Privacy Policy

Last updated:

Effective Date: 4 March 2026  |  Last Updated: 4 March 2026  |  Document Reference: OVX-PP-001

1. Who We Are and Data Controller Identity

Orvexium (“Company”, “we”, “us”, “our”) is the data controller in respect of personal data collected through the Website at https://orvexium.com and through the provision of our Services. We are subject to the UK General Data Protection Regulation (“UK GDPR”) as implemented by the Data Protection Act 2018.

Data protection enquiries should be directed to: privacy@orvexium.com

2. Personal Data We Collect

2.1 Data You Provide Directly

  • Identity data: full name, job title, organisation;
  • Contact data: email address, telephone number, postal address;
  • Communication data: the content of enquiries, correspondence, and messages submitted via our contact forms or by email;
  • Professional data: information provided in the course of a client engagement, including technical requirements and security-related disclosures.

2.2 Data Collected Automatically

  • Technical data: IP address, browser type and version, operating system, referral source, and device identifiers;
  • Usage data: pages visited, time spent on pages, links clicked, and navigation paths;
  • Cookie data: as described in our Cookie Policy.

3. Legal Basis for Processing

We process personal data on the following lawful bases under Article 6 UK GDPR:

  • Contract (Art. 6(1)(b)): where processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract;
  • Legal obligation (Art. 6(1)(c)): where processing is required to comply with a legal obligation to which we are subject;
  • Legitimate interests (Art. 6(1)(f)): where processing is necessary for our legitimate interests (such as improving the Website, maintaining security, and preventing fraud), provided those interests are not overridden by your rights and freedoms;
  • Consent (Art. 6(1)(a)): where you have provided clear, affirmative consent to the processing of your data for a specific purpose, such as the receipt of marketing communications.

4. How We Use Personal Data

  • to respond to enquiries and provide information about our Services;
  • to negotiate, enter into, and perform contracts for the provision of Services;
  • to manage our client relationships and maintain client records;
  • to operate, maintain, and improve the Website;
  • to detect, prevent, and investigate security incidents and fraudulent or unlawful activity;
  • to comply with legal and regulatory obligations;
  • to send service-related communications and, where consent has been obtained, marketing communications.

5. Data Sharing

We do not sell personal data. We may share personal data with:

  • Service providers: third-party vendors who process data on our behalf pursuant to data processing agreements that meet UK GDPR requirements;
  • Professional advisers: solicitors, accountants, and insurers under obligations of professional confidentiality;
  • Regulatory and law enforcement authorities: where disclosure is required by applicable law, court order, or regulatory direction;
  • Prospective acquirers: in the context of a business reorganisation, merger, or acquisition, subject to appropriate confidentiality obligations.

6. International Transfers

Where we transfer personal data outside of the United Kingdom, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including the use of the UK International Data Transfer Agreement (“IDTA”), standard contractual clauses approved by the Information Commissioner’s Office (“ICO”), or transfers to countries that benefit from UK adequacy regulations.

7. Retention

  • Client engagement data is retained for a minimum of seven (7) years following the conclusion of the engagement, consistent with our obligations under English law;
  • Website enquiry data is retained for a period of two (2) years from the date of the enquiry, unless an ongoing business relationship is established;
  • Technical and usage data is retained for up to twelve (12) months.

8. Your Rights Under UK GDPR

  • Right of access (Art. 15): to obtain confirmation of whether we process your personal data and, if so, to receive a copy;
  • Right to rectification (Art. 16): to require us to correct inaccurate or incomplete personal data;
  • Right to erasure (Art. 17): to require us to delete your personal data in certain circumstances;
  • Right to restriction of processing (Art. 18): to require us to restrict processing of your data in certain circumstances;
  • Right to data portability (Art. 20): to receive your personal data in a structured, commonly used, machine-readable format;
  • Right to object (Art. 21): to object to processing based on legitimate interests or for direct marketing purposes;
  • Rights in relation to automated decision-making (Art. 22): not to be subject to solely automated decisions that produce significant legal or similar effects.

To exercise any of these rights, please contact us at privacy@orvexium.com. We will respond within one calendar month of receipt. We may require verification of your identity before processing a request.

9. Cookies

The Website uses cookies and similar tracking technologies. For full details of the cookies we use and the choices available to you, please refer to our Cookie Policy.

10. Security Measures

We implement technical and organisational measures appropriate to the nature of the data and the risks presented by our processing activities. These include end-to-end encryption for sensitive communications, access controls enforcing the principle of least privilege, routine security assessments, and staff training on data protection obligations. Further detail is set out in our Security Policy (OVX-SP-001).

11. Changes to This Policy

We may revise this Privacy Policy from time to time. The revised policy will be posted on this page with an updated “Last Updated” date. Material changes will be notified to you where practicable.

12. Contact and Data Protection Enquiries

13. Supervisory Authority

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”):