Privacy policy
Last updated: Sep 11, 2025
Altu Leader Ltd
Privacy & Security Policy
1. Introduction
Altu Leader Ltd (“Altu”, “we”, “us”, “our”) is committed to protecting the privacy, security, and integrity of personal data. We recognise that our clients operate in business environments, and we take our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 very seriously.
This Privacy & Security Policy sets out:
How we collect, use, and protect personal data.
The rights of individuals whose data we process.
The technical and organisational measures we use to safeguard information.
How this Policy fits within our wider compliance framework.
This Policy should be read in conjunction with our other governance documents, which together form Altu’s compliance pack:
Terms & Conditions – the core agreement governing use of our Services.
Data Processing Agreement (DPA) – where we act as a Data Processor on behalf of a client organisation.
Acceptable Use Policy (AUP) – setting out rules for safe and appropriate use of our Services by end users.
In the event of any inconsistency between these documents, the order of precedence is set out in our Terms & Conditions.
By using our Services, or by engaging with us as a client organisation, you acknowledge that you have read and understood this Policy.
2. Who We Are
Altu Leader Ltd (“Altu”) is a UK-based artificial intelligence company that provides digital platforms and services to support leadership development and team performance.
Company name: Altu Leader Ltd
Company number: 16578525
Registered office address: 30 Thomas Rider Way, Boughton Monchelsea, Maidstone, ME17 4GA, England.
Jurisdiction: Incorporated in England & Wales
ICO Registration No: CSN9187091 – Altu is registered with the UK Information Commissioner’s Office (ICO) as a data controller under the Data Protection Act 2018.
Privacy enquiries contact: hello@altuleader.co.uk
Altu may act as either a Data Controller or Data Processor depending on the context in which we handle personal data. Further details of our role are set out in Section 3 (Our Role in Data Protection).
Our commitment is to handle all personal data in compliance with the UK GDPR, the Data Protection Act 2018, and guidance issued by the ICO.
3. Our Role in Data Protection
Altu operates in different capacities depending on the nature of the Services being provided and the context in which personal data is handled. Understanding this distinction is important for clients, end users, and data subjects.
Data Controller – Altu acts as a Data Controller when we determine the purposes (“why”) and essential means (“how”) of processing personal data. Typical examples include:
Visitors to our websites.
Individuals creating demo or trial accounts directly with Altu.
Direct subscribers to our Services where no separate client organisation is involved.
Marketing, communications, and business development activities carried out by Altu.
In these situations, we are responsible for ensuring that a lawful basis exists under UK GDPR, for providing privacy notices, and for fulfilling data subject rights requests directly.
Data Processor – Altu acts as a Data Processor when we process personal data strictly on the documented instructions of a client organisation. Examples include:
Employee or user data entered into Altu’s platforms.
Staff or mentor accounts created by a client organisation for its users.
performance, or coaching data managed within our systems.
In these cases, the client organisation is the Data Controller and remains responsible for establishing a lawful basis for processing, providing privacy notices to individuals, and determining retention periods. Altu only processes data as instructed by the Controller, in accordance with our Data Processing Agreement (DPA).
Regardless of whether we act as Controller or Processor, we apply the same high standards of security and privacy protection across all personal data entrusted to us.
4. Categories of Data We Process
The types of personal data Altu may process depend on the nature of our relationship with you and whether we are acting as a Data Controller or Data Processor.
4.1 Identification and contact details
Examples: name, email address, telephone number, postal address, job title, organisation.
Context: collected when individuals create accounts, sign up for updates, participate in demos, or are registered by a client organisation.
4.2 Account and authentication data
Examples: usernames, login credentials, authentication tokens, security questions, and access permissions.
Context: required to provide secure access to Altu’s platforms and services.
4.3 Performance and coaching data (Processor role)
Examples: employee or user profiles, performance data, leadership assessments, coaching goals, progress updates, and feedback.
Context: processed only when instructed by a client organisation. Altu has no independent purpose for this data and acts solely on the Controller’s instructions.
4.4 Technical and device data
Examples: IP address, device identifiers, browser type and version, operating system, diagnostic logs, crash reports.
Context: collected automatically to maintain system security, performance, and reliability.
4.5 Communications data
Examples: enquiries, support requests, chat transcripts, messages submitted through the Services.
Context: processed when users contact Altu for assistance or interact within our platforms.
4.6 Feedback, analytics, and usage data
Examples: product feedback, anonymised usage metrics, performance logs, aggregated statistical data.
Context: used to improve functionality and user experience. Identifiable data is anonymised or aggregated before analysis, in line with ICO guidance.
4.7 Cookies and similar technologies
We use cookies and similar technologies on our websites to ensure they function properly, improve performance, and provide insights into how our Services are used. Some cookies are strictly necessary, while others (such as analytics or preference cookies) are optional and used only with your consent.
For full details of the cookies we use, the purposes they serve, and how you can manage your preferences, please see our [Cookies Policy] available on our website.
5. Purposes of Processing
We only process personal data where it is necessary, lawful, and proportionate to deliver our Services or meet our legal obligations. Depending on the context and whether we act as Controller or Processor, we may process personal data for the following purposes:
5.1 Service provision and configuration
To enable authorised users to access and use Altu’s platforms and features.
To configure accounts, dashboards, workflows, and integrations in line with client requirements.
To host, store, and transmit data securely.
5.2 User authentication and access management
To verify the identity of users and provide secure logins.
To administer role-based permissions and access controls.
To prevent unauthorised access, misuse, or fraud.
5.3 Performance and leadership development (Processor role)
To support leadership development and team performance initiatives as instructed by client organisations.
To process employee or user data for coaching plans, performance reviews, or progress tracking.
Altu does not determine independent purposes for this processing.
5.4 Technical support and troubleshooting
To respond to user support requests and resolve technical issues.
To manage helpdesk tickets, bug reports, and feature queries.
To train staff in providing effective support.
5.5 System stability, security, and performance monitoring
To monitor service uptime, performance, and load.
To conduct testing, upgrades, and quality assurance.
To detect, investigate, and prevent security threats or misuse.
To implement backup and disaster recovery procedures.
5.6 Analytics and service improvement
To analyse anonymised and/or aggregated usage data to improve features, enhance functionality, and optimise user experience.
Identifiable data is anonymised or aggregated before analysis in line with ICO guidance on anonymisation and pseudonymisation.
Altu will not use personal data for unrelated profiling, marketing, or resale.
5.7 Legal, regulatory, and safeguarding compliance
To meet obligations under data protection, employment law, and other applicable regulations.
To respond to lawful requests from regulators, authorities, or courts.
To maintain statutory records (e.g., financial or audit records).
6. Legal Basis for Processing (when acting as Controller)
When Altu determines the purposes and means of processing personal data, we act as a Data Controller under the UK GDPR and the Data Protection Act 2018. In these circumstances, we rely on the following lawful bases:
6.1 Contractual necessity
Where processing is required to deliver services that you subscribe to or request (e.g., account creation, platform access, support).
Without this processing, we would be unable to fulfil our contractual obligations.
6.2 Legitimate interests
Where processing is necessary to operate, maintain, and improve our services, provided such interests are not overridden by the rights and freedoms of data subjects.
Examples include service analytics (in anonymised/aggregated form), fraud prevention, system monitoring, and ensuring network security.
We apply a legitimate interest assessment (LIA) where appropriate to balance our interests against individual rights.
6.3 Legal obligations
Where processing is necessary to comply with laws or regulations that apply to Altu.
This may include financial record-keeping, employment law, or responding to lawful requests from regulators or courts.
6.4 Consent
In limited cases, we may rely on consent as the lawful basis for processing (e.g., sending marketing communications, collecting optional feedback, or participation in beta testing).
Where consent is used, individuals have the right to withdraw consent at any time without detriment.
7. Sharing and Sub-Processors
7.1 Use of trusted providers
We may share personal data with carefully selected third-party service providers who help us deliver, secure, and maintain our Services. These may include hosting providers, cloud infrastructure platforms, support and helpdesk systems, analytics providers, and cybersecurity services.
7.2 Sub-processor obligations
Where we act as a Data Processor, any third-party providers we engage as Sub-Processors are bound by written agreements that impose obligations no less protective than those set out in our Data Processing Agreement (DPA). This includes requirements on:
Confidentiality.
Security standards.
Breach notification.
Returning or deleting personal data at the end of the service.
7.3 Transparency of Sub-Processors
We maintain an up-to-date list of our Sub-Processors. This list is available to client organisations on request and is updated whenever a new Sub-Processor is appointed or an existing one is replaced. Clients will be notified in advance of material changes in accordance with our DPA.
7.4 No sale of personal data
Altu does not sell, rent, or trade personal data to third parties under any circumstances. Any sharing of data is solely for the purposes set out in this Policy, our Terms & Conditions, and (where relevant) our Data Processing Agreement.
8. International Data Transfers
8.1 General approach
Altu primarily seeks to process and store personal data within the United Kingdom or European Economic Area (EEA) wherever possible. However, some of our trusted service providers may operate outside these regions. In such cases, we ensure that appropriate safeguards are in place to protect personal data in line with the UK GDPR and the Data Protection Act 2018.
8.2 Safeguards used
Where personal data is transferred outside the UK/EEA, we rely on one or more of the following safeguards:
UK adequacy regulations – where the UK Government has recognised that the destination country provides an adequate level of data protection.
International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs) – approved contractual safeguards that impose equivalent data protection obligations on the recipient.
Other lawful transfer mechanisms – such as explicit consent from the data subject (where appropriate), or transfers necessary for the performance of a contract or the establishment, exercise, or defence of legal claims.
8.3 Rights and remedies
Where we rely on safeguards, we ensure that data subjects have enforceable rights and effective legal remedies in relation to their personal data.
