Privacy Policy
Last updated: [lastUpdated]
1. Who we are
[controllerName] ("we", "us", "our") is the controller of your personal data under the UK GDPR (retained Regulation (EU) 2016/679) and the Data Protection Act 2018.
- Entity type: [controllerType]
- Address: [controllerAddress]
- ICO registration number: [icoNumber]
- Contact for data requests: [privacyEmail]
- Website: [websiteUrl]
2. What personal data we collect
- Account data: name, email address, hashed password, country, preferences.
- Communications: any messages you send us via email or contact form.
We do not intentionally collect special-category data (UK GDPR Art. 9). If you submit such data via free-text fields, we will delete it on request.
3. How we use your data and our lawful basis
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide our service (account, login, dashboard) | Performance of a contract — Art. 6(1)(b) |
| Comply with HMRC tax recordkeeping | Legal obligation — Art. 6(1)(c) |
| Service announcements, password resets, security alerts | Legitimate interest — Art. 6(1)(f) |
4. Cookies (PECR)
Under the Privacy and Electronic Communications Regulations 2003, we ask for consent before setting any non-essential cookies. Strictly necessary cookies (login session, CSRF, consent record) are always loaded; analytics, advertising, and personalisation cookies require your active opt-in via the cookie banner.
5. Sharing your data
We share your data only with:
- our hosting and infrastructure providers (cloud hosts, database providers);
- HMRC, regulators, and courts where legally required;
- professional advisers (accountants, solicitors) under confidentiality.
We do not sell your data, share it for advertising, or use it for any purpose not listed above.
6. International transfers
Some of our processors are based outside the UK. Where data is transferred outside the UK we rely on the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, or applicable adequacy decisions (e.g. EU-US Data Privacy Framework).{{^internationalTransfers}}All data is processed within the UK. We do not transfer your personal data outside the UK.{{/internationalTransfers}}
7. How long we keep your data
| Data | Retention |
|---|---|
| Account data | While your account is active; deleted within 1 year of account closure unless an overriding legal obligation applies |
| Server access logs | 30 days |
8. Your rights
Under the UK GDPR you have the right to:
- access your personal data (Art. 15);
- have inaccurate data corrected (Art. 16);
- have data erased — "right to be forgotten" (Art. 17);
- restrict processing (Art. 18);
- object to processing based on legitimate interest or for marketing (Art. 21);
- data portability (Art. 20);
- withdraw consent at any time (Art. 7(3));
- not be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22);
- lodge a complaint with the Information Commissioner's Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · 0303 123 1113 · ico.org.uk/make-a-complaint
To exercise any of these rights, email [privacyEmail]. We will respond within one calendar month, extendable by up to two further months for complex requests, with reasoned notification within the first month if we extend.
9. Security
We use industry-standard security measures including TLS in transit, encryption at rest, role-based access controls, and audit logging. No system is 100% secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by Article 33 UK GDPR, and we will notify you without undue delay where the breach is likely to result in a high risk (Article 34).
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified at least 30 days before they take effect via email and an in-site banner. Continued use after the effective date constitutes acceptance.
This privacy policy was generated by UKContracts.uk as a starting point. [controllerName] is the data controller and is responsible for the accuracy of the disclosures in this policy.