Privacy & Cookie Policy

This policy explains how we collect, use, store, and protect your personal data when you visit our website. It applies to all visitors of www.graymatter.co.uk.

Last updated: 6 March 2026

1. What Information Do We Collect About You?

We collect and store information about you that you voluntarily provide when you complete a 'Contact Us' form or telephone us using the number displayed on our website. We also collect information about you if you register for any event that we are co-hosting with a partner or affiliate. This personal information may include your name, the company you work for, your telephone number, location and email address.

If you choose to telephone us, your call may be recorded so that we can ensure that we have a record of your enquiry and answer your request appropriately. If you contact us, we may keep a record of that correspondence, including any CV you have voluntarily submitted to us for recruitment purposes, via the website.

Website usage information is also collected using cookies and other automated means such as Google Analytics (GA4) and the LinkedIn Insight Tag. Google Analytics is configured with IP anonymisation enabled (anonymize_ip: true), so your full IP address is not stored. This may include details of your visits to the website, including but not limited to, traffic data, weblogs and other communication data as well as the pages you visit and resources or information you access.

2. How Will We Use the Information About You?

We use the information collected about you or submitted by you, to process and answer your request whether for recruitment purposes, services, event registration or for more information. If you agree, we also use your information to email you about the other similar products and services we think may be of interest to you.

We use the information collected by automated means to personalise your visits to our website. This includes such things as the type of internet browser you are using and information on actions taken on the site or the route chosen to navigate through it as well as the number of times you have visited.

Collecting this information enables us to continually improve our site for visitors. We may also use it to perform data analyses, including anonymisation of personal information.

3. Who Might We Share Your Information With?

In order to provide you with information about some services, we may share your information with third parties which include:

• Business partners where Graymatter Reply is partnering as a specialist provider to offer a service or host an event. Where an event is hosted with an affiliate, any personal data collected regarding your attendance will also be subject to the relevant affiliate's Privacy Notice.
• Third-party platforms and sub-processors employed by Graymatter Reply to support our marketing communications and CRM activities. Some of these providers may operate outside the UK, in which case appropriate safeguards will be in place (see Section 4).
• Other companies and organisations for the purposes of fraud protection and credit risk reduction, to protect our rights, property or safety of employees, clients or others or otherwise comply with any legal obligation.

We will never sell your information to another provider.

Our website provides the ability to share articles and news via LinkedIn. When you choose to use this 'share' function, you will be redirected away from Graymatter Reply's website to LinkedIn, where your personal data is controlled and processed in line with LinkedIn's Privacy Policy.

4. International Transfers

Because we use third-party marketing automation and CRM platforms, some of the data we collect from you may be transferred to or stored in countries outside the United Kingdom. It may also be processed by staff operating outside the UK who work for these platforms.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR. This includes the use of the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO). Such platforms are committed to ensuring that any sub-processors protect your personal data to the same standard as provided by us.

5. Marketing and Our Legitimate Interests

'Legitimate interests' means the interests of our Company in conducting and managing our business to enable us to give you the best service; in this case to ensure that our marketing is relevant to you and we send you marketing that is tailored to your interests.

When you choose to complete a 'Contact Us' form on this website or telephone us for more information, you are registering your interest in receiving selected information about our marketing services. With respect for your privacy, it is only when you explicitly select how you wish to be contacted, by telephone and/or email, that we will contact you with marketing information.

6. How Long Do We Keep Your Personal Data?

We may retain your personal data for a period of time consistent with the original purpose of collection (see "Marketing and Our Legitimate Interests" above). Where you cancel your registration for an event hosted by us or co-hosted with an affiliate (see "Who Might We Share Your Information With?" above), your personal data will be deleted from Graymatter Reply's systems on receiving your cancellation within the timescales set out in the event specific information. Failure to 'show' will not constitute a cancellation. Please refer to any affiliated partner's Privacy Notice for details of how they manage your personal information.

The length of time we keep your information for is determined by an assessment of the amount, nature and sensitivity of the information being processed, the potential risk of harm from unauthorised use or disclosure of your personal data and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements.

After expiry of the applicable retention periods, your personal data will be deleted or anonymised. If there is any data that for technical reasons, we are unable to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.

