OneAdvanced Privacy Notice
Customers, Suppliers, Marketing and Website Visitors
Updated: 2 July 2026
This privacy notice explains how OneAdvanced (referred to as "we", "us", or "our") collects, uses, manages, protects, and retains your personal data when we act as the Data Controller for our prospective customers, customers, suppliers, marketing leads, and visitors to our websites and offices. It consolidates and replaces our previous separate Website Privacy Notice and Customer and Supplier Privacy Notice.
We consider the protection and security of your data to be of paramount importance. We never sell personal data, and we strive to carry out all our processing operations in strict compliance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and other applicable data protection laws including the Data (Use and Access) Act 2025.
When We Act as a Data Processor
For the majority of services we provide to our customers, OneAdvanced acts as a Data Processor on behalf of the customer. In these situations, this privacy notice does not apply. Instead, the privacy notice of the relevant customer (the Data Controller) governs that processing, and any questions about that processing should be directed to that organisation in the first instance.
This notice applies only where OneAdvanced determines the purposes and means of processing personal data - that is, where we act as the Data Controller for the categories of individual described above.
Who We Are
When we say "we", "us", "our" or "OA" in this notice, we are referring to OneAdvanced Group Limited and its subsidiaries (collectively, OneAdvanced). OneAdvanced Group Limited is a company registered in England and Wales under company number 05965280, whose registered office is at The Mailbox, Level 3, 101 Wharfside Street, Birmingham, B1 1RF, United Kingdom.
Our Global Data Protection Officer (GDPO) provides guidance to help us meet our obligations and ensure your data is protected. A full list of the OneAdvanced legal entities that may process your data is set out in Section 13 (Who is Your Data Controller?).
What Personal Information We Collect and Why
We collect different categories of personal data depending on how you interact with us, as set out below.
Marketing
If you are a customer or prospective customer, we collect your business email address, full name, company name, and business contact number to market our products and services to you and to send relevant business communications, support-related information, business updates, and certain offerings from our selected partners. Our lawful basis for this processing is legitimate interests (and, for certain email marketing, consent).
When You Visit Our Website
We collect and use your personal data when you contact us via the Contact Form on our website. We will ask for your full name, job title, the company you work for, your work email address, contact number, and the sector you work in, so that we may respond to your query.
When you visit our website we also store the name of your internet service provider, the website from which you visited us (where applicable), the parts of our site you visit, the date and duration of your visit, and information from the device you used (device type, operating system, screen resolution, language, country, and web browser type). We process this data to facilitate access to our services, and in anonymised form for statistical purposes and to improve our site.
Website Usage and Cookies
We use cookies and similar technologies to help distinguish you from other users, to provide a personalised service, and to improve our websites, applications, and services. Our Cookie Consent Manager is managed by TrustArc, and you can select your preferences via the link at the foot of our website. Further information is available in our Cookie Policy.
Non-essential tracking technologies (including the LinkedIn Insight Tag described below) are only deployed after you provide clear, affirmative consent via our cookie consent banner, which you may withdraw at any time through your cookie settings.
Use of the LinkedIn Insight Tag
Our website uses the LinkedIn Insight Tag, a conversion-tracking tool provided by LinkedIn Ireland. When you visit our website, the tag collects the URL of the page visited, the referrer URL, your IP address, device and browser characteristics, a timestamp, and page views. This data is encrypted and de-identified by LinkedIn within seven days and deleted within 90 days; we do not receive personally identifiable information about individual users. We use this data for conversion tracking, website retargeting, and aggregated website demographics. Our lawful basis is consent. LinkedIn processes this data as a separate data controller; please review LinkedIn's own privacy and cookie policies.
