accessed or used for specific legal purposes.

Who we share personal information with

We take care to allow access to personal information only to those who require such access to perform their tasks and duties in relation to the provision of our services, and to third parties who have a legitimate interest purpose for accessing it to support these purposes. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this notice and that the security and confidentiality of the information is maintained.

Transfers to other third parties

We may also disclose personal information to third parties on other lawful grounds, including:

  • To perform an order or contract including, but not limited to delivery contact details.
  • To carry out projects or providing advice where this transfer is necessary
  • For the purpose of collecting monies due.
  • To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process, including, but not limited to, a subpoena, government audit or search warrant
  • In response to lawful requests by public authorities (including for national security or law enforcement purposes)
  • As necessary to establish, exercise or defend against potential, threatened or actual litigation
  • Where necessary to protect the vital interests of our employees or another person
  • In connection with the sale, assignment or other transfer of all or part of our business; or
  • With your expressed consent

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information. Our appointed data processors include:

(i)Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can be emailed at:”

Transferring your information outside of Europe

As part of the services offered to you through this website, the information which you give to us may be transferred to countries outside the European Economic Area. For example, some of our third-party providers may be located outside of the EU. Where this is the case we will take steps to make sure the right security measures are taken so that your privacy rights continue to be protected as outlined in this policy. By submitting your personal data, you’re agreeing to this transfer, storing or processing. Where our third-party supplies are in the US we have ensured that their services fall under the “Privacy Shield” whereby participating companies are deemed to have adequate protection and therefore facilitate the transfer of information from the EU to the US.

If you use our services while you are outside the EU, your information may be transferred outside the EU to give you those services.



We would like to send you useful articles, advice, information about our services and events which may be of interest to you. If you receive marketing, you may opt out at any point by emailing, or by clicking on the ‘unsubscribe’ button on any marketing email.

We may collect information on our website to process your enquiry, deal with your event registration, give advice based on survey data and improve our services. If you agree, we will also use this information to share updates with you about our services which we believe may be of interest to you.

We will not share your information for marketing purposes with companies so that they may offer you their products and services.


Cookies are used on our website.

How long will we hold your data for?

  • Marketing: We will hold your data for a period of 6 years from the last communication to the organisation of which you are part. You will have the opportunity to opt out or update or delete data at any point should you need to do so and details are set out in this policy as to how to do that.
  • Pre-contractual and Contracted Services: We will hold your data for 7 years in line with our regulatory requirements.


Your data privacy rights

The following rights are available under applicable data protection law:


  • Access, correct, update or request deletion of personal information
  • Object to processing of personal information, ask us to restrict processing of personal information or request portability of personal information.
  • If we have collected and process personal information using a person’s consent, then this can be withdrawn at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, nor will it affect processing of personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of personal information. For more information, please contact your local data protection authority. In the United Kingdom, the data protection authority is the Information Commissioner’s Office whose website is

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can read more about these rights at:

Please note, our ability to facilitate aspects of any of the above rights will depend on whether we are a Data Processor or a Data Controller in relation to any specific data. Any requests received relating to data processed on behalf of clients should be referred to the Data Controller (the client company).

Access to your information, correction, portability and deletion

What is a Subject Access Request?

This is your right to request a copy of the information that we hold about you. If you would like a copy of some or all your personal information, please email or write to us using the contact details at the bottom of this notice. We will respond to your request within one month of receipt of the request.

We want to make sure your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate by emailing or writing to us using the contact details at the bottom of this notice.

Objections to processing of personal data

It is your right to lodge an objection to the processing of your personal data if you feel the “ground relating to your particular situation” apply. The only reasons we will be able to deny your request is if we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claim.

Data Portability

It is also your right to receive the personal data which you have given to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without delay from the current controller if:

(a) The processing is based on consent or on a contract, and

(b) The processing is carried out by automated means

Your Right to be Forgotten

Should you wish for us to completely delete all information that we hold about you please let us know by emailing or writing to us using the contact details at the bottom of this notice

Other websites

Our website may contain links to other websites. This privacy policy only applies to our website so when you link to other websites you should read their own privacy policies.


If you feel that your personal data has been processed in a way that does not meet the GDPR, please contact our Data Protection Officer in the first instance. You do have a right to lodge a complaint with the relevant supervisory authority. The supervisory authority in the UK is the Information Commissioner’s Office.

Changes to our Privacy Policy

We keep our privacy policy under regular review and we will place any updates on this web page.

Contact details

Please address any questions or requests relating to this Notice to our Data Protection Officer at or write to:

  • Ebury Ltd T/A Peak Envelopes
  • Aspect Gate
  • 1 Olds Approach
  • Watford
  • WD18 9RF