Home
Services

Infrastructure

Network administrationLinux administrationWindows ServerVirtualization & containersHardware & technical

Cloud & DevOps

Cloud infrastructureMicrosoft 365 & cloudDevOps & advancedBackup & disaster recovery

Security

CybersecurityInfrastructure deploymentSystem administration

Support

IT support & helpdeskManaged IT services
BlogSolutionsContact
Get Started

Privacy Policy

Last updated: June 24, 2026

1. Who We Are & Scope

GBWise ("we", "us", or "our") is a trading name of GBWise Ltd, a company registered in the United Kingdom. We also maintain an operational presence in Syracuse, New York, United States.

  • UK registered address: GBWise Ltd, United Kingdom.
  • US operational address: Syracuse, NY, United States.
  • Privacy contact: For all privacy-related enquiries, please email [email protected].

This Privacy Policy applies to the GBWise website at gbwise.com and all associated subdomains. It explains how we collect, use, disclose, and safeguard your personal data when you visit our website, contact us, or engage with our online services.

Important: This policy covers data collected through our website and pre-sales communications only. The processing of client data that we access while managing client infrastructure, servers, or systems is governed by a separate Data Processing Agreement (DPA) — see Section 7 below.

2. What Data We Collect

We collect the following categories of personal data:

2.1 Contact Form Data

When you submit our contact form, we collect:

  • Your name
  • Email address
  • Subject of your enquiry
  • Message content

2.2 Technical Data

Our website automatically collects certain technical information:

  • IP address (anonymised where possible)
  • Browser type and version
  • Operating system
  • Pages visited and time spent on each page
  • Referral source (the website that directed you to us)
  • Country of origin (derived from IP address)

We use Plausible Analytics, a privacy-focused analytics platform that does not use cookies, does not track users across websites, and is fully compliant with GDPR, CCPA, and PECR without requiring consent banners.

2.3 Communication Data

If you contact us through other channels, we may retain:

  • Emails sent to our company email addresses
  • WhatsApp messages sent to our business number
  • Any attachments or files you choose to share with us

2.4 Cookies & Similar Technologies

  • Essential/functional cookies: Used to ensure basic website functionality, including language preferences and session management. These are strictly necessary and do not require consent.
  • Cloudflare Turnstile: Our contact form uses Cloudflare Turnstile for bot protection. This may set cookies necessary for security verification. Cloudflare processes minimal data in accordance with their privacy policy.
  • Google Translate: If you use the translation widget, Google may set cookies to facilitate translation services. This is subject to Google's Privacy Policy.

We do not use advertising cookies, tracking pixels, or retargeting technologies.

3. Legal Basis for Processing

We process your personal data on the following legal grounds:

PurposeLegal Basis
Responding to enquiries and providing requested informationLegitimate interest
Preventing fraud, spam, and securing our websiteLegitimate interest
Client onboarding and service deliveryContract performance
Sending marketing communications (if applicable)Consent (with opt-out)
Maintaining tax records and meeting compliance obligationsLegal obligation
Improving website performance and user experienceLegitimate interest

Where we rely on legitimate interest, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You may object to processing based on legitimate interest at any time — see Section 6.

4. Who We Share Data With

We may share your personal data with the following categories of recipients:

4.1 Service Providers

  • Plausible Analytics — privacy-focused website analytics (EU-hosted, no personal data transferred).
  • Cloudflare — CDN, DNS, and bot protection (Turnstile). Cloudflare may process IP addresses for security purposes.
  • SMTP / Email provider — to deliver contact form notifications and confirmation emails.
  • WhatsApp (Meta) — if you initiate contact via WhatsApp, your messages are processed by Meta in accordance with their terms of service.
  • Google — Google Translate widget and Google Maps embed on our contact page. Subject to Google's Privacy Policy.

4.2 Sub-contractors & Team Members

Engineers or team members who assist with client communications may have access to enquiry data on a need-to-know basis. All personnel are bound by confidentiality obligations.

4.3 Legal Disclosures

We may disclose your personal data where required by law, regulation, court order, or governmental request. We will notify you of such disclosures where legally permitted to do so.

We do not sell, rent, or trade your personal data to any third party. Ever.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

Data CategoryRetention Period
Contact form enquiries (no contract formed)Up to 2 years from submission
Client contact data (active contract)Duration of contract + 7 years (statutory retention for financial records)
Website analytics (Plausible)Aggregated, non-personal data retained indefinitely. No individual user tracking.
Email correspondenceDuration of business relationship + 2 years
WhatsApp messagesDuration of business relationship + 2 years

When the retention period expires, data is securely deleted or anonymised. Electronic records are permanently purged from our systems and any backups within 30 days of the retention period ending. Paper records, if any, are cross-shredded.

6. Your Rights

Depending on your jurisdiction and applicable data protection legislation (including the UK GDPR, EU GDPR, and applicable US state privacy laws), you may have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal exceptions (e.g., data required for tax compliance).
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interest or direct marketing.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

To exercise any of these rights, email us at [email protected]. Please include enough information to verify your identity and specify which right you wish to exercise.

We will respond to all valid requests within 30 days. If your request is complex or we receive a high volume of requests, we may extend this by a further 60 days, in which case we will notify you within the initial 30-day period.

7. Data Processing Agreement (DPA)

As an infrastructure and managed IT services provider, GBWise may access, process, or store data on behalf of our clients during the course of service delivery — including data hosted on client servers, cloud environments, and network infrastructure.

This website privacy policy does not govern how we handle client data in those engagements. Instead, all clients who engage GBWise for managed services, infrastructure administration, or any service involving access to client systems will sign a separate Data Processing Agreement (DPA).

The DPA defines:

  • The scope and nature of data processing on behalf of the client.
  • Security measures and access controls applied to client data.
  • Sub-processor disclosures and approval procedures.
  • Breach notification obligations and timelines.
  • Data return and deletion procedures upon contract termination.

If you require a DPA for your organisation or have questions about our data processing practices as a service provider, please contact [email protected].

8. International Data Transfers

GBWise operates from both the United Kingdom and the United States (Syracuse, NY). As a result, personal data collected through this website may be transferred between these jurisdictions.

Where personal data is transferred from the UK or EEA to a country that has not received an adequacy decision from the relevant authority, we implement appropriate safeguards to protect your data, including:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission and adopted by the UK Information Commissioner's Office (ICO) as International Data Transfer Agreements (IDTAs) where applicable.
  • Data Protection Impact Assessments: Conducted where transfers present elevated risk.
  • Adequacy decisions: Where available (e.g., the UK has its own adequacy framework post-Brexit).

Our third-party service providers (including Cloudflare, Plausible, and email infrastructure) may process data in the EU, UK, or US. We ensure each provider maintains appropriate transfer mechanisms and data protection commitments.

9. Security Measures

As an enterprise infrastructure provider, we hold ourselves to the highest standard of data security. We implement the following categories of safeguards to protect your personal data:

  • Encryption: All data in transit is protected by TLS/SSL encryption. Data at rest is encrypted using industry-standard algorithms.
  • Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, enforced through multi-factor authentication (MFA) and role-based access controls.
  • Audit logging: Access to systems containing personal data is logged and monitored.
  • Infrastructure hardening: Our servers and systems are hardened in accordance with industry benchmarks and regularly updated against known vulnerabilities.
  • Incident response: We maintain a documented incident response procedure to detect, contain, and remediate data security incidents.

Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required under UK GDPR Article 33). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing details of the nature of the breach, likely consequences, and the measures we have taken or propose to take.

10. Policy Updates & Supervisory Authority

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Display a prominent notice on our website for a reasonable period.
  • Where we hold your email address and the change materially affects how we process your data, notify you by email.

We encourage you to review this page periodically to stay informed.

Supervisory Authority

If you are not satisfied with how we handle your personal data or our response to a request, you have the right to lodge a complaint with a supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • Albania: Information and Data Protection Commissioner (IDPC) — idp.al
  • European Union: Your local data protection authority, if you are an EU resident.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us: