Privacy Policy

Apex Aspire Limited is committed to protecting your personal data and respecting your privacy. This privacy policy explains how we collect, use, store, and protect information about you when you visit our website at apexaspire.co.uk or contact us directly.

This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully.

1. Who we are

The data controller for this website is:

As data controller, Apex Aspire Limited determines the purposes and means of processing your personal data. If you have any questions about how we handle your data, please contact us using the details above.

2. What personal data we collect

We only collect personal data that is necessary for the purposes described in this policy. The categories of data we may collect are as follows:

Contact form enquiries

When you submit an enquiry through our contact form, we collect:

• Your name
• Your email address
• The content of your message
• A Cloudflare Turnstile token (used to verify you are not a bot — no personal data from this token is stored by us)

Website analytics

We use two analytics services to understand how visitors use our website:

• Vercel Analytics — collects aggregated, anonymised data about pages visited and traffic patterns. Vercel Analytics operates without cookies or persistent identifiers and does not collect personally identifiable information.
• Google Analytics 4 (GA4) — used to understand user journeys and site performance in more detail. GA4 sets cookies (_ga and _ga_*) that persist for up to 2 years. These cookies are only set if you accept analytics cookies via our consent banner. Data is processed by Google LLC and may be transferred to the United States under appropriate safeguards. For more information, see Google's Privacy Policy.

CMS and administrative accounts

Our website uses Payload CMS for content management. User accounts within the CMS are restricted to authorised staff and administrators only. Account data (name, email address, hashed password) is held solely for the purpose of managing website content.

Data you provide voluntarily

If you correspond with us by email, we may retain records of that correspondence, including any personal data you include.

3. Lawful bases for processing

Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following bases:

• Legitimate interests — processing contact form submissions and email correspondence to respond to your enquiries and manage our business relationships (Article 6(1)(f) UK GDPR). We have assessed that our legitimate interests are not overridden by your rights and interests.
• Legitimate interests — collecting anonymised, aggregated analytics data via Vercel Analytics (cookieless) to understand how our website is used and to improve it.
• Consent — setting Google Analytics 4 cookies (_ga, _ga_*) where you have accepted analytics cookies via our consent banner (Article 6(1)(a) UK GDPR). You may withdraw consent at any time by adjusting your cookie preferences or clearing your browser cookies.
• Contract performance or pre-contractual steps — if you engage with us in a professional capacity, processing your data may be necessary to take steps prior to entering into, or performing, a contract (Article 6(1)(b) UK GDPR).
• Legal obligation — we may need to process or retain data to comply with a legal obligation to which we are subject (Article 6(1)(c) UK GDPR).

4. How we use your personal data

We use the personal data we collect for the following purposes:

• To respond to your enquiry or message
• To communicate with you about our services and brands
• To manage our website and improve user experience
• To protect our website against automated abuse (bot protection)
• To comply with applicable legal and regulatory obligations

We will not use your personal data for automated decision-making or profiling in a way that produces legal or similarly significant effects on you.

We will not sell, rent, or trade your personal data to any third party for marketing purposes.

5. Cookies and tracking technologies

Our website uses a limited number of cookies and similar technologies. Please refer to our Cookie Policy for full details of the cookies we use, their purposes, and how you can manage your preferences.

In summary, we use strictly necessary functional cookies, and — where you have given consent — Google Analytics 4 cookies for site performance measurement. Vercel Analytics operates without cookies. We do not use advertising or cross-site tracking cookies.

6. Third-party data processors

We share data with a small number of trusted third-party service providers who process data on our behalf. All processors are bound by contractual obligations to handle your data securely and only for the purposes we specify.

Vercel Inc. (hosting and analytics)

Our website is hosted on Vercel's infrastructure. Vercel may process technical data such as IP addresses and request logs as part of normal web hosting operations. Vercel Inc. is headquartered in the United States and is certified under the EU-US Data Privacy Framework; data transfers are subject to appropriate safeguards. We also use Vercel Blob for media file storage. For more information, see Vercel's Privacy Policy.

Neon Inc. (database)

We use Neon's serverless Postgres database service to store CMS content and contact form submissions. Data is stored in a dedicated schema within our Neon project. Neon Inc. is headquartered in the United States; data transfers are subject to appropriate contractual safeguards (Standard Contractual Clauses). For more information, see Neon's Privacy Policy.

Cloudflare Inc. (bot protection)

Our contact form is protected by Cloudflare Turnstile, a privacy-preserving bot detection service. Turnstile analyses browser signals to determine whether a submission is human-generated. It does not use tracking cookies or build advertising profiles. Cloudflare may process a limited set of technical signals (such as browser characteristics) on our behalf. For more information, see Cloudflare's Privacy Policy.

Resend Inc. (transactional email)

Contact form submissions are delivered to us via Resend, a transactional email service. The content of your submission (name, email address, and message) is transmitted through Resend's infrastructure in order to reach us. Resend processes this data solely to deliver the email. For more information, see Resend's Privacy Policy.

Google LLC (analytics)

Where you have consented to analytics cookies, we use Google Analytics 4 (GA4) to collect information about how you use this website. Google LLC may process data including your IP address (anonymised), browser type, pages visited, and session duration. Google LLC is headquartered in the United States; data is transferred under Standard Contractual Clauses. You can opt out of Google Analytics tracking at any time by withdrawing cookie consent or by installing the Google Analytics opt-out browser add-on. For more information, see Google's Privacy Policy.

7. International data transfers

Some of our third-party processors are based outside the United Kingdom. Where personal data is transferred to a country that does not provide an equivalent level of data protection, we ensure that appropriate safeguards are in place — such as the International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner, or reliance on an adequacy decision by the UK Secretary of State.

You may request further information about the specific safeguards in place for any particular transfer by contacting us at admin@apexaspire.co.uk.

8. How long we retain your data

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are as follows:

• Contact form submissions — retained for up to 2 years from the date of submission, or until the enquiry is resolved and no longer required, whichever is sooner.
• Email correspondence — retained in accordance with our internal email retention policy, typically up to 6 years where there may be an ongoing business relationship or contractual context.
• CMS administrator accounts — retained for the duration of employment or engagement, and deleted promptly following departure.
• Analytics data — aggregated and anonymised; no personal data is stored.

When data is no longer required, it is securely deleted or anonymised.

9. Your rights under UK GDPR

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access — you may request a copy of the personal data we hold about you (a Subject Access Request).
• Right to rectification — you may ask us to correct inaccurate or incomplete personal data.
• Right to erasure— you may ask us to delete your personal data where there is no longer a lawful basis for us to hold it (“right to be forgotten”).
• Right to restriction of processing — you may ask us to restrict how we use your data in certain circumstances.
• Right to data portability — where processing is based on your consent or a contract, you may ask us to provide your data in a structured, commonly used, machine-readable format.
• Right to object — you may object to processing based on our legitimate interests, including any profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Rights related to automated decision-making — you have the right not to be subject to a decision based solely on automated processing where it produces a legal or similarly significant effect on you. We do not carry out such processing.

To exercise any of these rights, please contact us at admin@apexaspire.co.uk. We will respond within one calendar month of receiving your request. We may need to verify your identity before processing the request.

These rights are not absolute and may be subject to exemptions under UK law. Where we cannot fulfil a request, we will explain why.

10. Right to complain to the ICO

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

We would welcome the opportunity to resolve any concern you have before you contact the ICO, so please do contact us in the first instance.

11. Data security

We take appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:

• All data in transit is encrypted using TLS (HTTPS)
• Database connections are encrypted and restricted by IP allowlist where applicable
• CMS access is restricted to authorised personnel with strong authentication
• We use reputable, enterprise-grade infrastructure providers (Vercel, Neon)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will notify affected individuals where required.

12. Links to third-party websites

Our website contains links to websites operated by our portfolio brands and third parties. This privacy policy applies only to apexaspire.co.uk. We are not responsible for the privacy practices of any linked websites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Children's data

Our website is not directed at, and is not intended for use by, children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.

14. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “last updated” date at the top of this page. We encourage you to review this policy periodically.

15. Contact us

If you have any questions, concerns, or requests relating to this privacy policy or the way we handle your personal data, please contact us:

Last updated: March 2026. This policy applies to apexaspire.co.uk only and does not apply to websites operated by our portfolio brands, which maintain their own privacy policies.