Privacy Notice

How we handle your personal data on cloudbliss.co.uk

Version 1.0 · Effective: 11/05/2026 · Last reviewed: 11/05/2026

This Privacy Notice explains what personal data we collect through our website, our pricing Estimator, our enquiry forms and our wider marketing activities, why we collect it, what we do with it and the rights you have under UK data protection law. We have written it to be read alongside our Website Terms of Service and our Cookies Notice. It is the version that applies to anyone visiting cloudbliss.co.uk; a separate annex applies where we process personal data on a Customer’s behalf in the course of providing our Services.

1. About this Notice

1.1 Cloudbliss takes your privacy seriously. We are committed to handling your personal data lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

1.2 This Notice covers personal data we collect through cloudbliss.co.uk and any sub-domain (the Website), through our pricing Estimator (described in section 6), through our enquiry, demo, download, webinar and newsletter forms, through email and telephone contact with us, and through our wider sales, marketing, partner and recruitment activities.

1.3 Where we process personal data on a Customer’s behalf in the course of providing our consulting, implementation, AI/Copilot, OCR or managed-support Services (for example, when we view, configure or support content within a Customer’s Microsoft tenant), we do so as a processor on the Customer’s documented instructions. Those activities are governed by the data-processing terms in our Master Services Agreement (MSA) and not by this Notice. A copy of the MSA and its Schedule 1 (Data Processing Particulars) is available on request from privacy@cloudbliss.co.uk.

1.4 Capitalised terms used in this Notice (such as Customer, Services, MSA, AI Output and Microsoft Services) have the meanings given to them in our Website Terms of Service.

2. Who we are

2.1 Cloudbliss Ltd, a company registered in England and Wales under company number 16438393 with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom (Cloudbliss, we, us or our) is the controller of the personal data described in sections 4 to 8 of this Notice.

2.2 We have not appointed a statutory Data Protection Officer because we are not required to under Article 37 UK GDPR. Day-to-day responsibility for data protection sits with our Privacy Lead, who can be contacted using the details in section 14.

2.3 We are registered with the Information Commissioner’s Office (ICO) as a data controller under registration reference ZC137045.

3. A quick summary

If you only read one section of this Notice, this is the one. The detail follows in sections 4 onwards.

  • We collect personal data from you when you visit the Website, use our Estimator, fill in a form, sign up to a newsletter, attend a webinar, email or phone us, accept a meeting invite, sign a contract or apply for a job.
  • We use that data to respond to you, provide Services to your organisation, run the Website, market our Services, manage our contracts, comply with our legal obligations and run our business.
  • Our lawful bases are usually contract performance, legitimate interests or compliance with a legal obligation. We rely on consent for non-essential cookies and for some marketing where the soft opt-in does not apply.
  • We share data with our IT and CRM providers (including Microsoft), our Sub-contractors, our professional advisers and our insurers, and we transfer data outside the UK where necessary, with appropriate safeguards in place.
  • We keep data only for as long as we need it. Indicative retention periods are set out in section 11.
  • You have rights — including access, correction, erasure, restriction, portability and objection. Section 12 explains how to exercise them. You can also complain to the ICO.

4. The personal data we collect

The categories of personal data we collect depend on how you interact with us. The list below is a complete inventory. The personal data is provided by you, generated by your interaction with the Website, or in some cases obtained from third parties (such as Microsoft partner programmes, LinkedIn, Companies House, professional networks and publicly available business directories).

