Privacy Policy
Effective date: 21 April 2026
Last updated: 21 April 2026
1. Introduction
Arch Consulting Ltd (“Arch”, “we”, “us” or “our”) is committed to protecting personal data and respecting your privacy.
This Privacy Policy explains how we collect, use, store, disclose and otherwise process personal data when you:
- visit or use any website operated by Arch;
- contact us, request information from us, register for events, download content, or otherwise interact with us;
- receive services from us or on behalf of your organisation; or
- use our products, including the Looply software and related services.
This policy explains your privacy rights and how the law protects you.
Please read this Privacy Policy carefully. If you have any questions, please contact us using the details in section 2.
2. Who we are and how to contact us
The data controller for the purposes described in this Privacy Policy is:
Arch Consulting Ltd
1b Elliot Road
London
W4 1PF
Email: contact@arch-global.com
Arch is registered with the Information Commissioner’s Office under registration reference Z7998768.
If you have any questions about this Privacy Policy or about how we handle personal data, please contact us at the address above.
You have the right to make a complaint to the Information Commissioner’s Office (“ICO”), the UK regulator for data protection matters, although we would appreciate the opportunity to address your concerns first.
3. Scope of this policy
This Privacy Policy applies to personal data processed by Arch in connection with:
- our websites and online content;
- sales, marketing and business development activity;
- customer, supplier and partner relationships;
- events, webinars, demonstrations and downloads;
- support, service delivery and account management; and
- Arch products and cloud services, including Looply.
This Privacy Policy does not apply to third-party websites, products, services or platforms that Arch does not control, even where they are linked from our websites or services. Those third parties will have their own privacy notices and terms.
Our websites and services are intended for business use and are not directed at children. We do not knowingly collect personal data relating to children.
4. When Arch is a controller and when Arch is a processor
Data protection law distinguishes between a controller and a processor.
Arch acts as a controller where we decide why and how personal data is used for our own business purposes. This includes, for example:
- website enquiries;
- contact form submissions;
- event registrations;
- marketing communications;
- customer and supplier relationship management;
- administration of customer accounts; and
- support, security, analytics and service improvement relating to our own systems and services.
Arch also acts as a controller in relation to certain information about Looply users, including administrative users and technical or usage data that we use to operate, secure, support and improve the service.
Arch acts as a processor where we process personal data on behalf of a customer in connection with their use of Looply or other services. In those cases, the customer is usually the controller and decides the purposes of the processing, and Arch processes the data in accordance with the relevant contract and the customer’s instructions.
Where Arch acts only as a processor, individuals should usually direct privacy requests concerning the customer’s underlying business data to that customer first. Arch will assist its customers where required under applicable law and contract.
5. The personal data we collect
The personal data we collect depends on how you interact with us.
5.1 Information you provide directly
You may provide us with personal data such as:
- your name;
- job title;
- employer or organisation name;
- business email address;
- business postal address;
- telephone number;
- account and login details;
- correspondence and enquiry details;
- event registration details;
- marketing preferences; and
- any other information you choose to provide to us.
5.2 Website and online usage information
When you use our websites, we may collect technical and usage data, including:
- IP address;
- browser type and version;
- device type and identifiers;
- operating system and platform;
- referral source;
- pages viewed;
- actions taken on the site;
- date and time data; and
- cookie, analytics and similar technology data.
5.3 Looply and related service data
In connection with Looply and related services, Arch may process personal data including:
- organisation and user-related details;
- administrator account details;
- workflow and process data;
- notification and approval content;
- audit and reporting information;
- support and service management data; and
- technical, diagnostic, session and log data.
For administrative users of Looply, Arch will typically process identity and contact information in its capacity as controller in order to create, maintain and support the account. For customer workflow or end-user data processed through Looply, Arch will usually act as processor on behalf of the relevant customer.
5.4 Special category data
Arch does not generally seek to collect special category personal data through its websites or normal business interactions.
