On 25 May 2018, a new regulation called The General Data Protection Regulation (GDPR) came into force and applies to all UK businesses.

The regulation requires businesses to document how we manage client data in a simple and easy-to-understand format. This document details how Ltd manages your data.

Legitimate Interest and Contractual Obligations

To offer our services we have to collect key bits of data about you. This data can be used to personally identify individuals and either carry a legitimate interest (a legitimate reason as to why we need it) or a contractual obligation (an agreed reason why we need it).

An example of a legitimate reason: you have contacted Ltd so we, therefore, have a legitimate interest (reason) to store your data so that we can contact you back.

An example of a contractual obligation: we are supporting a process within your company, to do this we need to be able to recognise individuals in your business that need to have access to our employees, and the authorisation to keep, manage and secure this data would belaid out in a contract.

The rights you have to your data

You have the right to be informed about how we use your data, as laid out in this document. You have the right to update your personal data as follows:

•   To keep this data up to date you need to contact us.
•   To ask us to delete your personal data – however, there may be circumstances where we are legally entitled to retain it.
•   To get a free copy of your personal data through a Subject Access Request (covered later in this policy).
•   You can object to the processing of your data and have it restricted. There are circumstances in where we are legally entitled to refuse this request.

The security of your data

We use a number of services to manage and maintain the data we control and process. These services are vetted to make sure they abide by the highest level of security. In addition, where possible, we implement our own additional access controls and security procedures.

We also contract with Kimbley IT to manage our IT security; they are a certified Google Cloud Partner and are also Cyber Essentials Certified.

The processors we use to manage your data

Google Cloud – Google Workspace

We use Google Workspace to manage our email, calendars, documents, and files in Google Drive.
We keep data for 36 months then it is auto-deleted.
You can read more about Google GDPR here.

Google Cloud Platform

We use Google’s built-in industry-standard security to store and process your data. Your data is backed up daily in line with Google’s security policy.


Third Party Processors

Ourcarefully selected partners and service providers may process personal information about you on our behalf as described below:

“Digital Marketing Service Providers
We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information.  Our appointed data processors include:

(i)ProspectGlobal Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro andview their privacy policy here:  Sopro are registeredwith the ICO Reg: ZA346877 their Data Protection Officer can be emailedat:”


Xero is our accounting software and is used for invoicing, bank reconciliations, and other similar accountancy functions.

Our accountants, Towers and Gornall, have access to this system and process data for the purposes of bookkeeping and annual accounts.

Data stored in Xero is kept for six years from the date it was created. This is a regulatory requirement under the VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21. You can read more about Xero’s GDPR compliance here.

Subject Access Request

It is really important that you can request to find out what personally identifiable data a business holds about you.

You can email to make a SAR request. You will need to supply identification before we can proceed with the SAR, this is to make sure that you are the real owner of the data you are requesting. We will then collect the data we hold about you and release it to you within 30 days of your request and suitable identification being produced.

Your first SAR request is free of charge, however, any subsequent requests which fall within a close period of your first request will be chargeable.