  • Identity data — Full name, job title, employer, professional qualifications, role within your organisation.
  • Contact data — Work email address, work telephone number, work postal address; in some cases mobile number for Teams or scheduling purposes.
  • Estimator data — Selections you make in our pricing Estimator: chosen challenges, current Microsoft 365 plan, whether you currently have an IT provider, user count, industry sector, number of office locations, in-house IT resource, data-quality and infrastructure indicators, average staff hourly cost, intended timeline, services of interest and service-specific responses. When you complete the contact gate at step 3, we additionally collect your full name, work email and company name.
  • Account and sign-up data — Username, password (stored hashed), preferences and any profile picture you choose to provide; webinar and event registration details.
  • Communications data — The content of any email, chat message, support ticket, contact-form submission, voicemail, call recording (where notified), meeting note or feedback you send to us, together with metadata such as date, time and recipient.
  • Technical data — IP address, device type, operating system, browser type and version, screen size, referring URL, time zone, time and date of visit, and similar telemetry generated by your interaction with the Website.
  • Usage data — Information about how you use the Website, including pages visited, links clicked, scroll depth, time spent on pages, downloads, video views, Estimator paths and webinar attendance.
  • Marketing and preferences data — Your preferences in receiving marketing from us, your communication preferences, and your unsubscribe history.
  • Commercial data — Information about your organisation’s interest in our Services, the proposals and quotes we have provided, the calls you have attended, the documents you have downloaded, and your buying-cycle stage as recorded in our customer-relationship-management (CRM) system.
  • Contract and finance data — Where you become a Customer or Customer representative: signatory details, billing contact, purchase order references, bank account name and sort code/IBAN for invoice payments, and tax identifiers (e.g. VAT number).
  • Recruitment data — Where you apply for a role with us: CV, covering letter, employment history, qualifications, references, right-to-work documentation, and (only where role-relevant) DBS or screening results.

We do not knowingly or routinely collect special category data (such as health, racial, religious or biometric data) or criminal-conviction data through the Website or the Estimator, and we ask that you do not provide such data unless you are responding to a recruitment process where we have expressly asked for it for a lawful and proportionate purpose.

5. Why we use your data and on what lawful basis

We will only use your personal data where we have a valid lawful basis to do so under Article 6 UK GDPR (and, where relevant, an Article 9 condition for special category data). The list below sets out each purpose for which we use personal data, the categories of data involved and our lawful basis.

Operating, securing and improving the Website. Categories used: Technical, Usage. Lawful basis: Legitimate interests (running and securing our Website, preventing abuse, understanding what content is useful).

Providing the Estimator and emailing you a copy of the result. Categories used: Estimator, Identity, Contact, Communications. Lawful basis: Performance of pre-contractual steps you have requested; legitimate interests (helping prospective customers self-assess our Services).

Responding to enquiries, demo requests and quote requests. Categories used: Identity, Contact, Communications, Commercial. Lawful basis: Performance of pre-contractual steps; legitimate interests (responding to inbound business enquiries).

Sending you marketing about our Services (where the soft opt-in or your consent applies). Categories used: Identity, Contact, Marketing, Usage. Lawful basis: Legitimate interests (B2B marketing under PECR reg 22(3) soft opt-in); consent (where the soft opt-in does not apply).

Delivering webinars, events and downloadable content (whitepapers, recordings). Categories used: Identity, Contact, Account, Usage, Marketing. Lawful basis: Performance of contract (delivering the resource you signed up for); legitimate interests (event measurement).

Managing customer and prospect relationships in our CRM. Categories used: Identity, Contact, Commercial, Communications, Marketing. Lawful basis: Legitimate interests (running our sales and account-management process); performance of contract.

Negotiating, signing and performing the MSA, an Order or other engagement. Categories used: Identity, Contact, Contract and finance, Communications. Lawful basis: Performance of contract; legitimate interests (where you are an individual signatory or representative of a corporate Customer).

Invoicing, payment, credit control and accounting. Categories used: Identity, Contact, Contract and finance. Lawful basis: Performance of contract; legal obligation (tax, accounting, anti-money-laundering record-keeping); legitimate interests (debt recovery).

Microsoft partner-programme reporting and CSP administration. Categories used: Identity, Contact, Commercial, Contract and finance. Lawful basis: Legitimate interests (maintaining our Microsoft partner status and our CSP licensing arrangement).

Information security, fraud and abuse prevention, business continuity. Categories used: All categories as relevant. Lawful basis: Legitimate interests (protecting our systems, our personnel and our other customers); legal obligation.

Recruitment, onboarding and personnel management. Categories used: Recruitment, Identity, Contact, Communications. Lawful basis: Legitimate interests (assessing fit for the role); performance of pre-contractual steps; legal obligation (right-to-work checks); consent (sensitive screening, where required).

Complying with our legal obligations (court orders, regulatory requests, audit, sanctions screening). Categories used: All categories as relevant. Lawful basis: Legal obligation; legitimate interests.