When You Interact with Us on Live Chat (Website Visitors)
When you use our webchat service on our website or our Contact Us Form, we collect the contents of your chat session, your name, and email address to respond to your inquiry and provide related information. Our lawful basis is our legitimate interests in responding to enquiries you initiate.We will only use your details to send you marketing where you have given your consent, which you can withdraw at any time via the unsubscribe link. Live chat data is retained for 12 months and then deleted, save that where you have consented to marketing, your name and email will be retained until you withdraw that consent. Our webchat is provided by a third-party processor whose sub-processors include AI tools located outside the UK; these are listed in our sub-processor list and any resulting international transfers are protected by the safeguards described in the International Data Transfers section below.
When You Use Our Customer Webchat
If you are a customer and use our customer webchat or Contact Us Form, we collect the contents of your chat session, your name, and email address to respond to your enquiry and to provide information about our products and services. Our lawful basis is performance of a contract, and we retain this data for the duration of our contract with you.
When You Interact with Our AI-Powered Chat System
When you engage with our chat service, you will be clearly informed whether you are communicating with an AI system or a human agent. Our AI chat system provides automated responses to common inquiries based on pre-trained models; it generates responses using existing knowledge and does not learn or retain information from individual conversations, and it does not have access to your personal account information or confidential business data. You may request a human agent at any point. The same data collection, retention (12 months), and security measures described for standard Live Chat apply, and all standard data subject rights apply to information collected through AI chat interactions.
Support Services
When you contact us for support (for example, feedback or technical requests), we may use this information for research, analytics, and product/third-party tool development, aggregating and anonymising it wherever possible. Our lawful basis is performance of a contract.
Research and Development
We process your personal data to improve our products and services. For most research activities our lawful basis is legitimate interests. For interview-based research involving audio or video recordings, we will always seek your explicit consent; the data collected may include your name, contact details, image, voice, and the opinions you express.
Suppliers
If your company supplies us with goods or services, we collect your business contact information (full name, job role, work address, email address, and contact number) to communicate with you. Our lawful basis is performance of a contract.
Communication
Where we have entered into a contract to provide products and services, we will communicate with you to fulfil our contractual obligations, and our accounts team will process invoices for payments due. We require certain business contact details (name, job title, email address, and phone number). Our lawful basis is performance of a contract.
OneAdvanced AI
When using OneAdvanced AI, you decide what personal data you enter, and you remain the controller for that content. When you create an account we collect:
Account Information: your name, contact details, and account credentials.
Content: personal data you provide as input, including prompts and uploaded content. We do not use or access this content for any purpose other than providing the service to you.
Technical Information: log data (such as IP address, browser type and settings, date and time of requests, and how you interact with the service), usage data, device information, and general location (derived from your IP address, for security and to enhance your experience).
OneAdvanced AI is hosted in the UK, and each customer environment is private and secure to that customer. If you purchase OneAdvanced AI, you may wish to read our AI Explainability Statement.
Intelligent Chat
Intelligent Chat is an optional add-on to OneAdvanced AI that lets you use a web search engine alongside the AI product. It is switched off by default. If you purchase it and switch it on, the web search is provided by Tavily, and the information you enter into the web search is transferred to the United States.
OneAdvanced has completed a Transfer Risk Assessment and has appropriate transfer mechanisms in place for this transfer in accordance with UK GDPR. As the controller of your own data, you should be aware that anything you enter into the web search (where Intelligent Chat is enabled) is sent to the US. This data is used only to deliver the response to your web search. It is retained for the duration of our contract with you, after which it is deleted; a zero-retention option is available for your inputs, and any usage data is retained only in anonymised form.
Visitors to Our Offices
We keep our premises secure using building access control, CCTV, and visitor records. Where CCTV is managed directly by OneAdvanced, images are securely stored and accessed on a need-to-know basis by authorised personnel. Where CCTV is installed and maintained by building management, OneAdvanced does not own the equipment, but executive staff may request access to relevant images for security reasons. Visitors are required to sign in at reception; visitor records are securely stored and accessible on a need-to-know basis.
Information We Collect from Third Parties
We may collect information about you from third-party partners where you have shown interest in our products and services, typically your full name, the company you work for, and your business email address.
