Privacy Policy

Privacy Policy

How we use your information

This privacy notice tells you what to expect when Mirus collects personal information. It applies to information we collect about:

  • Visitors to our websites;
  • Complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry;
  • People who use our services, e.g. who subscribe to our newsletters or request downloads and publications from us;
  • Job applicants and our current and former employees.

Visitors to our websites

When someone visits or any other alias to our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is then reviewed by a reverse IP lookup tool (Lead Forensics) which may allow us to see the name of the organisation who visited our website but not the specific individual, this information is used to proactively contact prospects to ensure they have been given all the information they need about our services.

Social Media Features

When clicking on Social Media Features, such as the Facebook and Twitter links published on our sites, will re-direct you to these services. The Social Media provider may collect your IP address, which page you are visiting from on our site, and may set a cookie to enable their features to function properly. Social Media Features and Widgets are hosted by a third party. This Privacy Policy does not apply to these features.  Your interactions with these features are governed by the privacy policy and other policies of the companies providing them.

Use of cookies by Mirus

You can read more about how we use cookies on our Cookies page.


We use a third party provider (HubSpot) to deliver our monthly newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our newsletter. For more information, please see HubSpot’s privacy notice, the link is further below.

Security and performance

Mirus uses a third party service to help maintain the security and performance of the Mirus website. To deliver this service it processes the IP addresses of visitors to the Mirus website.

Mirus Blog

We use a third party service, HubSpot, to publish our blog, which is hosted at, which is hosted and run by HubSpot. We use a standard HubSpot service to collect information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. Visitors can comment on our blogs by supplying their full name, email address and job title, and visitors can subscribe to our monthly blog updates by entering their email. This agreement will only subscribe them to relevant information regarding our blog and no other services. To sign up for further information from us, a user would need to complete a relevant more detailed form on our website.

For more information about how HubSpot processes data, please see HubSpot’s Privacy notice.

Communication via social media

All conversations conducted on any of our accounts/profiles on a public social media platform such as Twitter, Instagram, Facebook, LinkedIn, Google+ or YouTube, will be housed within that platform. If possible or applicable we will reply via that platform.

We do not save or utilise the contact details of social media interactions for any other purpose unless indicated by the contact/message directly.

Within the HubSpot platform, we can monitor interactions on the relevant social accounts connected to the Social Media monitoring and publishing provision.

We also monitor pertinent content streams for relevant conversations, mentions and for content curation. and and

People who call us

When you call Mirus we collect Calling Line Identification (CLI) information. We use this information to help improve the  efficiency and effectiveness of our services. We also record all calls made to and from our offices, this helps with training and development purposes for our team.

People who email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics internally showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

When legal enforcement action is necessary, we may publish the identity of the defendant in our Annual Report or elsewhere. As MIRUS provide B2B services we will identify complainants by Company name and Job Title, unless the details of the complaint have already been made public.

People who use Mirus services

Mirus offers various services to SMEs. We use a third party to deal with some publication requests, but they are only allowed to use the information to send out the publications.

We have to hold the details of the people who have requested services in order to provide them. However, we only use these details to provide the services they have requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.

People who provide feedback via our “Smiley Faces”

Mirus allow customers to provide feedback by clicking on a smiley face when a ticket has been completed, the customer can then add comments regarding the experience they have received which may include personal information. Information is not routinely removed from CrewHu as it is used to measure the service performed for Mirus customers. If you feel specific information should be removed this can be completed by emailing

Further information on CrewHu’s GDPR compliance can be found here

People who require third party services

Occasionally, we may need to use a third party to deliver part of a service, e.g. where an exceptional hardware repair is required that is outside the capabilities of our own teams, or where a courier delivery requires a specific individuals’ contact details . This may contain personal information, for example where the business is a sole trader. Mirus cannot therefore give any guarantees as to how the information will be used by those accessing it, but will vet all terms and conditions and apply all contractual and legal protections to prevent the misuse of personal information when we engage with third parties.

When businesses fill in their registration forms, they are asked to provide the contact details of a relevant member of staff. Mirus will use this for its own purposes, for example where we have a query about a service requirement, but will not put it on a publicly available register.

