Contact

Privacy Policy

Virtual Lease Services Limited VLS

External Privacy Notice

1. Introduction

  • Virtual Lease Services (VLS) is a business located in the United Kingdom (UK). As such, we have a legal responsibility to comply with the UK version of the General Data Protection Regulation (UK GDPR) and Data Protection Act 18 (DPA 18). One of the requirements of the UK GDPR is to provide individuals with information on how VLS uses personal data. This privacy notice aims to meet that legal requirement.
  • This privacy notice uses terminology that is defined in the UK GDPR. Examples include ‘personal data’, ‘processing’, ‘data subject’, etc.
  • This Privacy Notice sets out information on how and why Virtual Lease Services Limited whose registered office is at 1st Floor, Vista, St. Davids Park, Ewloe, Deeside, Flintshire, CH5 3DT (“we” or the “Company”) processes personal information about our external data subjects (“you”) and your rights in relation to that information.

2. Scope

  • This notice covers all our external data subjects. This includes, potential clients, clients, suppliers, and recruitment candidates.
  • This notice does not apply to VLS staff (employees, workers, contractors or agency staff). For staff wishing to see the internal privacy notice, please contact your line manager.

3. Data Processing Details

  • This section of the privacy notice is intended to give you details of data processing activities that involve your personal data. It has been grouped by data subject type. Please be aware that you may fall into multiple categories of data subject.
  • Where this notice describes the types of data which we collect, this list is not exhaustive; it is intended to give you an indicative list of the types of data used.
  • Where this notice describes the purposes of processing, we detail the processing activities that occur on a regular or frequent basis. There may be other processing activities which are one-off or only apply to specific people. Where these less frequent activities occur, we will provide you with relevant details at the time of processing. In the sections that describe the purpose of the processing, the relevant UK GDPR Article 6 lawful basis which we rely on to conduct this activity is provided in brackets.
  • As part of VLS’s standard business operations, we may transfer your personal data to third parties. Where we describe the third party transfers of data, we summarise the categories of third party which regularly or frequently receive data from us. Some one-off or less frequent data transfers may not be included in these lists. When these less frequent transfers occur, we will inform you. Depending on the third party that data is transferred to, your information may be sent outside of the UK. In these instances, VLS will ensure that the appropriate safeguards have been applied to this transfer of data, including insuring that any relevant contracts are UK-GDPR compliant.
  • Your data may be transferred to the VLS intercompany group. This includes transfer of your data to Netsol Inc which is located in both Pakistan and the USA.
  • If you need more specific details of the transfer of your personal data, such as the location of the organisation or the specific appropriate safeguard, please contact us.

3.2. Potential Clients, Clients & Suppliers

  • This section applies to potential clients, clients, and suppliers.

3.2.2. What information do we collect about you?

  • Basic contact details including your name, work email, work address, work phone number, office location and the region you work in.
  • Basic information about your organisation including the name, approximate size, location, and core services.
  • Information about your job role, including your job title and any other information which you share with us (e.g. job functions that you are responsible for).
  • If you have a publicly available, work-related, social media account (e.g. LinkedIn), we may have notes on topics which you are interested in or post about.
  • Records of any conversations, meeting notes, proposals or other miscellaneous material that may be stored prior to signing a contract with you.
  • Contracts, signatures and related data.
  • Financial data related to your organisation for the purposes of receiving/paying invoices and record keeping.
  • Where you have been provided with access to our systems, we maintain security and access logs of your interactions with our infrastructure.
  • Where you have accepted cookies or have been provided with access to our systems, we will collect device data. This may include, the type of device you use, a unique device identifier (e.g., an IMEI number or Ip or MAC address), IP (internet protocol) address, device ID, app ID, vendor ID, advertising ID, the type of operating system and browser, time zone settings, and other device-related information; date, time and duration of access including pages viewed.
  • Where you submit an IT support ticket to us, we will store your basic contact data, descriptions of the issues you are facing, conversation history, and related information about your device.
  • Where you are required to undergo a due diligence check, we will collect data that is required as part of that. This may include, your name, date of birth, 3 year residential history, identification documents (passport, driver’s license, national insurance number, etc.) and your employment details.

3.2.3. Purpose of Processing and Lawful Basis

  • Clients & Supplier Management (Legitimate Interests) – Storage of contact information for sales prospects, clients, & suppliers alongside records of meetings, conversations and calls.
  • New Client & Supplier Onboarding (Legitimate Interests) – The performance of due diligence checks on new clients and suppliers.
  • Accounts Receivable (Legal Obligation) – The issuing of invoices and the receipt of money from VLS clients. This process manages the associated personal data for this.
  • Account Management – External (Legitimate Interests) – The enrolment and management of IT accounts for external users, including access control, and access to applications.
  • Service Desk (Legitimate Interests) – Management of support tickets for IT related issues.
  • Interaction Data & Security Logs (Legitimate Interests) – Recording and storage of interaction data for the purposes of security management. This includes log in dates and times, files and systems accessed, etc.