Social Media and Third-Party Platforms
We use social networking sites such as LinkedIn, LinkedIn Sales Navigator, and X (formerly Twitter). We do not control how these third-party sites collect, store, or use your personal information. We recommend you review the privacy policies and settings on any social networking site you use and contact those sites directly to explore opt-out options. OneAdvanced is not responsible for how these third-party sites use your information.
Who We May Share Your Personal Information With
We may share your information with our agents and service providers for the purposes described in this notice, including:
- Marketing agencies specialising in social media, to help us connect with your networks and generate interest in our products and services.
- Agents acting on our behalf to carry out search engine optimisation, modelling, analysis, market and customer research, and statistical analysis to improve our website and services (including creative agencies and user experience testing agencies). We do not provide personal information to these agents.
- Our processors and sub-processors, including IT system providers (such as our Customer Relationship Management and financial management systems) and IT infrastructure providers (such as Microsoft Azure or Amazon Web Services). A current list of our sub-processors is available at OneAdvanced Sub-Processors.
- Our email platform and other service providers used to send you service and marketing messages.
- Other OneAdvanced group companies for general business purposes, including back-office support, customer support, and group effectiveness.
- The police, law enforcement agencies, and public bodies in the detection or prevention of crime.
- Government bodies and regulators, such as HMRC or data protection regulators worldwide.
- Our legal and professional advisors, including our auditors (for example, financial auditors or our ISO 27001 certification body).
- Debt recovery agencies when pursuing repayment of a debt.
- An organisation taking over all or substantially all of our business assets.
- Any party to whom we are required to disclose information to comply with the law.
Lawful Basis for Processing Your Information
Our lawful bases for processing your information include:
- Legitimate interests pursued by us, third parties, or selected partners to promote our products or services, or for research to improve and develop our products and services.
- Performance of our contract with you.
- Consent, for certain email marketing activities based on individual opt-in.
- Legal obligation, where we are required to comply.
Change of purpose: We will only use your personal data for the purposes for which it was collected, unless we determine that use for another purpose is compatible with the original purpose in accordance with Article 6(4) UK GDPR, or where we are otherwise required or permitted by applicable law.
Duration of Processing
We retain personal data for as long as is necessary for the purpose for which it was collected, as set out below:
|
Type of data |
Retention period |
|
Support service logs |
12 months, then deleted |
|
Website Live Chat |
12 months, then deleted |
|
Customer Webchat |
Kept for the duration of our contract with you |
|
Communications |
Kept for the duration of our contract with you |
|
Research data |
2 years, then deleted |
|
Call recordings |
12 months, then deleted |
|
Consent for email marketing |
Kept until you unsubscribe |
|
Cookies |
See our separate Cookie Policy |
| Visitors sign-in records |
3 months, then deleted |
We may retain personal data for longer periods where required by applicable law or regulation, or to establish, exercise, or defend our legal rights.
Call Recordings for Marketing Purposes
If you consent prior to the beginning of a call, we record our marketing calls for quality and training purposes. If you do not consent, call recording is switched off. All call recordings are retained for 12 months and deleted thereafter. To request deletion of a call recording, contact us at dataprotection@oneadvanced.com.
Third-Party Websites
Our websites may contain links to third-party websites. We are not responsible for how these external sites process your personal information. We encourage you to review the privacy notice of every third-party website you visit and to contact the website owner with any questions or concerns.
International Data Transfers and Country-Specific Safeguards
OneAdvanced operates globally, with offices and subsidiaries in the UK, EU, USA, Canada, India, and Australia. We share data with authorised personnel in these locations to deliver our services and operate our business, always adhering to the purposes and lawful bases set out in this notice.
Transfers Within Adequate Jurisdictions
Data transfers between our UK and EU offices are governed by the UK GDPR and EU GDPR respectively. No additional safeguards are required, as both jurisdictions provide adequate protection. Standard data processing agreements are in place between group entities.
