Privacy Notice

Introduction

Amba Defence Global Ltd (“we”, “us”, “ADG”) is committed to protecting your privacy and ensuring you have a positive experience on our website and when engaging with our services. This privacy notice explains how we collect, use and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

ADG provides integrated physical security solutions for high-net-worth principals, family offices and large estates. Our services include security architecture, CCTV systems, perimeter detection, access control, security operations centre (SOC) monitoring, residential security management, and strategic security advisory services through Modicum Consulting.

This privacy notice applies to all personal data we collect and process when you or your organisation engages with ADG, whether for security assessments, system installation, ongoing monitoring, maintenance, or strategic advisory services.

  • When you engage ADG for security services, we collect and process personal data necessary to deliver those services effectively and securely. This includes:

    Contact and Identification Data:

    • Names, titles and contact details of principals, occupants, family members, estate managers, and key personnel

    • Email addresses and telephone numbers

    • Postal addresses and property locations

    • Company and organisational information

    Security and Operational Data:

    • CCTV and video surveillance system access logs and monitoring records

    • Intruder alarm and fire alarm system activation records

    • Access control system logs (including entry and exit records from systems such as Unifi)

    • Security incident reports and assessments

    • Panic button and emergency alert activation records

    • Call recordings to and from our Security Operations Centre

    • Information related to security threats, vulnerabilities or incidents affecting your property or personnel

    Site and Property Information:

    • Property layouts, plans, maps and GPS coordinates

    • Location and positioning data for security systems

    • Photographs and video imagery of properties and external perimeters

    • Information about security system installations, configuration and maintenance

    Residential and Personnel Data:

    • Names and contact details of residential security staff, property managers and estate personnel

    • Shift schedules and work arrangements

    • Information necessary to manage security team communications and coordination

    • Background check and vetting information (where provided)

    Communications Data:

    • Emails, messages and correspondence relating to your security services

    • Call recordings (internal and external)

    • Operational notes and communications between our SOC team and your property management

    System and Technical Data:

    • System access credentials and authentication logs

    • Security system passwords, codes and technical access information

    • Device and system performance data

    • Network and connectivity information where we manage or monitor your infrastructure

    We do not process biometric data directly; biometric data (such as fingerprint or facial recognition) associated with access control systems is stored locally on your systems and remains your responsibility. However, we do have access to access control logs which may include records of biometric authentication events. Such logs are processed as part of our access control monitoring services.

  • We process your personal data on the following legal bases:

    Contract: We process personal data necessary to perform the security services you have contracted us to deliver. This includes monitoring, maintenance, incident response, and reporting.

    Legitimate Interest: We process personal data to protect your property, personnel and assets; to maintain the effectiveness of security systems; to investigate security incidents; to protect our business interests and those of your estate or organisation; and to ensure operational resilience and business continuity of critical security infrastructure.

    Legal Obligation: We process call recording data to comply with legal and regulatory requirements for recording in operational and business contexts. We retain records as required for potential legal, regulatory or law enforcement purposes.

    Consent: Where we process special categories of data (such as information revealing physical security vulnerabilities or sensitive family information), we do so on the basis of explicit consent granted through your engagement with us and our security contracts.

    Public Task: Where we process data to respond to emergency services requests, law enforcement enquiries or legal proceedings, we do so in performance of a legal obligation or public task.

  • We use the personal data you provide for the following purposes:

    Service Delivery and Monitoring:

    • Installing, configuring, maintaining and operating security systems

    • Monitoring your property via CCTV, alarm systems and access control

    • Responding to security alerts and incidents

    • Providing 24/7 SOC monitoring and incident management

    • Managing access to your property and facilities

    • Coordinating with your residential security team and estate management

    Incident Response and Investigation:

    • Investigating security breaches, incidents or suspicious activity

    • Analysing CCTV footage and access logs in response to security events

    • Communicating with you, emergency services, or law enforcement regarding incidents

    • Reviewing system performance and identifying improvements

    Maintenance and System Management:

    • Scheduling and performing planned preventative maintenance

    • Identifying system faults or vulnerabilities

    • Conducting technical testing and system reviews

    • Managing software and firmware updates

    • Monitoring system health and availability

    Reporting and Communication:

    • Providing security reports, assessments and recommendations

    • Communicating with you regarding system status, incidents or maintenance

    • Issuing alerts and notifications regarding security events

    • Providing strategic security advisory services

    Business Operations:

    • Managing contracts and billing

    • Managing personnel, contractors and third-party relationships

    • Complying with legal, regulatory and contractual obligations

    • Managing our Information Security Management System (ISMS) and ISO 27001:2022 compliance

    • Conducting internal audits, risk assessments and compliance reviews

    Call Recording:

    • Recording calls to our SOC to maintain accurate incident records

    • Providing evidence in case of disputed incidents or legal proceedings

    • Ensuring quality and compliance of our monitoring services

    • Analysing calls for training and operational improvement purposes

    Automated Decision Making:
    We do not use automated decision-making or profiling in a way that produces legal or similarly significant effects on you. However, we do use automated systems to flag security alerts and incidents that require human review and decision-making by our SOC operators or senior management.

  • Internal Access:
    Your personal data is accessible to our SOC operators, senior management and operational staff who require access to deliver your security services. Access is strictly limited to those with a legitimate operational need.

    Directors and Related Entities:
    James Ferrero and Shires Crichton are directors of both ADG and Modicum Consulting. In limited circumstances, data may be shared between the two entities where necessary for strategic security advisory services or where you have engaged both companies.

    Third Parties:
    We do not share your personal data with third parties outside our organisation, except where required by law or in the following circumstances:

    • Emergency Services: We may disclose information to police, fire services, ambulance services or other emergency responders in response to a security incident, emergency or legal requirement

    • Law Enforcement: We may disclose data in response to court orders, legal proceedings, or statutory obligations

    • Your Contractors and Service Providers: Where you instruct us to coordinate with your own contractors, engineers or service providers (such as system installers or IT support), we may share necessary operational information with your explicit consent

    • Your Representatives: Where you authorise us to communicate with your property manager, estate manager, family office, or other representatives, we may share relevant information with them

    We do not sell, rent or transfer your personal data to external data brokers or third-party marketing organisations. We do not process your data for marketing purposes.

    International Transfers:
    Some of your personal data may be transferred to and processed by our systems which may be located in the United Kingdom or, in limited circumstances, the European Union. Where we process data for EU/EEA residents, transfers are made in accordance with the UK GDPR and appropriate safeguards are in place.

  • Client Contact Information:
    We retain indefinitely. This is necessary to maintain our relationship with you, respond to future enquiries, and manage ongoing service contracts and liability.

    CCTV Footage:
    We do not store CCTV footage. All footage is stored locally on your systems under your control. Retention is subject to your recording equipment specifications and local storage availability. You remain responsible for managing CCTV data retention in accordance with your own legal obligations and privacy policies.

    Call Recordings:
    We retain call recordings for six months. Immediate access is maintained for 48 hours, after which recordings are moved to archival storage. Access to call recordings is restricted to senior staff. Older recordings are deleted in accordance with our retention schedule, except where required for legal, regulatory or contractual reasons.

    Site Reports and Security Assessments:
    We retain indefinitely. These documents form the basis of your security infrastructure and are necessary for ongoing maintenance, incident investigation, legal liability and business continuity.

    Access Control and System Logs:
    We retain access logs for as long as the access control system is active. Logs are necessary for incident investigation, auditing and compliance purposes. Where a site is decommissioned, logs are retained for a further period to ensure any unresolved incidents can be properly investigated.

    Call Recording Archives:
    After the initial six-month retention period, older call recordings are moved to archival storage. These may be retained for a further period if required for legal proceedings, investigations, or compliance audits. Archives are deleted when no longer required for legitimate business purposes, typically within 12 months of the initial retention period.

    Communications and Operational Records:
    We retain emails, messages and operational notes relating to your security services for as long as necessary to fulfil our contractual obligations and for a period thereafter to manage potential liability. Typically this is indefinite while there is an active relationship, and for seven years following contract termination (in line with UK business records retention requirements).

    Incident Investigation Records:
    Records relating to security incidents or investigations are retained for as long as necessary to investigate the incident fully and for any subsequent legal proceedings. Where an incident may result in legal action, records are retained for the duration of any proceedings and beyond if required.

    Legal and Compliance Records:
    Where we process data to comply with legal obligations, we retain data for the period required by law. This typically includes records relating to regulatory compliance, audits and subject access requests.

