Privacy Notice
Purpose
Step Change Outsourcing (“SCO”, “we”, “us” or “our”) operates https://www.stepchangeoutsourcing.co.uk and provides outsourced business services. We are committed to protecting and respecting your privacy. This Privacy Notice explains how we collect, use, disclose, store and protect personal data when you visit our website, contact us, apply for roles, use our services, or otherwise interact with us.
This notice is intended to provide privacy information required under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, Data (Use and Access) Act 2025 and, where relevant, the Privacy and Electronic Communications Regulations (PECR).
Scope
This privacy notice applies only to the actions of Step Change Outsourcing (SCO) and users with respect to this Website. It does not extend to any websites that can be accessed from this website including, but not limited to, any links we may provide to third parties.
For the purposes of applicable data protection laws, Step Change Outsourcing is the data controller for the personal data described in this notice unless we tell you otherwise. This means that SCO determines the purposes and means of processing your personal data.
You can contact us about this notice, your data protection rights, or any privacy-related query by emailing our Data Protection Officer at compliance@stepchangeoutsourcing.co.uk or by using the contact details provided on our website.
Definitions and Interpretations
The following definitions will be used in this notice:
Personal Data – is any information relating to an identified or identifiable living person – also known as the data subject. For example your date of birth is your personal data and you are the data subject because this data relates to you.
Data Controller – is the organisation responsible for the processing of the data.
Data Processor – a controller may outsource its processing to another organisation who processes the data on its behalf. The processor can only process the data according to the instructions of the controller.
Information Collection
When you interact with our website, contact us, apply for roles, use our services or otherwise communicate with us, we may collect and process the following categories of personal data, depending on the context:
- Identity and contact information: such as your name, job title, organisation, address, email address, telephone number and other contact details.
- Service, enquiry and recruitment information: such as information you provide in forms, applications, correspondence, telephone calls, meetings, account records, customer service interactions and other communications with us.
- Technical and usage information: such as your IP address, browser type, operating system, device identifiers, website usage information, cookie identifiers and information about how you interact with our website and services.
- Call recording and transcript information: such as your voice, call metadata, call content, transcripts and information discussed during telephone interactions.
- Special category data or criminal offence data: we do not seek to collect this type of information unless it is necessary for a specific purpose, you choose to provide it, or we are required or permitted by law to process it. Where we process such data, we will identify an appropriate lawful basis and a relevant condition under UK data protection law.
Use of Information
We use personal data for the following purposes and lawful bases:
- To provide services, manage customer relationships, respond to requests and take steps before entering into or performing a contract with you or your organisation. Lawful basis: performance of a contract and/or legitimate interests.
- To communicate with you about enquiries, services, applications, account matters, operational updates and customer support. Lawful basis: performance of a contract, legitimate interests and, where required, legal obligation.
- To improve, monitor and secure our website, systems, services and customer experience, including analysing usage data and interactions. Lawful basis: legitimate interests and, where required for non-essential cookies or similar technologies, consent.
- To comply with legal, regulatory, tax, accounting, audit, reporting and record keeping obligations, and to establish, exercise or defend legal claims. Lawful basis: legal obligation and/or legitimate interests.
- To use appropriate technology, including Artificial Intelligence (AI) tools, to support data analysis, customer service, internal operations, quality assurance and service improvement. Lawful basis: legitimate interests, performance of a contract and/or legal obligation, depending on the context. We assess and manage data protection risks before using AI tools for new purposes.
Where we rely on legitimate interests, our interests may include operating and improving our business, managing relationships, ensuring security, preventing misuse, maintaining accurate records, resolving disputes and meeting customer expectations. We balance these interests against your rights and freedoms. You may object to processing based on legitimate interests in certain circumstances; please see the “Your Rights” section.
Where we rely on consent, you may withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.
Call Recording and Automated Transcription
We may record telephone calls and create automated transcripts of calls for training, quality assurance, compliance, dispute resolution, record keeping, and customer service purposes. Call recordings and transcripts may include your voice, contact details, information about your enquiry, account or services, and any other personal data you choose to provide during the call. Where practicable, we will inform you at the start of the call that recording and/or transcription may take place.
We process call recordings and transcripts where this is necessary for our legitimate interests in monitoring and improving our services, maintaining accurate records, handling complaints and disputes, and meeting compliance requirements. We may also process call recordings and transcripts where this is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
We may use automated transcription tools to convert call audio into text so that calls can be reviewed, searched, quality checked, and recorded accurately. We do not use call recordings or transcripts to make decisions about you based solely on automated processing that produce legal or similarly significant effects, unless we tell you separately and have a lawful basis for doing so.
Call recordings and transcripts are stored securely and are only accessible to authorised personnel who need access for the purposes described above. We retain recordings and transcripts only for as long as necessary in line with our data retention notice, unless a longer period is required for legal, regulatory, complaint handling, or dispute resolution purposes.
Where third-party service providers support call recording, storage, or transcription services, they process personal data on our behalf under appropriate contractual, confidentiality, and security obligations. Where personal data is transferred outside the UK, we will ensure appropriate safeguards are in place as required by UK data protection law.
You may have rights in relation to call recordings and transcripts, including rights to request access, correction, deletion, restriction, or to object to processing, depending on the circumstances. Please see the “Your Rights” section of this Privacy Notice for more information.
Sharing of Information
We may share personal data where necessary and lawful with the following categories of recipients:
- Service providers and processors: such as IT, hosting, cloud, telephony, call recording, transcription, CRM, recruitment, analytics, professional advisory and business support providers who process personal data on our behalf under appropriate contractual and security obligations.
- Regulators, public authorities, courts, law enforcement agencies and other third parties where required or permitted by law, regulation, court order or legal process.
- Business and transaction parties: if SCO is involved in a merger, acquisition, restructuring, investment, due diligence exercise, asset sale or similar transaction, personal data may be disclosed or transferred as part of that process.
We do not sell your personal data.
International Transfers
Some of our service providers or systems may process personal data outside the United Kingdom. Where we transfer personal data internationally, we will ensure that appropriate safeguards are in place as required by UK data protection law, such as adequacy regulations, approved contractual safeguards, or other lawful transfer mechanisms.
Data Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including to provide services, manage relationships, comply with legal, regulatory, tax, accounting and reporting obligations, resolve disputes, maintain records and establish, exercise or defend legal claims.
Retention periods vary depending on the type of personal data, the purpose of processing, contractual requirements, legal obligations and operational needs. When personal data is no longer required, we will delete it, anonymise it, or securely archive it in accordance with our retention procedures.
Data Security
We take the security of personal data seriously and implement appropriate technical and organisational measures designed to protect it from unauthorised access, disclosure, alteration, loss or destruction. These measures may include access controls, confidentiality obligations, secure storage, supplier due diligence, monitoring, backups and incident response processes. While we take reasonable steps to protect personal data, no method of transmission over the internet or electronic storage is completely secure.
If we become aware of a personal data breach, we will assess it and take appropriate action, including notifying affected individuals and the Information Commissioner’s Office where required by law.
Your Rights
Depending on the circumstances and the lawful basis for processing, you may have the following rights in relation to your personal data:
- Access: You can request access to the personal information we hold about you.
- Correction: You can request that we correct any inaccuracies in your personal information.
- Deletion: You can request that we delete your personal information, subject to certain legal obligations.
- Restriction: You can request that we limit the processing of your personal information.
- Objection: You can object to the processing of your personal information for specific purposes.
- Withdrawal of consent: Where we rely on consent, you can withdraw your consent at any time.
- Portability: You can request that we provide you with your personal information in a structured, commonly used, and machine-readable format.
- Automated decision-making: You have rights in relation to certain decisions made solely by automated means that have legal or similarly significant effects, including rights to be informed and to seek human review where applicable.
To exercise any of these rights, please contact our Data Protection Officer at: compliance@stepchangeoutsourcing.co.uk
14 Cavendish Road, Stevenage, SG1 2DY
We may need to verify your identity before responding. Some rights are subject to conditions and exemptions under data protection law.
If you are not satisfied with how we handle your personal data or any request made to us, please contact us first so we can try to resolve your concern. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.
Please keep us informed if your data changes during the period for which we hold it.
Cookies and Tracking Technologies
We use cookies and similar technologies on our website. Some cookies are strictly necessary for the website to work. We may also use non-essential cookies or similar technologies for analytics, functionality or other purposes, where permitted by law and where we have obtained any consent required under PECR and UK data protection law.
Where we use Google Analytics or similar analytics services, we use them to understand how visitors use our website and to improve our services. You can manage cookie preferences through our cookie controls where available and through your browser settings. Non-essential cookies should not be used unless the required consent or another applicable PECR basis is in place.
Third Party Links
Our website may contain links to third-party websites. Please note that these third-party sites have their own privacy policies, and we do not accept any responsibility or liability for their policies or practices.
Changes to this Privacy Notice
This Privacy Notice was last updated on 25/06/2026. We may update or change this Privacy Notice from time to time, including where required by law, regulatory guidance, changes to our services or changes to how we process personal data. You should review this Privacy Notice periodically.
If we make material changes to this notice, we will take appropriate steps to make the updated notice available, such as publishing it on our website and, where appropriate, notifying affected individuals.
About
Step Change Outsourcing
Founded in 2009, Step Change Outsourcing provides outsource solutions for customer engagement campaigns on the phone and online.
Working with some of the UK’s best known brands, we are experts in acquiring and retaining customers by providing sales campaigns as well as delivering brilliant results.
14 Cavendish Road
Stevenage
Hertfordshire
SG1 2DY
What three words:
family.tries.sugars
Phone: 01438 989 234
Company registration number:
06330387