Last updated: 12 May 2026
1st Step Consulting Ltd trading as Cromwell Visa Services ("Cromwell Visa Services", "we", "us" or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share and protect personal data when you visit our website, contact us, make an enquiry, instruct us, use our visa support services, or otherwise communicate with us.
This policy is written for clients, prospective clients, website visitors, business contacts, corporate clients, travellers, applicants, dependants and any other person whose personal data may be provided to us in connection with our services.
Cromwell Visa Services is the trading name used by 1st Step Consulting Ltd for its visa support services. We provide visa information, document checking, appointment support, application preparation support and related travel visa assistance for individuals, families and business travellers.
Item | Details |
Legal entity | 1st Step Consulting Ltd |
Trading name | Cromwell Visa Services |
Company number | 14708821 |
Registered office | 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ |
Privacy contact | info@cromwellvisas.com |
This Privacy Policy explains what personal data we collect, why we use it, the lawful bases we rely on, who we may share it with, how long we keep it, and the rights you have under UK data protection law.
This policy applies to our website at https://cromwellvisas.com and to services we provide by email, telephone, online form, consultation, document review, appointment booking support or any other communication method.
This Privacy Policy should be read together with our Terms and Conditions and any separate engagement letter, service agreement, consent form, Cookies Policy or client care document that applies to your matter.
For the purposes of the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable UK data protection laws, 1st Step Consulting Ltd trading as Cromwell Visa Services will usually act as the data controller for the personal data we collect and use for our own business and service purposes.
In some situations, other organisations involved in a visa process, such as embassies, consulates, government departments, visa application centres, appointment booking portals and travel service providers, may act as separate independent data controllers. Their own privacy notices and terms may also apply when your data is submitted to them or processed through their systems.
If we act on behalf of a corporate client, travel company or other organisation that provides personal data about its employees, travellers or customers, that organisation must ensure it has a lawful basis and proper authority to share that data with us.
The personal data we collect depends on your enquiry, the service you request, your nationality, your travel purpose, the country you are applying to visit and the requirements of the relevant embassy, consulate, government department or visa application centre.
We may collect and use the following categories of personal data:
Category | Examples |
Identity and contact data | Name, title, date of birth, gender, nationality, postal address, email address, telephone number and contact preferences. |
Passport and travel document data | Passport number, issue and expiry dates, place of issue, copies of passport pages, biometric appointment details and previous passport information where required. |
Immigration and residence data | UK residence status, visa or residence permit details, BRP/eVisa information where relevant, previous visas, previous refusals, travel history and immigration history. |
Travel and application data | Purpose of travel, intended travel dates, itinerary, accommodation details, invitation letters, sponsor information, appointment details and application reference numbers. |
Financial and employment data | Employment details, business details, income information, bank statements, payslips, tax documents, sponsorship evidence, self-employment records and proof of funds where required. |
Family and dependant data | Details of spouse, partner, children, parents, relatives, hosts, sponsors or accompanying travellers where relevant to the application. |
Education and professional data | Education history, course details, qualifications, professional background, employer letters, enrolment letters and other supporting evidence where relevant. |
Communication data | Emails, letters, call notes, consultation notes, messages, documents you send to us, instructions you provide and records of our communications with you. |
Payment and transaction data | Invoices, payment confirmations, billing details, refunds, receipts and records required for accounting, tax and internal business purposes. |
Website and technical data | IP address, device information, browser type, website usage information, cookies, analytics data and security logs. |
Special category, sensitive or criminal offence data | Health information, medical or travel insurance information, religion, marital or family information, biometric appointment information, criminal conviction information or other sensitive data where a visa authority requires it or where you provide it to us for your application. |
We may collect personal data directly from you when you complete an online form, send us an email, call us, book a consultation, provide documents, pay our fees, instruct us to support a visa application, or otherwise communicate with us.
We may also receive personal data from third parties, including family members, employers, sponsors, hosts, travel agents, corporate clients, universities, accommodation providers, translators, professional advisers, couriers, payment providers, appointment booking systems, visa application centres, embassies, consulates and government portals.
We may automatically collect technical data when you use our website, including through cookies, analytics tools, server logs and similar technologies. Further details will be set out in our Cookies Policy where applicable.
If you provide personal data about another person, including a family member, child, dependant, employee, traveller, sponsor, host or client, you must ensure that you have authority to provide that information to us and that the person has been made aware of this Privacy Policy where appropriate.
We use personal data only where we have a proper reason to do so. We may use your personal data for the following purposes:
If you do not provide information that is necessary for a visa service, we may not be able to assess your matter, provide the requested support, prepare your application properly, book an appointment or continue acting for you.
