Privacy Policy

1. Introduction

Opus Compliance (“we”, “our”, “us”) provides subcontractor security mobilisation services, including NDA management, BPSS coordination and mobilisation readiness reporting.
This Privacy Policy explains how we collect, use, store and protect personal data in accordance with UK GDPR and the Data Protection Act 2018.

By using our website or contacting us, you agree to the practices described in this policy.

2. What Personal Data We Collect

We may collect and process the following types of personal data:

From website visitors

  • Name
  • Email address
  • Company details
  • IP address and device information
  • Any information submitted via our contact form

From clients and subcontractors (through project operations)

  • Name and contact details
  • Identity documentation (e.g., passport, driving licence)
  • Right-to-work evidence
  • BPSS documentation required by your employer or vetting provider
  • NDA-related information
  • Project mobilisation details
  • Clearance status updates (as provided by your employer or vetting provider)

3. How We Use Personal Data

We use personal data to:

  • Coordinate NDA distribution and tracking
  • Support security checks e.g. BPSS
  • Liaise with client-approved vetting providers
  • Provide mobilisation readiness reporting
  • Respond to enquiries
  • Manage client relationships
  • Ensure secure access to sensitive project environments

We do not use personal data for marketing.

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Contractual necessity – required to deliver services to clients
  • Legitimate interests – ensuring secure, compliant subcontractor mobilisation
  • Legal obligations – maintaining required records and compliance
  • Consent – where explicitly given (e.g., website enquiries)

5. How We Share Personal Data

We may share personal data with:

  • Client organisations requiring mobilisation evidence
  • Approved security vetting providers
  • Subcontractor employers
  • Secure IT and cloud service providers

We do not sell personal data.
We only share what is necessary to fulfil our contractual role.

6. Data Storage & Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Restricted access controls
  • Secure document storage
  • Encrypted communication channels
  • Limited data retention
  • Role-based access for sensitive information

7. Data Retention

We retain personal data only as long as necessary for:

  • Project requirements
  • Legal and audit obligations
  • Contractual agreements

Standard retention is 12–24 months, unless otherwise required by the client. After which your data will be deleted

8. Your Rights

Under UK GDPR, you have the right to:

  • Access your data
  • Correct inaccurate information
  • Request deletion where appropriate
  • Restrict processing
  • Object to processing
  • Request data portability

To exercise these rights, contact:
info@opuscompliance.com

9. International Transfers

We primarily process data within the UK.
If data must be transferred outside the UK, we ensure adequate safeguards (e.g., Standard Contractual Clauses).

10. Updates to This Policy

We may update this policy periodically. Changes will be posted on this page with a new “Last updated” date.

11. Contact Us

For privacy enquiries or requests:
info@opuscompliance.com