Privacy & Cookie Policy


Data Protection and Privacy Policy

Last Reviewed: January 2022

Integra Aerospace Ltd. has a duty of care to any individual it holds data about, and therefore takes the protection of personal data seriously. It is our aim to provide the highest level of service possible whilst safeguarding the privacy of our colleagues and customers. Collecting some personal information is necessary to deliver the high level of service our customers expect.

Taken together with our obligations under the Data Protection Act 2018, we have set out in this document what personal information we collect and what we do with it.


  1. Introduction

1.1. Definitions:

1.2. The GDPR Principles and Lawful Bases for Processing

  1. The Company’s Purpose for Data Processing

2.1. Usage of

2.2. Usage of

2.3. Purchases and/or Paid Subscriptions

2.4. Communication

2.5. NHS Track and Trace

  1. Storage and Retention of Personal Data
  2. Rights of Data Subjects

4.1. Access to Data

4.2. Right to Erasure, Objection and Rectification

  1. Personal Data Breaches

5.1. The Company’s Obligations

  1. Website Cookies
  2. Further Information or Questions
  3. Introduction

The General Data Protection Regulation (‘GDPR’) replaces the EU Data Protection Directive of 1995 and supersedes the United Kingdom (UK) Data Protection Act 1998. The purpose of GDPR is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and wherever possible, that it is processed with their consent. The UK has subsequently implemented GDPR under the Data Protection Act 2018. For more information, please visit:​.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

We reserve the right to vary the terms within our Privacy and cookies policy from time to time. Our new terms will be displayed on this page and by continuing to use and access our website following such changes, you agree to be bound by any variation made by us. It is your responsibility to check our privacy policy from time to time to verify such variations.

1.1. Definitions:

‘​Company​​’ is Integra Aerospace Ltd.

‘​D​ata Controller’​​ ​is an individual, organisation or other legally defined entity which alone or jointly with others determines the purposes for and in which manner any personal data are, or are to be, processed. ​Where the purposes and means of such processing are determined by union or member state law, the controller or the specific criteria for its nomination may be provided for, by union or member state law.

‘​Data Processor’​ is an individual, organisation or other legally defined entity which processes personal data on behalf of the Data Controller.

‘​D​ata Protection Officer’​​ refers to an individual within the company who is responsible for data protection.

‘​​Data Subject’​ is a living individual.

‘​Information Commissioner’s Office (ICO)​​’ is the supervising authority for Data Protection within the United Kingdom.

‘M​aterial Scope​’ ​means the Data Protection Act 2018 applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.

‘​Personal Data​​’ is any information relating to an identified or identifiable data subject; an identifiable data subject is one who can be identified, directly or indirectly, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject.

‘​Personal Data Breach​​’ refers to a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

‘​Processing’​ refers to any operation performed on personal data by any means. This will include: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, eraser or destruction.

‘​Special Categories of Personal Data​’ includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a data subject or data concerning a data subject’s sex life or sexual orientation.

‘Territorial Scope’​ ​means the Data Protection Act 2018 will apply to all data controllers that are established in the UK while the GDPR elements apply to all data controllers within member states within the European Union (‘EU’) who process the personal data of data subjects, in the context of that establishment. It will also apply to data controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.

1.2. The GDPR Principles and Lawful Bases for Processing

The GDPR sets out seven key principles which underpin the processing of personal data:

  • Lawfulness, fairness and transparency
  • Data minimisation
  • Storage limitation
  • Accountability
  • Purpose limitation
  • Accuracy
  • Integrity and confidentiality (security)

The principles are at the heart of the GDPR, set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.

Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to compliance with the detailed provisions of the GDPR. Data Controllers who fail to comply with the principles may be open to substantial fines.

Lawful Bases

The following lawful bases are outlined with regards to the processing of personal data:

(a) ​'Consent​’ means the data subject has given clear consent for the data controller to process their personal data for a specific purpose.

(b) 'Contract​’ means processing is necessary for a contract and/or entering into a contract between the data controller and data subject.

(c) 'Legal obligation​’ means processing is necessary for you to comply with the law. This does not include contractual obligations.

(d) 'Vital interests​’ means processing is necessary to protect someone’s life.

(e) 'Public task​’ means processing is necessary to perform a task in the public interest or for the data controller’s official functions, and the task or function has a clear basis in law.

(f) 'Legitimate interests​’ means processing is necessary for data subject’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests. This cannot apply for a public authority processing data to perform official tasks.

  1. The Company’s Purpose for Data Processing

In all cases, the company will rely on the lawful basis of consent when processing any personal data. The company does not buy, sell, rent or trade personal data of any kind with any other entity. The company may collect, store and process personal data for the following purposes:

2.1. Usage of ​
This is the company’s primary public facing website and is used to market the company as well as its products and services.

Website Usage Statistics

The company collects anonymous data for the purpose of producing its own aggregated website usage statistics in order to assist it in developing the accessibility of its website. This data may include:

  • IP address
  • Geographic location
  • Browser type
  • Operating system
  • Referral source
  • Length of visit
  • Page views
  • Navigation paths

Newsletter and Notification Subscriptions

  • The company requires your name and email address in order to deliver any notifications and/or newsletters you choose to subscribe to.
  • The company will never automatically subscribe you to any mailing lists of any kind. Where you have previously subscribed to any mailing list, you can unsubscribe at any time by contacting the company directly or by following the instructions on how to unsubscribe, which are included in each email.

2.2. Usage of ​

This is the company’s learning management web system and is used to deliver some of its services. Access is only provided to users who are enrolling on courses the company delivers.

The company relies on consent and contract for the lawful processing of any personal data connected to the use of ​​.

Creating a Profile and Enrolling on Courses.

Information that you provide when registering, creating a profile and enrolling on a course at ​​. Personal data collected here can include:

  • Names
  • Address
  • Profile pictures
  • Date of birth
  • Gender
  • Email address
  • Phone number
  • Employer Details

Usage and Course Statistics

  • Information that you provide to us when using the services on our website, or that is generated in the course of the use of those services, including the timing, frequency and pattern of service use.

2.3. Purchases and/or Paid Subscriptions

  • Information relating to any purchases you make of our services or any other transactions that you enter into through our website, including your name, address, telephone number, email address and card details.
  • While the company provides the facility for online payment of its products and services, this is handled by PayPal, which acts as a data processor for the company. You are encouraged to read and review PayPal’s privacy policy which is available at:​.
  • You are under no obligation to use PayPal for payments, in which case please contact the company directly so an alternative method can be arranged.

2.4. Communication

Details on how to contact the company are provided on its website at:​.

The company will communicate with you using the data you provide and only for purposes you consent to. Any personal data you supply to the company will only be used for the purposes of responding to your enquiry and will not be stored and processed for any other purpose.

  • In order to respond to any correspondence, the company requires you to provide your name, a means of contact, namely an email address and/or phone number.
  • From time to time the company attends industry exhibitions and events and as such may collect and process names, email addresses and/or phone numbers for the reason of contacting individuals who explicitly and expressly consent at the time.
  • Before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information in accordance with this policy.

2.5. NHS Track and Trace

As some of the company’s services are delivered in a physical group setting, and in light of the COVID-19 pandemic and under the lawful basis of legal obligation, the company may be required to transfer names and contact details of specific individuals to NHS Track and Trace if legally and lawfully requested to do so as set out under section 2g of the published government document containing guidance for community facilities(1).

  1. Storage and Retention of Personal Data
  • Personal data which the company processes for use in ​ is stored in a structured and organised form within a hosted database provided by Data Protection and GDPR compliant hosts. The company regularly monitors this infrastructure, applying updates where applicable and maintains a good standard of authentication and daily backups.

(1) COVID-19: Guidance for the safe use of multi-purpose community facilities

  • The company regularly audits the personal data it holds and will destroy any personal data which is no longer required for any processing.
  1. Rights of Data Subjects

This document outlines the company’s purpose for the processing of personal data. Under the Data Protection Act 2018, data subjects have the right to access personal data about them held by a data controller, as well as the right to rectify erroneous data, object to processing or to request their personal data be erased.

4.1. Access to Data

This is commonly referred to as a “subject access request” and can be done at any time, free of charge. Subject access requests should be addressed to the company’s data protection officer and made in writing or by email to [email protected]​.
If making a subject access request, please provide your name and a means of contact when submitting it to the company.

The company can charge an administration fee if:

  • The request is manifestly unfounded or excessive, particularly if it is repetitive; and,

To comply with requests for further copies of the same information.

The company is obliged to provide the information without delay and at the latest within one month of receiving a request. Any fees charged will be based purely on the cost of providing the information.

In the case of manifestly unfounded or excessive requests, the company can also refuse to release the requested personal data. If so, the company will inform the data subject why this is the case, and inform them of their right to complain to the supervising authority. They should make any complaint without undue delay and within the latest of one month.

In situations where requests are complex or numerous, the company can extend this deadline by a further two months. The company must immediately inform the data subject of this, and why this is necessary within one month of receiving the request.

4.2. Right to Erasure, Objection and Rectification

Data subjects can at any time object to the manner in which their personal data are processed and/or have any erroneous data held about them by the company corrected. It is also the company’s duty and responsibility to ensure any personal data it holds about any data subject is current and up to date.

Additionally, Data subjects can at any time request to have their personal data held by the company erased. This is also often informally referred to as the ‘right to be forgotten’.

Objections to data processing, requests for rectification or erasure should be addressed to the company’s data protection officer and made in writing or by email to ​[email protected]​. The company is obligated to respond within one month of receiving such a request. In certain circumstances this would not be possible and the company will respond with reasons why, where this is the case.

  1. Personal Data Breaches

In the event of a personal data breach, the company has an obligation to rapidly assess the nature of the breach and the severity of any resulting potential risk and harm to data subjects.

The company takes its duty of care to data subjects and their personal data seriously and endeavours to process all personal data as securely as it can. This section outlines what the company will do in the event of a personal data breach.

5.1. The Company’s Obligations

In the event of a personal data breach of any kind, the company will immediately assess the impact of the breach. Where there is risk of impact to data subjects, the company is obligated to notify the supervising authority of the personal data breach within 72 hours from becoming aware of it. In addition, the company will also inform all affected data subjects of the breach and the risks identified without undue delay.

Should the company’s assessment that the personal data breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, then it will communicate with all identified affected individuals to inform them of the situation without undue delay.


The company will document the personal data breach and adjust its processes and procedures in order to prevent further such breaches.

  1. Website Cookies

A cookie is a small text file that is downloaded onto a computer, smartphone or tablet when a user accesses a website. It allows the website to recognise a user’s device and store information about the user’s preferences or past actions.

Both ​ and use cookies only for necessary browsing reasons, namely, for providing a secure connection (SSL) between the user’s device and website.

Further information about cookies can be found at:

  1. Further Information or Questions

Further information is available from the ICO’s website at ​​. If you have any additional queries, please contact the company for further assistance at​.

Integra Aerospace Ltd. is a registered data controller in the United Kingdom, our registration number is: ZA253827. We are registered in England and Wales under registration number 08794646, and our registered office is The Forge, Brampton, Norwich, Norfolk, England, NR10 5HN.