3.2.4. Transfers of Personal Data

  • Your personal data may be transferred to the following categories of third parties:
  • Banks, accountants, and financial management tools
  • Cloud-based document management systems
  • IT security management software and related systems
  • Customer support tools
  • Cloud computing services
  • Email providers and instant messaging systems
  • Third parties who perform due diligence checks
  • Third party consultants who work with VLS
  • (where applicable) Clients of VLS

3.3. Recruitment candidates

  • This section applies to individuals who apply for a job at VLS and may also apply to consultants or other suppliers who wish to work with VLS.

3.3.2. What information do we collect about you?

  • your name, title, personal telephone number and personal email address
  • Information you provide to us on your curriculum vitae (CV).
  • information gathered, and any references obtained during your recruitment process, including right to work checks;
  • information regarding unspent or spent criminal convictions and criminal records checks where applicable. We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. We may collect this information during the recruitment process, our annual checking or where we are notified by you or a third party during your employment;
  • we will collect information about your criminal convictions history if your role is one that requires this under the Financial Conduct Authority (FCA) Senior Managers and Certification Regime approving any role or change of role relevant to your employment.
  • driving licence
  • passport
  • education records, training records, records of qualifications and achievements and any professional memberships;

3.3.3. Purpose of Processing and Lawful Basis

  • Recruitment (Contract) – Recruitment of new employees, including the collection of CVs, interviews, and job offers.
  • Background Checks (Legal Obligation) – Performing basic personnel security screening including, DBS checks, right to work checks, and financial checks.
  • Additional FCA Background Checks (Legal Obligation) – Additional security screening for regulated roles which require higher standards of background checks (e.g., registered directors, certified roles, and SMF3 or CF1 roles), as required by the FCA.
  • Joiners, Movers, Leavers (Contract) – Management of changes in employee job roles, including promotions, change in role and release of employee (including voluntary leavers, redundancy and misconduct).

3.3.4. Transfers of Personal Data

  • Your personal data may be transferred to the following categories of third parties:
  • Human Resources management platforms
  • Cloud-based document management systems
  • Third parties who conduct right to work checks and background checks
  • Organisations who specialise in Financial Conduct Authority background checks

3.4. All Data Subjects

  • This section applies to all data subjects.

3.4.2. What information do we collect about you?

  • Where you use our website and cookies are placed onto your device, we collect device data. This may include, the type of device you use, a unique device identifier (e.g., an IMEI number or Ip or MAC address), IP (internet protocol) address, device ID, app ID, vendor ID, advertising ID, the type of operating system and browser, time zone settings, and other device-related information; date, time and duration of access including pages viewed.
  • Where you are involved in a security incident, we will record any data that is relevant to the incident.

3.4.3. Purpose of Processing and Lawful Basis

  • Website Cookies (Consent) – The use of website cookies and related data on the VLS website.
  • Incident Logs (Legal Obligation) – Records of security incidents, following the incident management standard, collection of evidence, and related investigations.

3.4.4. Transfers of Personal Data

  • Cloud-based document management systems
  • IT security management software and related systems
  • Customer support tools
  • Cloud computing services
  • Providers of widely available website cookies

3.5. Retention Periods

  • VLS has set retention schedules which state how long we will keep personal data for. The majority of our data processing activities fall within the below categories; however, for some less frequent data processing activities we may have different retention schedules set. For more information on these other retention schedules, please contact us.
  • Default Retention Schedule – For data which does not fit into another category, data is kept for 7 years after the data entry was created, at which point it is reviewed for further retention, deletion, or archiving.
  • Unsuccessful Recruitment Candidate Data – For individuals who are not successful in their job application with VLS, we keep your data for 1 year after the date of last action, at which point, your data will be deleted.
  • Successful Candidate Recruitment Data (HR Data) – For any data relating to your personnel file or data that relates to you as an employee, your data will be kept for 6 years after the end of your employment at which point your data will be deleted.
  • Financial Data – For any financial related data such as payroll data, pension data, tax records, invoices, etc., data is kept for 6 years after the end of the financial year, at which point, data is deleted.
  • IT Account Data – For any data relating to a VLS IT account (excluding emails and interaction data), data will be kept for 30 days after the account has been disabled, at which point data will be deleted.
  • Email Data – For any emails that have been sent or received from a VLS email account, data is kept for 7 years after the email was sent/received, at which point data is deleted.
  • Interaction data – For any interaction data relating to your IT Account (e.g. access logs, security logs, etc.), data is kept for 90 days after the event occurrence, at which point data is deleted.
  • Incident Logs – For any data relating to an information security incident, data is held for 6 years after the date of last action, at which point, the data is reviewed for further retention or is deleted.
  • Support Tickets – For any data relating to an IT support ticket submitted to VLS, the ticket is kept for 6 months after the end of the contract with the relevant Client.
  • Sales Prospect Data – For any data relating to a potential sales prospect or unsuccessful sales prospect, data is held for 2 years after the point of last contact/last action with that individual, at which point, data is deleted.
  • Third Party Website Cookies – Please see the VLS cookie management system for details on the retention schedule of specific cookies.
    • VLS employs a retention schedule +1 system for management of data. We will keep data for the stated duration and then review data for deletion during an annual review of all data at some point during the following year.