For further information on applicable data retention periods, please contact us at digital.graymatter@reply.com

7. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights in relation to your personal data:

• Right of access, You have the right to request a copy of the personal data we hold about you. Subject access requests are free of charge. We will respond without undue delay and within one month of receipt of your request. This may be extended by a further two months where requests are complex or numerous. To make a request, please email digital.graymatter@reply.com
• Right to rectification, You have the right to request that we correct any inaccurate personal data we hold about you without undue delay, and within one month of your request.
• Right to erasure, You have the right to request that we delete your personal data where there is no compelling reason for its continued processing.
• Right to restrict processing, You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of your data.
• Right to data portability, Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format.
• Right to object, You have the right to object to processing based on legitimate interests or for direct marketing purposes. You have the right at any time to stop us from contacting you for marketing purposes.

In order to ensure that we can comply with a marketing opt-out request, we will need to retain a minimal record of your information on a suppression list, including your forename, surname and email address.

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
ico.org.uk/make-a-complaint

8. Cookies

Cookies are text files placed on your computer or mobile device to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of our website, such as what pages are visited and in what order and what is downloaded and to compile statistical information on website activity.

For further information about cookies, visit the ICO's guidance: ico.org.uk/for-the-public/online/cookies

This website uses the following categories of cookies, managed via our OneTrust consent management platform:

• Strictly Necessary Cookies (C0001), These cookies are essential for the website to function and cannot be switched off. They are usually set in response to actions you take such as setting your privacy preferences or filling in forms.
• Performance Cookies (C0002), These cookies allow us to count visits and traffic sources using Google Analytics (GA4) so we can measure and improve site performance. All information collected is aggregated and anonymised.
• Targeting Cookies (C0004), These cookies are set by the LinkedIn Insight Tag to enable campaign measurement and audience targeting on LinkedIn. They do not store directly personal information but are based on uniquely identifying your browser and device.

You can set your browser to not accept cookies. Some of our features may not function as a result of doing this however.

You can manage your cookie settings at any time using the cookie preferences button on our website.

9. Third-Party Analytics and Tracking

Our site uses third-party web analytics tools to understand how visitors use our website. These tools compile reports on website activity for website operators. All data is stored on the respective provider's services.

For more information about each provider's privacy policy please refer to their own websites:

• Google Analytics (GA4): policies.google.com/privacy
• LinkedIn Insight Tag: linkedin.com/legal/privacy-policy

No other third-party tracking or advertising pixels are active on this website.

10. Accuracy of Your Information

We want to make sure that your personal information is up to date and accurate. You can request access to the personal information we hold about you so that you can check, correct or delete it. To make a request, please email digital.graymatter@reply.com. We will respond without undue delay, within one month of your request.

11. Applying for a Job at Graymatter Reply

By submitting your CV to us via our website, you are deemed to have agreed that we can process your personal information as necessary to progress your application, including the processing of any sensitive data about you.

Data Protection Principles

In relation to your personal data, we will:

• Process it fairly, lawfully and in a clear, transparent way
• Collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you
• Use it only in the way that we have told you about; ensure it is correct and up to date
• Keep your data for only as long as we need it
• Process it in a way that ensures it will not be used for anything that you are not aware of or have not consented to (as appropriate), and is not lost or destroyed

Types of Information We May Collect or You May Provide

Your information may include some or all of the following:

• Your personal details including your name, address, date of birth, email address, telephone numbers; your photograph if you have provided one (but note that we do not request photo ID as part of the recruitment process)
• Gender; marital status
• Whether or not you have a disability
• Information included on your Curriculum Vitae (CV) including references, education history and employment history
• Documentation relating to your right to work in the UK; driving licence check data

How We Collect Your Data

We collect data about you in a variety of ways including the information you would normally include in a CV or a job application cover letter, or notes made by our interviewers during a recruitment interview. Other details may be collected directly from you in the form of official documentation such as your driving licence details, passport or other right to work evidence. In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references or credit reference agencies.

Personal data is stored on Reply's central recruitment database within the company's HR and IT systems.

Why We Process Your Information

We use the information we collect from you to ensure we are complying with legal requirements such as:

• Carrying out checks in relation to your right to work in the UK; and
• Making reasonable adjustments for disabled candidates

And in the legitimate interests of the Company when:

• Making decisions about who to offer employment to
• Making decisions about salary and other benefits
• Assessing skills gaps and training needs
• Dealing with legal claims made against us

If you are unsuccessful in your application, we may ask you if we can retain your data in case other suitable job vacancies arise at Graymatter for which we think you may wish to apply. You can simply decline, if you don't want us to keep your information. Where we do not ask your consent to retain your details, your data will not be used for any reason other than in the ways explained in relation to the specific application you have made.

Special Categories of Data

Special categories of data are information about your health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership and genetic and biometric data. By law, if we process special categories of data, we must do so in accordance with more stringent guidelines, which means we will only process special categories of data when the following applies:

• You have given explicit consent to the processing
• We must process the data in order to carry out our legal obligations
• We must process data for reasons of substantial public interest; or
• You have already made the data public.

Graymatter Reply does not routinely collect special category data for recruitment purposes. If you are invited to interview, we will ask you if you have any special needs or access requirements; this is to ensure the interview can go ahead and may be used to inform the consideration of any reasonable adjustments. We do not need your consent if we only use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law.

Criminal Conviction Data

We will only collect criminal conviction data where it is appropriate for the job advertised and where the law permits us. Currently Graymatter Reply has no requirement to collect criminal conviction data.

If You Do Not Provide Your Data to Us

One of the reasons for processing your data is to allow us to carry out an effective recruitment process. Whilst you are under no obligation to provide us with your data, we may not be able to process or continue with your application without it.

Sharing Your Information

Your CV and cover letter, if provided, will only be accessed by those directly involved in the evaluation and recruitment process. This includes, for example, the HR manager and those people within the hiring team who are responsible for screening your application and interviewing you. In some cases, a pseudonymised profile may be shared with a potential Reply client as part of your evaluation.

In some cases, we will collect information about you from third parties, such as employment agencies. Any such company will be designated as a Data Processor according to Art.28 of UK GDPR.

Your information will be shared with third parties if you are successful in your job application. In these circumstances, we will share your data to obtain references as part of the recruitment process. We may need to share your information with people or bodies outside of the United Kingdom if you have worked previously in a country beyond the UK.

Protecting Your Information

To ensure your information is protected against accidental loss or disclosure, destruction and abuse, it will be stored on secure servers with limited, permissions-based and password protected access. Organisational measures include a Data Protection policy which all staff are made aware of and a Data Transfer Security Policy that sets out the limited circumstances in which personal information can be transferred, the permission to be sought and the secure means by which it can be transferred.

Any third parties we share your information with, must implement appropriate technical and organisational measures to ensure the security of your data.

Your Rights Over Your Information

Where you have consented to our use of your information, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There are no consequences for withdrawing your consent but in some circumstances, we may continue to store your information for one year after the recruitment process has finished, in the legitimate interests of the company, to protect against potential legal claims.

How Long We Keep Your Data For

We only keep your data for as long as we need it for and this will depend on whether or not you are successful in your application. If you are not successful we will routinely keep your data for up to three years once the recruitment exercise ends unless you specifically request deletion. At the end of this period, we will delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon your withdrawal of consent.

If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you.

Automated Decision Making

Automated decision-making is where a decision is taken about you using an electronic system without human involvement and which has a significant impact on you. No automated decision technology will be used at Graymatter Reply.

12. Changes to This Privacy Policy

We review this privacy policy regularly and will place any updates on this web page. This privacy policy was last updated 6 March 2026.

13. Data Controller and DPO

Reply S.p.A. (with registered office at Corso Francia 110, Turin), Reply Deutschland SE (with registered office at Bartholomausweg 26 D-33334 Gutersloh), Reply Ltd (with registered office at 38 Grosvenor Gardens, London SW1W 0EB) together with one or more Reply Group Companies are the Joint Controllers of this recruitment processing activity, according to Art.26 of UK GDPR.

For all website-related data processing described in Sections 1–10 of this policy, the data controller is Reply Ltd.

The contact details of the UK Reply Data Protection Officer are:

UK DPO: dpo.uk@reply.com

14. How to Contact Us

If you have any questions about this privacy policy or the information we hold about you, please contact us:

Email: digital.graymatter@reply.com
DPO: dpo.uk@reply.com
Telephone: +44 (0) 207 730 6000

Or write to us at:

Graymatter Reply,
160 Victoria Street,
2nd floor Nova South,
Westminster,
London SW1E 5LB

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
ico.org.uk/make-a-complaint