Establishing, exercising or defending legal claims. Categories used: All categories as relevant. Lawful basis: Legitimate interests (protecting our legal position); for special category data, Article 9(2)(f) (legal claims).

5.1 Where we rely on legitimate interests, we have carried out a balancing test in each case. We have concluded that our interest in operating, marketing and protecting our business does not override your fundamental rights and freedoms, particularly because (a) we operate in a B2B context; (b) the data we process is, in most cases, work-context data; (c) we honour all opt-out and objection requests promptly; and (d) we apply appropriate technical and organisational measures. We will share a copy of our balancing assessment on reasonable request.

5.2 We do not use your personal data for any solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 UK GDPR. The Estimator produces an indicative figure but it is not a decision; any commercial proposal we issue follows human review.

6. The Estimator (pricing calculator)

Because the Estimator collects information about your organisation’s IT estate and produces a shareable result, we treat it as a distinct privacy event and explain it in full here.

6.1 The Estimator is the interactive pricing tool published on the Website (currently at cloudbliss.co.uk/estimator). It is intended for prospective Customers (or their advisers) to obtain an indicative estimate of the cost, savings and return on investment associated with our Services.

6.2 Steps 1 and 2 of the Estimator can be completed without giving us any directly identifying information about you. The information you provide at those steps (challenges selected, current Microsoft 365 plan, current IT provider status, user count, industry sector, locations, in-house IT resource, data quality, infrastructure, hourly staff cost, timeline and service preferences) is not, on its own, personal data, but it may become personal data when combined with the contact details you provide at step 3.

6.3 At step 3, we ask for your full name, work email address and company name in order to (a) display your full result, (b) email a copy of the result to that address, and (c) follow up with you about our Services. By submitting those details, you are asking us to take pre-contractual steps; we will also rely on legitimate interests to keep your record in our CRM and to send you related marketing where the PECR soft opt-in applies. You can object or unsubscribe at any time.

6.4 Sharing the result. The Estimator generates a shareable URL that encodes your selections (such as services chosen, user count, industry sector, current plan and managed-services tier) as parameters in the URL. Anyone you give that URL to will see your selections when they open it. We do not embed your name, email address or company name in the URL, but you should not share the URL with anyone you do not want to see your inputs.

6.5 Email-to-colleague. The Estimator also provides an option to email the result to a colleague using your own email client. When you use that option, the email is sent from your device using the email address you choose; the email does not pass through Cloudbliss systems and we do not retain a copy of the recipient’s email address.

6.6 Indicative only. The figures produced by the Estimator are indicative estimates only, generated from formulae and assumptions we set out in the tool. They are not a quotation or a contractual offer, and any binding pricing requires a written proposal or Order. The Estimator does not make any decision about you; it is a calculator.

6.7 Retention. We keep Estimator submissions for thirty-six (36) months from the last interaction, in line with our broader CRM retention rules in section 11, unless you ask us to delete them earlier. Anonymous, aggregated insights derived from Estimator usage may be kept for longer to improve the tool itself.

7. Cookies and similar technologies

7.1 We use cookies and similar technologies (including pixels, local storage and SDKs) on the Website. Some cookies are strictly necessary for the Website to function (for example, to remember your consent choices, to keep you signed in, or to load-balance traffic). Others are used for analytics, performance, functionality, advertising and personalisation.

7.2 Strictly necessary cookies are set on the basis of legitimate interests and our obligation under regulation 6 PECR to provide the service you have asked for. All other cookies are set only with your consent, which you give through the cookie banner displayed when you first visit the Website. You can change your preferences at any time using the Cookie Preferences link in the Website footer.

7.3 Our Cookies Notice sets out a full list of the cookies we use, their purposes, the third parties involved and how long they last. The Cookies Notice is incorporated into this Notice by reference.

8. Marketing communications

8.1 We may send you marketing communications about our Services where (a) you have given us your express consent (for example, by ticking a marketing opt-in on a form), or (b) you have provided us with your business contact details in the course of a sale or negotiation, the marketing relates to similar Services, and you have not opted out (the soft opt-in under regulation 22(3) PECR).

8.2 Every marketing email we send will include an easy way to opt out — by clicking the unsubscribe link in the email, by replying STOP, or by emailing privacy@cloudbliss.co.uk. Once you opt out, we will stop sending you marketing as soon as is reasonably practicable, and in any event within five Business Days. We will keep a minimal record of your opt-out so that we do not contact you again in error.

