This policy explains what personal data Boundless Immersive collects, why, and the rights you have under UK GDPR.
Who we are
This policy explains how Boundless Immersive Limited ("Boundless", "we", "us", "our") collects and uses personal data when you visit boundlessimmersive.com, enquire about our services, or work with us on a project.
We are the data controller for the personal data described in this policy. Our details:
- Boundless Immersive Limited (registered in England & Wales, company no. 11783757)
- Registered office: Century House, Wargrave Road, Henley-on-Thames, Oxfordshire, RG9 2LT
- Privacy contact: privacy@boundlessimmersive.com
What personal data we collect
We only collect what we need to respond to you and deliver our work.
Information you give us
- Enquiry form fields: name, work email, company, role, training challenge, audience size, materials status and any free-text message.
- Correspondence by email, phone or video call, including notes we take during scoping conversations.
- Project information you share with us — briefs, content, subject-matter expertise, names of stakeholders involved in delivery.
Information collected automatically
- Server and request logs, including IP address, user agent and pages requested, used to operate and secure the site.
- Analytics events from Google Analytics 4 (GA4) where you have given consent — see our Cookie Policy.
Why we use it (and our lawful basis)
Under Article 6 of the UK GDPR, we rely on the following lawful bases:
- Responding to your enquiry and pre-contract steps — Art. 6(1)(b) (steps before entering a contract) and Art. 6(1)(f) (legitimate interests in operating our business).
- Delivering services to clients — Art. 6(1)(b) (performance of a contract).
- Marketing follow-up to existing business contacts — Art. 6(1)(f), relying on the "soft opt-in" under regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). You can opt out of marketing at any time using the link in any email or by writing to us.
- Analytics and improving the site — Art. 6(1)(a) (consent), captured via our cookie banner.
- Legal, accounting and tax obligations — Art. 6(1)(c) (legal obligation).
- Security and abuse prevention — Art. 6(1)(f) (legitimate interests in keeping the service secure).
International transfers
Some of our suppliers — including Google for GA4 — may transfer personal data outside the UK. Where they do, we rely on the UK Extension to the EU-US Data Privacy Framework where applicable, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate safeguards.
How long we keep it
- Enquiry data — up to 24 months after our last meaningful contact, unless an engagement begins.
- Project records and contracts — 7 years from the end of the engagement, in line with UK statutory and tax retention periods.
- Marketing contacts — until you opt out, then permanently suppressed on a do-not-contact list.
- Analytics — retained in GA4 in line with Google's default (currently 14 months) unless we shorten it.
- Server logs — typically 30–90 days, longer where needed to investigate security incidents.
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Ask us to correct inaccurate data or complete incomplete data.
- Ask us to erase your data ("right to be forgotten") in certain circumstances.
- Ask us to restrict how we use your data.
- Object to processing carried out under legitimate interests, including direct marketing.
- Request portability of data you provided to us.
- Withdraw consent at any time where we rely on consent — without affecting prior lawful processing.
To exercise any of these rights, email privacy@boundlessimmersive.com. We will respond within one month.
You also have the right to complain to the Information Commissioner's Office (ICO), ico.org.uk, helpline 0303 123 1113. We would prefer the chance to address your concern first.
How we keep data safe
We use TLS encryption in transit, access controls on internal systems, a UK-based delivery team and supplier due-diligence for processors. Where a personal data breach is likely to result in a risk to your rights, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
Children
Our services are aimed at organisations and their workforces. The site is not directed at children under 18 and we do not knowingly collect their personal data.
Automated decision-making
We do not use personal data for automated decision-making that has legal or similarly significant effects on you.
Changes to this policy
We may update this policy from time to time. The "last updated" date at the top of the page tells you when it last changed. Material changes will be highlighted where appropriate.