Privacy Policy
Last Updated: 30 September 2025
1. Who We Are
FIVE SUM LTD (trading as 5sum) is a company registered in England and Wales under Company No. 15691937. We act as the data controller for the personal information we collect and process.
Registered Office:
27 Old Gloucester Street
London WC1N 3AX
United Kingdom
In this Privacy Policy, references to “5sum,” “we,” “us,” or “our” mean FIVE SUM LTD.
If you have any questions or requests relating to your personal data or this Privacy Policy, please contact us at:
Email: privacy@5sum.com
Postal Address: 27 Old Gloucester Street, London WC1N 3AX, United Kingdom
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, the UK Data Protection Act 2018, and other applicable privacy laws.
At this time, 5sum does not meet the threshold for mandatory appointment of a Data Protection Officer (DPO). However, a privacy lead has been designated—reachable through the contact details above—to oversee data protection and compliance. If required by law in future, we will appoint an EU representative and update this notice accordingly.
2. Scope of This Policy
This Privacy Policy explains how 5sum collects, uses, discloses, and protects personal data in connection with the following:
- Our public website and any related microsites operated or controlled by us.
- Online forms, such as general contact or career inquiry submissions.
- Newsletter subscriptions and email marketing communications.
- Business communications with prospective clients, existing clients, vendors, and freelance consultants.
- Recruitment and career-related interactions, including job applications and CV submissions.
Exclusions
This Privacy Policy does not apply to the following:
- Client Data Processed as a Service Provider (Processor):
When 5sum processes personal data on behalf of a client (for example, in the delivery of marketing or analytics services), that processing is governed by the client’s own privacy policy and the applicable contractual terms.
- Employees and Contractors:
Data relating to employees or contractors is covered under 5sum’s internal HR privacy policies.
- Third-Party Websites or Services:
Our website may contain links to external sites or services not operated by 5sum. We are not responsible for the privacy practices, content, or policies of those third parties and recommend reviewing their privacy notices before providing any personal data.
3. Personal Data We Collect
3.1 Information You Provide Directly
We collect personal information that you choose to share with us when interacting with 5sum. This includes the following categories:
Contact and Inquiry Data
When you fill out our contact form or otherwise get in touch, we collect your name, email address, company name, and any other contact details you provide (such as a phone number, if included).
We also collect the content of your message or inquiry, which may include additional personal data you choose to disclose.
For example, if you request a consultation or ask a question through our web form, we process the information included in your message.
Newsletter Sign-Up Data
If you subscribe to our newsletter or marketing updates, we collect your email address and any related preference information (for example, topics of interest, where applicable).
Where required by law, we use a double opt-in process, meaning you may need to confirm your subscription via a verification email to ensure your consent is intentional.
Job Application and Career Data
If you apply for a role or submit a CV/resumé via our website or email, we collect the personal data contained in your application. This typically includes:
- Contact details (name, email, phone, address)
- Employment history and education
- Skills, portfolio links, or LinkedIn profile
We ask that applicants do not include sensitive personal data (e.g., relating to race, ethnicity, health, or similar categories) unless strictly necessary. If you provide references or third-party contact details, you confirm that you have obtained their consent to share that information with us.
Vendor and Freelancer Information
If you are a vendor, supplier, or freelance consultant working with 5sum (or seeking to do so), we may collect your business contact details (name, email, phone, company, and title) and any information you provide about your services. This usually occurs when you reach out to offer services or when we engage you to support a client project.
Client Representative Data
When we engage with client organisations, we collect the contact details of the individuals we liaise with—typically name, business email, phone number, and job title—to communicate and deliver services effectively.
3.2 Information We Collect Automatically
When you visit our website or interact with our communications, certain technical information is automatically collected.
Device and Log Data
Our web servers automatically log details such as your IP address, browser type, operating system, referring URLs, pages viewed, and timestamps of access.
We use this information to maintain website functionality, monitor security, and analyse general usage trends (e.g., which pages are most visited).
This information does not directly identify you but may be considered personal data under applicable law. It is retained securely for a limited period (see Section 10: Data Retention).
Cookies and Similar Technologies
5sum uses cookies in a minimal, privacy-focused manner. Cookies are small text files placed on your device to support essential site functionality.
By default, we only use strictly necessary cookies, for purposes such as:
- remembering your cookie preferences;
- enabling basic security functions (e.g., load balancing); and
- maintaining site operation.
We do not currently use cookies for analytics, advertising, or behavioural tracking.
If we introduce optional analytics (e.g., Google Analytics) or marketing pixels (e.g., Meta Pixel, LinkedIn Insight Tag), we will:
- update this Privacy Policy;
- provide clear notice; and
- obtain consent where required.
For detailed information, please refer to our Cookie Policy, which forms part of this Privacy Policy. Unless you actively consent to optional cookies, only strictly necessary cookies will operate during your visit.
3.3 Information from Third Parties
We primarily collect data directly from individuals. However, in limited cases, we may receive personal data from legitimate third-party sources, including:
Referrals and Recommendations
If a client, colleague, or contact refers you to us or provides your information as a point of contact, we will process that data lawfully and only for relevant business communications. You will always have the opportunity to opt out of further communication.
Public Sources
We may collect publicly available business contact information (e.g., from LinkedIn or company websites) for legitimate business development purposes. This typically includes name, job title, company, and business email. We use this information solely for B2B communications and provide an opt-out option in all outreach.
Recruitment Agencies and Job Boards
If you apply through a recruitment agency or job platform, we may receive your data from that source. We ensure such third parties have a lawful basis for sharing your information and handle your application in accordance with this Privacy Policy.
5sum does not purchase consumer data or marketing lists from third parties. All personal data processed originates from individuals themselves or legitimate, transparent sources as described above.