8.3 Opting out of marketing does not stop us from sending you service-related messages that we are required to send (for example, security alerts, billing reminders, scheduled-maintenance notices, or updates to this Notice or our Terms).

9. Who we share your personal data with

We share your personal data only where it is necessary for the purposes set out in section 5, and only with recipients who are subject to appropriate confidentiality and data-protection obligations. The categories of recipient are:

  • Our personnel and Sub-contractors. Our employees, contractors, freelancers and Sub-contractors who need access to the personal data to do their jobs.
  • IT, communications and infrastructure providers. Microsoft (including Microsoft 365, Azure, Dynamics 365, Power Platform and Microsoft Copilot, and their respective sub-processors), our website host, our email-marketing platform, our analytics provider, our ticketing system, our customer-relationship-management system, our document-management platform, our identity-management provider, our endpoint-protection provider and our backup provider. A current list of named sub-processors is available on request.
  • Professional advisers. Our lawyers, accountants, auditors, tax advisers, insurers and brokers.
  • Acquirers and successors. If we are involved in a merger, acquisition, group reorganisation or asset sale, we may share your personal data with the prospective buyer, their advisers and the eventual successor entity, subject to appropriate confidentiality undertakings.
  • Government, law enforcement and regulators. Where we are required by law, by court order, by a binding request from a regulator (including the ICO, HMRC, the FCA or a sectoral body), or where disclosure is necessary to establish, exercise or defend legal claims, prevent fraud, or protect the safety or rights of any person.
  • Microsoft, where you take CSP licensing. Where you procure Microsoft licensing through us under a Cloud Solution Provider arrangement, we share the data Microsoft requires for licensing administration, support and partner reporting.

9.1 We do not sell your personal data, and we do not share it with third parties for those parties to use for their own marketing purposes.

10. International transfers

10.1 Some of the recipients listed in section 9 are located outside the United Kingdom, including in the European Economic Area (EEA), the United States, India and other jurisdictions where Microsoft, our Sub-contractors or our advisers operate. Where we transfer your personal data outside the UK, we do so only where one of the following applies:

  • Adequacy. The destination country is the subject of an adequacy regulation made by the UK Government (this currently includes EEA countries and certain other countries listed by the ICO);
  • Appropriate safeguards. We have entered into the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, with the recipient, supplemented by additional measures (such as encryption in transit and at rest, restricted-access controls and contractual audit rights) where the destination country presents heightened risk; or
  • Derogations. The transfer is necessary for the performance of a contract with you, for pre-contractual steps you have requested, for the establishment, exercise or defence of legal claims, or otherwise on a basis permitted by Article 49 UK GDPR.

10.2 If you would like more information about the safeguards we have in place for any particular transfer (including a copy of the relevant clauses, with confidential information redacted), please contact privacy@cloudbliss.co.uk.

11. How long we keep your personal data

We keep your personal data only for as long as we need it for the purposes for which it was collected, taking into account any applicable legal, accounting, tax, regulatory or contractual requirement. The headline retention periods are:

  • Website server, security and analytics logs — up to 13 months from collection (or longer where required for security investigations).
  • Cookie consent records — 12 months from the date consent was given or last refreshed.
  • Estimator submissions and CRM records (prospects) — 36 months from your last interaction with us, after which the record is deleted or fully anonymised.
  • Newsletter and webinar registrations — until you unsubscribe, plus a minimal suppression record kept indefinitely so that we do not contact you again.
  • Customer contracts, signed Orders and related correspondence — for the duration of the engagement and for 7 years after termination or expiry (to align with our limitation-of-actions and tax-record-keeping requirements).
  • Invoices, payment records and accounting records — 7 years from the end of the financial year to which they relate (Companies Act 2006, HMRC rules).
  • Recruitment records (unsuccessful applicants) — 12 months from the close of the recruitment process, unless you consent to us keeping you on file for longer.
  • Marketing suppression records — indefinitely, in the minimum form needed to ensure we do not market to you again.
  • Records relating to legal claims, complaints or incidents — until the matter is concluded plus the applicable limitation period (typically 6 years; 12 years for documents executed as deeds).

11.1 Where personal data falls within more than one category above, we apply the longest applicable period. We may shorten any of these periods on request, where we can do so without breaching a legal obligation. We periodically review our holdings and delete or anonymise records that have reached the end of their retention period.

12. Your rights under UK data protection law

Subject to certain exceptions, you have the following rights in relation to your personal data:

  • Right of access. You can ask us for a copy of the personal data we hold about you and information about how we are processing it (a data subject access request).
  • Right to rectification. You can ask us to correct inaccurate personal data and complete incomplete personal data.
  • Right to erasure (right to be forgotten). You can ask us to delete personal data where there is no good reason for us to continue processing it. This right is not absolute; we may need to retain some data for legal, regulatory, accounting or contract-record-keeping reasons.
  • Right to restrict processing. You can ask us to suspend processing of your personal data — for example, while we verify its accuracy or while we consider an objection.
  • Right to data portability. Where we process personal data on the basis of consent or performance of a contract, by automated means, you can ask us to provide that data in a structured, commonly used and machine-readable format, and (where technically feasible) to transmit it to another controller.
  • Right to object. You can object to our processing of personal data on the basis of legitimate interests, including profiling. You can object to direct marketing at any time, and we will stop without question.
  • Right to withdraw consent. Where we rely on your consent (for example, for non-essential cookies or certain marketing), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Rights in relation to automated decision-making. You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. As noted in section 5.2, we do not carry out such processing.

12.1 How to exercise your rights. Send your request to privacy@cloudbliss.co.uk, or write to our registered office (marked for the attention of the Privacy Lead). Please tell us which right you are exercising and provide enough information for us to identify you and the data concerned. We will normally respond within one calendar month; complex or numerous requests may take up to a further two months, and where this applies we will let you know within the first month.

12.2 Identity verification. We will only ask for proof of your identity where we have a reasonable doubt about who you are. Where verification is needed, we will ordinarily ask you to confirm details that you have already provided to us (for example, the email address from which you contacted us, your company and a recent transaction reference), and we will not require you to send copies of passports, driving licences or birth certificates unless this is genuinely necessary.

12.3 Fees. There is no fee for exercising your rights. We may charge a reasonable administrative fee, or refuse to act, where a request is manifestly unfounded or excessive (for example, if it is repetitive).

12.4 Right to complain to the ICO. You have the right to lodge a complaint with the Information Commissioner’s Office at any time. The ICO’s contact details are: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline 0303 123 1113; website ico.org.uk. We would, however, appreciate the chance to address your concerns first, so please consider contacting us before approaching the ICO.

13. Security, children and changes to this Notice

13.1 Security. We have implemented technical and organisational measures appropriate to the risk, including encryption in transit, role-based access control, multi-factor authentication on administrative accounts, hardened endpoint configuration, secure development practices, vulnerability management, logging and monitoring, supplier-security due diligence, mandatory data-protection training and a documented incident-response process. We are aligned with Cyber Essentials and update our controls regularly. No system is perfectly secure; if you become aware of a security concern, please email security@cloudbliss.co.uk.

13.2 Children. The Website is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you become aware that a child has provided us with personal data, please contact privacy@cloudbliss.co.uk and we will take steps to delete it.

13.3 Changes. We may update this Notice from time to time to reflect changes in law, in our practices, in our supplier ecosystem or in our Services. The version in force is the version published on the Website. We will indicate at the top of the page when the Notice was last updated. Where the change is material (for example, a new processing purpose or a new category of recipient), we will give reasonable advance notice by a banner on the Website or, where you have given us your contact details and the change affects your data, by email.

14. How to contact us

If you have any question, request, complaint or notice in relation to this Notice or to our handling of your personal data, you can reach us using the following details. Email is the fastest route.

  • Controller: Cloudbliss Ltd
  • Company number: 16438393 (England and Wales)
  • ICO registration: ZC137045
  • Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
  • Privacy Lead: privacy@cloudbliss.co.uk
  • Security incidents: security@cloudbliss.co.uk
  • Marketing opt-out: Click “unsubscribe” in any marketing email, or email privacy@cloudbliss.co.uk
  • Information Commissioner: ico.org.uk · Tel 0303 123 1113

— End of Privacy Notice —