Revision date: 28 October 2025
1. About this Privacy Notice
We are CloudRock Group Holdings Ltd, trading as CloudRock.
We are a global digital transformation consultancy with offices in London, Lisbon, Mumbai, Sydney & New York
Our head office location is Salisbury House, Unit 744-750 (5th Floor), 29 Finsbury Circus, London, EC2M 5QQ.
This Privacy Notice (“Notice”) explains how we will collect, handle, store and protect personal data. Throughout this Notice, the following definitions apply:
“we”, “us”, “our” and “ours” refers to CloudRock, which includes all of our legal entities:
CloudRock Group Holdings Ltd (UK)
CloudRock Partners Ltd (UK)
CloudRock Asia Pacific Pty Ltd (Australia)
CloudRock Partners Unipessoal Lda (Portugal)
CloudRock Partners India Pvt Limited (India)
CloudRock Partners LLC (USA)
“personal data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e., anonymous data).
“Data Protection Legislation” means the EU General Data Protection Regulation 2016/679, the retained UK GDPR; together with all other applicable legislation relating to privacy or data protection (including the UK Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003, Data (Use and Access) Act 2025) and any successor or amending legislation from time to time.
‘Corporate Subscriber’ covers subscribers that are employees of a company, limited liability partnership, Scottish partnership, corporation sole, any other body corporate, any entity which is a legal person distinct from its members, or some government bodies.
‘Individual Subscriber’ covers those who have subscribed to marketing communications in a personal capacity or are considered sole traders.
“Website” means the CloudRock website (www.wearecloudrock.com)
“you” refers to our Website Users, our Suppliers (including Contractors) and Creditors, as well as our prospective, past and existing Customers or Partners and their representatives/employees.
We value and respect your privacy. We take all reasonable steps to comply with our legal duties and ethical responsibilities to manage, protect and account for your personal information, and to inform and deliver upon your data protection rights.
This Privacy Notice explains how we will collect, handle, store and protect information about you when:
discussing possible services we might provide to you;
providing our services to you;
you use our Website; or
performing any other activities that form part of the operation of our business and relationship with you.
We are both a data controller & data processor, and this Privacy Notice applies to our processing of personal data, in both our roles under Data Protection Legislation.
3. What personal data we collect?
We may collect, record and use your personal data in physical and electronic form, and will hold, use and otherwise process that data in line with Data Protection Legislation and as set out below. When we process your data in the course of delivering services to your employer, we act as the Data Processor and handle your personal data strictly under the explicit instruction of our customer, who operate as the Controllers. Our customers are also responsible for complying with all Data Protection Legislation, including providing notice, disclosure, and obtaining consent before sharing personal data to use our services.
We process your personal data as follows:
| Purpose | Personal Data | Source | Lawful Basis |
|---|---|---|---|
| Outreach to and management of prospective/existing customers and business leads | First Name, Last Name, Email Address, Job Title, Phone Number, Social Media Tag Name (i.e. the handle which identifies you along with your social media account) |
You Third Parties Contact Lists or Social Media Websites |
Our legitimate interest in providing you with information: about similar products and services that you have previously purchased or enquired about, and where you are classified as an Individual Subscriber about our products and services, and where you are classified as a Corporate Subscriber Where applicable and you have requested information about our products and services and classified as an Individual Subscriber, your consent. |
| Agreeing to service contracts and onboarding activities with customers | First Name, Last Name, Email Address, Job Title, Phone Number, Social Media Tag Name, Signature. | You |
Contractual Obligation Our legitimate interest (where there isn’t a contractual relationship and obligation with the data subject) to ensure adequate and compliant contracts are agreed and customers are onboarded adequately to provide CloudRock services. |
| Processing Invoices with Customers and Suppliers | Company Name, First Name, Last Name, Bank Details, Financial Information, Salary, Email Address, Job Title, Phone Number. | You | Contractual Obligation |
| Paying Supplier Expenses | Company Name, First Name, Last Name, Bank Details, Financial Information, Email Address. | You | Contractual Obligation |
| Attending and Hosting Events | First Name, Last Name, Job Title, Company Name, Phone Number, Email, Dietary Requirements (i.e. allergies or other requirements to be met when catering for your attendance to the event.) |
You Event Partners CloudRock Employees Third Party Contact Lists |
Our legitimate interest to cater to attendees at events. Where applicable, your consent. |
| Digital Marketing (Google Ads, LinkedIn, etc.) | First Name, Last Name, Job Title, Company Name, Phone Number, Email. | Third Parties Contact Lists or Social Media Websites |
Our legitimate interest to market our services. Where applicable, your consent. |
| Website Webforms (‘Contact us’) | First Name, Last Name, Job Title, Company Name, Phone Number, Email, Free-Text Box Data. | You |
Our legitimate interest to respond to requests and queries on our Webforms. Where applicable, your consent. |
| Surveys (TypeForm) | First Name, Last Name, Job Title, Company Name, Opinions and views on CloudRock services and employees. | You |
Our legitimate interest to ascertain feedback on our services. Where applicable, your consent. |
| Attending or Hosting Webinars | First Name, Last Name, Job Title, Company Name, Email Address, Phone Number. |
You Event Partners CloudRock Employees Third Party Contact Lists |
Your consent |
| Advisory, Delivery and Optimisation Services to CloudRock Customers |
The types of Personal Data processed by CloudRock may include, but are not limited to the following: Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description. Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details. Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations. Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records. Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records. Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information. In addition, CloudRock may process sensitive data including: - Racial or ethnic origin; - Religious or philosophical beliefs; - Data concerning the health of a data subject; - Data concerning the sex life of a data subject; and - Sexual orientation. |
Our customers and customer’s employees. | To be determined by our customers. |
3. Data Sharing
CloudRock may share your personal data with the following recipients:
Intra-group to other CloudRock entities to support in the provision of services or to facilitate CloudRock’s business.
