Privacy Notice




The Hertfordshire Growth Hub consists of local public and private sector partnerships led by the Hertfordshire Local Enterprise Partnership (LEP), represented by Hertfordshire County Council as the accountable body. Exemplas Holdings Limited (Exemplas) is contracted by the Hertfordshire County Council, the data controller, to undertake the data processing of personal data on behalf of the Hertfordshire LEP.  


The Exemplas Privacy Notice (Notice) below gives you further information about the way Exemplas collects and uses personal information about you (which is known as “personal data” under data protection legislation).

The Exemplas Group of Companies means Exemplas Holdings Limited; Exemplas Limited; Exemplas Trade Services Limited; and Enterprise Growth Solutions Limited (“Exemplas Group”). References in this Notice to “we” or “us” are to the entities listed.


You should read through this Privacy Notice to fully understand how we may collect and use information that we obtain about you, and your rights in relation to that information. Your use of our online services or your provision of information to us constitutes your acknowledgment of the terms of this Privacy Policy. Please do not send us any of your information if you do not want it to be used in the ways described in this Privacy Policy.


Commitment to privacy
We are committed to protecting your personal data and right to privacy. We will always keep your personal data safe and comply with applicable data protection legislation in place from time to time.


Our data protection policy
The Exemplas Group understands the importance of protecting personal data and is committed to complying with the General Data Protection Regulation 2016/679 (GDPR). We are committed to fostering a culture of transparency and accountability by demonstrating compliance with the principles set out in the Regulation – as laid out in our data protection policy (available to you when you request this by email from our Data Protection Officer). This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.
When we ask you for personal data, we will:
• tell you why we need it
• only ask for relevant information
• look after it and make sure it is only accessible to those within the Exemplas Group and its partners who need to see it
• only keep it for as long there is a business, statutory or legal obligation (according to our retention policy)
• not make your personal data available to third parties without your permission.

In return, we ask you to:
• give us accurate information, and
• tell us as soon as possible if there are any changes.



This Privacy Notice applies in the following circumstances:

  • when you request information from us or provide information to us;
  • when you or the organisation you work for engages our services, or applies to one of our programmes for government funding;
  • as a result of your relationship with one or more of our clients or partners as part of a referral;
  • when you apply for a role or work placement opportunity;
  • when you complete application forms on our Websites;
  • when you attend our events;
  • when we conduct open source searches on you in connection with our business development processes;
  • when you visit our Websites and online services (including our Digital Platform); and
  • when you are entered onto our mailing lists to receive publications and other marketing emails (please see section 13 for more information).


Across our Group, we may collect personal data:

From you directly: 
- information that you provide by filling in forms or surveys;
- information in correspondence that you send us;
- details of your visits to our website including, but not limited to, traffic data, location data, blogs and other communication data, and the resources that you access;
- Personal contact details, such as title, full name, contact details, date of birth, address;
- Your nationality, if needed for the provision of service or for grant eligibility;
- Information about your employment status, if relevant;

- Bank account information, if needed for the payment of grants;
- Equality, Diversity & Inclusion information;
- Information about your career, workplace, employer, research / innovation;
- Services, you currently hold with us, included funded services;
- Marketing to you, including history of those communications, and information about funded services or related business support services we think you may be interested in to improve your business, and analysing data to help target offers to you that we think are of interest or relevance to you;
- Dietary and / or accessibility needs;

- Information about your use of funded services or services held with our Delivery Partners;

From the following general sources:
- Information generated about you when you use our services
- Information from delivery partners 
- Information from public authorities
- Information from publicly available directories and information (e.g. social media, internet, Companies House, HMRC), and other organisations that operate to assist in offering individuals business support
- We buy information about you from accredited third parties, including marketing lists, publicly available information or information to improve our service delivery Information

- Insights about you and our customers gained from analysis or profiling of customers

- We receive information about you from government departments or third parties to offer you funded business support services.


When you use our online services, we may collect the following:

- information you provide by completing subscription, registration and application forms (including when you  submit  material or request further services);

- information you provide to us if you contact us, for example to speak with an adviser, or to report a problem with our online services; and

- details of visits made to our online services such as the volume of traffic received, logs (including, the internet protocol (IP) address and location of the device connecting to the online services and other identifiers about the device and the nature of the visit) and the resources accessed.