If such data is processed through Looply or another service, this will usually be because the relevant customer has chosen to use the service in a way that includes that data, in which case Arch will normally process it as processor under the customer’s instructions and contractual controls.
6. How we collect personal data
We collect personal data in the following ways.
6.1 Direct interactions
You may give us personal data by:
- submitting a website form;
- contacting us by email, phone or post;
- requesting a demonstration, proposal or quotation;
- downloading content;
- registering for or attending an event or webinar;
- corresponding with us as a customer, supplier, partner or prospect; or
- setting up or using an account for one of our services.
6.2 Automated technologies
As you interact with our websites or online services, we may automatically collect technical and usage data using cookies, log files and similar technologies. Please see section 8 for more information.
6.3 Third parties and other sources
We may also receive personal data from:
- your employer or organisation;
- event organisers;
- service providers who support our business;
- publicly available sources such as company websites and professional networking sites; and
- customers, where Arch is processing data on their behalf.
7. How we use personal data and our lawful bases
Under UK data protection law, we must have a lawful basis for processing personal data.
Depending on the circumstances, we rely on one or more of the following lawful bases:
- performance of a contract;
- taking steps at your request before entering into a contract;
- compliance with a legal obligation;
- legitimate interests; and
- consent, where required.
We do not generally rely on consent except where the law requires it, for example in relation to certain marketing activities or non-essential cookies and similar technologies.
7.1 Website, sales and marketing activity
We may use personal data to:
- respond to enquiries and provide information about our products and services;
- manage downloads, registrations and attendance for events, webinars and demonstrations;
- send communications relevant to our business relationship with you;
- send marketing communications where permitted by law;
- understand how our websites and campaigns are used;
- administer and protect our websites and systems; and
- maintain business records and carry out internal reporting.
The lawful bases for these activities may include legitimate interests, performance of a contract, steps prior to entering into a contract, legal obligation, and consent where required.
7.2 Customer, supplier and partner administration
We may use personal data to:
- set up and manage customer, supplier or partner relationships;
- manage contracts, renewals, billing and account records;
- provide support and service communications; and
- maintain our internal business and financial records.
The lawful bases for these activities may include performance of a contract, legitimate interests and legal obligation.
7.3 Looply and related services
Where Arch acts as controller, we may use personal data to:
- create and administer customer accounts and administrator profiles;
- verify identity and maintain customer records;
- provide, support, secure and maintain the service;
- troubleshoot, test and monitor service performance;
- generate technical and service analytics;
- improve the service and user experience; and
- protect our systems, business and users from fraud, misuse and security threats.
The lawful bases for these activities may include performance of a contract, legitimate interests and legal obligation.
Where Arch acts as processor on behalf of a customer, we process personal data only as permitted by the relevant contract and the customer’s instructions.
7.4 Legal and regulatory compliance
We may process personal data where necessary to:
- comply with legal, regulatory, accounting or tax obligations;
- investigate complaints or incidents;
- establish, exercise or defend legal claims; and
- protect the rights, property and safety of Arch, our customers and others.
The lawful bases for these activities may include legal obligation and legitimate interests.
7.5 Change of purpose
We will only use personal data for the purposes for which it was collected unless we reasonably consider that we need to use it for another compatible purpose. If we need to use personal data for an unrelated purpose, we will notify you where required by law.
8. Cookies and similar technologies
Our websites use cookies and similar technologies for essential website functions and, where enabled, analytics, performance measurement and marketing-related purposes.
Where non-essential cookies or similar technologies are used, we use a consent mechanism to give users choice in accordance with applicable law.
You can manage your preferences through our cookie banner or settings tool where available. You can also control cookies through your browser settings, although doing so may affect website functionality.
More detailed information may also be provided through our cookie banner, cookie settings or any separate cookie notice we make available.
