LAST UPDATED MARCH 2026
DATA PROTECTION
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). All our handling and retention of data complies with the law.
As a UK business, we are legally "Data Controllers." Every employee has a duty to protect the personal information of our clients, suppliers, and colleagues.
- The "Need to Know" Rule: Only access or collect personal data (names, emails, IDs) if it is strictly necessary for your current task.
- AI Data Safety: Do not upload any Personally Identifiable Information (PII) into AI tools unless using a Company-approved account. Ensure "Training Mode" is disabled so our data is not used to train public models.
- Reporting Breaches: If you lose a company device (laptop/phone) or accidentally send sensitive data to the wrong person, you must notify Tom within 4 hours. We are legally required to report significant breaches to the ICO within 72 hours.
- Access Requests: If a person asks to see the data we hold on them (a Subject Access Request), pass this to Tom immediately. We only have 30 days to comply.
DATA RETENTION
All company and employee information is retained, stored and destroyed in line with current legislation and regulatory guidelines.
For all data and records obtained by us, we carry out periodic reviews of the data retained, checking its purpose, continued validity, accuracy and whether there is still a requirement to retain it.