4. Purpose and Legal Basis for Processing
We process personal data only where it is lawful, necessary, and transparent. This section explains how 5sum uses personal data and the legal bases relied upon under the UK GDPR, EU GDPR, and other applicable privacy laws.
For individuals outside the UK or EEA (for example, in the United States), 5sum ensures that data processing aligns with relevant local privacy frameworks and that your rights are respected (see Section 9 – Your Rights).
Responding to Inquiries and Providing Services
When you contact us through our website, email, or other channels to request information, schedule a call, or explore potential collaboration, we use your personal data to respond and communicate effectively. This may include sending proposals, arranging meetings, and providing relevant service details.
Legal basis:
- Contractual necessity – to take steps at your request before entering into a contract (Art. 6(1)(b) UK/EU GDPR).
- Legitimate interests – our legitimate interest in responding to inquiries and developing business relationships (Art. 6(1)(f)).
When an inquiry results in a formal engagement, further processing is governed by contractual necessity.
Service Delivery and Client Communication
For client organisations, we process the personal data of authorised representatives to deliver consultancy services, manage projects, and fulfil contractual obligations. This includes communication, billing, and operational coordination.
Legal basis:
- Performance of a contract – to deliver agreed services (Art. 6(1)(b)).
- Legitimate interests – to maintain records, manage relationships, and improve service quality (Art. 6(1)(f)).
Marketing and Newsletters
With your consent, or where permitted by law, we may send newsletters, updates, or invitations to relevant industry events. We use a double opt-in process where required and always include an unsubscribe option in every email.
Legal basis:
- Consent – when you opt in to receive marketing communications (Art. 6(1)(a)).
- Legitimate interests – for B2B outreach to business contacts, in compliance with the Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive (Art. 6(1)(f)).
You may withdraw consent or opt out at any time. We do not send marketing texts or make promotional calls without explicit prior consent.
Recruitment and Talent Management
If you apply for a role or express interest in career opportunities, we process your personal data to assess applications, communicate with candidates, and make hiring decisions.
Legal basis:
- Contractual necessity – to take steps before forming an employment contract (Art. 6(1)(b)).
- Legitimate interests – to maintain a limited talent pool for potential future opportunities (Art. 6(1)(f)).
- Consent – where you agree for us to retain your CV for longer-term consideration (Art. 6(1)(a)).
If you share sensitive data (e.g., disability information for workplace adjustments), we process it only when legally permitted or based on explicit consent.
Business Operations and Vendor Management
We process limited personal data of suppliers, vendors, and freelance consultants to manage relationships, contracts, payments, and collaborations.
Legal basis:
- Legitimate interests – to ensure efficient operational and vendor management (Art. 6(1)(f)).
- Contractual necessity – where the vendor or contractor is an individual party to a contract with 5sum (Art. 6(1)(b)).
Website Functionality and Security
We process technical and log data (such as IP addresses and device information) to operate and protect our website. This includes fraud detection, uptime monitoring, and cybersecurity.
Legal basis:
- Legitimate interests – to maintain the integrity and security of our systems (Art. 6(1)(f), GDPR Recital 49).
- Legal obligation – where record-keeping or incident reporting is required by law (Art. 6(1)(c)).
Only essential cookies are used for functionality and security; they do not require consent under PECR or equivalent ePrivacy rules.
Analytics and Improvements
As of the date of this policy, 5sum does not use analytics cookies or tracking tools that process personal data. If privacy-friendly analytics (for example, anonymised Google Analytics) are introduced, they will operate only with clear notice and, where required, your consent.
Legal basis:
- Consent – for analytics involving non-anonymised data or cookies (Art. 6(1)(a)).
- Legitimate interests – for anonymised, aggregated insights used to improve website performance (Art. 6(1)(f)).
You will always be able to opt out of analytics that are not strictly necessary.
Personalisation and Advertising (Future Use)
We do not currently use advertising pixels, remarketing tags, or targeted advertising technologies. If such tools are introduced in the future (for example, Meta Pixel or LinkedIn Insight Tag), they will only be activated with your explicit opt-in consent.
Legal basis:
- Consent – for UK/EU visitors under ePrivacy and GDPR (Art. 6(1)(a)).
- Opt-out mechanisms – for jurisdictions such as the United States, consistent with applicable state privacy laws.
Any change will be clearly disclosed before implementation.
Legal Compliance and Protection
We may process or retain personal data as necessary to comply with legal obligations or to protect 5sum’s legitimate business interests. This may include preventing fraud, maintaining tax records, or responding to lawful requests from authorities.
Legal basis:
- Legal obligation – compliance with legal or regulatory duties (Art. 6(1)(c)).
- Legitimate interests – protecting our business, enforcing or defending legal claims, and ensuring security (Art. 6(1)(f)).
Processing for these purposes is always limited to what is strictly necessary and proportionate.
For more information about how we use your personal data or to request clarification about a specific processing activity, please contact privacy@5sum.com.
5. Special Categories of Data and Children’s Data
Sensitive Personal Data
5sum does not actively collect or request any special category personal data through our website or during normal business operations unless you choose to provide it.
Under the UK GDPR and EU GDPR, special categories of personal data include information revealing:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic or biometric identifiers,
- health information, or
- details concerning a person’s sex life or sexual orientation.
We have no reason to collect such data in the course of providing our services. Please do not send sensitive personal data to 5sum unless it is necessary for a clearly defined purpose and you have a lawful basis to do so.
Examples:
- If you are a job applicant and need to share health-related information for an accommodation request, we will handle it confidentially and use it only for that purpose.