Transfers to Non-Adequate Jurisdictions
For transfers to countries without UK adequacy decisions, we implement appropriate safeguards, including UK-approved Standard Contractual Clauses / the International Data Transfer Agreement (IDTA), supplementary technical, organisational, and legal measures, and Transfer Risk Assessments (the statutory "data protection test"), reviewed annually.
United States of America
- UK-approved Standard Contractual Clauses (International Data Transfer Agreement).
- The UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge"), where the US recipient is self-certified under the EU-US Data Privacy Framework.
- Supplementary measures assessment conducted in accordance with applicable guidance.
- Technical safeguards include end-to-end encryption in transit (TLS 1.3 or higher), encryption at rest (AES-256), multi-factor authentication, regular penetration testing, and segregated network architecture with access controls.
- Organisational safeguards including staff background checks, regular data protection training, 72-hour breach notification procedures, and annual third-party security audits.
- Legal safeguards including a contractual commitment to challenge unlawful government access requests and to notify affected data subjects where legally permitted.
- Where Intelligent Chat is enabled, the web-search data you enter is transferred to the United States through our search provider, under the safeguards described above and supported by a completed Transfer Risk Assessment.
Canada
- UK-approved Standard Contractual Clauses.
- Recognition of Canada's substantially similar privacy framework under PIPEDA.
- Encryption in transit and at rest (AES-256), secure VPN connections, security monitoring and logging, and encrypted automated backups.
- Privacy Impact Assessments, staff training on UK GDPR requirements, and regular compliance audits.
India
- UK-approved Standard Contractual Clauses.
- Compliance with India's Digital Personal Data Protection Act 2023 requirements.
- Advanced encryption protocols (AES-256 at rest, TLS 1.3 in transit), access controls for data centres, real-time security monitoring, and segregated processing environments for EU/UK data.
- Comprehensive staff vetting, mandatory data protection certification, 24/7 security operations centre monitoring, and strict data retention and deletion policies.
Australia
- UK-approved Standard Contractual Clauses.
- Compliance with the Australian Privacy Principles under the Privacy Act 1988.
- Encryption using industry-standard protocols, secure cloud infrastructure with Australian data residency options, and multi-layered security architecture.
- Privacy officer designation, staff training, and incident management procedures aligned with UK GDPR.
Ongoing Monitoring and Review
We continuously monitor the legal and practical situation in each jurisdiction and will conduct annual reviews of transfer mechanisms and safeguards, update safeguards in response to legal developments, suspend transfers if adequate protection cannot be ensured, and implement additional measures as required by evolving data protection standards.
Your Data Protection Rights
Depending on your geographical location, you have certain rights under applicable data protection laws. For individuals in jurisdictions where the UK GDPR or EU GDPR applies, these rights include the following.
Right to Access
You can ask OneAdvanced to confirm what personal information we hold about you and how it is processed. To exercise this right:
- Existing customers: please contact the Support Desk.
- Job applicants: please refer to the recruitment privacy notice on our careers page.
- All others: please email us at dataprotection@oneadvanced.com.
We will respond within one month of receipt, which may be extended by up to a further two months for complex or numerous requests, as permitted under the UK GDPR. We may pause this time limit (the "stop the clock" rule) where we reasonably require further information from you to locate your data or verify your identity, and the time limit resumes once we receive what we have requested. We will carry out reasonable and proportionate searches to locate your personal data and are not required to conduct excessive or disproportionate searches. Please note that you may need to verify your identity to receive the information.
Right to Rectification
You have the right to have inaccurate personal data corrected.
- Existing customers: you may update your data within the relevant application or customer support portal, or contact the Support Desk.
- Website visitors, marketing leads, and prospective clients: you may update information submitted via our corporate website using the Contact Form.
- Job applicants: please refer to the recruitment privacy notice on our careers page.
- All others: please email us at dataprotection@oneadvanced.com.
