Website Terms and Conditions and Privacy Policy

Infuse Technology Ltd t/a PKF Infuse
A company registered in England and Wales with company number 07661373
Registered Office: Prospect House, 1 Prospect Place, Millennium Way, Derby, DE24 8HG

Last updated: 26 March 2026

1. Who we are

For the purposes of UK data protection law, the controller of personal data collected through this website is:

Infuse Technology Ltd t/a PKF Infuse

Prospect House, 1 Prospect Place, Millennium Way, Derby, DE24 8HG

Phone: 01332 374444
Email: dpo@pkfsmithcooper.com
Website: www.pkfinfuse.com

We process personal data in line with:

• The UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025
• The Data Protection Act 2018
• The Privacy and Electronic Communications Regulations 2003 (PECR) as amended

2. Key definitions

The following terms have the meanings given in UK GDPR:

3. Personal data we collect

We may collect and process the following categories of personal data:

• Identity data such as name and job title.
• Contact data such as business address, email address and telephone number.
• Technical data such as IP address, browser type and version, time zone setting, operating system and platform.
• Usage data such as information about how you use our website, pages viewed and time spent on pages.
• Marketing and communications data such as your preferences in receiving marketing from us and your communication preferences.
• Support interaction data such as information you provide on support tickets, emails and recorded calls to our helpdesk.

We do not intentionally collect special category data (for example health or religious data) through the website and ask you not to submit this through contact forms.

4. How we collect personal data

We collect personal data in the following ways:

• Directly from you when you complete a contact form, sign up to an event or newsletter, email us, call us or otherwise communicate with us.
• Automatically as you interact with our website through cookies and similar technologies.
• Through our service systems such as ConnectWise and N-able where you are a user of services that we manage for your organisation.

5. How we use personal data and legal bases

We will only use personal data when UK law allows us to. Most commonly we will use personal data in the following circumstances:

To respond to enquiries and provide information you request

Legal basis: legitimate interests (to respond to enquiries and grow our business) or performance of a contract where we are discussing or delivering services.

To manage and deliver our services to clients

Legal basis: performance of a contract with your organisation and legitimate interests (to manage our business).

To improve our website, services and user experience

Legal basis: legitimate interests (to keep our site updated and relevant and to develop our services).

To send you marketing communications

Legal basis: consent where required under PECR, or legitimate interests where consent is not required and you have not opted out.

To comply with legal obligations

For example to keep records for tax, regulatory or insurance purposes. Legal basis: compliance with legal obligations.

For cybersecurity, fraud prevention and service monitoring

Legal basis: legitimate interests (to secure our systems and detect malicious activity) and compliance with legal obligations where relevant.

Where we rely on consent you have the right to withdraw that consent at any time.

6. Cookies and similar technologies

Our website uses cookies and similar technologies. Cookies are small text files stored on your device when you visit a website.

We use:

• Strictly necessary cookies that are required for the operation of the site. These are set without consent.
• Preference and analytics cookies that help us understand how the site is used and improve performance. Where required under PECR we obtain your consent before setting these cookies.

You can control cookies through our on-site cookie banner or preference centre where available, or through your browser settings which allow you to block or delete cookies. If you disable cookies some parts of the site may not function correctly.

Cookies used by the Sopro plugin

We use Sopro, a digital marketing service provided by Prospect Global Ltd (trading as Sopro), to support our outreach and marketing activities. Sopro may set the following cookies on your device:

• _obid: tracks unique visits to the site and relates them to the email campaign. Expires after 1 year. This cookie is used for performance and analytical purposes.
• _obid_visit: identifies a session across multiple pages. Expires after 4 hours. This cookie is used for advertising and tracking purposes and requires your consent under PECR before being set.

Sopro is registered with the ICO (registration number ZA346877). For further information about how Sopro processes personal data, including your rights in relation to that processing, please see Sopro's privacy policy at sopro.io or contact their Data Protection Officer at dpo@sopro.io.

7. ConnectWise, N-able and SentinelOne

We use the following third party platforms to deliver managed IT services and support to our clients:

• ConnectWise platforms including professional services automation and related tools.
• N-able platforms including N-sight RMM, backup and remote monitoring and management services.
• SentinelOne endpoint detection and response (EDR) services.

7.1 Types of personal data processed in these systems

Through these platforms we may process:

• Names, business email addresses and telephone numbers of your staff and authorised users.
• Device identifiers, usernames and technical logs relating to the devices and services we manage.
• Ticket and support information including incident descriptions and troubleshooting notes.
• Limited location or usage data associated with devices where required to provide the service.

We do not use these systems to intentionally store special category data and we ask clients not to enter such data into ticket descriptions unless strictly necessary.

7.2 Roles and responsibilities

The role of each party depends on the nature of the processing activity:

• Where we are delivering managed services to your organisation, your organisation is usually the controller for personal data relating to your staff and devices, and Infuse Technology Ltd acts as a processor under your instructions and in accordance with our contract with you.
• Where we are processing data for our own business purposes, such as managing client relationships, billing and service delivery records, Infuse Technology Ltd acts as a controller.