3.6. Source of the Data

  • For the majority of cases, VLS will collect your personal data directly from you. In some instances, we may obtain your personal data from third parties:
  • In the area of recruitment, if you applied for a job at VLS, we may have obtained your personal data from recruitment agencies or from job listing websites. We may have obtained your data from your public information listed on social media websites (such as LinkedIn).
  • For clients and suppliers, we may have obtained your data from conferences or events that both you and VLS have attended. We may also match this data with publicly available data, such as data that you post on work-related social media accounts.

3.7. Statutory and Contractual Obligations

  • For some data processing activities that VLS undertakes, you may have a statutory or contractual requirement to provide VLS with your personal data. In these instances, if you decide not to provide VLS with your personal data, this may have consequences. For example, it may void a contract which you have with VLS.

4. General Information

4.1. Your UK GDPR Rights

  • Under the UK GDPR, you have rights that you may exercise at any time. Whilst you may exercise these rights at any time, VLS is not always obliged to comply with your requests. Each right has requirements and exemptions that are associated with them. For further information on these requirements and exemptions, please visit the Information Commissioner’s Office (ICO) website:

https://ico.org.uk

 

  • The Right to be Informed – You have the right to be informed about how VLS uses your personal data. We are required to provide you with details of our data processing activities (where they involve your personal data). Typically, VLSwill provide this information to you in privacy notices such as this one.
  • The Right of Access – You have the right to request a copy of the personal data that VLS holds about you.
  • The Right to Rectification – If VLSholds personal data about you that is inaccurate or outdated, you have the right to request that this information is changed.
  • The Right to Erasure – You have the right to request that VLS deletes personal data that relates to you.
  • The Right to Restrict Processing – You have the right to request that VLSrestricts or suppresses the further processing of your personal data.
  • The Right to Data Portability – You have the right to request that VLSprovide a copy of your personal data to you in a commonly used digital format.
  • The Right to Object – You have the right to object to specific processing activities that VLS undertakes. Specifically, you may object if VLS is using your data form marketing purposes, for a task carried out in the public interest, for an exercise of official authority, or where we have relied on legitimate interests as a lawful basis.
  • Rights in Relation to Automated Decision-Making Including Profiling – Where VLSuses IT systems to make decisions about you (with no human involvement or oversight), you have UK GDPR rights in relation to this. These rights include the ability to request for human intervention to challenge a computer made decision, or to request a check that an automated system is working as intended. Currently, VLS does not carry out any automated decision making or profiling.

4.2. The Right to Withdraw Consent

  • Where VLS has relied on consent as a UK GDPR Article 6 lawful basis or an Article 9 exemption, you have the right to withdraw this consent at any time. When you withdraw your consent for data processing, VLS will make reasonable efforts to stop the associated processing activity as soon as possible.

4.3. Right to lodge a complaint

  • You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your personal information. They can be contacted via:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Tel: 0303 123 1113

4.4. VLS’s Data Protection Officer

  • VLS has appointed a third party Data Protection Officer (tmc3 Limited). They can be contacted here:

Name: Joe Morgan

Email: dataproetctionservices@tmc3.co.uk

4.5. Contact VLS

  • If you have any questions or comments regarding the content of this Privacy Notice, please contact us at the following address:

Virtual Lease Services Limited

1st Floor Vista

St David’s Park

Ewloe

Deeside

Flintshire

CH5 3DT

 

 

 

Version

Date

Status

Approved By:

V2.1

17/10/2024

Draft

Joe Morgan

 

 

 

 

 

Head Office
VLS, 1st Floor, Vista
St David’s Park, Ewloe
Flintshire
CH5 3DT

01244 957 236
hello@vls.uk.com

Join our newsletter:

Linkedin

Follow us:

VLS has a zero-tolerance approach to Modern Slavery. We are committed to acting ethically and with integrity in all our business dealings and relationships. We will implement and enforce effective systems and controls to ensure Modern Slavery is not taking place in our own business or supply chain. We are committed to ensuring that our business is transparent, as such we will comply with the disclosure obligations under the Modern Slavery Act 2015.

Virtual Lease Services is a company authorised and regulated by the Financial Conduct Authority

Privacy Policy and Cookies  |  Terms & Conditions  |  Modern Slavery Statement

© 2025 Virtual Lease Services Ltd. All rights reserved.

Website by Entyce Creative

Head Office
VLS, 1st Floor, Vista
St David’s Park, Ewloe
Flintshire
CH5 3DT

01244 957 236
hello@vls.uk.com

Privacy Policy and Cookies  |  Terms & Conditions  |  Modern Slavery Statement

Linkedin