
Privacy Policy.

How we collect, use and protect personal data when you use WhatMSP — whether you’re a business looking for an IT provider or a managed service provider listed on the register.

Last updated: 25 June 2026

WhatMSP is an independent UK register that scores and compares managed service providers (MSPs). This policy explains what personal data we hold, why we hold it, who we share it with, and the rights you have over it. It is written to meet our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who we are

WhatMSP is an independently operated UK service — it is not owned by, or operated on behalf of, any provider listed on the register. WhatMSP is the data controller responsible for the personal data described in this policy, meaning we decide why and how that data is processed. (A registered company will be named here once formed.)

If you have any questions about this policy, want to exercise your rights, or wish to make a complaint, you can reach us at [email protected].

What personal data we collect

The data we hold depends on how you interact with us. We aim to collect only what we need.

a) Buyer enquiries and leads

When you contact us or send an enquiry through the register — for example by using a matching form or messaging a provider — we collect the details you give us, which typically include:

  • your name;
  • your email address;
  • your phone number (if you provide one);
  • your company or organisation name; and
  • the content of your message and any requirements you describe.

b) MSP applications and listing claims

When a provider applies to be listed, claims an existing listing, or submits evidence for vetting, we collect:

  • company details (legal name, trading name, registered address, company number, website);
  • the name, job role, email address and phone number of the contact person;
  • declared credentials, certifications, accreditations and service information; and
  • uploaded evidence documents, such as insurance certificates, certification certificates and other supporting material.

Uploaded evidence may contain personal data (for example, the name of a certificate holder or a signatory). We treat these documents as confidential and store them privately — see Security below.

c) Account data for registered providers

If you create an account to manage a listing, we hold your name, email address, a securely hashed password, and records relating to your account activity and the listings you manage.

d) Analytics and cookies

With your consent, we use Google Analytics 4 to understand how visitors use the site. This involves cookies and the collection of usage data such as the pages you view, approximate location (derived from your IP address) and the type of device and browser you use. See Cookies below for how to control this.

e) Technical and log data

Like most websites, our servers automatically record technical information when you visit, including your IP address, request timestamps, the pages requested and error logs. We use this to keep the service secure, available and working correctly.

Our lawful bases for processing

Under UK GDPR we must have a lawful basis to process personal data. Depending on the activity, we rely on:

  • Legitimate interests — to operate and improve the register, to match buyers with suitable providers, to pass enquiries to providers, to verify provider credentials, and to keep the service secure. We have considered these interests against your rights and freedoms.
  • Consent — for analytics cookies. You can withdraw consent at any time.
  • Contract — to provide and administer provider accounts and listings, and to deliver the services a provider has signed up for.
  • Legal obligation — where we must retain or disclose data to comply with the law.

How we use your data

We use the personal data we collect to:

  • operate the directory and present accurate, independently scored listings;
  • deliver buyer enquiries to the relevant provider(s) so they can respond;
  • verify provider credentials against issuing bodies and public records;
  • administer provider accounts and the listings they manage;
  • send transactional and status emails (for example, enquiry notifications, application updates, password resets and verification outcomes);
  • understand and improve how the register is used; and
  • keep the platform secure and prevent misuse.

Sharing your data with providers

When you submit an enquiry intended for one or more managed service providers, we pass the relevant details of that enquiry to the provider(s) concerned so they can contact you. Those providers act as independent data controllers for the information they receive, and their own privacy practices will apply once your enquiry reaches them. We are not responsible for how a provider subsequently uses your details, but we only share what is necessary to connect you.

Service providers and third parties

We use a small number of trusted third-party services to run WhatMSP. These act as our data processors or as independent controllers, and process data only as needed to provide their service:

  • Resend — delivery of transactional and status emails.
  • Google Analytics — website analytics (used only with your consent).
  • Google Places API — to retrieve review and business data used in scoring.
  • Companies House API — to verify company registration details.
  • Stripe — payment processing, used only if and when billing is enabled for providers.
  • Laravel Cloud — hosting and infrastructure for the platform.

Some of these providers may process data on servers outside the UK. Where that happens, we rely on appropriate safeguards — see International transfers. We do not sell your personal data to anyone.

Cookies

Cookies are small files stored on your device. We use two kinds:

  • Essential cookies — required for the site to function, such as maintaining your session and keeping you signed in. These cannot be switched off.
  • Analytics cookies — set by Google Analytics 4 to help us understand usage. These are only used with your consent.

You can opt out of analytics at any time by declining or withdrawing consent, by adjusting your browser settings to block or delete cookies, or by installing the Google Analytics Opt-out Browser Add-on. Blocking essential cookies may stop parts of the site from working.

How long we keep data

We keep personal data only for as long as we need it for the purposes set out above, after which we delete or anonymise it. In practice that means we retain buyer enquiries for as long as needed to facilitate and follow up the introduction; provider application, account and evidence data for as long as the listing or account is active and for a reasonable period afterwards; and log and analytics data for a limited period. We may keep certain records longer where the law requires it.

How we keep data secure

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse. Data is transmitted over encrypted connections, passwords are stored only as secure hashes, and uploaded evidence documents are stored in private storage that is not publicly accessible and is available only to authorised people who need it for verification. No system can be guaranteed completely secure, but we work to protect your information and to respond promptly to any incident.

Your rights

Under UK data protection law you have the right to:

  • Access a copy of the personal data we hold about you;
  • Rectification — ask us to correct inaccurate or incomplete data;
  • Erasure — ask us to delete your data in certain circumstances;
  • Restrict or object to our processing, including processing based on legitimate interests;
  • Data portability — receive certain data in a portable format; and
  • Withdraw consent at any time where we rely on consent (such as analytics).

To exercise any of these rights, email us at [email protected]. We will respond within the time limits set by law. If you are unhappy with how we have handled your data, you can complain to the Information Commissioner’s Office (ICO), the UK supervisory authority, at ico.org.uk — though we’d appreciate the chance to put things right first.

International transfers

Some of the third-party services we use are based outside the UK, which means your data may be transferred to and processed in other countries. Where we transfer personal data outside the UK, we rely on an adequacy decision or appropriate safeguards (such as the International Data Transfer Agreement or Standard Contractual Clauses) to ensure your data continues to be protected to UK standards.

Children

WhatMSP is a business-to-business service intended for use by organisations and the people who work for them. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18.

Changes to this policy

We may update this policy from time to time to reflect changes to our practices or the law. When we do, we will revise the “last updated” date at the top of this page. Significant changes may be highlighted on the site. Please check back periodically.

This policy is provided in good faith as a general template and is not legal advice; the operator should have it reviewed by a solicitor before relying on it.