ConnectWise, N-able and SentinelOne act as our sub-processors under their own data processing agreements. Those agreements reflect the requirements of Article 28 UK GDPR and include appropriate security, confidentiality and sub-processor controls.

7.3 International transfers

ConnectWise, N-able, SentinelOne and Microsoft are global providers and personal data may be processed or stored outside the UK. Where that occurs we ensure that appropriate safeguards are in place, which may include:

• The UK International Data Transfer Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office.
• UK adequacy regulations where the destination country has been deemed adequate by the UK Government.

Technical and organisational measures to protect data in transit and at rest 

We review our processors' security and privacy documentation regularly and keep records of the data processing arrangements in place.

7.4 How this affects you

Your rights under UK data protection law continue to apply to data held in these systems. Requests to exercise your rights should be made to us as controller or to your employer where your employer is the controller. We will work with our processors where necessary to respond to those requests.

8. Third party tools, plugins and marketing processors

We may use third party tools on the site such as analytics, security and social media plugins. These providers act as processors or independent controllers depending on the integration.

Where our website includes links to or plugins for third party sites such as Facebook, LinkedIn, X (formerly Twitter) or others, your use of those services is subject to their own privacy notices and cookie policies. You should review those notices before using such services.

Where these tools set cookies that are not strictly necessary we will seek your consent through our cookie controls.

We engage carefully selected third party partners who process personal data on our behalf in compliance with UK data protection law. Our appointed data processors for marketing purposes include:

• Prospect Global Ltd (trading as Sopro), registered in England and Wales (company number 09648733), registered with the ICO (ZA346877). Privacy policy: sopro.io. DPO: dpo@sopro.io.

 

9. Disclosure of personal data

We may share personal data with:

• Members of our corporate group where needed to deliver services.
• Professional advisers including lawyers, bankers, auditors and insurers.
• Service providers who act as processors such as hosting providers, email and telephony providers, ConnectWise, N-able and SentinelOne.
• Regulators, law enforcement agencies and other authorities where required by law or to protect our legal rights.
• Potential buyers and their advisers in the context of a merger, acquisition or restructuring, subject to confidentiality obligations.

We do not sell personal data.

10. International transfers

Where we transfer personal data outside the UK we will ensure that one of the following conditions applies:

• The destination country has been deemed to provide an adequate level of protection by the UK Government under UK adequacy regulations.
• We use a UK International Data Transfer Addendum or other approved contractual mechanism with the recipient.
• Another appropriate safeguard recognised under UK data protection law applies.

You can contact us at dpo@pkfsmithcooper.com for more information about specific transfer mechanisms used for your data.

11. Data retention

We keep personal data only for as long as reasonably necessary for the purposes set out in this notice and to satisfy legal, regulatory, tax, accounting or reporting requirements. In general:

• Website enquiry data is kept for up to 3 years from last contact.
• Client and contract records are kept for the life of the contract then for up to 7 years after the end of the relationship.
• Call recordings are kept for 30 days unless needed in connection with a complaint, claim or investigation.

Where we no longer need personal data we will delete or anonymise it.

12. Call recording

When you call our helpdesk or other support lines your call may be recorded. We use call recordings to monitor and improve the quality of our customer service, train and develop our staff, and investigate complaints, incidents and potential security issues.

Call recordings may be shared with third parties who help us deliver telephony and recording services, and with regulators, law enforcement or professional advisers where required by law or in connection with a claim.

We normally retain call recordings for 30 days. Recordings needed for complaints, disputes or legal matters may be kept for longer. You have the same rights in relation to call recordings as for other personal data, described in section 13 below.

13. Your rights as a data subject

Subject to certain conditions and exemptions, you have the following rights under UK GDPR and related law:

• Right of access: you can request confirmation that we process your personal data and obtain a copy of that data together with certain information about the processing.
• Right to rectification: you can ask us to correct inaccurate data and complete incomplete data.
• Right to erasure: you can ask us to delete your personal data in certain situations, for example where the data is no longer needed for the original purpose and we have no legal reason to keep it.
• Right to restriction of processing: you can ask us to restrict processing in certain cases, for example while we check the accuracy of data or assess an objection.
• Right to data portability: you can ask us to provide certain personal data in a structured, commonly used and machine-readable format or to transmit that data to another controller where technically feasible.
• Right to object: you can object to processing based on legitimate interests where you believe your rights and interests outweigh ours. You can always object to direct marketing at any time.
• Rights in relation to automated decision-making: you have rights where we make decisions about you solely by automated means that have legal or similar significant effects. We do not carry out such profiling through this website.
• Right to withdraw consent: where we rely on consent you can withdraw it at any time. This will not affect the lawfulness of processing before consent was withdrawn.

