Privacy Policy -

EPN Consultants

Last Updated: July 13, 2025

1. Introduction

EPN Consultants Limited ("we," "us," or "our") understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits our website, www.epnconsultants.co.uk ("Our Site"), and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

This Privacy Policy explains how we collect, use, store, and share your personal data when you interact with us, particularly in a business-to-business (B2B) context.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of this Privacy Policy is deemed to occur upon your first use of Our Site. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.

2. Definitions and Interpretations

In this Policy, the following terms shall have the following meanings:

  • "Cookie" means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site.

  • "Cookie Law" means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

  • "GDPR" means the General Data Protection Regulation (EU Regulation 2016/679).

  • "Personal data" is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. In simpler terms, this means any information about you that enables you to be identified.

3. Information About Us (Data Controller)

EPN Consultants Limited is the data controller responsible for your personal data.

  • Organisation Name: EPN Consultants Limited

  • Company Number: 14708368

  • Registered Address: 320 Firecrest Court Centre Park, Warrington, Cheshire, United Kingdom, WA1 1RG

  • Email: info@epnconsultants.co.uk

  • Phone: 01608 645616

  • Website: www.epnconsultants.co.uk

  • Data Protection Contact: Livia Evans, Data Protection Officer

4. What Does This Policy Cover?

This Privacy Policy applies only to your use of Our Site and our direct business-to-business interactions. Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

5. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

6. The Data We Collect About You

We may collect, use, store, and transfer different kinds of personal data about you. The types of data we process are primarily professional contact details relevant to our B2B interactions:

  • Identity Data: First name, last name.

  • Contact Data: Business email address, business phone number (direct or main switchboard), company address.

  • Professional Data: Job title, company name, and details related to your professional role that are relevant to our services.

  • Technical Data: (When you visit our website) Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, device type, and other technology on the devices you use to access this website. This may also include a list of URLs starting with a referring site and your activity on Our Site.

  • Usage Data: Information about how you use our website, products, and services.

  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.

We do not collect any "Special Categories of Personal Data" (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

7. How Your Personal Data is Collected

We use different methods to collect data from and about you, including:

  • Direct Interactions: You may give us your Identity, Contact, and Professional Data by filling in forms on our website, corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:

    • Enquire about our services.

    • Request marketing materials to be sent to you.

    • Provide feedback or contact us.

    • Enter into a contract for our services.

  • Publicly Available Sources: We may collect Identity, Contact, and Professional Data from publicly available sources such as:

    • Company Websites: Information published on corporate websites.

    • Professional Networking Platforms: Such as LinkedIn, where individuals make their professional details publicly available.

    • Industry Directories: Reputable directories specific to the construction, architectural, and engineering sectors.

    • Trade Associations: Publicly available member lists or directories.

  • Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using Cookies and other similar technologies. Please see Part 13 on our use of Cookies for more details.

8. How We Use Your Personal Data

Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it.

Your personal data will be used for one or more of the following purposes:

  • Providing and managing our services to you: This includes processing your enquiries, preparing proposals, and delivering our civil engineering services as per our contractual obligations. Your personal details are required for us to enter into and perform a contract with you.

  • Personalising and tailoring our services for you: To ensure our offerings are relevant to your specific needs and projects.

  • Communicating with you: This may include responding to emails or calls from you, providing updates on projects, or addressing queries.

  • Direct Marketing: Supplying you with information by email and/or telephone and/or post that is relevant to our civil engineering services. This may include news, updates, and pitches for potential collaborations. We will not send you any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.

  • Website Improvement: Analysing website usage to improve Our Site's functionality and user experience.

  • Internal Business Operations: For internal record keeping, administration, and to comply with legal and regulatory obligations.

9. Our Lawful Basis for Processing Your Personal Data

We rely on the following lawful bases for processing your personal data:

9.1. Legitimate Interest (B2B Direct Marketing)

Our primary lawful basis for contacting you in a B2B context is our legitimate interest (GDPR Article 6(1)(f)). We have conducted a Legitimate Interest Assessment (LIA) to ensure that our interests in promoting our services are balanced against your rights and freedoms.

Our legitimate interests include:

  • Growing our business: By reaching out to relevant businesses that require civil engineering expertise.

  • Offering valuable services: To companies that can benefit from our specialized skills in roads, drainage, earthworks, flood risk, and other civil engineering disciplines, helping them unlock the true potential of their projects.

  • Establishing B2B relationships: To foster collaborations with key players in the construction and development sectors.

  • Informing the market: To make relevant businesses aware of the solutions we offer that can address their project challenges.

We believe that individuals working in professional roles within the construction and development industries can reasonably expect to receive business-to-business communications about relevant services that could benefit their professional work or their company's projects. The data we process is professional contact information, sourced from publicly available channels, and the impact on your privacy is considered low.

9.2. Performance of a Contract

We may process your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. This applies when you engage us for civil engineering services.

9.3. Compliance with a Legal Obligation

We may process your personal data where it is necessary for compliance with a legal obligation that we are subject to (e.g., tax regulations, health and safety requirements).

10. Disclosures of Your Personal Data

We may share your personal data with the parties set out below for the purposes described in this Privacy Policy:

  • Internal Third Parties: Other companies within the EPN Consultants group (if applicable) acting as processors or joint controllers, where necessary for business operations.