- Any such data will be processed only under appropriate lawful bases, such as:
  - explicit consent, or
  - compliance with employment law obligations (UK GDPR Art. 9(2) and Data Protection Act 2018).
If we receive sensitive information inadvertently and it is not required for a lawful reason, we will securely delete or anonymise it immediately.
When 5sum legitimately processes special category data (for example, health or dietary requirements for an event), it is done only under lawful conditions, including:
- your explicit consent, or
- fulfilment of employment or social protection obligations.
Criminal Records
5sum does not request or intentionally process information about criminal convictions or offences during ordinary business activities.
If there is a legitimate need to process such data — for example, to comply with legal or client-specific project requirements — we will:
- ensure we have lawful authority under UK Data Protection Act 2018, Schedule 1 and GDPR Article 10, and
- provide additional notice to affected individuals explaining the purpose and basis for such processing.
Any criminal records data processed by 5sum will be handled with enhanced security, strict access control, and confidentiality.
Children’s Privacy
Our website and services are not directed to children, and we do not knowingly collect personal data from individuals under the age of 16 (or under 13 in the UK) without verified parental consent.
As a B2B consultancy, 5sum’s services are not intended for minors under 18.
If you are under the applicable age threshold, please do not submit personal information through our website or forms.
- In the UK, only children aged 13 or older can lawfully consent to online services.
- In the EU, the default minimum age is 16, though member states may lower it to no less than 13.
If we learn that personal data has been collected from a child without appropriate consent, we will promptly delete it. Parents or guardians who believe their child’s data may have been submitted to 5sum should contact privacy@5sum.com to request removal.
Children and Marketing
5sum does not engage in marketing to children, nor do we conduct profiling or automated decision-making concerning minors.
In the unlikely event that a teenager (for example, aged 16–17) interacts with our website — such as by subscribing to a newsletter — we will:
- process their data with extra care and transparency, and
- honour any withdrawal of consent by the individual or their parent or guardian.
We comply with the UK Age-Appropriate Design Code and similar global guidance to ensure that any digital content accessible to minors respects their privacy and is not exploitative.
6. Automated Decision-Making and Profiling
Automated Decision-Making
5sum does not use your personal data to make decisions that have legal or similarly significant effects on you based solely on automated processing, as defined in Article 22 of the UK GDPR and EU GDPR.
This means no algorithms or software systems make important decisions about you without human involvement. All decisions concerning client relationships, recruitment, communications, or service delivery are made by qualified professionals using informed judgement.
Profiling
We may use limited profiling in a marketing context to ensure that our communications remain relevant and useful.
Examples:
- If you subscribe to our newsletter, we may segment mailing lists by industry, region, or topic to send more relevant updates (for instance, event invitations or insights related to your sector).
- We may track basic engagement metrics, such as whether emails are opened or links are clicked, to understand audience interests and improve our content.
This profiling is minimal, proportionate, and does not produce any legal or significant effects on you.
We do not:
- build detailed behavioural or psychological profiles,
- combine personal data with third-party datasets for enrichment, or
- conduct targeted advertising or automated decision-making about individuals.
You can opt out of such personalisation at any time by unsubscribing from marketing communications or contacting privacy@5sum.com.
Future Use of Automation
If 5sum introduces any form of automated processing in the future that could significantly affect individuals — such as AI-assisted assessment tools for recruitment or project evaluation — we will:
- implement appropriate safeguards and human oversight,
- ensure full compliance with Article 22 of the UK GDPR and EU GDPR,
- obtain explicit consent or provide a clear right to object, and
- update this Privacy Policy with transparent details before such processing begins.
Human Oversight
All key decisions at 5sum involve human judgement. Automation, where used, serves only to support efficiency, analysis, or relevance — never to replace human review or decision-making.
7. How We Share Personal Data
5sum values your privacy and transparency.
We do not sell your personal information to anyone and do not share it with third parties for their own independent marketing or advertising purposes.
We only share personal data with trusted third parties to operate our business and deliver services, in accordance with this Privacy Policy and applicable data protection laws.
All third parties act under strict contractual obligations to protect your data and use it only for legitimate business purposes.
Internal Access
5sum Team and Affiliates
Your personal data may be accessed by authorised 5sum employees and key contractors on a strict need-to-know basis.
All personnel are bound by confidentiality agreements and trained in data protection.
5sum currently operates primarily within the United Kingdom and has no subsidiaries in other jurisdictions.
If, in the future, we establish affiliates or partner consultancies (for example, in the EU or United States) that require access to personal data, we will implement equivalent safeguards and update this Privacy Policy accordingly.
Service Providers (Processors)
We use reputable third-party service providers to support our operations.
Each provider acts as a data processor under our instruction and is bound by a Data Processing Agreement (DPA) in accordance with Article 28 of the UK GDPR and EU GDPR.
Categories of service providers include:
- Website Hosting and IT Infrastructure:
Our website and related data (including contact forms and server logs) are hosted on secure, encrypted cloud servers managed by providers that comply with recognised international security standards.
- Email and Communication Services:
We use third-party providers for:
  - @5sum.com email hosting, and
  - newsletter or marketing email distribution platforms.
Subscriber data is stored securely and used only to send authorised communications on our behalf.
- File Storage and Collaboration Tools:
Personal data contained in documents (such as CVs, contracts, or contact lists) may be stored on encrypted cloud platforms, CRM systems, or project management tools accessible only to authorised personnel.
- Analytics and Site Utilities:
If tools such as Google Analytics (for site traffic) or Google reCAPTCHA (for spam protection) are implemented, these may process technical data from your device.
  - Such tools will only operate in compliance with privacy law and, where necessary, after obtaining your consent.
  - At present, no analytics or tracking tools are active by default on our website.
