Privacy Notice

Version 1.0 · Effective June 2026

This notice covers the Website only. If you use the Merlin platform (at merlin.apolloiq.co.uk), our separate Merlin Platform Privacy Policy governs your use of the platform and any patient data processed through it — including the detail on clinical services, sub-processors and data-protection roles.

1. Who we are

ApolloIQ Ltd is a company registered in England and Wales (company number 14643224), with registered office at Goodwood House — Albert Goodman, Blackbrook Park Avenue, Taunton, Somerset, TA1 2PX. For the personal data described in this notice, ApolloIQ is the Data Controller.

We are registered with the Information Commissioner's Office (ICO) under registration number ZB541448.

Our Data Protection Officer is Vlad Repede, contactable at vlad.repede@apolloiq.co.uk (general enquiries: contact@apolloiq.co.uk).

2. The personal data we collect

Enquiry & form data — when you contact us, use one of our calculators or readiness audits, request safety or assurance documentation, or make a service enquiry: your name, email address, organisation, role, and the content of your message (plus any other details you choose to include).
Newsletter & marketing sign-up — your name, email address, and your consent preferences, where you opt in to receive updates about events, products and our business.
Technical & usage data — IP address, browser type and version, device and operating system, the page that referred you, and the pages you view. This is collected through our hosting provider's server logs (see section 5). We do not use website analytics.

We do not intentionally collect special-category (for example health) data through the Website. Please do not include clinical or patient information in a Website enquiry — use the Merlin platform or another secure channel for that.

Providing this information is voluntary — you are under no statutory or contractual obligation to give it — but we need your contact details to reply to an enquiry or to send the updates you have asked for. Without them we may be unable to help.

3. How we use your data, and our lawful bases

Purpose	Lawful basis (UK GDPR)
Responding to your enquiry or preparing a proposal	Legitimate interests (Art. 6(1)(f)) in handling enquiries about our services, or steps prior to a contract (Art. 6(1)(b))
Operating, maintaining and securing the Website	Legitimate interests (Art. 6(1)(f)) in running a safe, functioning site
Sending you marketing updates	Consent (Art. 6(1)(a)) where you opt in, or the "soft opt-in" under PECR for existing customers about similar services
Keeping business and tax records	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have balanced those against your rights; our assessment is available on request.

We do not make decisions about you by solely automated means (including profiling) that produce legal or similarly significant effects.

4. Who we share it with

We do not sell your personal data and we do not share it for third-party advertising. The Website is a self-built static site hosted on Microsoft Azure — it does not use a third-party content-management system, and it carries no advertising or analytics tools. We share personal data only with:

Our website and tooling providers (processors) — each acting only on our instructions under a data-processing agreement:

Provider	What they do for us	Where data is processed
Microsoft Azure (Microsoft Corporation) — Static Web Apps	Hosts and serves the Website and keeps server / access logs	United Kingdom
Google LLC — Google Fonts	Serves the typefaces used across the Website; receives your IP address and browser type when a page loads	United States
Google LLC — Apps Script	Receives your form and calculator submissions and routes them to us and to our email provider; it does not store them in a spreadsheet	United States
Brevo (Sendinblue SAS)	Sends the confirmation / result email you receive after using a form or calculator, and manages our marketing newsletter list	European Union (France)

Professional advisers (such as lawyers and accountants) bound by confidentiality.
Regulators or authorities where required by law.
A successor in the event of a sale, merger or reorganisation, under equivalent data-protection commitments.

5. Cookies and analytics

The Website does not set any cookies, and we do not use website analytics. A scan of the live site confirmed it stores nothing on your device — no cookies, and no local or session storage — and runs no analytics, advertising, tracking, behavioural-profiling or session-recording technologies. Because we set no non-essential cookies, the Website shows no cookie banner and none is required.

No tracking — we do not build advertising profiles, and we do not track you across other websites or use third-party measurement tools.
Web fonts — pages load their typefaces from Google Fonts. To deliver the fonts, your browser contacts Google, which receives your IP address and browser type. Google Fonts sets no cookies. This is the only third party your browser contacts when simply viewing the Website (see section 6 on international transfers).

This Website is separate from the Merlin platform, which sets no cookies.

6. International transfers

The Website is hosted in the United Kingdom on Microsoft Azure, so the hosting of the site itself involves no overseas transfer. Two parts of the service do involve transfers outside the UK:

Google LLC (United States) — for the web fonts loaded on each page, and for receiving and routing form / calculator submissions. Transfers to Google rely on the UK Extension to the EU–US Data Privacy Framework where it applies, and otherwise on the UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses with appropriate additional safeguards.
Brevo / Sendinblue SAS (France, European Union) — for sending form / calculator result emails and managing our newsletter list. The EU benefits from the UK's "adequacy" regulations, so no additional transfer safeguards are required.

Details of the safeguards we rely on are available on request.

7. How long we keep it

Data	Retention
Enquiry & form data	Up to 24 months from your last contact, then deleted — unless we enter a customer relationship, when it is kept under that relationship
Newsletter / marketing data	Until you unsubscribe, then suppressed from mailings
Server logs	90 days

8. Your rights

Under UK data-protection law you have the right to access, rectify, erase, restrict or object to the processing of your personal data, to data portability, and to withdraw consent at any time where we rely on it (withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it). To exercise any of these, contact our DPO at vlad.repede@apolloiq.co.uk. We respond to verified requests within one calendar month; there is no fee unless a request is manifestly unfounded or excessive.

If you are unhappy with how we have handled your personal data, you can complain to the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113 · Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

9. Marketing choices

Every marketing email contains an unsubscribe link, and you can email vlad.repede@apolloiq.co.uk at any time to opt out of all marketing. We will never share your contact details with third parties for their own marketing purposes.

10. Children

The Website is intended for healthcare professionals and business contacts and is not directed at children.

11. Changes to this notice

We may update this notice from time to time. The current version number and effective date are shown at the top of this page, and material changes will be highlighted here.

12. Contact

Data Protection Officer: Vlad Repede

Email: vlad.repede@apolloiq.co.uk

General contact: contact@apolloiq.co.uk

Post: ApolloIQ Ltd, Goodwood House, Albert Goodman, Blackbrook Park Avenue, Taunton, Somerset, TA1 2PX

ApolloIQ Ltd is a company registered in England and Wales (company number 14643224). ICO registration ZB541448.

Website Privacy Notice