Privacy Notice
Last updated: June 2026
This privacy notice covers the Landed Lab platform and website. It explains the personal data we collect, why we collect it, what we do with it, and your rights.
Landed Lab is operated by Orum Consulting Ltd, registered in England and Wales. Data Controller: Orum Consulting Ltd. Contact: info@landedlab.com. Registered address: Belmont Suite, Paragon Business Park, Chorley New Road, Horwich, Bolton, BL6 6HG.
Who we are and legal framework
We are registered as a Data Controller with the Information Commissioner's Office (ICO).
This notice reflects the UK GDPR and the Data Protection Act 2018, including updates introduced by the Data (Use and Access) Act 2025 (DUAA), including provisions in force from 5 February 2026 and 19 June 2026.
Your rights
You can contact us at info@landedlab.com to exercise your rights. We do not charge for standard requests, and we aim to respond within one calendar month unless an extension is justified.
- Awareness: to be informed about why and how we process your personal data.
- Access: to receive a copy of the personal data we hold about you.
- Rectification: to ask us to correct inaccurate personal data.
- Erasure: to ask us to delete personal data, subject to required retention periods.
- Restriction: to ask us to limit processing in specific circumstances.
- Object: to object where processing relies on legitimate interests.
- Portability: to request your data in a machine-readable format where applicable.
- Automated decisions and profiling: rights relating to decisions made solely by automated processing.
- Complaints: to complain to us first and escalate to the ICO at ico.org.uk or 0303 123 1113.
Where your personal data comes from
- When you visit the Landed Lab website.
- When you sign up to our waitlist.
- When you create a platform account.
- When you complete assessments and receive feedback.
- When you interact with us by email or social media.
- When you subscribe to newsletters or marketing communications.
- When you enquire about our services.
Lawful bases for processing
A full list of personal data categories, purposes, and lawful bases is set out in Schedule 1.
Where we rely on consent, you can withdraw it at any time by contacting us or updating your account preferences. Withdrawal does not affect processing carried out before withdrawal.
Where we rely on legitimate interests, you can object at any time. For direct marketing, we stop communications when you object or unsubscribe.
Special category personal data
Special category data includes sensitive information such as ethnicity, health, disability, beliefs, and sexuality.
We may collect optional demographic information (such as ethnicity or disability status) only to improve fairness and equity in assessment design, only with explicit consent, and never as a condition of using the platform.
How long we keep personal data
Each processing purpose has its own retention period. Full details are in Schedule 2.
Where processing is based on legitimate interests or consent, we keep personal data until a valid objection is upheld or consent is withdrawn, unless we must retain data for legal reasons.
Who we share personal data with
We may disclose data where required by legitimate law enforcement requests.
We use third-party service providers for hosting, platform support, and communications. We put Data Processing Agreements (DPAs) in place and share only the minimum data needed.
We may also share data with professional advisers where necessary.
- We never sell your personal data.
- We never share personal data for advertising purposes without your explicit consent.
International transfers
Some providers operate outside the UK. Where data is transferred to countries without an adequacy decision, we use safeguards such as ICO-approved Standard Contractual Clauses (SCCs), Binding Corporate Rules where applicable, and additional technical and organisational safeguards.
We keep transfer safeguards under review as ICO guidance evolves.
How we keep your data secure
- Encryption in transit (TLS) between your browser and our services.
- Encryption at rest where personal data is stored by us or processors.
- Role-based access so only authorised people can access data.
- Password-protected systems and multi-factor authentication where available.
- Supplier DPAs requiring security and transfer protections.
- Data protection by design and by default in platform operations.
- Regular reviews of security policies, technical measures, and processor arrangements.
Children
Landed Lab is designed for graduates and early-career professionals aged 18 and over. We do not knowingly collect personal data from anyone under 18.
If we discover we have inadvertently collected data from someone under 18, we will delete it promptly.
Cookies
For full cookie details, see our Cookie Notice.
In line with updated ICO guidance and the DUAA, certain low-risk functional cookies may be set without prior consent. Where cookies process personal data beyond this, we request consent first.
How to make a complaint
If you have concerns about how we handled your personal data, please raise them with us first.
You can contact us by email at info@landedlab.com or by post to Orum Consulting Ltd, Belmont Suite, Paragon Business Park, Chorley New Road, Horwich, Bolton, BL6 6HG.
We aim to acknowledge complaints within 30 days and respond without undue delay, keeping records of investigation steps and outcomes.
If you are not satisfied with our response, you can escalate to the ICO at ico.org.uk or 0303 123 1113.
Changes to this privacy notice
We may update this notice to reflect changes to our services, software providers, or legal obligations. The latest version is always available on the Landed Lab website, and we notify users of material changes by email or in-platform.
Schedule 1 - Purposes and lawful bases
- Waitlist/prospective users: name and email from website sign-up to confirm registration and send launch updates (consent).
- Registered users: account details such as name, email, encrypted password, employment status, graduation year, and career stage for account creation and management (contract).
- Platform usage data: assessment responses, progress data, and feedback to deliver daily practice and personalised expert feedback (contract).
- Technical data: IP address, browser, device, session and usage logs for security, performance, and aggregate analytics (legitimate interests).
- Optional demographic data: ethnicity, disability status, or similar when voluntarily provided to improve fairness and equity of assessment design (explicit consent).
- Marketing/newsletter subscribers: name and email for product updates and launch communications (consent).
- Financial/transaction records: name, email, and payment reference (no card data held by us) for invoicing, accounting, and tax compliance (legal obligation/contract).
Schedule 2 - Retention schedule
- Registered account data: 3 years from last active use; then deleted from platform database and associated systems.
- Assessment responses and feedback: 3 years from last active use, or sooner upon account deletion request; then deleted from platform database.
- Waitlist data for non-converting users: 12 months from sign-up or until unsubscribe; then deleted from email platform and CRM.
- Marketing/newsletter data: until unsubscribe or consent withdrawal; removed from email platform and retained only on suppression list to prevent unwanted contact.
- Technical and usage logs: 12 months with automated deletion by hosting provider.
- Optional demographic data: until consent withdrawal or account deletion, then deleted immediately.
- Financial records: 6 years (HMRC requirement), then deleted from accounting software and hard copies shredded.
Schedule 3 - Third-party processors
The organisations below process personal data on our behalf under DPAs and with encryption-at-rest controls:
- Vercel Inc. (USA): IP addresses, usage/session data, platform performance data.
- Supabase Inc. (USA/AWS): user account data, assessment responses, and platform database content.
- Microsoft Azure / Microsoft Ireland Operations Ltd (EU/Ireland): platform data where Azure services are used.
- Squarespace Inc. (USA): IP addresses, usage data, and contact form submissions.
- IONOS SE (Germany/EU): email addresses and communications data.
- Brevo (Sendinblue SAS) (France/EU): names and email addresses for marketing and transactional emails.
- Vercel Analytics (USA): aggregate anonymised usage data.
- GitHub Inc. (USA): source code hosting (personal data only if present in code).
- OpenAI (USA): assessment responses processed to generate expert feedback, anonymised where possible.
- Slack Technologies LLC (USA): internal communications, with user data only when required in support contexts.
- ngrok Inc. (USA): temporary connection data during development and Slack authentication.