  - Some providers (for example, Google reCAPTCHA) may act as independent controllers for specific purposes such as fraud prevention; in those cases, we will clearly disclose this and seek consent if required.
- Payment and Accounting Services:
While 5sum does not process e-commerce payments through its website, we use secure accounting and banking systems to manage invoicing and supplier payments.
These systems may process limited personal data (for example, names and bank details of sole traders) to complete lawful financial transactions.
- IT Support and Maintenance:
External IT specialists may occasionally access systems for maintenance or troubleshooting.
Such access is strictly controlled, logged, and covered by confidentiality agreements.
All service providers are carefully vetted, and their compliance with data protection and information security standards is reviewed periodically.
Business Partners and Subcontractors
In certain projects, we may collaborate with independent professionals or partner agencies (for example, a freelance designer or data analyst).
If these partners require limited access to personal data, we share only what is necessary and ensure that:
- confidentiality obligations are in place, and
- appropriate data processing or controller-to-controller agreements are executed, depending on their role.
These partners are selected for their professionalism and commitment to ethical and legal standards.
Clients (Service Context)
When 5sum provides services to clients, certain personal data may be shared with or on behalf of those clients.
Examples include:
- A freelancer’s name or contact details appearing in deliverables sent to the client.
- Client contact information used internally for communication and project coordination.
- Processing client-supplied data (such as email lists for campaigns), where the client acts as the data controller and their privacy policy governs that data.
All such processing occurs under written contracts clearly defining each party’s data protection responsibilities.
Legal and Compliance Disclosures
We may disclose personal data when required to:
- comply with legal obligations or valid government requests;
- respond to subpoenas, court orders, or regulatory inquiries;
- establish, exercise, or defend legal claims; or
- cooperate with law enforcement, auditors, or legal advisers.
Where permitted by law, we will notify affected individuals before disclosure.
All disclosures are confidential and limited to what is legally necessary.
Corporate Transactions
If 5sum undergoes a merger, acquisition, restructuring, or sale, personal data may be transferred as part of the business assets.
Any successor entity will be required to uphold this Privacy Policy and maintain the same level of protection for personal data.
We will provide notice on our website — and directly where feasible — before any such change in data control takes effect.
No Unauthorised Sharing
5sum does not rent, sell, or trade personal data, nor do we share information with third-party advertisers or social media platforms for their own use.
We do not permit third-party ad networks or external tracking technologies on our website.
For details about our active vendors and their processing functions, you may contact privacy@5sum.com to request an updated list.
8. International Data Transfers
5sum is headquartered in the United Kingdom but works with clients, partners, and website visitors in multiple regions (including the EU/EEA and the United States). When personal data is transferred across borders, we apply appropriate legal and technical safeguards to ensure protection equivalent to UK/EU standards.
Transfers from the United Kingdom
Where personal data is transferred from the UK to another country (for example, to a service provider in the U.S. or elsewhere), we rely on one or more of the following safeguards under the UK GDPR:
- Adequacy decisions/data bridges. Where the UK government has recognised a country or framework as providing adequate protection (including the UK–US “Data Bridge” for certified U.S. organisations), we transfer data to recipients covered by that decision.
- Standard contractual safeguards. For destinations without adequacy, we use approved transfer tools such as the EU Standard Contractual Clauses (SCCs) with the UK Addendum or the UK International Data Transfer Agreement (IDTA).
- Supplementary measures. Following regulatory guidance, we implement technical and organisational measures (for example, encryption in transit and at rest, pseudonymisation where feasible, strict access controls, and transfer risk assessments).
- Derogations (exceptional cases). In limited situations and only where permitted by law, we may rely on explicit consent or necessity for contract performance.
Transfers from the European Union/EEA
The European Commission currently recognises the UK as providing adequate protection, allowing flows from the EU/EEA to the UK without additional tools. For onward transfers from the EU/EEA to other countries, we use the EU–US Data Privacy Framework (where the recipient is certified) or the EU SCCs with appropriate supplementary measures.
Other International Transfers
For any transfers to countries not deemed “adequate” by the UK or EU, we will implement an SCC/IDTA or equivalent safeguard, or use anonymisation/pseudonymisation where appropriate. We keep our transfer practices under review in light of legal developments.
Transparency
You may request more information about our transfer safeguards (for example, the relevant SCCs/IDTA used). While commercially sensitive terms may be redacted, we will confirm that valid data protection clauses are in place.
Summary
By using our website or engaging with 5sum, your personal data may be transferred and stored outside your home country. In all cases, we ensure appropriate legal bases and protections are applied, and we will update this Policy if applicable transfer mechanisms or adequacy decisions change.
9. Data Retention
5sum retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or to meet legal, regulatory, or legitimate business obligations.
When data is no longer required, it is securely deleted or anonymised so that it can no longer identify an individual.
Retention periods vary depending on the context and type of data, as outlined below.
Retention by Data Category
General Inquiries
If you contact us through the website or by email and do not enter into a contract, your inquiry and any correspondence are retained for approximately 12 months from the last interaction.
After that, they are deleted or anonymised unless retention is required to resolve a dispute or meet a legal obligation.
You may request earlier deletion, which we will honour unless retention is legally required.
Client Data
For clients and their representatives, data is retained for the duration of the engagement and typically for up to six years afterward to comply with contractual and legal recordkeeping requirements.
This includes contracts, communications, and project deliverables that may contain personal data.
Where 5sum acts as a processor, data is handled and deleted according to the client’s written instructions.
Newsletter and Marketing Subscriptions
Your contact information is kept while you remain subscribed.
If you unsubscribe, your data is immediately removed from active mailing lists but retained in a suppression list to prevent future mailings.
Inactive contacts may be removed after 12 months of inactivity.
If you request full deletion (including suppression removal), we will comply unless retention is legally necessary.
Job Applicants
Recruitment data is retained for six months after a role is filled or an application process ends, in line with ICO and ACAS guidance.
If you consent to remain in our talent pool, your information may be kept for up to 12 months longer.
If hired, your information transitions to internal HR systems under separate retention rules.
Unsolicited CVs may be deleted promptly.
Vendors and Freelancers
Contact and contractual details for suppliers and consultants are retained for the duration of the relationship and for six years thereafter, consistent with accounting and tax law.
If discussions do not lead to engagement, data is deleted after one year of inactivity.
Website Logs and Technical Data
Web server logs (including IP addresses, timestamps, and user-agent data) are retained for up to 90 days for security monitoring and troubleshooting.
Afterward, logs are automatically deleted or anonymised.
If analytics are introduced in the future, only aggregated, anonymised data will be kept for longer (up to one to two years).
Cookies
Cookie retention depends on their type and purpose:
- Necessary cookies (e.g., for load balancing or remembering preferences) last only for the session or a few months.
- Analytics or preference cookies, if introduced, will follow durations disclosed in our Cookie Policy.
You can delete cookies at any time through your browser settings.
Legal and Compliance Records
Documents containing personal data needed for statutory or regulatory purposes (such as contracts, invoices, or tax filings) are retained for at least six years or longer if required.
These records are securely archived and accessed only when necessary for compliance or audit.
Secure Deletion and Anonymisation
At the end of their retention period, all data is irreversibly deleted or anonymised using appropriate safeguards, including:
- permanent erasure from digital systems (e.g., cryptographic wiping),
- secure shredding of physical records, and
- aggregation or de-identification for statistical use.
If processing is based on consent and that consent is withdrawn, the data is deleted unless another lawful basis (e.g., legal retention) applies.
Retention Schedule and Review
A full internal retention schedule defines standard retention periods for each category of data.
This schedule is reviewed regularly and adjusted as laws or operational needs evolve.
5sum’s principle is clear: personal data is not retained in identifiable form longer than necessary.
10. How We Protect Your Data (Security)
5sum takes the security and confidentiality of personal data extremely seriously.
We apply a combination of technical, organisational, and human safeguards designed to protect data against unauthorised access, alteration, disclosure, or destruction.
Our measures are risk-based and aligned with Article 32 of the UK/EU GDPR, ensuring that the level of protection corresponds to the sensitivity of the data and potential risks.
Access Control
- Personal data is accessible only to authorised personnel on a strict need-to-know
- Strong authentication mechanisms are in place, including secure password management and multi-factor authentication (MFA) for supported systems.
- Access privileges are reviewed regularly and promptly revoked when no longer required, such as upon project completion or staff departure.
Encryption
- All data transmitted between your browser and our website is secured using HTTPS (SSL/TLS encryption).
- Data stored by trusted cloud providers is encrypted at rest.
- Sensitive files may be further protected using end-to-end encryption or encrypted archives when shared externally.
- All company devices, including laptops and portable drives, are encrypted to safeguard information in case of loss or theft.
Secure Infrastructure
- 5sum’s systems are hosted in secure data centres certified to standards such as ISO 27001 or SOC 2.
- Firewalls, anti-malware solutions, and intrusion detection systems are maintained and regularly updated.
- System patches and updates are applied promptly to minimise vulnerabilities.
- Ongoing monitoring and risk assessments help us detect and respond to threats proactively.
Employee Training and Policies
- Every team member undergoes confidentiality and data protection training during onboarding and receives refresher training periodically.
- Internal policies govern secure data handling, access management, password hygiene, phishing awareness, and incident reporting.
- Security awareness is embedded in our culture—staff are encouraged to report potential security concerns immediately.
Vendor Due Diligence
- All third-party processors are vetted for security capabilities before engagement.
- We enter into Data Processing Agreements (DPAs) requiring GDPR-compliant controls and timely breach notifications.
- Vendors are periodically reviewed to ensure continued adherence to contractual and security standards.
Backups and Resilience
- Regular encrypted backups of key data are maintained to support recovery from accidental loss or system failure.
- Backups are stored securely, verified for integrity, and tested periodically.
- Business continuity and disaster recovery plans ensure rapid restoration of services in the event of disruption.
Testing and Monitoring
- Our systems undergo periodic security assessments, including vulnerability scans and internal reviews.
- Logs and alerts are continuously monitored for suspicious activity.
- Any irregularities trigger formal investigation under our Data Breach Response Plan.
- Insights from incidents and audits inform ongoing security improvements.
Physical Security
- Although 5sum operates primarily in the cloud, any physical records (for example, signed contracts) are kept in locked storage with restricted access.
- Devices containing personal data are never left unattended in public or unsecured environments.
- All hardware is securely wiped or destroyed prior to disposal or recycling.
Incident Response and Breach Notification
While 5sum maintains rigorous controls, no system is entirely immune to cyber threats.
In the unlikely event of a data breach that could affect your rights or freedoms, we will:
- promptly investigate and contain the incident,
- notify the Information Commissioner’s Office (ICO) (and, if applicable, relevant EU authorities) within 72 hours, and
- inform affected individuals if the risk is high.
Our internal procedures ensure that every incident is managed swiftly, transparently, and in compliance with applicable law.
Shared Responsibility
Security is a shared responsibility.
We encourage clients and users to:
- use strong, unique passwords for online accounts,
- avoid transmitting sensitive data via unsecured email, and
- contact privacy@5sum.com immediately if they suspect misuse or a potential breach.
5sum continually reviews and enhances its security practices to align with evolving threats, technology, and industry best standards, maintaining a safe and trustworthy environment for all data it handles.
11. Direct Marketing and Communication Preferences
5sum conducts all marketing activities in full compliance with applicable privacy and marketing laws, and always with respect for your communication preferences.
This section explains how we manage marketing communications and how you can control or change your choices at any time.
Email Marketing and Newsletters
As outlined in our legal bases for processing, 5sum sends newsletters, updates, and promotional materials only to:
- individuals who have subscribed or consented, or
- corporate professionals who we reasonably believe have a legitimate business interest in our services.
All marketing emails include a clear unsubscribe link. You can opt out at any time by:
- clicking the unsubscribe link in any email,
- emailing privacy@5sum.com, or
- replying directly to the message with your request.
Your opt-out request is applied promptly across all communication lists. If you unsubscribe from a particular list (e.g., newsletters), we will stop sending that specific category of content.
Please note: if you are an active client, you may still receive essential non-marketing communications such as project updates, invoices, or legal notices, which are necessary for contract performance.
SMS and Phone Calls
5sum primarily communicates through email and scheduled calls.
We do not conduct SMS marketing or unsolicited (“cold”) calling.
If we ever introduce SMS notifications (e.g., event reminders), we will first obtain your explicit consent.
For corporate B2B phone outreach within the UK, we comply with the Telephone Preference Service (TPS) rules.
We will always:
- identify ourselves clearly,
- respect “do not call” requests immediately, and
- record those preferences in our internal suppression lists.
If you prefer not to receive calls from us, simply inform us, and we will honour your preference.
Postal Mail
We currently do not send marketing materials by post.
If this changes (for example, to share event brochures or printed reports), such communications will be sent only to corporate addresses, in compliance with the UK Privacy and Electronic Communications Regulations (PECR).
You may opt out of any postal communications by emailing privacy@5sum.com.
B2B Marketing and PECR Compliance (UK/EU)
Under UK PECR and the EU ePrivacy Directive, different rules apply to business and individual recipients:
- Corporate subscribers (e.g., company or work email addresses) may receive relevant business communications under legitimate interest, provided:
- there is a clear business context, and
- every message includes a free and simple opt-out option.
- Individual subscribers (e.g., sole traders or private individuals) will receive marketing communications only if they have:
- given explicit consent, or
- meet the “soft opt-in” criteria (they provided their contact details during a prior interaction, such as an inquiry or quote request, and were offered an opt-out at that time).
In practice:
If you contact us about our services or exchange business cards, we may follow up with relevant information.
If you simply browse our website, you will not receive marketing communications unless you actively subscribe.
We also maintain comprehensive “do not contact” lists to ensure that once someone opts out, no further marketing communications are sent.
U.S. Marketing Law Compliance
For recipients located in the United States, 5sum complies with the CAN-SPAM Act and Telephone Consumer Protection Act (TCPA).
This means:
- Every email includes our company name, mailing address, and a clear unsubscribe link.
- Subject lines and sender details are always accurate and not misleading.
- Opt-out requests are honoured promptly.
- We do not send marketing text messages or telemarketing calls without the required consent.
Preference Management
Currently, you can manage your preferences by:
- using the unsubscribe link in any email, or
- contacting privacy@5sum.com.
We are developing a self-service preference centre to let you select which types of updates you wish to receive (e.g., newsletters, insights, or events).
Once available, a link to this portal will be included in all marketing emails and on our website.
Non-Marketing Communications
Opting out of marketing does not affect operational communications such as:
- responses to inquiries,
- project coordination updates,
- billing and administrative messages, or
- legally required notices.
These messages are functional, not promotional, and are essential for our contractual relationship.
Third-Party Marketing and Referrals
5sum does not share, sell, or rent your data to third-party marketers.
Your preferences apply exclusively to communications from 5sum.
If you discovered 5sum via a third-party platform (for example, a freelance marketplace or professional network), please check that platform’s privacy settings, as their marketing practices are outside our control.
12. Your Privacy Rights
Depending on your location and applicable law, you may have certain rights concerning your personal data.
5sum respects these rights and ensures they are honoured fairly, transparently, and without discrimination.
This section outlines the privacy rights available under key global frameworks and how to exercise them.
A. Rights for Individuals in the UK, EU, and EEA
If you are based in the United Kingdom, European Union, or a country applying similar data protection laws, your rights under the UK GDPR / EU GDPR include:
1. Right of Access
You can request a copy of the personal data we hold about you and details about how it is processed. This includes:
- the purposes of processing,
- the categories of personal data,
- recipients or categories of recipients,
- retention periods, and
- the source of the data, if not obtained directly from you.
We respond within one month, unless a lawful extension applies.
2. Right to Rectification
You can request correction of inaccurate or incomplete data. For example, if your contact details change, we will promptly update them.
3. Right to Erasure (“Right to Be Forgotten”)
You may request deletion of your personal data where:
- it is no longer necessary for its original purpose,
- you withdraw consent and no other lawful basis applies, or
- you object to processing and no overriding legitimate grounds exist.
This right is not absolute — for example, we may retain data required by law (e.g., tax or accounting records) or for legal defence purposes.
4. Right to Restrict Processing
You can request restriction of your data in specific situations, such as:
- while verifying the accuracy of contested data,
- when processing is unlawful but you prefer restriction over deletion, or
- when you require the data for legal claims.
Restricted data will be stored securely and not used for other purposes.
5. Right to Object
You can object to processing based on:
- legitimate interests, or
- public interest tasks.
We will assess your objection unless we have compelling legitimate grounds to continue.
You have an absolute right to object to direct marketing at any time, including related profiling, and we will cease all such communications immediately.
6. Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, machine-readable format and ask us to transfer it to another controller where technically feasible.