  • External Third Parties:

    • Service providers acting as processors who provide IT and system administration services (e.g., email service providers, CRM systems, website hosting).

    • Professional advisors acting as processors or joint controllers, including lawyers, bankers, auditors, and insurers, who provide consultancy, banking, legal, insurance, and accounting services.

    • HM Revenue & Customs, regulators, and other authorities acting as processors or joint controllers who require reporting of processing activities in certain circumstances.

  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

11. International Transfers of Personal Data

GDPR protects all data stored and transferred within the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). These are known as "third countries" and may not have data protection laws that are as strong as those in the UK or the EEA.

Should we need to store or transfer your data outside of the EEA, we will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR. This is achieved by ensuring that at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

  • Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Please contact us using the details in Part 15 for further information about the particular data protection mechanism used by us when transferring your personal data to a third country.

12. Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

13. Data Retention

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For B2B marketing data collected under legitimate interest, we generally retain your data for a period of 24 months from the last meaningful interaction (e.g., email open, click, or phone call). If no engagement occurs within this period, or if you opt-out, your data will be suppressed or securely deleted from our marketing lists. Data related to contracts will be retained for the period required by law (e.g., 6 years for tax purposes).

14. How We Use Cookies

Our Site may place and access certain first-party Cookies on your computer or device. First-party Cookies are those placed directly by us and are used only by us. We use Cookies to facilitate and improve your experience of Our Site. We have carefully chosen these Cookies and have taken steps to ensure that your privacy and personal data is protected and respected at all times.

All Cookies used by and on Our Site are used in accordance with current Cookie Law.

Before Cookies are placed on your computer or device, you will be shown a notification requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however certain features of Our Site may not function fully or as intended.

Our Site may use analytics services (e.g., Google Analytics or similar). Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling us to better understand how Our Site is used. This, in turn, enables us to improve Our Site. The analytics service used by Our Site may use Cookies to gather the required information. You do not have to allow us to use these Cookies, however whilst our use of them does not pose any significant risk to your privacy or your safe use of Our Site, it does enable us to continually improve Our Site, making it a better and more useful experience for you.

In addition to the controls that we provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all Cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.

You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, login and personalisation settings.

It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.

15. Your Legal Rights

Under the GDPR, you have the following rights, which we will always work to uphold:

  • The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 16.

  • The right to access the personal data we hold about you (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Part 16 will tell you how to do this.

  • The right to rectification of your personal data if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 16 to find out more.

  • The right to erasure (also known as the "right to be forgotten"), i.e., the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 16 to find out more. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • The right to restrict processing (i.e., prevent) the processing of your personal data.

  • The right to object to processing us using your personal data for a particular purpose or purposes.

  • The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.

We do not use your personal data to carry out automated decision-making and profiling.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 16.

Further information about your rights can also be obtained from the Information Commissioner’s Office (ICO) or your local Citizens Advice Bureau. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

16. How Can I Control My Personal Data?

In addition to your rights under the GDPR, set out in Part 15, when you submit personal data to us, you may be given options to restrict our use of your personal data. In particular, we aim to give you strong controls on our use of your data for direct marketing purposes (including the ability to opt-out of receiving emails from us which you may do by unsubscribing using the links provided in our emails and at the point of providing your details).

You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”). These may help to prevent you receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.

17. Can I Withhold Information?

You may access Our Site without providing any personal data at all. However, to engage with us for services or to receive direct marketing communications, certain personal data will be required. You may also restrict our use of Cookies. For more information, see Part 14.

18. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details for the attention of Livia Evans (or designated Data Protection Contact):

  • Email address: info@epnconsultants.co.uk

  • Telephone number: 01608 645616

  • Postal Address: 320 Firecrest Court Centre Park, Warrington, Cheshire, United Kingdom, WA1 1RG

19. Changes to This Privacy Policy

We may change this Privacy Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be immediately posted on our website and you will be deemed to have accepted the terms of the Privacy Policy on your first use of our website following the alterations. We recommend that you check the website regularly to keep up-to-date.

20. Documentation of Personal Data

EPN Consultants reviews all sources of personal data, its file location, and who has access to that data, and we maintain a register of all personal data sources. The information that we retain is processed with a lawful basis (as outlined in Part 9), and we only keep the minimum amount of data necessary to enable us to run our business effectively and legally.

21. Personal Requests for Deletion of Information

All requests for deletion of personal information shall be actioned providing the request is not in conflict with any legal obligations. Requests can be made via the channels listed in Part 18.

22. Employee Data Protection Training

At the point of induction, we make all our employees, associates, and key service providers aware of their personal obligations for data protection. Ongoing training is provided as necessary.

23. Monitoring of Our Data Protection Obligation

Our Data Protection Contact (Livia Evans or a nominated competent deputy) shall undertake periodic proactive monitoring of compliance to our Data Protection Policy. If any non-conformances are identified, the management team shall introduce appropriate corrective action.

24. Employee and Associate Engagement

All employees and associates are openly encouraged to make suggestions of ways we can improve our Data Protection compliance.

25. Policy Review

This Data Protection Privacy Policy shall be reviewed from time to time, not exceeding a 12-month cycle, and shall be updated where the Data Protection Contact deems that it is appropriate to do so. All changes shall be communicated to all employees, associates, and other business stakeholders that are affected by this Policy.