If you apply for a job or work placement you may need to provide information about your education, employment, racial background and state of health.  Your application will constitute your express consent to our use of this information to assess your application and to allow us to carry out both recruitment analytics and any monitoring activities which may be required of us under applicable law as an employer. Without your personal information we may not be able to progress considering you for positions with us. If you apply for a job or work placement using our on-line application system, you will access a separate privacy policy which explains how your information will be used, how long we will retain it and to whom it may be disclosed.


We may use your personal data if:

  • it is necessary for the performance of a contract with you or the organisation you work for; or
  • necessary in connection with a legal or regulatory obligation; or
  • for public task, when we are engaged as the government’s delivery partner when we carry out tasks in the public interest;
  • you have provided your consent (where necessary) to such use or the organisation that you work for has obtained your consent (where necessary); or
  • we (or a third-party) have a legitimate interest which is not overridden by your interests or your rights and freedoms; or
  • we are otherwise required or authorised by law.


We may use your information to:

  • To provide you with information or services that you request from us or which we feel may interest you
  • To notify you about changes to our website or services
  • For communications and public engagement activities: surveys, events, newsletters, communications, websites and social media
  • To manage funding applications and awards
  • To alert you to funding opportunities
  • To undertake funded business support monitoring and evaluation
  • To support participation in events and workshops; this may include surveys and collecting information on dietary or accessibility requirements
  • To ensure our terms and conditions of funding are met, for example audits
  • To operate our complaints policy 
  • To facilitate commercialisation and our legitimate business interest
  • For evaluation and recording
  • For current or past employees, interns or associates for:
    • Recruitment including recording equality and diversity, personnel files, rewards and benefits, training and development, management information, pension scheme administration, accidents, incidents and general health and safety at work, legal casework – grievances, disciplinary, and dismissal.
    • provide and improve our services and products to you or the organisation you work for (including auditing and monitoring use of those services and products);
  • maintain and develop our relationship with you and your organisation;
  • monitor and analyse our business;
  • facilitate our internal business operations;
  • fulfil our legal, regulatory (including state aid requirements), accounting, reporting, risk management or professional obligations;
  • send you legal updates, publications, marketing and details of events (please see Section 13 for more information);
  • process and respond to requests, enquiries or complaints received from you.


We may not be able to do these things without your personal information.



We may disclose information to government bodies and law enforcement agencies for their enforcement purposes. We may also disclose information provided by you to other third parties where this is necessary for the purposes set out in this privacy policy, to Exemplas operators and to suppliers that we engage to process your information on our behalf.


We may share your information with third parties including:

  • our partners, our business advisers and your employers or place of business;
  • third parties involved in the provisions of services to clients including professional advisers;
  • our professional advisers, auditors and insurers;
  • third party service providers to whom we outsource services, for example archival, auditing, reference checking, professional advisory (including legal, accounting, financial and business consulting), IT support, mailing house, delivery, technology, website, social media, research, banking, payment, client contact, data processing, insurance, marketing and security services;
  • third parties with whom we have co-promotional arrangements (such as jointly sponsored events);
  • third parties who carry out research and analyses of our services and products on our behalf; or
  • public authorities that fund our services.


We will not sell, rent or disclose your information to any third parties other than those set out in this privacy policy without your consent. We do not transfer your personal information outside of the European Economic Area without your consent.


We will only retain your personal information for as long as is reasonably necessary in the circumstances. Personal data provided in connection with the provision of our services will be retained in accordance with Exemplas’ retention policies unless we agree otherwise with you, in writing. If you wish to know more about our retention policies, please contact:


Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally collect personal information from you only where we need the personal information to perform a contract with you (for example, when providing our services); or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms; or under public task when we are engaged as the government’s delivery partner when we carry out tasks in the public interest; or where consent is required, for example, direct marketing.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as the possible consequences, if any,  if you do not provide your personal information).

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information (including any legitimate interests relied upon), please send an email to



We may share your information across the Exemplas Group including our delivery partners.

Where we transfer your information internationally we will take reasonable steps to ensure that your information is treated securely and the means of transfer provides adequate safeguards.



We take reasonable steps to hold information securely in electronic or physical form and to prevent unauthorised access, modification or disclosure. Our information security policy is supported by security standards, processes and procedures and we store information in access controlled premises or in electronic databases requiring logins and passwords. We require our third party data storage providers to comply with appropriate information security industry standards. All partners and staff and third party providers with access to confidential information are subject to confidentiality obligations.

The transmission of information via the internet is not completely secure. We cannot guarantee the security of your data transmitted to our online services; any transmission is at your own risk.


We use cookies on our online services. Please see our Cookie Policy for details.


Our Websites contain links to other sites which are controlled by third parties.

Visitors should consult these other sites' privacy policies and please be aware that we do not accept responsibility for their use of information about you.



You have rights under data protection laws in relation to your personal data. It is our policy to respect your rights and we will act promptly and in accordance with any applicable law, rule or regulation relating to the processing of your personal data.

Details of your rights are set out below:

  • right to be informed about how personal data is used – you have a right to be informed about how we will use and share your personal data. This explanation will be provided to you in a concise, transparent, intelligible and easily accessible format and will be written in clear and plain language;
  • right to access personal data – you have a right to obtain confirmation of whether we are processing your personal data, access to your personal data and information regarding how your personal data is being used by us;
  • right to have inaccurate personal data rectified – you have a right to have any inaccurate or incomplete personal data rectified. If we have disclosed the relevant personal data to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible;
  • right to have personal data erased in certain circumstances – you have a right to request that certain personal data held by us is erased. This is also known as the right to be forgotten. This is not a blanket right to require all personal data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your personal data;
  • right to restrict processing of personal data in certain circumstances – you have a right to block the processing of your personal data in certain circumstances. This right arises if you are disputing the accuracy of personal data, if you have raised an objection to processing, if processing of personal data is unlawful and you oppose erasure and request restriction instead or if the personal data is no longer required by us but you require the personal data to be retained to establish, exercise or defend a legal claim;
  • right to data portability – in certain circumstances you can request to receive a copy of your personal data in a commonly used electronic format. This right only applies to personal data that you have provided to us (for example by completing a form or providing information through a website). Information about you which has been gathered by monitoring your behaviour will also be subject to the right to data portability. The right to data portability only applies if the processing is based on your consent or if the personal data must be processed for the performance of a contract and the processing is carried out by automated means (i.e. electronically);
  • right to object to processing of personal data in certain circumstances, including where personal data is used for marketing purposes – you have a right to object to processing being carried out by us if (a) we are processing personal data based on legitimate interests or for the performance of a task in the public interest (including profiling), (b) if we are using personal data for direct marketing purposes, or (c) if information is being processed for scientific or historical research or statistical purposes. You will be informed that you have a right to object at the point of data collection and the right to object will be explicitly brought to your attention and be presented clearly and separately from any other information; and
  • right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect – you have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you.

You may exercise any of your rights at any time using the contact details set out in Section 15.  You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one calendar month. It may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

Information we hold about you should be up-to-date and accurate. Please advise us in writing of any changes to your information using the contact details set out in Section 15 below.



If you receive marketing materials relating to our services by email or post, you may withdraw your consent for us to send these to you at any time, by using the “unsubscribe” option included in the email or other material. Alternatively, you can let us know your preferences by sending an email to



We review this Privacy Policy regularly and reserve the right to revise it or any part of it from time to time to reflect changes in the law or technology practices. It is your responsibility to review the amended Privacy Policy.

If we wish to use your personal data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.


Please contact our Data Protection Officer, if you have any questions about this privacy notice or the information we hold about you.
If you wish to contact our Data Protection Officer, please send an email to, or write to Marcia Kilmurry, Titan Court, 3 Bishops Square, Hatfield, Hertfordshire, AL10 9NE, UK.

Please contact us if you have any questions about this Privacy Notice or the personal information we hold about you or to exercise all relevant rights, queries or complaints.


The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113 or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.


Last updated: 30/01/2019