Privacy Notice

This Privacy Notice is intended to inform you about how we collect and process your personal information.

TrueCue’s privacy notice at a glance

TrueCue is a division of Concentra Consulting Limited. The data controller responsible for processing your personal information is Concentra Consulting Limited which you can contact online or by post at:

Concentra Consulting Limited, 100 Cheapside, London EC2V 6DT

The data we collect about you includes identity data and contact data (such as name or identifier, postal and email address, telephone), technical data and usage data (such as IP address, login data, browser type and other technical data, information on how you use our services and websites).

The main ways we use your data are:

  • to register you as a prospect, visitor or customer to process your orders including managing payment
  • to provide you with resources from this site
  • to manage our relationship with you
  • to deliver relevant content to you
  • to use data analytics to measure, understand and improve the effectiveness of our services.

We may share your personal data with carefully selected third parties such as our partners who may use the information to contact you in relation to our products and services.

You can exercise your rights to access the information we hold about you, to correct or delete information from our records, to object to processing of your information or exercise any other of your legal rights by contacting us.


Concentra is committed to protecting and respecting your privacy and personal data. This privacy notice will explain how we look after your personal data; please read it carefully.

1. Purpose of this privacy notice

This notice aims to give you information on how Concentra collects and processes your personal data through your use of any of our websites and participation in our events, including any data you may provide when you sign up to receive information about our products, any newsletter we might release, register for or attend one of our events, request further information about or purchase any of our services.

This privacy notice supplements any more specific privacy notices we may provide to you when collecting specific information from you and is not intended to override them.

Third-party links

Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

2. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be directly or indirectly identified. It does not include data where the identity has been removed (anonymous data).

We collect, use, store and transfer different kinds of personal data about you, as described below. In some cases, the data may not be personal data by itself but where it is associated with other data from which you can be identified, we treat it as personal data:

  • Identity Data includes first name, last name, username or similar identifier, title and gender.
  • Contact Data includes billing address, delivery address, email address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, enquiries or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We may also utilise the above information to create Aggregated Data such as statistical or demographic data. Whilst Aggregated Data may be derived from your personal data it is not considered personal data in law as this data does not directly or indirectly reveal your identity.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

Direct interactions

You may give us your Identity and Contact Data by filling in forms, providing us with your business card or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

  • apply or enquire for one of our services;
  • register to attend one of our events;
  • create an account on one of our websites;
  • subscribe to a service provided by us;
  • view and access our content;
  • request marketing to be sent to you;
  • give us some feedback.

Automated technologies or interactions

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Notice for further details.

Third parties or publicly available sources

We may receive personal data about you from publicly available sources such as Companies House, LinkedIn, or from third parties (examples of which are set out below), who may be based outside of the EU. Once we receive such data we will look after it in accordance with the terms of this privacy policy.

Examples of third party sources:

  • Analytics providers, Search information providers and advertising networks who provide Technical Data about your use of websites.
  • Data brokers or aggregators who provide us with Identity and Contact Data of individuals likely to be interested in our services.

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To register you as a new customer
  • To register you as a visitor at one of our events
  • To process and deliver your services including:
      • Manage payments, fees and charges
      • Collect and recover money owed to us
  • To manage our relationship with you which will include:
      • Notifying you about changes to our terms or privacy policy
      • Asking you to leave a review or take a survey
  • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  • To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
  • To make suggestions and recommendations to you about content, goods or services that may be of interest to you.

The appendix at the end of this policy informs you in more detail of the legal basis of processing your data, and in particular what our legitimate interest is in each case.

Generally, we do not rely on consent as a legal basis for processing your personal data unless you have gone through a specific consent process for a particular service.


We may use your Identity, Contact, Technical, Usage and Profile Data for marketing products and services to you where we have a lawful basis on which to do so.

Unless you opt-out, you will receive marketing communications from us if you have requested information from us, registered to attend one of our events or purchased services from us. You have the right to opt-out of these communications at any time by following the unsubscribe links on any marketing message sent to you or by contacting us.

Third-party marketing

Where we have your express consent to do so, we may share your personal data with trusted partners outside of Concentra for marketing purposes.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our websites may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Notice.

Change of purpose

We will only use your personal data for the purposes for which we collected it or for a compatible purpose, if we reasonably consider that we need to use it for that purpose and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please get in touch with us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

5. Sharing your personal data

We may share your personal data with selected third parties, including:

  • TrueCue partners who may be acting as joint controllers or processors
  • Service providers who provide IT systems, customer management systems and administration services and who will process your data in accordance with the terms of our data processing agreements with them. These include providers such as Google, Amazon Web Services and Microsoft Azure
  • Service providers who provide marketing services at our control.

We may share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:

  • comply with legal obligation, process or request;
  • enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
  • detect, prevent or otherwise address security, fraud or technical issues; or
  • protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law (including exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction).

We may also disclose your information to third parties:

  • in the event that we sell or buy any business or assets, in which case we may disclose your data to the prospective seller or buyer of such business or assets; or
  • if we or substantially all of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. Data transfers outside the EEA

Sometimes we may transfer your details to third parties outside of the European Economic Area (EEA) to support the delivery of our services. If this happens we remain responsible to you for the transfer, processing and storage of your information.

7. Data security

Concentra is ISO 27001:2013 certified. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the internet is not completely secure. We will do our best to protect your information, but we cannot guarantee the security of your information transmitted over the internet; any transmission is at your own risk. We will use strict procedures and security features to try to prevent unauthorised access to your information within our control and possession.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements and for no longer than six years (unless a longer period is required by law).

In certain circumstances you can ask us to delete your data: see ‘Your rights’ below for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

9. Your rights

You have the right to:

  • Ask for a copy of any information we hold about you
  • Withdraw any consents you have given.
  • Ask us to correct any inaccurate or incomplete information we have about you.
  • Ask us to delete your information from our records.
  • Ask us to send a copy of your information to a third party in a data portable format.
  • Object to the processing of your information when we process it for direct marketing purposes on the basis of our legitimate interest.
  • Ask us to suspend the processing of your information.
  • Lodge a complaint with us or the Information Commissioner’s Office or with any other relevant supervisory authority about how we handle your personal data.

If you wish to exercise any of the rights set out above, please contact us. A fee is not usually payable to exercise your rights (although we reserve the right to charge you a reasonable fee if your request is unfounded, repetitive or excessive). We will ask you to provide identification to ensure that we are providing information to the correct person. We will try to respond to requests within a month.

Data Subjects’ Rights in California

If you are a resident of California you may have a right pursuant to Section 1798.83 of the California Civil Code to obtain certain information about the types of personal data that we have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties.

Please contact us at if you would like to exercise any of your rights explained above in relation to your personal data.

10. Contact us

Concentra Consulting Limited is the controller and responsible for this website.

Contact details:

Full name of legal entity: Concentra Consulting Limited

Email address:

Postal address: Concentra Consulting Limited, 100 Cheapside, London, EC2V 6DT

Telephone number: +44 20 7099 6910

If you have any questions about this privacy notice, please contact us at

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. This website is not intended for children and we do not knowingly collect data relating to children. Where we have inadvertently collected information from a child, we will delete it as soon as possible. If you know that a child has given their information to us, please contact us at


This notice was last updated on 15 October 2018. Any changes we may make to this notice in the future will be posted on this page. Please check back frequently to see any updates or changes to this notice. Archived copies can be obtained by contacting us at the address above.

11. Legal basis of processing

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new customer | (a) Identity, (b) Contact | Performance of a contract with you |
| To process and deliver your services including: (a) Manage payments, fees and charges | (a) Identity, (b) Contact, (c) Marketing and Communications | (a) Performance of a contract with you |
| To deliver relevant website content to you and measure or understand the effectiveness of the content we serve to you. | (a) Identity, (b) Contact, (c) Profile, (d) Usage, (e) Marketing and Communications, (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical, (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity, (b) Contact, (c) Technical, (d) Usage, (e) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business) |

12. Glossary of terms

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.


This is intended to provide information and assurance on how TrueCue has been designed to segregate and protect customer data and how Concentra meets key Information Security Requirements from an organisational perspective.

This supports the Concentra Data Protection Schedules and the TrueCue Security Schedule.

As a TrueCue client you are the Data Controller for data you upload into TrueCue and Concentra Consulting Ltd is the Data Processor. Our legal basis for processing any data you upload into your TrueCue tenant will always be founded on the performance of the contract we have with you.

As a Data Processor, Concentra delivers compliance with its obligations to provide sufficient guarantees in implementing appropriate technical and organisational measures, notably through our ISO 27001:2013 certification. This is supported by the extensive security and data protection controls we have in place for the TrueCue application which we describe in detail in our product documentation. This documentation also includes the security measures built into the Azure platform which TrueCue is hosted from and information on how we approach security as an organisation.

TrueCue has always held the principle of ‘Secure by Design’ as a core pillar of its architecture and security posture. As a true multi-tenanted environment, each TrueCue client tenant is logically separated, ensuring appropriate technical measures are in place to safeguard your data.

To meet requirements related to the ongoing confidentiality, integrity, availability and resilience of our processing, our adoption of the Azure platform for TrueCue hosting has enabled us to provide industry-leading levels of security, resiliency and scalability which we deliver to you. More information on Azure compliance programs is available at

The terms of the TrueCue licence include our commitment to you that we will notify you of any intended changes concerning the addition or replacement of processors. Apart from Concentra, only Microsoft (via the Azure platform) is involved in the delivery of the TrueCue service and has no access to your data on TrueCue.

Currently we offer TrueCue in the EU region only, with future support for more locations planned. Your data will remain in the deployed region only and will not be transferred to any other region as they become available without prior agreement.

In selecting Azure we have chosen a hosting provider who complies with EU Model Clauses and whose platform enables ISVs to maintain compliance with the requirements of GDPR. More information is available here:

Our Security Schedule also includes our commitment to you that we will retain your TrueCue tenant data for up to 10 working days at the end of your relationship with us, or for a shorter period if you require, at which point your data will be destroyed and ultimately rendered unrecoverable after our 30-day backup retention cycle has passed.

The following sections provide further detail on the information security and data protection controls we implement to safeguard your data:

Organisation of Information Security

Concentra’s commitment to data security and privacy is reflected at all levels throughout the organisation. Concentra has a dedicated Information Security team and Data Protection Officer, with governance in place through an Information Governance Board led by C-Level Executives. An established risk management program is in place with Board level visibility.


Encryption is at the core of TrueCue’s information security and data protection controls. Each TrueCue client tenant is encrypted via AES-256 (GCM). AES remains the global benchmark for symmetric encryption at rest. TrueCue encrypts all data at rest using default encryption in place on the Azure platform. All TrueCue data in transit is encrypted via HTTPS over TLS 1.2 with 256-bit encryption.

Physical and Environment Security

TrueCue is hosted in Microsoft Azure data centre facilities providing benchmark levels of physical and environmental security controls. Information on Azure compliance programs is available at: com/en-gb/overview/trusted-cloud/

In the interests of security, Microsoft does not publish physical address details for their Azure data centre locations. From an organisational perspective, Concentra offices are managed with extensive physical security controls and have been independently audited for compliance with the requirements of the ISO 27001 standard.

Operational Security

TrueCue utilises serverless technologies on the Azure platform which are protected by full endpoint protection services, incorporating Anti-Virus, Intrusion Protection and Data Loss Prevention controls. The Azure environment provides additional controls, notably in the form of Azure Security Centre and Advanced Threat Protection delivering intelligent threat detection and continuous monitoring. TrueCue backups are made on a nightly basis and retained for 30 days.

Human Resource Security

All Concentra staff are subject to criminal record checks as part of our standard screening process for new employees, which includes extensive background verification of previous employment and educational certificates. Formal Information Security and Data Protection training is mandatory for all staff and delivered through an online LMS platform. Awareness training is complemented through company presentations, newsletters and induction sessions.

Asset Management

Within our organisation, owners for physical and information assets are recorded with clear responsibilities outlined. These responsibilities include management of access to information assets, assignment of information classifications and retention periods.

Access Control

A key security principle of TrueCue is the client’s control over access to the application and the data within. Authentication is via Single Sign-On (SSO) only, enabling a client’s own internal access control policies to be extended to their TrueCue environment. Authentication via SSO enables support for Multi-Factor Authentication. From an organisational perspective, Concentra access control changes relating to role moves and departures from the organisation are closely managed, with all access to Concentra’s own internal systems removed on date of departure. The principles of least privilege and need to know are embedded in the organisation’s access control methodology.

Communications Security

All TrueCue data in transit is encrypted via HTTPS over TLS 1.2 with 256-bit encryption. Data transfers are uploaded directly into the segregated tenant environment.

Systems Acquisition Development and Maintenance

Concentra manages all TrueCue code development internally. This approach enables consistent levels of information security throughout an established SDLC process, while remaining agile in providing rapid updates and feature improvements through a DevOps and Continuous Delivery framework. All Developers receive training in secure coding practices which are aligned to the OWASP Top 10 Application Security Risks.

Supplier Relationships

Concentra directly manages the delivery of all Data-Plus services with Microsoft Azure being the only third party involved. Microsoft Azure has no open access to TrueCue data. Any change to existing or the introduction of new processors to the TrueCue service would be communicated to and approved by our clients.

Information Security Incident Management

Concentra has an established Incident Management process incorporating root cause analysis and corrective action remediation. Incident Managers have direct access to Executive leadership to ensure all appropriate resources are available. Any incident impacting the information security or privacy of your TrueCue data would be reported to our clients within 24 hours of discovery, which is formalized through the TrueCue Security Schedule.

Business Continuity

TrueCue leverages multiple Availability Zones within the Azure infrastructure providing very high levels of fault tolerance and resiliency. Azure Availability Zones enable TrueCue to be supported from multiple diverse locations, providing continuous service levels, while retaining data within the same geographical region. From an organisational perspective, Concentra has an established business continuity planning strategy and takes a cloud-first approach to its own internal systems, reducing dependency on physical infrastructure and office locations.

Compliance, Security Certifications and Audits

Concentra is ISO 27001:2013 and CSA (Cloud Security Alliance) STAR certified. Ongoing compliance with these standards ensures that Concentra’s information security management system is routinely reviewed and audited by external independent bodies. In addition, Concentra completes annual web application penetration tests for TrueCue using CREST certified resources. These tests provide assurance and contribute to the continual improvement of the security posture of TrueCue.