  • You have the following rights in relation to your personal data:

    Right of Access:
    You have the right to request a copy of the personal data we hold about you. We will provide this within 30 calendar days of a valid request, free of charge.

    Right of Rectification:
    You have the right to request that we correct inaccurate personal data. This is particularly important for security-related data where accuracy is critical.

    Right of Erasure:
    You have the right to request that we delete your personal data in certain circumstances. However, we may retain data where required by law, for the purposes of establishing, exercising or defending legal claims, or where retention is necessary for legitimate security or operational reasons. Requests to delete operational security data (such as incident records or access logs) may be refused where such deletion would compromise security or your protection.

    Right to Restrict Processing:
    You have the right to request that we restrict or suspend processing of your personal data in certain circumstances, for example where you dispute the accuracy of the data or the lawfulness of our processing.

    Right to Withdraw Consent:
    Where we process data on the basis of your consent, you have the right to withdraw that consent. However, this does not affect the lawfulness of processing before withdrawal.

    Right to Data Portability:
    You have the right to request that we provide your personal data in a portable format. This right applies where processing is based on contract or consent.

    Right to Object:
    You have the right to object to processing of your personal data where we rely on legitimate interests. However, objections to security-related processing may be refused where continued processing is necessary for your protection or security.

    Right Not to be Subject to Automated Decision Making:
    You have the right not to be subject to automated decision-making that produces legal or similarly significant effects. We do not make automated decisions about you except where necessary for routine operational purposes with human review.

    Right to Lodge a Complaint:
    You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have breached your privacy rights. You can contact the ICO at:

    Information Commissioner’s Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire SK9 5AF
    Tel: 0303 123 1113
    Email: casework@ico.org.uk

  • Information Security Management:
    ADG maintains an Information Security Management System (ISMS) certified to ISO 27001:2022 and ISO 9001:2015. Our systems and processes are regularly audited to ensure compliance with information security standards and regulatory requirements.

    Access Control:
    Access to personal data is restricted to authorised personnel with a legitimate operational need. Access is role-based, regularly reviewed, and removed promptly when no longer required. Multi-factor authentication is implemented where appropriate.

    Secure Communications:
    Operational communications involving clients, sensitive information and security data are conducted through approved, encrypted and monitored channels. Unauthorised disclosure through insecure platforms is prohibited.

    Physical Security:
    Our offices, control room operations and information storage are protected by controlled access, CCTV monitoring, alarm systems and secure working environments.

    Encryption and Data Protection:
    Personal data in transit and at rest is protected through encryption, secure storage and access controls proportionate to the sensitivity of the data.

    Personnel Security:
    All personnel with access to your data are subject to background checks and vetting in accordance with BS7858 standards. All staff are bound by confidentiality obligations through contracts, non-disclosure agreements and policies.

    Incident Management:
    We maintain procedures for identifying, investigating and managing information security incidents. All incidents are recorded and investigated proportionately, and corrective actions are implemented to prevent recurrence.

    Business Continuity:
    We maintain business continuity and backup arrangements to ensure your data remains protected and available in the event of system failure or disruption. Backups are regularly performed, tested and securely stored.

  • We may update this privacy notice from time to time to reflect changes in our data processing practices, legal requirements, or other operational changes. Any significant changes will be communicated to you directly. Your continued use of our services following such changes constitutes your acceptance of the updated terms.

    This privacy notice was last updated in May 2026. We review this notice annually or following significant business or regulatory changes.

  • For questions about this privacy notice, to exercise your rights, or to report a privacy concern, please contact:

    Amba Defence Global Ltd
    1 Cotswold Link
    Moreton in Marsh
    GL56 0JU
    UK

    Data Protection Officer:
    James Ferrero

    Email:
    compliance@amba-defence.com

    Telephone:
    01451 480 582

    We aim to respond to all privacy enquiries and rights requests within 30 calendar days.

    Data Controller: Amba Defence Global Ltd (Company Number: 10873290)

    Registered Office: 1 Cotswold Link, Moreton in Marsh, GL56 0JU

    Certification: ISO 27001:2022, ISO 9001:2015

    Compliance Framework: UK GDPR, Data Protection Act 2018, BS7858, BS7958, SSAIB Codes of Practice