9. Who we share personal data with
We may share personal data with the following categories of recipient where necessary:
- companies within the Arch group;
- professional advisers such as lawyers, accountants, insurers and auditors;
- service providers who host, support or help us operate our websites, systems and services;
- cloud and infrastructure providers;
- CRM, communications, event and marketing platform providers;
- payment or billing service providers where relevant;
- regulators, courts, law enforcement bodies or public authorities where required; and
- prospective buyers, investors or advisers in connection with a merger, acquisition, financing or sale of business assets.
Where Arch acts as processor, we may also use approved sub-processors to support delivery of the service, subject to contractual and legal controls.
We require third parties to respect the security of personal data and to process it in accordance with applicable law. We do not sell personal data.
10. International transfers
Arch provides Looply using cloud infrastructure hosted in Ireland for its standard public cloud service. For private cloud deployments, the hosting location is agreed with the customer. Your clarified hosting position also means the privacy notice should not state that Arch never transfers data outside the UK.
In some cases, personal data may be stored in, accessed from, or otherwise processed in countries outside the UK.
Where personal data is transferred outside the UK, Arch will take steps to ensure that appropriate safeguards are in place as required by applicable data protection law.
11. Data security
Arch has implemented appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
These measures include, as appropriate:
- access controls and permissions;
- role-based restrictions;
- managed hosting arrangements;
- technical security controls;
- confidentiality obligations; and
- internal policies and procedures relating to security and data handling.
We also have procedures in place to deal with suspected personal data breaches and will notify affected parties and regulators where required by law.
12. Data retention
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including for legal, regulatory, tax, accounting, contractual and reporting purposes, and for the establishment, exercise or defence of legal claims.
In general:
- where Arch acts as controller, we retain personal data for the duration of the relevant relationship and then for an appropriate period afterwards to meet legal, audit, record-keeping and dispute-handling requirements;
- where Arch acts as processor for a customer, retention is governed primarily by the relevant contract, customer instructions and service configuration;
- according to Arch’s existing internal retention policy, Looply organisation and user-related details are held for the duration of the contract, workflow retention is determined by the customer’s chosen log-retention period, only completed processes are deleted under that mechanism, deletion also removes backup data, and customer data held on Microsoft Teams cards is subject to the customer’s own retention settings in Microsoft 365.
We may retain personal data for longer where there is a complaint, an actual or anticipated dispute, or another lawful reason to do so.
13. Your rights
Where Arch acts as controller, you may have the following rights under data protection law, subject to applicable conditions and exemptions:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing;
- the right to data portability; and
- the right to withdraw consent where consent is the lawful basis for processing.
To exercise any of these rights, please contact us using the details in section 2.
Where Arch acts only as processor on behalf of a customer, we may need to refer your request to the relevant customer as controller.
13.1 Fees and timescales
You will not usually have to pay a fee to exercise your rights.
However, we may charge a reasonable fee or refuse to comply with a request if it is manifestly unfounded, repetitive or excessive.
We will normally respond within one month, although this period may be extended where permitted by law.
13.2 Identity verification
We may need to request information from you to verify your identity before responding to a request. This is a security measure to help ensure that personal data is not disclosed to someone who is not entitled to receive it.
14. Third-party links and services
Our websites and services may include links to third-party websites, plug-ins, applications or services.
If you follow those links or enable those connections, the relevant third party may collect or process personal data in accordance with its own privacy notice. Arch is not responsible for the privacy practices of third parties that we do not control.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, technical or business developments.
The latest version will always be published on our website with the updated effective date. Where appropriate, we may also notify users of material changes by email or by a notice on the relevant website or service.
16. Contact and complaints
If you have any questions about this Privacy Policy, wish to exercise a privacy right, or have concerns about how we handle personal data, please contact:
Arch Consulting Ltd
1b Elliot Road
London
W4 1PF
Email: contact@arch-global.com
You also have the right to complain to the Information Commissioner’s Office, although we would welcome the opportunity to address your concerns directly first.