Data Protection Policy

Last updated:

Effective Date: 4 March 2026  |  Last Updated: 4 March 2026  |  Document Reference: OVX-DPP-001

1. Purpose and Scope

This Data Protection Policy sets out the framework by which Orvexium (“Company”, “we”, “us”, “our”) ensures compliance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and all other applicable data protection legislation in force in England and Wales.

This Policy applies to all personal data processed by Orvexium in connection with the operation of the Website at https://orvexium.com, the provision of Services to clients, and our internal business operations. It applies to all data subjects whose personal data we process, including Website visitors, clients, prospective clients, and business contacts.

2. Data Protection Principles

In accordance with Article 5 of the UK GDPR, Orvexium commits to processing personal data in adherence to the following principles:

  • Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  • Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Data minimisation: Personal data collected shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure inaccurate data is erased or rectified without delay;
  • Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed;
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures;
  • Accountability: Orvexium, as data controller, is responsible for and able to demonstrate compliance with all of the above principles.

3. Lawful Basis for Processing

Orvexium processes personal data only where a lawful basis exists under Article 6 UK GDPR. Where processing involves special category data as defined under Article 9 UK GDPR, an additional condition under Article 9(2) must also be satisfied. The applicable lawful bases for our processing activities are documented in our Records of Processing Activities (“ROPA”), maintained pursuant to Article 30 UK GDPR.

4. Data Minimisation

We collect only the personal data that is strictly necessary for the identified purpose. All data collection forms, intake processes, and service delivery procedures are designed to request the minimum data required. We conduct periodic reviews to identify and remove data fields that are no longer necessary.

5. Accuracy

We maintain procedures to ensure that personal data held by us remains accurate and current. Data subjects are encouraged to notify us of any changes to their personal data. Where we become aware that personal data held is inaccurate or out of date, we take reasonable steps to correct or delete it promptly.

6. Storage Limitation and Retention

Personal data is retained only for as long as is necessary for the purpose for which it was collected or as required by applicable law. Our data retention schedule specifies retention periods for each category of personal data. Data is securely deleted or anonymised upon expiry of the applicable retention period.

7. Security Measures

Orvexium implements technical and organisational security measures commensurate with the risks presented by our processing activities and the nature of the personal data processed. These measures include:

  • end-to-end encryption for personal data transmitted over public networks;
  • encryption of personal data at rest using industry-standard algorithms;
  • role-based access controls implementing the principle of least privilege;
  • multi-factor authentication for all systems that store or process personal data;
  • routine vulnerability assessments, penetration testing, and security audits;
  • staff training and awareness programmes covering data protection obligations;
  • incident response and breach management procedures.

8. Data Subject Rights

Orvexium is committed to facilitating the exercise of data subject rights as provided under Articles 15 to 22 of the UK GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. Rights requests should be submitted to privacy@orvexium.com. We will respond within one calendar month, extendable by a further two months in cases of complexity or volume, with written notice of any extension.

9. Personal Data Breach Notification

In the event of a personal data breach as defined under Article 4(12) UK GDPR, Orvexium shall:

  • assess the breach and document the facts, effects, and remedial action taken in accordance with Article 33(5);
  • notify the Information Commissioner’s Office (“ICO”) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons;
  • notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 UK GDPR.

10. Third-Party Processors

Where Orvexium engages third-party data processors, we ensure that appropriate data processing agreements are in place that meet the requirements of Article 28 UK GDPR. We conduct due diligence assessments of prospective processors prior to engagement and undertake periodic reviews to ensure continued compliance. Processors are permitted to process personal data only on our documented instructions.

11. International Data Transfers

Any transfer of personal data to a third country or international organisation is conducted only in compliance with Chapter V UK GDPR. Where no UK adequacy regulation applies, transfers are made pursuant to appropriate safeguards, including UK International Data Transfer Agreements (“IDTA”) or equivalent mechanisms approved by the ICO.

12. Accountability and Governance

Orvexium maintains Records of Processing Activities in accordance with Article 30 UK GDPR. We conduct data protection impact assessments (“DPIAs”) for processing activities likely to result in a high risk to data subjects, consistent with Article 35 UK GDPR. This Policy is reviewed on an annual basis or following any significant change to our processing activities or applicable law.

13. Contact