8.4 Transparency
Details of international transfers (and the safeguards used) are included in our Data Processing Agreement (when acting as Processor) and can also be made available to clients on request.
9. Data Retention
9.1 General principle
Altu retains personal data only for as long as it is necessary to fulfil the purposes for which it was collected, or as required by law, regulation, or client instructions.
9.2 Adult users
For adult users (e.g., staff, professionals, or direct subscribers), personal data is retained only for the minimum period necessary to provide services and meet legal obligations (such as financial record-keeping).
9.3 End of processing
When personal data is no longer required, we ensure it is securely deleted or anonymised in accordance with recognised industry standards. Where deletion is not technically feasible, the data is placed beyond further use and protected from any unauthorised access or processing.
10. Data Subject Rights
10.1 Rights under UK GDPR
Individuals whose personal data we process (“Data Subjects”) have the following rights under the UK GDPR:
Right of access – to obtain a copy of their personal data and details of how it is processed.
Right to rectification – to request correction of inaccurate or incomplete personal data.
Right to erasure (“right to be forgotten”) – to request deletion of personal data in certain circumstances (e.g., where it is no longer necessary for the purposes for which it was collected, or consent is withdrawn).
Right to restriction – to request that processing is limited in certain circumstances (e.g., while a data accuracy challenge is resolved).
Right to data portability – to receive personal data in a structured, commonly used, machine-readable format and, where feasible, to transmit that data to another controller.
Right to object – to object to processing based on legitimate interests or to direct marketing.
Rights relating to automated decision-making – to not be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.
10.2 How rights are exercised
Where Altu is a Data Controller – Data Subjects may exercise their rights by contacting us directly at: hello@altuleader.co.uk. We will respond in line with UK GDPR timescales (normally within one month).
Where Altu is a Data Processor – requests must be directed to the relevant Data Controller (e.g., the client organisation). Altu will assist the Controller in fulfilling such requests, as required by our Data Processing Agreement.
10.3 Identification
To protect privacy, we may require individuals to verify their identity before responding to a rights request.
10.4 Limitations
Some rights may be subject to legal or contractual restrictions. For example, requests may be refused where data must be retained by law, for safeguarding purposes, or for the establishment, exercise, or defence of legal claims.
11. Security Measures
11.1 Commitment to security
Altu takes the security of personal data seriously. We implement technical and organisational measures designed to ensure a level of security appropriate to the risk, in line with the UK GDPR, the Data Protection Act 2018, and industry standards. Our approach is informed by best practices.
11.2 Key measures in place
Our security framework includes (but is not limited to):
Encryption – personal data is encrypted in transit (TLS) and at rest (AES or equivalent) where applicable.
Access controls – strict role-based permissions and the principle of least privilege are applied.
Authentication – multi-factor authentication (MFA) is required for all administrator and privileged accounts.
Hosting security – data is hosted with trusted providers that meet recognised security standards and are subject to regular independent audits.
Vulnerability management – regular scanning, patching, and penetration testing to identify and remediate potential risks.
Logging and monitoring – continuous monitoring of system access, activity, and anomalies, with alerts for suspicious or unauthorised activity.
Training and awareness – staff receive regular training on data protection and secure handling of personal data.
Business continuity and disaster recovery – tested plans in place to maintain or restore services in the event of an outage, cyberattack, or other disruption.
Incident response – a documented process to detect, report, and respond to security incidents, including compliance with breach notification obligations under UK GDPR.
11.3 Continuous improvement
We regularly review and update our security measures in light of technological developments, emerging threats, and evolving regulatory requirements.
12. Data Breaches
12.1 Commitment
Altu maintains procedures for detecting, investigating, and responding to actual or suspected personal data breaches. We treat all potential breaches with urgency and transparency.
12.2 Where Altu acts as a Data Processor
We will notify the relevant Data Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach.
Our notification will include, where possible:
The nature of the breach and categories of data affected.
The likely consequences of the breach.
Measures taken or proposed to address and mitigate the breach.
A contact point for further information.
We will cooperate fully with the Controller to investigate, contain, and remediate the breach, and to support the Controller in meeting its notification obligations to regulators and/or affected Data Subjects.
12.3 Where Altu acts as a Data Controller
We will assess the severity of any breach and notify the Information Commissioner’s Office (ICO) without undue delay, and within 72 hours where required by law.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected Data Subjects promptly and in clear, plain language.
12.4 Record-keeping
We maintain an internal breach log documenting the facts, effects, and remedial action taken for all breaches, whether or not notification is required.
13. Contact
13.1 Altu contact details
For any questions, concerns, or requests regarding this Privacy & Security Policy, or the way Altu handles personal data, please contact us:
Postal address: 30 Thomas Rider Way, Boughton Monchelsea, Maidstone, ME17 4GA, England.
General enquiries: hello@altuleader.co.uk
13.2 Right to escalate
If you are not satisfied with how we handle your enquiry, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
Website: https://ico.org.uk
Telephone: 0303 123 1113
Postal: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF