← Back to home

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 21 April 2026

The Fig Group Limited ("Fig", "we", "us") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller

The Fig Group Limited, registered at 167-169 Great Portland Street, London, W1W 5PF. For data protection enquiries, contact: enquiries@figgroup.co.uk

What We Collect

We collect the following categories of personal data:

  • Contact information: name, email address, phone number, company name, and job title - provided when you request a demo, purchase certification, or contact us.
  • Enquiry content: any message content you include in contact forms.
  • Technical data: IP address, browser type, and pages visited - collected automatically through essential cookies.
  • Certification data: information submitted as part of Defence Cyber Certification (DCC) assessments at Level 0 and Level 1, including organisational details, governance documentation, supply chain assurance evidence, and Cyber Security Model (CSM) v4 control evidence.

Lawful Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract performance (Article 6(1)(b)): to deliver certification services, provide platform access, and fulfil our contractual obligations.
  • Legitimate interests (Article 6(1)(f)): to respond to enquiries, improve our services, and send relevant communications about our products. You can object to this processing at any time.
  • Legal obligation (Article 6(1)(c)): to comply with regulatory requirements, including IASME certification obligations under the Defence Cyber Certification scheme.

How We Use Your Data

We use your personal data to:

  • Respond to enquiries and provide requested information.
  • Deliver Defence Cyber Certification assessment and certification services at Level 0 and Level 1.
  • Provide and maintain platform access, including the Fig technology platform used for DCC gap analysis.
  • Send relevant communications about our products and services.
  • Improve our website and services.

We do not sell your personal data to third parties.

Data Sharing

We may share your data with:

  • IASME: as required for Defence Cyber Certification processing, in its capacity as the body that administers the DCC scheme on behalf of the UK Ministry of Defence.
  • Payment processors: Stripe processes payment data for certification purchases. Stripe acts as an independent data controller for payment information.
  • Hosting providers: our infrastructure is hosted on Microsoft Azure (UK data centres).

International Transfers

Your data is primarily stored and processed in the United Kingdom. Where data is transferred outside the UK (for example, to service providers), we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements or adequacy decisions.

Data Retention

We retain your personal data for the following periods:

  • Enquiry data: 24 months from last contact, unless a business relationship is established.
  • Customer data: for the duration of the business relationship plus 6 years, as required for legal and regulatory purposes.
  • Certification records: 6 years from the date of certification, in line with IASME and Defence Cyber Certification scheme requirements.
  • Technical data: 12 months.

After these periods, data is securely deleted or anonymised.

Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data (Subject Access Request).
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), where there is no legal basis for continued processing.
  • Restrict processing in certain circumstances.
  • Port your data to another provider in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, contact enquiries@figgroup.co.uk. We will respond within one month.

Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Cookies

We use essential cookies only, required for the website to function correctly. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required as we only use strictly necessary cookies.

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.

Contact Us

If you have any questions about this Privacy Policy, please contact us at: