Privacy & Cookie Policy
This Privacy Policy:
- explains how Sedex Information Exchange Limited and the Sedex group companies collect and use your personal information.
- applies to any individual who uses the Sedex Platform or website or interacts with Sedex in any capacity, including customers, website visitors or individuals who interact with Sedex via events, conferences, webinars or otherwise.
Where applicable, Sedex may provide links to third party sites within our services or website or in our communications to you. This Privacy Policy does not apply to those sites or any other third parties. We encourage you to read any third party’s privacy notice before providing any personal information to them.
1. General
1.1 In this Privacy Policy, references to “Sedex”, “our” and “we” mean Sedex Information Exchange Limited, a company incorporated and registered in England and Wales (No. 05015443), whose registered office is 5 Old Bailey, London, England, EC4M 7BA.
1.2 We are part of a group of companies (the “Sedex Group”) and operate in the United Kingdom. We are the controller of your personal data (an “independent controller” under GDPR).
1.3 References to “you” or “your” mean any individual whose personal data we process in connection with the users of this website and provision of the Sedex Platform. This includes individuals employed by our users and affiliate audit companies, and individuals whose personal data is processed in connection with the provision of information to users.
1.4 This Privacy Policy (together with any other documents referred to in it) sets out the basis on which we collect and use personal data about you.
1.5 It describes who is responsible for the personal data that we collect about you, the nature of the personal data we collect, how we will use it, who we disclose it to, and your rights and choices in relation to your personal data.
1.6 The term “personal data” refers to information about you that identifies you.
1.7 The personal data we process includes:
- Name and contact details of individuals who use our website.
- Names and contact details of individuals employed or engaged by our users (“Users”) and affiliate audit companies (“Auditors”).
- Personal data about other individuals we interact with, such as site contacts and auditor team names collected through SMETA Audits and Reporting processes.
1.8 Personal data may be submitted directly by you or indirectly via your employer or organisation in connection with our services.
1.9 Sedex is committed to protecting your privacy and will use any personal data submitted to us in accordance with this Privacy Policy.
1.10 This Privacy Policy sets out how we apply the seven data protection principles of:
(1) Lawfulness, fairness and transparency
(2) Purpose Limitation
(3) Data Minimisation
(4) Accuracy
(5) Storage Limitation
(6) Integrity and Confidentiality (Security)
(7) Accountability
1.11 You have the right to object to our use of your personal information in certain circumstances. See Section 10 for more details.
2. Who Can You Contact for Privacy Questions or Concerns?
2.1 We have appointed a Data Protection Officer (DPO), whose role includes informing and advising us and our staff on data protection obligations.
2.2 For questions or concerns or to exercise your rights as a data subject and make a Data Subject Access Request, please contact the DPO at: DPO@Sedex.com
- The Data Protection Officer, Sedex Information Exchange Limited, 2nd Floor, 5 Old Bailey, London EC4M 7BA, United Kingdom.
2.3 When you contact us we will need to verify your identity and confirm that you are entitled to make a Data Subject Access Request or authorised to ask such questions or raise such concerns.
2.4 If you have a complaint about our collection and use of your personal data you may also complain to the Information Commissioner’s Office (ICO) by calling 0303 123 1113 or visiting www.ico.org.uk.
3. How Do We Collect Personal Data?
3.1 Directly:
- From individuals providing business cards, completing online forms, subscribing to newsletters, registering for webinars, attending meetings/events, visiting our offices, or applying for roles.
- During business relationships or service provision via our hosted software.
3.2 Indirectly:
- From recruitment services, Members, or through our CRM system for better service and legal compliance.
- From Auditors and Members (employee details).
- From recruitment services (CVs, references).
- From third-party sources like ZoomInfo, Gainsight, etc. (public business contact information for marketing).
4. What Categories of Personal Data Do We Collect?
4.1 We commonly collect:
- Contact information: Name, company name, job title, work/mobile number, email, postal address.
- Professional details: Job title.
- Video information: if you visit the Sedex office or participate in a Sedex recorded event, webinar or meeting, we may record your image and where you participate in an event we may record your voice too.
Other information collected which may not necessarily amount to Personal Data:
- Subscription and usage information – such as information about the products or Services you subscribe to or use and how you use them, preferences, browsing history, support services, feedback, and other information about activity on our Services.
- Device and network information: such as IP address, location, internet service provider, unique advertising identifier and mobile device type, cookies and other trackers, non-cookie identifiers, browser data.
4.2 We do not knowingly collect personal data of minors.
5. How Do We Process Your Personal Data?
5.1 We only use your personal data where we have a legal basis, including:
- Contract: To perform contractual obligations.
- Consent: Where freely given.
- Legitimate interests:
  - Delivering services.
  - Direct marketing.
  - Legal compliance.
  - Business improvement and protection.
  - Market research and competition analysis.
- Legal obligations/public interest: For regulatory compliance.
5.2 Where we rely on legitimate interests, we balance them against your rights and freedoms.
5.3 Failure to provide certain personal data may prevent us from delivering membership services or other interactions.
5.4 To change your marketing preferences, you can unsubscribe from any particular communication or campaign and/or contact us as set out in Section 2.
6. Why Do We Need Personal Data?
We use personal data for purposes including:
- Providing services and reports.
- Promoting services to current and potential Members.
- Event/webinar management.
- Personalising communications and web content.
- Ensuring IT and site security.
- Authenticating users.
- Managing recruitment.
- Responding to requests.
- Media engagement.
- Legal and regulatory compliance.
7. Do We Share Personal Data with Third Parties?
7.1 Yes, we may share Personal Data with trusted parties, only where absolutely necessary, including:
- IT, telecoms, email, hosting, archiving, document and cloud service providers.