We rely on one or more lawful bases depending on why we are using your personal data. The main lawful bases we may rely on are:
Lawful basis | How it may apply to our services |
Contract | When we need to use your data to take steps before entering into a contract with you or to perform the services you have requested. |
Legal obligation | When we need to keep records, comply with tax or accounting duties, respond to lawful requests or meet other legal requirements. |
Legitimate interests | When we use data to manage and improve our business, respond to enquiries, keep records, protect our systems, prevent fraud, manage client relationships, communicate with you about relevant services, deal with complaints, recover unpaid fees or protect our business interests, provided your rights do not override those interests. |
Consent | When we ask for your clear consent, for example for certain marketing communications, certain cookies, or certain sensitive information where consent is the appropriate basis. You can withdraw consent at any time. |
Vital interests | In rare cases, where processing is necessary to protect someone’s life or safety, for example in an emergency affecting a traveller or applicant. |
Visa applications may sometimes require information that is more sensitive, such as health information, medical or travel insurance evidence, marital or family information, religion, biometric appointment information, previous refusal information, criminal conviction information or other sensitive details required by a government authority, embassy, consulate or visa application centre.
We only ask for sensitive information where it is relevant and necessary for your requested service, where a visa authority requires it, where you choose to provide it to us, or where we need it to protect legal rights or handle a complaint or dispute.
Where UK data protection law requires an additional condition for processing special category or criminal offence data, we will rely on an appropriate condition, such as explicit consent, establishment, exercise or defence of legal claims, substantial public interest where applicable, or another lawful condition available under UK data protection law.
If a visa authority requires sensitive information and you do not wish to provide it to us, we may advise you to submit the information directly to the relevant authority where possible. However, this may limit the support we can provide.
We do not intentionally collect sensitive personal data unless it is necessary for the service or you provide it to us in connection with your enquiry or application.
Many visa processes require personal data and documents to be submitted to or checked by third parties. These may include embassies, consulates, government departments, visa application centres, outsourced visa service providers, appointment booking portals, courier providers and overseas authorities.
Where you instruct us to support a visa application, you authorise us to use and share the personal data and documents reasonably required to provide that support. This may include preparing forms, checking documents, arranging appointments, communicating with third parties, submitting information through online systems, and helping you respond to requests for further information.
The final decision on any visa application is made by the relevant government authority, embassy, consulate or authorised decision maker. Those organisations may have their own privacy notices, processing rules and data retention periods. We are not responsible for how independent third parties use personal data once it is submitted to them under their own privacy terms.
Many visa processes require personal data and documents to be submitted to or checked by third parties. These may include embassies, consulates, government departments, visa application centres, outsourced visa service providers, appointment booking portals, courier providers and overseas authorities.
Where you instruct us to support a visa application, you authorise us to use and share the personal data and documents reasonably required to provide that support. This may include preparing forms, checking documents, arranging appointments, communicating with third parties, submitting information through online systems, and helping you respond to requests for further information.
The final decision on any visa application is made by the relevant government authority, embassy, consulate or authorised decision maker. Those organisations may have their own privacy notices, processing rules and data retention periods. We are not responsible for how independent third parties use personal data once it is submitted to them under their own privacy terms.
Our website may use cookies and similar technologies to operate the site, improve functionality, remember preferences, understand website usage, protect security and support marketing or analytics activity where permitted.
Some cookies may be strictly necessary for the website to work. Other cookies, such as analytics or marketing cookies, will only be used where required consent has been obtained. Further details about the cookies we use, the purpose of each cookie and how to manage cookie choices will be set out in our Cookies Policy.
You can usually control cookies through your browser settings. If you block all cookies, some parts of our website may not work properly.
We do not sell your personal data. We may share personal data only where necessary, lawful and relevant to the purpose for which it is being used.
We may share personal data with the following categories of recipients:
Where we use service providers to process personal data for us, we take reasonable steps to ensure they process the data securely and only in accordance with our instructions or an appropriate legal basis.
Visa services often require personal data to be transferred outside the United Kingdom. For example, your data may need to be sent to an embassy, consulate, visa application centre, government portal or overseas authority connected with the country you wish to visit.
Where an international transfer is necessary for the visa service you have requested, we will transfer only the information that is relevant and necessary for that purpose. In many cases, the transfer will be necessary to take steps at your request or to perform our contract with you. Where required, we may also rely on your explicit consent or another lawful transfer mechanism available under UK data protection law.
Some of our technology providers, cloud service providers or support providers may also process data outside the UK. Where this happens, we will take reasonable steps to ensure appropriate safeguards are used, such as adequacy regulations, international data transfer agreements, standard contractual clauses or other recognised safeguards where required.