When we request information as part of the registration process, we make it clear where the provision of information is required by law and where it is voluntary.

People who are captured by our perimeter CCTV cameras

We do not collect or process personal data captured by CCTV; Mirus are the operator of our own CCTV system where the cameras are located on Mirus premises. Mirus retains CCTV footage for a discretionary period and is required by law to make it available to authorities.  As access to CCTV footage is available to the authorities, Mirus cannot give any guarantees as to how the information will be used by those accessing it, only that it may be used use as evidence to support investigations into alleged criminal or civil offences.

Reporting a breach of Personal Information

Mirus are required by law to report any security breaches involving personal data to the Information Commissioner’s Office (ICO).

The ICO provide an online form for this purpose, which in the event of a breach of Personal Information security will be completed by Mirus. The online form is hosted by Egress. The ICO use the data collected by the form to record the breach, to make decisions about the action they may take, and as relevant in order to carry out those actions. The ICO retain personal information only for as long as necessary to carry out these functions, and in line with their own retention schedule. This means that logs and breach reports will be retained for two years from receipt, and longer where this information leads to regulatory action being taken. The ICO retain de-personalised information about organisations for as long as is necessary to help inform future actions, but no individuals are identifiable from that data.

The ICO and Egress have measures in place to ensure the security of data collected and transferred to the ICO via this form. Egress is a data processor for the ICO and only processes personal information in line with the ICO’s instructions.

Job applicants, current and former Mirus employees

Mirus is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application should you choose not to.

Application stage

If you use our online application system, this will be collected by a data processor on our behalf (please see below).

We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.

You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team and hiring managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.


Our hiring managers shortlist applications for interview. They will not be provided with your equal opportunities information if you have provided it.


We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend interviews – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by Mirus.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of twelve months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

  • Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
  • Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
  • You will be asked to complete a criminal records declaration to declare any unspent convictions.

We will provide your email address to the Government Recruitment Service who will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions.

We will contact your referees, using the details you provide in your application, directly to obtain references.

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work
  • Membership of a Pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.

Use of data processors

Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.


If you are employed by Mirus, relevant details about you will be stored in the Brightpay payroll system. This will include your name, bank details, address, date of birth, National Insurance Number and salary.

Data may be visible during support calls with Brightpay support logged onto the Mirus network but a Mirus member of staff will monitor the actions of the Brightpay staff at all times during the support call.


Legal and General

Likewise, your details will be provided to Legal and General who are the administrators of the Pension Scheme, of which Mirus is a member organisation. You will be auto-enrolled into the pension scheme and details provided to Legal and General will be your name, date of birth, National Insurance number and salary. Your bank details will not be passed to Legal and General at this time.

Employee Benefit Providers

Mirus provide various benefits to our colleagues. In order to provide these benefits Mirus provide the following companies with the following details about Mirus colleagues. Neyber, Westfield Heath and Perkbox. Information provided is name, email address, postal address, date of birth. In the case of Neyber we also provide salary details.

The relevant privacy policies for these companies are at:


Brightgauge is a third party, cloud based, reporting tool that Mirus use to analyse service performance data.  As such it contains customer and Mirus employee names, and any information that may be required to provide Business to Business (B2B) services to our customers, such as organisation name, role, work email address and work telephone numbers.

Being a United States cloud based service, the information (or data) is held on Brightgauge’s servers which are physically located within the United States.

Brightgauge, although a U.S. based organisation, have updated their legal documents and improved their security posture, making them fully compliant with GDPR.   As mentioned in their blog, they took the GDPR regulation as an opportunity to focus on security from top to bottom.

You can visit Brightgauge’s security page for more details, but the following are the most important changes:

  1. Updated Terms of Services and Privacy Policy to more specifically provide GDPR related privacy and terms and added a Data Processing Addendum.
  2. In an effort to be more transparent about how Brightgauge handle your information they have added further detail to their Security page.
  3. Updated internal security policies –  Information Security,  Risk Management, Incident Response / Breach Notification.
  4. Created a formal bug/vulnerability program for Brightgauge users (i.e. Mirus) to find and report vulnerabilities they see.
  5. Performed and scheduled external penetration test on their system, which are conducted twice per year.
  6. Added disk encryption for information at rest in their databases.
  7. Updated & Increased their application monitoring tools to provide even greater visibility into data flow and potential malicious activity.
  8. Assigned a dedicated Data Protection Officer (DPO) who is responsible for security and privacy at BrightGauge.
  9. Added a more stringent password policy for all user types.
  10. Added the ability for personal data to be deleted / downloaded by request (a GDPR specific requirement).
  11. Worked with all of their 3rd party Software as a Service (SaaS) applications providers to ensure that they too are GDPR compliant.
  12. Gained acceptance into the U.S.

    How long is the information retained for?

    If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

    If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.

    Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.

    Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.

    Hiring Hub will provide us with management information about our recruitment campaigns. This is anonymised information which tells us about the effectiveness of campaigns, for example, from which source did we get the most candidates, equal opportunities information for monitoring purposes. This anonymised information will be retained for 6 years from the end of the campaign.

    How we make decisions about recruitment?

    Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.

    You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing


    We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or from organisations who think they could benefit from their staff working with us.

    Applications are sent directly to Mirus. Once we have considered your application, if we are interested in speaking to you further, we’ll contact you using the details you provided.

    We might ask you to provide more information about your skills and experience or invite you to an interview.

    If we do not have any suitable work at the time, we’ll let you know but we might ask you if you would like us to retain your application so that we can proactively contact you about possible opportunities in the future. If you say yes, we will keep your application for 6 months.

    Your rights

    Under the General Data Protection Regulation (GDPR) (EU) 2016/679, you have rights as an individual which you can exercise in relation to the information we hold about you.

    You can read more about these rights here.

    Subscriptions and opting out

    Reviewing, correcting and removing your Personal Information

    Mirus will always offer you the option to review, correct and remove your personal information when sending you information about or products and services.  Information and links to achieve this will be contained within the material that you receive.

    Also, upon request, Mirus will provide you with information about whether we hold any of your Personal Information. If you provide us with your Personal Information, you have the following rights with respect to that information:

    • To review the user information that you have supplied to us
    • To request that we correct any errors, outdated information, or omissions in user information that you have supplied to us
    • To request that your user information not be used to contact you
    • To request that your user information be removed from any solicitation list that we use
    • To request that your user information be deleted from our records
    • To opt out of being solicited by Mirus or their third parties

    To exercise any of these rights, please contact us at or the postal address further below. We will respond to your request to change, correct, or delete your information within a reasonable timeframe and notify you of the actions we have taken.

    Complaints or queries

    Mirus tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

    This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects Mirus’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

    If you want to make a complaint about the way we have processed your personal information, you can contact us by email at

    Access to personal information

    Mirus tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the General Data Protection Regulation (GDPR). If we do hold information about you we will:

    • Give you a description of it;
    • Tell you why we are holding it;
    • Tell you who it could be disclosed to; and
    • Let you have a copy of the information in an intelligible form.

    To make a request to the Mirus for any personal information we may hold you need to put the request in writing to the address provided further below.

    If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

    If we do hold information about you, you can ask us to correct any mistakes by either calling us, emailing us or writing to us.

    Disclosure of Personal Information

    In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. Further information is available in our Data Protection Policy about the factors we shall consider when deciding whether information should be disclosed.

    You can also get further information on:

    • Agreements we have with other organisations for sharing information;
    • Circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
    • Our instructions to staff on how to collect, use and delete personal data; and
    • How we check that the information we hold is accurate and up to date.

    Links to other websites

    This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

    Changes to this privacy notice

    We keep our privacy notice under regular review. This privacy notice was last updated on 29th May 2018.

    How to contact us

    If you want to request information about our privacy policy you can email or write to us:

    Data Protection
    The Mirus Trading Group Limited
    7 Clarendon Drive
    Milton Keynes
    MK8 8ED


    For general enquiries regarding privacy and data protection please call us:

    T: 01908 257350