To exercise any of these rights please contact us at dpo@pkfsmithcooper.com or by post using the contact details in section 1.

14. Complaints

If you have a concern about how we have handled your personal data, we ask that you contact us directly in the first instance. We have a formal data protection complaints procedure in place and are committed to handling all complaints fairly and within the timeframes set out below.

You can submit a complaint by:

• Email: dpo@pkfsmithcooper.com
• Post: Data Protection Officer, PKF Smith Cooper, 1 Prospect House, Prospect Place, Millenium Way, Derby DE24 8HG.

We will acknowledge your complaint within 30 days of receipt and will respond to it without undue delay. We may ask you for further information to help us investigate your concern.

If you are not satisfied with our response, or if you would prefer to escalate your complaint directly, you have the right to contact the UK supervisory authority:

• Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• Website: ico.org.uk/concerns
• Telephone: 0303 123 1113

 

15. Security

We have put in place appropriate technical and organisational measures to protect personal data against accidental loss, misuse, unauthorised access, alteration or disclosure. These measures include access controls, encryption where appropriate, regular security reviews and staff training.

We also expect our processors including ConnectWise, N-able and SentinelOne to implement appropriate security measures and we review their published security information and data processing terms.

Where a personal data breach occurs that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals we will also notify those affected without undue delay.

16. Artificial intelligence

16.1 AI tools we use

We use AI tools to assist in the delivery of our services and in our internal operations. Our policy is to use only approved AI tools within a controlled environment. The AI tools we currently use are:

• Microsoft Copilot for Microsoft 365, integrated across our Microsoft 365 environment including Word, Excel, Outlook and Teams, used to assist with drafting, summarising, data analysis and other productivity tasks.
• Microsoft Copilot (paid subscription), used for general AI-assisted tasks within our business.
• Claude, accessed via Microsoft Azure, used for AI-assisted drafting and analysis, deployed within Microsoft's infrastructure.

Staff are only permitted to use these approved tools when working with personal data. Use of other AI tools for processing personal or client data is not authorised.

16.2 Where AI processes personal data

When we use Microsoft Copilot and Claude in delivering managed IT services, personal data relating to your staff, devices and support interactions may be processed through these tools. This may occur, for example, where Copilot assists with drafting client communications, summarising support tickets, or analysing service delivery data. SentinelOne, which uses AI and machine learning as part of its endpoint detection and response functionality, analyses device and user behaviour data to identify security threats. This processing is carried out within SentinelOne's infrastructure under our data processing agreement with them.

16.3 Data location and transfers

All of the AI tools listed above are operated within Microsoft's infrastructure. Personal data processed through these tools is held in Microsoft data centres in Sweden. Sweden is a member of the European Economic Area and is covered by UK adequacy regulations, meaning data flows to Sweden freely without the need for additional transfer safeguards such as an IDTA or Standard Contractual Clauses.

This is a deliberately chosen position, we have selected AI tools hosted within the Microsoft estate specifically to ensure that personal data remains within a controlled, adequacy-covered environment.

16.4 Automated decision-making and AI

We do not use AI tools to make solely automated decisions about individuals that produce legal or similarly significant effects. AI is used as an assistive tool to support human decision-making, not to replace it. All decisions that affect individuals are subject to human review.

Under Articles 22A to 22D of the UK GDPR, as updated by the Data (Use and Access) Act 2025, you have the right to certain safeguards where significant decisions are made about you by automated means. As we do not make such decisions through AI, these provisions do not currently apply to our use of AI. If this position changes we will update this policy accordingly.

16.5 Your rights in relation to AI processing

Your rights under UK data protection law apply equally to personal data processed through AI tools. If you have questions about how AI tools are used in connection with your personal data, or if you wish to object to such processing, please contact us using the details in section 1.

17. Automated decision-making

We do not use solely automated decision-making processes that produce legal or similarly significant effects on individuals in connection with this website or our services, including through our use of AI tools.

Under Articles 22A to 22D of the UK GDPR, as updated by the Data (Use and Access) Act 2025, you have the right to certain safeguards where significant decisions are made about you by automated means. A decision is solely automated where there is no meaningful human involvement. As we do not make such decisions, these provisions do not currently apply. Please see the AI section of this policy for more information about how we use AI tools.

18. Security

We have put in place appropriate technical and organisational measures to protect personal data against accidental loss, misuse, unauthorised access, alteration or disclosure. These measures include access controls, encryption where appropriate, regular security reviews and staff training.

We also expect our processors including ConnectWise, N-able and SentinelOne to implement appropriate security measures and we review their published security information and data processing terms.

Where a personal data breach occurs that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware. Where the breach is likely to result in a high risk to individuals we will also notify those affected without undue delay.

19. Third party websites

Our website may contain links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party sites and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit.

20. Changes to this notice

We may update this policy from time to time. Any changes will be posted on this page with an updated 'Last updated' date. Material changes may also be notified to you by email or through a notice on our website where appropriate.