- Payment, sales administration, and marketing or analytics providers.
- Business operational and professional service providers.
- Business partners.
- Government and regulatory bodies (e.g., HMRC).
- Recruitment services.
7.2 Other scenarios include:
- Business sales or asset transfers: If we or our affiliates or subsidiaries are or may be acquired by, merged with, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may disclose the personal information we have collected from you with or to the other company. We may also disclose certain personal information as necessary prior to the completion of such a transaction or other corporate transaction such as a financing or restructuring, to lenders, auditors, and third-party advisors, including lawyers and other third-party advisors or consultants.
- Legal and compliance obligations or contract enforcement: We may disclose personal information to comply with our legal and compliance obligations and to respond to the legal process. For example, we may disclose information in response to court orders, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements.
- Security and Protection of Rights: We may disclose personal information where we believe doing so is necessary to protect the Services, our rights and property, or the rights, property, and safety of others. For example, we may disclose personal information to (i) prevent, detect, investigate, and respond to fraud, unauthorized activities and access, illegal activities, and misuse of the Services, (ii) prevent, detect, investigate, and respond to situations involving potential threats to you, us, or any other party, or (iii) enforce, detect, investigate, and act in response to violations of our terms, agreements, or policies. We may also disclose personal information related to litigation and other legal claims or proceedings in which we are involved, as well as for our internal accounting, auditing, compliance, recordkeeping, and legal functions.
- Aggregated and Anonymised information: Notwithstanding anything else in this Privacy Policy, we may use, disclose, and otherwise process aggregate and anonymised information related to our business and our services to or with third parties for quality control, analytics, research, development, and other business purposes.
7.3 Some Sedex Group companies may also act as independent controllers of your personal data and will be bound by this policy.
8. Do We Transfer Personal Data Outside the UK?
8.1 Yes, to service providers and to our subsidiaries, subject to appropriate safeguards.
8.2 Safeguards include:
- Reviewing the adequacy of security and controls available in the transferee.
- Risk assessment and Data Privacy Impact Assessments identifying the security and other controls required to secure personal data.
- Ensuring contracts with third parties contain adequate security and controls.
- Ensuring transmission controls are in place for transfer.
8.3 Internet transmissions are not completely secure; transmission is at your own risk.
9. Do We Use Cookies or other tracking mechanisms?
Yes. For more details, see our cookie policy. We also monitor logins on the Sedex Platform to track usage and compliance.
10. What Are Your Data Protection Rights?
10.1 Access: Request a copy of your personal data.
10.2 Rectification: Request corrections.
10.3 Erasure: Request deletion in certain cases.
10.4 Processing restrictions: Request suspension of use in specific scenarios.
10.5 Data portability: Obtain and reuse your data in a machine-readable format (limited to consent or contract-based processing by automated means).
10.6 Object: Object to processing for legitimate interests or direct marketing.
10.7 Withdraw consent: At any time where consent was given.
Contact our Data Protection Officer at the contact details in Section 2 above to exercise any of your Data Protection Rights.
11. What About Personal Data Security?
11.1 We maintain appropriate technical and organisational safeguards.
11.2 Only authorised individuals access your personal data.
11.3 If you use our services, you are responsible for keeping your credentials secure.
11.4 Internet data transmissions are not fully secure; any transmission is at your own risk.
12. How Long Do We Retain Personal Data?
12.1 Personal data is generally retained only for as long as is needed or permitted based on the purposes for which we collected it, consistent with applicable law. When deciding how long to keep your personal information, we consider whether we are subject to any legal obligations, such as laws and regulations that require us to keep records for a certain period of time before we can delete them.
12.2 Secure disposal follows once data is no longer needed.
13. Do We Link to Other Websites?
Yes. These include the Sedex Platform and partner organisations.
14. Do we consider privacy and data protection in the design of our systems, processes and products?
14.1 Yes, we consider privacy and data protection during the initial planning and development of any project, system or process, or upgrades thereto, that involves personal data.
14.2 We ensure that personal data is only collected and used as necessary in line with this policy and all applicable laws.
14.3 We apply technical and organisational measures to protect personal data.
14.4 We periodically review our policies and Data Privacy impact assessments to ensure we continue to meet privacy requirements.
15. Do We Change This Privacy Policy?
15.1 This Privacy Policy is regularly reviewed and updated on this webpage.
15.2 We will provide reasonable advance notice, by posting a prominent notice on our website and within the Platform of significant changes that materially affect our practices regarding our use of the personal data we collect from you.
Last updated June 2025
Cookie Policy
Click here to view the cookies we collect on our websites.
We use cookies to enhance your user experience, collect analytical information about your use of our site, and to personalise content and ads.
While on Sedex.com you can view and change your cookies at any time by clicking on the Cookie icon presented on screen.
Access to personal information
In accordance with the General Data Protection Regulation (GDPR), you are entitled to request a copy of any personal information we hold about you.
If you become aware that any personal information we hold about you is inaccurate, you may request that we amend it. Any requests should be made by email.
Third party data processors
Our information technology systems are operated by Sedex and by a third party on our behalf. We endeavour to ensure appropriate security measures are in place to prevent unauthorised disclosure of personal information.
Changes to this statement
Sedex reserves the right to change this statement at any time by posting revisions on the website. This privacy policy is not intended to, and does not, create any contractual or other legal rights.
Other terms of use
Whilst we endeavour to ensure that this site is normally available 24 hours a day, we will not be liable if for any reason the site is unavailable at any time or for any period.
By accessing any part of this site, you shall be deemed to have accepted these terms in full.
These terms shall be governed by and construed in accordance with English Law.