Privacy Policy

"Security is a process, not a product"

Last updated: March 2026

1. Who we are

Charter Meridian (“Charter Meridian”, “we”, “us”, “our”) is a trading name of Project Productions LTD and provides cyber security assessment, reporting, procurement support, and related brokerage services for organisations seeking clarity on their security position and the most appropriate delivery partner.

This Privacy Policy explains how we collect, use, store, and disclose personal data when you:

  • visit www.chartermeridian.com;
  • use our portal and questionnaire services, including portal.chartermeridian.com;
  • contact us;
  • purchase or use our services; or
  • otherwise interact with us.

For privacy enquiries, you can contact us at: Privacy email: privacy@chartermeridian.com General email: contact@chartermeridian.com

2. Scope of this policy

This policy applies to personal data collected through:

  • our public website;
  • our client portal;
  • our assessment and questionnaire workflows;
  • our enquiry and onboarding forms;
  • our communications by email, SMS, and other business correspondence; and
  • our payment and reporting processes.

This policy is intended for business and professional use. Our services are not directed at children, and users should not submit sensitive personal information unless we expressly request it as part of a legitimate service process.

3. The personal data we collect

Depending on how you interact with us, we may collect and process the following categories of personal data:

Identity and contact data

  • name;
  • company name;
  • email address;
  • telephone number; and
  • other contact details you choose to provide.

Account and access data

  • account credentials;
  • portal account information;
  • username issuance details;
  • password delivery and reset records; and
  • account activity relevant to access and security.

Enquiry and service data

  • details of your enquiry;
  • questionnaire answers;
  • information about your organisation’s security position;
  • information about technologies, systems, controls, or compliance context relevant to our services;
  • service selection and report preferences; and
  • related notes required to assess fit, prepare reports, or support procurement.

Transaction data

  • payment status and related transaction metadata from our payment provider;
  • service purchase records; and
  • associated billing references.

We do not intentionally store full payment card details ourselves where payments are processed by Stripe.

Technical and usage data

  • IP address;
  • browser and device information;
  • log data;
  • login/session data;
  • cookie identifiers;
  • analytics data; and
  • event data relating to site and portal usage.

Marketing and communications data

  • your communications preferences;
  • whether you have engaged with marketing messages;
  • subscription or opt-out status; and
  • records of objections or suppression preferences.

4. How we collect personal data

We collect personal data:

  • directly from you when you submit forms, create an account, complete a questionnaire, make a purchase, or communicate with us;
  • automatically through cookies, logs, analytics tools, and similar technologies;
  • from service and infrastructure providers that support our website, payments, messaging, or hosting; and
  • from internal systems used to deliver assessments, reports, and brokerage support.

5. Why we use your personal data

We use personal data to:

  • respond to enquiries;
  • assess whether our services are appropriate for your requirements;
  • provide questionnaire access and portal functionality;
  • send usernames, passwords, secure links, reports, and related service communications;
  • process payments;
  • generate and deliver reports and related outputs;
  • maintain service records;
  • improve our website, portal, and workflows;
  • run analytics and performance measurement;
  • conduct fraud prevention, security monitoring, and troubleshooting;
  • send marketing communications;
  • run remarketing and advertising activities where applicable; and
  • comply with legal, regulatory, and recordkeeping obligations.

6. Our lawful bases for processing

We rely on one or more lawful bases under UK GDPR depending on the context, including:

  • Contract — where processing is necessary to provide services you have requested, create and administer accounts, deliver reports, or take steps before entering into a service arrangement.
  • Legitimate interests — where processing is necessary for our legitimate business interests, such as responding to business enquiries, assessing fit, operating and improving our services, preventing fraud, and securing our systems, provided those interests are not overridden by your rights and interests.
  • Consent — where consent is required or appropriate, including certain cookies and some marketing activities.
  • Legal obligation — where we need to process personal data to comply with legal or regulatory obligations.

7. Cookies, analytics, and tracking technologies

We use cookies and similar technologies on our website and portal, including cookies that support:

  • login/session functionality;
  • security;
  • analytics; and
  • marketing/advertising activities.

We currently use or may use tools including:

  • Google Analytics; and
  • Meta Pixel.

Strictly necessary cookies used to support essential functions such as login or user-requested security/session behaviour may be exempt. Other analytics and marketing cookies should be handled through appropriate consent controls where required.

You can manage cookie choices through our cookie banner and related settings tools where available.

8. Marketing communications

We may send marketing communications about our services, offers, updates, and related content.

Where required, we will rely on consent or another lawful route permitted by applicable law.

You can opt out of marketing emails at any time using the unsubscribe link in the message or by contacting us.

9. Sharing your personal data

We do not sell your personal data.

We may share personal data where necessary with:

  • hosting and infrastructure providers;
  • Google services used for hosting, email, and storage;
  • Stripe for payment processing;
  • Twilio for SMS messaging;
  • analytics and advertising providers;
  • internal or proprietary systems used for CRM, forms, document generation, reporting, chat/support, and related workflows;
  • professional advisers; and
  • carefully selected delivery partners or suppliers where this is necessary to provide brokerage or supplier-matching services relevant to your request.

We may also disclose personal data where required by law, regulation, court order, or lawful request by a competent authority.

10. International transfers

You told us your intended position is that data is stored in the UK/EU only, and that providers are not intended to be outside the UK. However, some technology vendors may involve international processing or access depending on configuration and service design.

Where personal data is transferred outside the UK, we will seek to ensure appropriate safeguards are in place where required.

11. Security

We take reasonable technical and organisational measures to protect personal data. These include steps designed to support access control, service security, and the secure delivery of credentials, reports, and portal functionality.

However, no internet transmission or storage system is ever completely secure, and we cannot guarantee absolute security of data transmitted to or from our services.

12. Retention

You indicated that enquiry, client, project, and questionnaire-related data may be retained for as long as is relevant to the client or company relationship.

In practice, we retain data only for as long as reasonably necessary for:

  • the purpose for which it was collected;
  • the management of the relationship;
  • legal, tax, accounting, security, or recordkeeping requirements; and
  • the establishment, exercise, or defence of legal claims.

Where data is no longer required, we will delete it or anonymise it where appropriate.

13. Your rights

Under UK GDPR, individuals may have rights including:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object; and
  • the right to data portability in certain circumstances.

If you want to exercise any of these rights, contact privacy@chartermeridian.com.

You also have the right to complain to the Information Commissioner’s Office (ICO).

14. Third-party websites and services

Our website or portal may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties.

15. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will be posted on our website with the revised “Last updated” date.

16. Contact us

If you have any questions about this Privacy Policy or how we handle personal data, contact:

Charter Meridian at privacy@chartermeridian.com or contact@chartermeridian.com

Scroll to top