mimulus

Privacy notice

This privacy policy applies to the collection and use of client and mimulushq.com visitors’ personal data by Mimulus HQ Ltd (Company Number: 09155285) and its subsidiaries.

As a company processing your personal data, we are regulated by the General Data Protection Regulation (GDPR). This page is intended to keep you informed about what we do with the personal data we process.

What information do we collect?

When you visit our website

Information is collected in these ways:

• Automatically in our server logs, to help us keep the site reliable and secure. This includes your IP address and browser type, and which pages are visited. We use AWS to manage those logs, and may keep them for up to a year. Their privacy notice can be read here.
• We use cookies to record whether you consent to our use of analytics, and if you did consent then cookies are used to gather the data. If you give your consent, we use Google Analytics to help us improve the content and design of the website. This also includes IP address, browser type and pages visited, along with some extra information about the technology you use. We don’t use it to gather demographic information. Their privacy notice can be read here.
• The website is hosted by Amazon Web Services. Other than the server logs mentioned above we don’t store any personal information with Amazon Web Services.

When we have engaged in a business development conversation with you

When you engage with us to discuss a new business opportunity, we will collect, obtain, and hold a range of data about you that may be able to identify you directly or indirectly.

This data can include your name, contact information (such as email address and phone number), professional details (such as your job title and the organisation you work for), and any other information relevant to the business development conversation.

This information is used solely for the purpose of facilitating and maintaining our business relationship, including follow-up communications, project management, and service delivery.

When you are engaged with us as a client

When you engage with us to deliver services for you, we will collect, obtain and hold a range of data about you that may be able to identify you directly or indirectly. This information may include:

• Name
• Professional contact details- address, telephone number and email address
• Potentially personal contact details- address, telephone number and email address
• Company name
• Job title
• Social Media links
• Information relating to your business
• Personal data relating to your employees

Why do we collect this information?

We collect and process your personal data for the following reasons:

• Managing our website
• Recording and managing your professional information we hold
• Recording, administering and progressing your organisation’s contracted engagement
• Determining the terms on which we will provide services to you
• Generally administering the contract we have entered into with you
• Processing legal claims
• Respond to comments and enquiries
• Inviting you to events

Evaluating the effectiveness of our services, either by contacting you directly for feedback or using anonymised or pseudonymised data for analysis.

The legal basis for processing this information

We take our obligations around the handling of data very seriously, and it is therefore important for you to know the various lawful bases that we rely on under data protection law for the processing of your personal data.

In order to be able to process your data lawfully, we must rely on a specific lawful basis, depending on the main reason why we need the data. Below we will explain these lawful bases:

• Consent- You have explicitly consented to us processing your personal data, for example to communicate with you about potential business.
• Contract- It is necessary for the performance of a service contract with you. This also relates to information that we may need to process prior to entering into the service (e.g. providing a quote).
• Legal obligation- We may need to process your data to meet legal requirements such as responding to legal requests. Where we process special categories of data, such as information about ethnic origin, health conditions, and religious beliefs, we rely on this basis.
• Legitimate Interests- We will collect and use your data for our legitimate business interest in delivering services to you, to manage our relationship with you and to evaluate and maintain the efficacy of our services more generally. Where we use this basis we will have ensured your interests and fundamental rights do not override those of ours.

Who do we share your information with?

As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need.

Your information will be shared with the third party providers referred to above that help us operate this website and provide our products and services (these recipients act on our behalf and under our instructions only), we share internally within Mimulus for the purposes of delivering services and managing our relationship with you. It will also be shared as required with our contracted Associates who are supporting us to deliver the agreed services to you.

Transfers to third parties outside the EEA

Where appropriate for certain client matters, we may use service providers located outside the EEA. When we transfer personal data to such service providers it will usually be on an ad hoc basis, and in accordance with instructions from our clients.

To manage our services, we use third party platforms which may transfer your data outside of the EEA. Where the recipient is located in a country which has not been deemed by the European Commission to have adequate laws in place to protect it, we ensure the appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or your consent.

Mimulus is required to share your data with third parties when legally obliged, for example to the police for matters relating to the detection and prevention of crime.

How long do we keep your information?

As a principle, information about you will not be kept for longer than it is needed for the purpose it was collected.

Mimulus has a records retention schedule which documents how long different information is required to be retained. When it is no longer required in line with its retention period, personal information is securely and permanently destroyed.

How do we protect your data?

We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

We ensure that your personal data is processed lawfully and respectfully, ensuring that we are always compliant with data protection laws and information security standards, for example, the General Data Protection Regulation and Data Protection Act 2018. We also have procedures in place to deal with any suspected data security breach.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

What rights do you have in relation to the way we process your data?

As an individual whose data we process (a data subject), you have certain rights in relation to the processing:

The right to Information Access
You have the right to access the information about you that Mimulus holds about you.

The right to Data Portability
You have the right to move, copy or transfer the Personal Data we hold from one IT environment to another in a safe and secure manner.

The right to Rectification
You have the right to correct any personal information that we hold that may be incorrect.

The right to Object to Processing
This right allows to you to stop Mimulus using your Personal Data at any time for purposes such as direct marketing.

The right to Erasure (Right To Be Forgotten)
You can use this right in certain circumstances, to ask us to erase any personal data that Mimulus holds about you.

The right to Restriction of Processing
You have the right to restrict the processing of your Personal Data. This means you can limit the way we process your information in certain circumstances.

For more information about these rights please visit the Information Commissioner’s website.

If you would like to exercise any of these rights, please contact the Mimulus Data Protection Officer at dpo@mimulushq.com.

Contact us

For any query or request relating to our use of your personal data, or to exercise your rights, you may contact us via dpo@mimulushq.com.

If for any reason you're not satisfied with our response you can make a complaint to the UK Information Commissioner (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data. Details on how you can do this can be found at the Information Commissioner's Office (ICO) website.

Changes to this policy

We may change this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated: 24 October 2025.