Service providers who support CloudRock with financial duties e.g. Accountancies, Legal Counsel, Banks.
Service providers who support CloudRock with marketing activities e.g. Digital Marketing Agencies, Third Party Contact Lists.
Providers of Tools and Services used in the day-to-day business of CloudRock e.g. sales and marketing tools or platforms, time management tools, communication tools, finance solutions, contract solutions, webinar and events solutions.
Consultants and Contractors who support CloudRock e.g. IT consultants.
· Event Partners e.g. events or webinars you have attended where CloudRock is listed as a vendor or partner who will receive your personal data.
Where we use external service providers and third parties who process personal data on our behalf, we ensure to undertake adequate due diligence, establish contractual responsibilities where required by Data Protection Legislation and request those providers to implement and apply appropriate security safeguards to ensure the privacy and security of your personal data.
4. International Data Transfers
CloudRock is a global business which means that personal data may be transferred to, stored in, or processed at, a destination outside the United Kingdom (‘UK’) and/or the European Economic Area (‘EEA’). Whenever we transfer personal data to countries outside of the UK or EEA, we are required to comply with all applicable legal requirements and ensure all necessary safeguards are in place to protect your personal data, including your rights and the ability to exercise those rights.
For personal data transfers from the UK or EEA to another country without an Adequacy Decision, we will ensure that:
i. an appropriate data processing agreement (including the relevant Standard Contractual Clauses) is in place and have established a means for data subjects to obtain a copy of these (see 7. Your Rights) and
ii. we have implemented appropriate technical and organizational measures.
5. Protecting your personal data
We use a range of measures to ensure we keep your personal data secure, accurate and up to date. These include:
education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
administrative and technical controls to restrict access to personal data to a ‘need to know’ basis;
technological security measures, including fire walls, encryption and anti- virus software; and
physical security measures, such as security passes to access our premises.
6. Retention
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any regulatory, accounting, or reporting requirements or until the end of the relevant retention period set by our customers.
Where applicable as a Data Processor, we act under our customers’ instructions to set the appropriate retention period. Where we are the Data Controller, we consider the potential risk of harm from unauthorised processing or disclosure of the personal data. We also consider the purposes for which it was collected and whether we can achieve the same goal through other means.
If you want to learn more about our specific retention periods for your personal data established in our retention policy, you may contact us at dpo@cloudrock.global.
Upon expiry of the applicable retention period, we will securely return it to our customers if requested, however, normally we destroy your personal data in accordance with applicable laws and regulations.
7. Your Rights
Data Protection Legislation provides you with rights with respect to our use of your personal data:
Access: You have the right to request a copy of the personal data that we hold about you. There are exceptions to this right, for example, we may need to refuse your request if making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information.
Accuracy: We aim to keep your personal data accurate, current, and complete. We encourage you to contact us by emailing us at the contact details provided below to let us know if any of your personal data is not accurate, incomplete or changes, so that we can keep your personal data up to date.
Objecting: In certain circumstances, such as when we rely on Legitimate Interests to process your personal data, you also have the right to object to our processing of your personal data.
Withdrawing your Consent: When we collect and rely on your consent to use your personal data, you also have the right to withdraw that consent at any time.
Restrict Processing: You are entitled to ask us to block or restrict your personal data for the purpose we are processing it for.
Porting: You have the right to request that some of your personal data is provided to you, or to another data controller, in a commonly used, machine-readable format.
Erasure: You have the right to erase your personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data have been unlawfully processed.
Automated Decision Making: You have the right to request that we review any decisions made about you that produce legal or similarly significant effects concerning you, which are made solely through automated means; receive certain additional explanatory information about the logic involved in the decision-making; and contest any decision reached.
If you would like to exercise any of the above rights, please contact us using the details provided in 7.1 Making a Request or raising a concern to us.
These rights may vary for those outside of the UK and EEA; please contact us for more information.
7.1 Making a request or raising a concern to us.
Please contact us at dpo@cloudrock.global if you have any questions about the protection of your personal data, or if you wish to exercise your legal rights.
If you make a request, we will let you know we have received it and inform you if we need any additional information from you such as to verify your identity.
We usually provide an outcome within one month, however if we need any extra time, we will let you know and provide you with an explanation.
7.2 Raise a concern to the regulator.
If you are unhappy about how we have managed your information or dissatisfied about how we have responded to your information request or compliant, please do not hesitate to raise a complaint directly with: dpo@cloudrock.global.
If you still remain dissatisfied, you have the option to raise concerns directly with the information regulator.
Each of our office locations may be subject to one or more data protection authority; the relevant authority will depend on your location and where the processing takes place.
If you are making a complaint about our UK operations. please contact the Information Commissioner’s Office (ICO).
If you are making a complaint about our Australian operations, please contact the Office of the Australian Information Commissioner (OAIC).
If you are making a complaint about our Portuguese operations, please contact the National Commission for Data Protection (CNPD).
If you are making a complaint about our India operations, please contact the Data Protection Board of India (DPB).
7.3 Revision of our privacy notice
We keep our privacy notice under regular review and thus the privacy notice may be subject to changes. The latest version can always be found at www.wearecloudrock.com/privacy-policy , and the revision date is shown at the top of the page.