Right to Object
You have the right to object to direct marketing where our lawful basis is legitimate interests. You can opt out at any time by clicking the unsubscribe link in any marketing email you receive from OneAdvanced, or by emailing dataprotection@oneadvanced.com.
Withdrawal of Consent
We do not rely on consent for most of our processing activities, except for certain email marketing and non-essential cookies. Where we rely on consent, you have the right to withdraw it at any time, by clicking the unsubscribe link in the relevant email or by adjusting your cookie settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to Be Informed
You have the right to be informed about the data we process about you. This notice is designed to provide that information, and we will keep it updated to reflect changes in our processing activities.
Other Rights
You also have the right to erasure, the right to restrict processing, and the right to data portability. To exercise any of these rights, please contact our data protection team at dataprotection@oneadvanced.com.
You can find further information about your rights on the Information Commissioner's Office website at ico.org.uk.
Complaints
We strive to maintain an efficient and effective data protection compliance framework. If you have any questions or concerns about this notice, or wish to complain about our use of your personal data, please contact us in the first instance so we can try to resolve the matter:
Data Protection Office
The Mailbox, Level 3
101 Wharfside Street
Birmingham
B1 1RF
Email: dataprotection@oneadvanced.com
We will acknowledge your complaint within 30 days of receipt, investigate it thoroughly and without undue delay, and keep you informed of the outcome.
You also have the right to lodge a complaint directly with the Data Protection Authority in the UK, an EU member state, or any other regulatory body that oversees the use of personal data in your jurisdiction. The main establishment of OneAdvanced is in the UK and the relevant supervisory authority is the Information Commissioner's Office (ICO); please visit ico.org.uk for further information. We would, however, appreciate the chance to address your concerns first.
Changes to This Notice
Any changes we make to this notice will be posted on this page and, where appropriate, notified to you by email. We recommend that you check this page regularly to keep up to date with any changes. This notice was last updated on 2 July 2026.
Who Is Your Data Controller?
OneAdvanced Group Limited is a global company registered in England and Wales under company number 05965280, with its registered office at The Mailbox, Level 3, 101 Wharfside Street, Birmingham, B1 1RF. OneAdvanced Group Limited is your Data Controller. Any subsidiary of OneAdvanced may also process your data. Our main subsidiaries by region are set out below.
England and Wales
OneAdvanced Limited (trading as OneAdvanced). Company number 03214465. Registered office: The Mailbox, Level 3, 101 Wharfside Street, Birmingham, B1 1RF.
OneAdvanced IT Services Limited (trading as OneAdvanced). Company number 02124540. Registered office: The Mailbox, Level 3, 101 Wharfside Street, Birmingham, B1 1RF.
Advanced Health and Care Limited (trading as OneAdvanced). Company number 02939302. Registered office: The Mailbox, Level 3, 101 Wharfside Street, Birmingham, B1 1RF.
The National Will Register Limited. Company number 06256187. Registered office: The Mailbox, Level 3, 101 Wharfside Street, Birmingham, B1 1RF.
Australia
OneAdvanced Asia Pac Pty Ltd (trading as Portt) — ACN 142 778 005. Registered office: c/o BDO, Level 18, 360 Queen Street, Brisbane City, QLD 4000.
Canada
OneAdvanced Canada Inc. Company number 1907593. Registered office: 199 Bay Street, 5300 Commerce Court West, Toronto, Ontario, Canada, M5L 1B9.
Ireland
Advance Systems International Limited (Ireland). Company number 225199. Registered office: Workways, Block 5 High Street, Tallaght, Dublin 24, D24 YK8N, Ireland.
India
OneAdvanced India Private Ltd (trading as OneAdvanced). Company number U72900KA2001PTC028589. Registered office: W76, 2nd Floor, ClayWorks Opus, Campbell Rd, Austin Town, Bengaluru 560047, Karnataka, India.
United States of America
OneAdvanced Inc. (trading as OneAdvanced). Company number 7856661. Registered office: 3455 Peachtree Road NE, Suite 500, Atlanta, GA 30326, USA.