7. Right Not to Be Subject to Automated Decision-Making
5sum does not make decisions with legal or significant effects based solely on automated processing.
If this ever changes, we will provide notice and ensure appropriate safeguards, including a right to human review.
All rights are exercised free of charge, unless a request is clearly unfounded, repetitive, or excessive.
We may ask for proof of identity before acting on your request.
B. Rights for California Residents (CCPA/CPRA)
If you reside in California, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
1. Right to Know
You may request disclosure of:
- categories and specific pieces of personal data collected in the past 12 months,
- sources of that data,
- purposes for collection, and
- categories of third parties with whom it was shared.
2. Right to Delete
You may request deletion of personal data we collected from you, subject to lawful exceptions (e.g., for compliance or fraud prevention).
3. Right to Correct
You may request correction of inaccurate personal data we hold.
4. Right to Opt Out of Sale or Sharing
5sum does not sell or share personal data for cross-context behavioural advertising.
If this changes, we will:
- provide a clear “Do Not Sell or Share My Personal Information” link, and
- honour browser-based Global Privacy Control (GPC) signals as opt-out requests.
5. Right to Limit Use of Sensitive Personal Information
We do not use sensitive data in ways requiring a limitation mechanism under CPRA. If that changes, a compliant limitation option will be made available.
6. Right to Non-Discrimination
You will not be denied services or charged different prices for exercising your privacy rights.
If 5sum ever offers financial incentives tied to data use, participation will be optional and fully explained.
C. Rights Under Other U.S. State Privacy Laws
Other states — including Virginia, Colorado, Connecticut, and Utah — have privacy laws granting similar rights.
If you are covered by one of these laws, you may:
- confirm whether we process your data and access it,
- request correction or deletion,
- request data portability, and
- opt out of:
- the sale of personal data,
- targeted advertising, and
- certain types of automated profiling.
5sum does not currently sell data or engage in targeted advertising.
If this changes, we will implement compliant opt-out tools.
Where applicable (e.g., in Virginia or Colorado), you also have the right to appeal a privacy decision, and we will respond within statutory timeframes.
D. Rights for Other Jurisdictions
If you are located in another country with individual privacy rights — such as:
- Canada (PIPEDA) – access and correction rights,
- Brazil (LGPD) – access, deletion, and portability rights, or
- other countries with similar frameworks —
5sum will make every reasonable effort to honour those rights in accordance with applicable law and our global privacy principles.
Our goal is to maintain a consistent standard of transparency and user control across all jurisdictions.
E. Exercising Your Rights
To exercise your privacy rights, please contact us at:
📧 privacy@5sum.com
When submitting a request, please include:
- the right(s) you wish to exercise,
- details of the data or processing concerned, and
- sufficient information for us to verify your identity.
We will confirm receipt and respond within the relevant legal timeframe — typically:
- 30 days for UK/EU requests, or
- 45 days for U.S. requests (with possible lawful extensions).
13. How to Exercise Your Rights
You may exercise your privacy rights at any time by contacting:
privacy@5sum.com
5sum is committed to handling all privacy requests promptly, transparently, and in accordance with applicable data protection laws. This section explains how to submit a request, what information may be required, and how we respond.
Submitting a Request
To help us process your request efficiently, please:
- Specify the right you wish to exercise.
For example:
- “Right of access – I would like a copy of my data,” or
- “Right to deletion – please erase my information.”
If you are unsure which right applies, describe your concern in plain language, and we will determine the appropriate right.
- Provide sufficient information for us to verify your identity.
- The simplest method is to email us from the same address you previously used when contacting 5sum.
- If your request concerns a specific interaction or project, include relevant details such as the approximate date or subject matter.
- For correction or deletion requests, specify which data you would like us to amend or remove.
- Include your full name and any alternative contact details previously used.
This helps ensure that we locate the correct record and act only on verified data.
Identity Verification
We may need to verify your identity before fulfilling certain requests, such as access or deletion, to protect against unauthorised disclosures.
- Verification usually involves confirming basic information already on file, such as your last interaction, company name, or email domain.
- Any verification data provided will be used solely for that purpose and deleted once verification is complete.
If an authorised representative (for example, an attorney or agent) submits a request on your behalf, we will require:
- proof of authorisation, such as a signed letter or power of attorney, and
- direct confirmation from you, unless the power of attorney provides full authority for verification.
Response Timeframes
We aim to respond as quickly as possible and within the applicable legal timeframe:
- UK and EU (GDPR): within one month of receiving your request. This may be extended by up to two additional months for complex or numerous requests, but you will be notified within the first month.
- California (CCPA/CPRA): acknowledgement within ten business days, and a full response within forty-five calendar days. One lawful forty-five-day extension may apply.
- Other U.S. States: generally forty-five days, with one possible forty-five-day extension.
If an extension or delay is necessary, we will inform you of the reason and the expected completion date.
Format of Responses
- For access requests, data will be provided in a clear, commonly used format such as PDF, DOCX, or CSV.
- For data portability requests, we will provide data in a structured, machine-readable format such as CSV, JSON, or Excel.
- If you prefer a specific format, we will accommodate your preference where feasible.
All disclosures are transmitted securely to protect your information.
Limitations and Legal Exemptions
We will comply with your request unless an exemption applies. A request may be limited or denied if fulfilling it would:
- infringe another person’s privacy rights,
- breach legal or regulatory requirements,
- interfere with lawful investigations or audits, or
- require disclosure of confidential business information.
If a request cannot be fulfilled, we will explain the reason, unless prohibited by law (for example, in cases involving law enforcement or national security).
Appeals (Applicable to U.S. State Laws)
If you reside in a jurisdiction providing a right to appeal (for example, Virginia or Colorado), and you disagree with our decision:
- Reply to our response or contact privacy@5sum.com stating that you wish to appeal.
- A senior reviewer, not involved in the original decision, will re-evaluate your request.
- We will respond within the legally required timeframe, typically forty-five days.
If your appeal is denied, we will inform you of any further steps available, such as contacting your state’s Attorney General.
Fees
You will not be charged for exercising your privacy rights.
However, if a request is manifestly unfounded, repetitive, or excessive, we may charge a reasonable administrative fee or, in exceptional cases, refuse the request. Any such decision will be fully explained.
Global Privacy Control (GPC)
Our website recognises Global Privacy Control (GPC) browser signals as opt-out requests under applicable U.S. privacy laws.
At present, 5sum does not use advertising or tracking cookies that qualify as a “sale” or “sharing” of data. GPC signals therefore have no operational effect but remain active for compliance readiness.
Assistance
If you have difficulty exercising your rights or need clarification, contact privacy@5sum.com.
Our privacy team will guide you through the process to ensure your request is handled lawfully and transparently.
5sum maintains an internal Data Subject Request Workflow to ensure that all privacy-related requests are processed consistently, securely, and in accordance with global data protection standards.
14. Third-Party Links and Services
Our website may contain links to, or integrations with, external websites, plug-ins, and services that are not operated or controlled by 5sum.
Examples include links to our social media pages (such as LinkedIn or Instagram) or to industry publications where we share insights or articles.
When you click these links or interact with third-party features, you leave the 5sum website.
From that point, this Privacy Policy no longer applies, and any data collected by those third parties (for example, through cookies, embedded content, or online forms) is governed by their own privacy notices and terms.
External Websites
5sum has no control over, and assumes no responsibility for, the content, security, or privacy practices of external websites.
We strongly recommend that you review the privacy policies of any website you visit before providing personal data or accepting cookies.
This includes cases where 5sum embeds third-party content on its own pages. For instance:
- a YouTube video,
- a social media widget, or
- an interactive map or analytics tool.
These services may collect technical data such as your IP address, browser type, or device information, according to their own privacy terms.
Where possible, 5sum uses privacy-enhanced settings (such as YouTube’s privacy-enhanced mode) to minimise unnecessary data collection.
However, once you interact with embedded content, your data may be transmitted directly to that third party.
Examples of Third-Party Integrations
- Social Media: Links to LinkedIn, Instagram, or other networks may enable tracking through cookies or plug-ins after you click the link or log in to your account.
- Google reCAPTCHA: Used on forms to detect spam or automated abuse.
- When active, the Google reCAPTCHA badge or notice will appear.
- The service is governed by Google’s Privacy Policy and Terms of Service.
- Google may collect device and browser information for security purposes only.
- 5sum will only implement reCAPTCHA where necessary and in accordance with consent requirements under UK/EU privacy law.
- Collaborative Events or Content: For co-branded webinars, joint articles, or shared sign-up forms, 5sum will clearly identify when a third-party platform is used and whose privacy policy applies.
Accountability and Feedback
Once you leave the 5sum domain or submit information directly to a third-party service, that third party determines how your data is processed.
5sum cannot accept responsibility for the data protection practices or policies of external entities.
If you encounter a linked site or third-party feature that appears unsafe, misleading, or inconsistent with our standards, please report it to privacy@5sum.com.
We will review and, where appropriate, remove or flag the link to help maintain a safe and trustworthy online environment.
15. Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or operational needs. When updates are made, the “Last Updated” date at the top of this page will be modified accordingly.
If any changes are significant, we will provide additional notice through appropriate channels, such as:
- a banner or pop-up message on our website,
- an email notification to subscribers or clients, or
- a clear summary of the updates within the Policy itself.
Examples of Significant Changes
Substantial updates that may trigger additional notification include:
- introducing new or expanded purposes for processing personal data,
- adding new categories of recipients or service providers,
- updates required by new legislation, regulatory guidance, or case law, or
- organisational changes such as a merger, acquisition, or restructuring that affect how personal data is managed.
5sum is committed to transparency and will always highlight these changes clearly.
Review and Consent
We encourage users to review this Privacy Policy regularly to stay informed about how personal data is collected, used, and protected.
If the law requires it, we will seek your explicit consent before applying any material change that broadens the scope of how your data is used — for example, introducing a new processing purpose that is incompatible with the original one disclosed.
Otherwise, your continued use of the 5sum website or services after an updated Privacy Policy takes effect will constitute your acknowledgment and acceptance of the revised terms.
Version History and Accountability
For transparency, 5sum maintains an internal archive of all prior versions of this Privacy Policy.
If you wish to access an earlier version for reference, you may contact privacy@5sum.com and we will provide it upon request.
5sum will never reduce your privacy rights under this Policy or applicable data protection law without your explicit consent.
All updates are made solely to enhance clarity, transparency, and user control, never to weaken protections.
16. Contact Us
If you have any questions, comments, or requests regarding this Privacy Policy or our data practices, you may contact us using the details below.
5sum welcomes all inquiries and is committed to responding promptly and transparently.
Email: privacy@5sum.com
Postal Mail:
Data Protection Lead
FIVE SUM LTD
27 Old Gloucester Street
London, WC1N 3AX
United Kingdom
Email is generally the fastest and most reliable way to reach us for privacy or data protection matters. All privacy-related correspondence is handled in English; however, if you prefer to write in another language, we will make reasonable efforts to accommodate or arrange translation where feasible.
We take every inquiry seriously — whether it concerns a data access request, a question about how we use your information, or feedback on our privacy practices.
Your trust is important to us, and we are dedicated to maintaining it through transparency, accountability, and timely communication.