We may collect and use payment and billing information to process payments, issue invoices, manage refunds, keep accounting records, recover unpaid fees and comply with tax and legal obligations.
Where payments are processed through a third-party payment provider or bank, that provider may process payment details under its own terms and privacy policy. We do not normally store full card details unless expressly stated and handled through an appropriate secure payment system.
We take reasonable technical and organisational measures to protect personal data from unauthorised access, misuse, loss, alteration, disclosure or destruction. These measures may include access controls, password protection, secure systems, limited internal access, staff confidentiality, secure document handling, secure disposal and appropriate supplier due diligence.
No website, email system or internet transmission is completely secure. You are responsible for ensuring that any information you send to us is sent using a method you consider appropriate and secure. If you believe your personal data has been sent to us in error, accessed without authority or compromised, please contact us as soon as possible.
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to provide services, manage enquiries, keep business records, comply with legal and accounting obligations, resolve disputes and protect our legal rights.
Type of record | Typical retention approach |
General enquiries | Usually kept for up to 2 years after the last contact, unless a longer period is needed for business, legal or complaint handling reasons. |
Client matter files and visa support records | Usually kept for up to 6 years after the matter is closed, unless a longer or shorter period is required by law, contract, professional requirements, dispute management or the nature of the matter. |
Financial, invoice, payment and accounting records | Usually kept for at least 6 years to meet tax, accounting and legal record-keeping duties. |
Marketing records | Kept until you unsubscribe, withdraw consent or object, with a limited suppression record kept to respect your preference. |
Website, cookie and analytics data | Kept in line with our Cookies Policy, website settings and the retention periods used by relevant analytics, security or hosting providers. |
Complaint, dispute and legal records | Kept for as long as necessary to handle the issue and protect our legal rights. |
When personal data is no longer needed, we will delete, anonymise or securely dispose of it where reasonably possible. Some information may remain in secure backups for a limited period before being overwritten or deleted in accordance with our backup processes.
Subject to certain legal conditions and exemptions, you may have the following rights in relation to your personal data:
These rights are not absolute and may not apply in every situation. For example, we may need to keep certain information to comply with legal obligations, maintain business records, handle complaints, protect legal rights or complete a service you have requested.
To exercise your rights, please contact us at info@cromwellvisas.com. We may ask you to confirm your identity before responding. We will usually respond within one month, unless the request is complex or we are legally allowed to extend the response period.
You have the right to object to our use of your personal data where we rely on legitimate interests as our lawful basis. You also have an absolute right to object to direct marketing at any time.
Where we rely on consent, you can withdraw your consent at any time by contacting us at info@cromwellvisas.com. Withdrawing consent will not affect the lawfulness of any processing carried out before consent was withdrawn. If the information is necessary for a service or visa process, withdrawing consent may mean that we can no longer continue with that part of the service.
We do not make decisions that have legal or similarly significant effects on you solely by automated means. Visa decisions are made by the relevant government authority, embassy, consulate or authorised decision maker, not by Cromwell Visa Services.
We may use online forms, document management systems, website analytics, customer relationship systems or other technology tools to help us manage enquiries, documents and services. These tools do not replace human review where our service requires judgement or client support.
We may process personal data about children, dependants or family members where it is provided for a visa application, family travel, appointment support or related visa service. This may include passport details, birth certificates, parental consent letters, school letters, travel details and other documents required by the relevant visa authority.
Where a child or dependant applicant is involved, the personal data should be provided by a parent, guardian, responsible adult, authorised representative or another person with proper authority to act in relation to the application.
Our website, emails or documents may contain links to third-party websites, booking systems, payment pages, government portals, embassy websites, visa application centre websites, travel providers or other external platforms. We are not responsible for the privacy practices, content, security or policies of third-party websites or systems.
You should read the privacy policy and terms of each third-party website or platform before providing personal data to them.
We may update this Privacy Policy from time to time to reflect changes in our services, website, legal obligations, business practices or data protection requirements. The latest version will be made available on our website or provided on request.
Where changes are significant and we have a suitable way to contact you, we may take reasonable steps to bring the changes to your attention.
If you have any questions about this Privacy Policy, how we use your personal data, or how to exercise your data protection rights, please contact us:
Item | Details |
Organisation | 1st Step Consulting Ltd trading as Cromwell Visa Services |
info@cromwellvisas.com | |
Registered office | 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ |
You also have the right to complain to the UK Information Commissioner’s Office, the UK supervisory authority for data protection. The ICO can be contacted through its website at https://ico.org.uk or by post at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to deal with your concern first, so please contact us if you have any concerns about how we use your personal data.
