Privacy Notice

Hi! Thanks for taking the time to read about how we use your information.

This Privacy Notice isn’t here to be agreed to, signed, consented to or otherwise – and it definitely doesn’t form any part of Ts&Cs. Its only purpose is to inform you about how and why your personal data is used so that we are as transparent as possible, and to ensure that you are aware of your rights under data protection legislation. If you have any questions, or you think something is missing or unclear, let us know by getting in touch at [email protected].

Who we are

We are Garden City Assurance Ltd, registered with Companies House under registration 12123178, and with the ICO under registration ZA540727.

Our registered address is:

Red Sky House
Fairclough Hall Farm 
Halls Green

The basics 

  • We keep the minimum amount of information we can about you.
  • We use your personal data to provide our services to you and meet our legal obligations.
  • We delete your data when it is no longer needed for the things we used it for.
  • We do not pass your information to third parties – but there are some exceptions.
  • You have lots of privacy rights.
  • We apply appropriate technical and organisational controls to keep your data secure.
  • We are happy to respond to any queries you have about any of this.

What data do we process?

As our client, we will hold the following information about you:

  • Your name and contact information, along with that of the contacts within your organisation we need to work with.
  • Information about your business activities.
  • Information and documentation about your matters or enquiries, including communications with you.
  • There will sometimes be a Teams meeting recording held on Sharepoint – but only if the session were recorded as mutually agreed.
  • Billing and payment information.

As a potential client, we will hold the following:

  • Your name, and contact information.
  • Information relating to any queries, including business information you have provided to allow us to discuss opportunities.
  • Information and documentation relating to your business gathered from yourself, websites, Companies House, LinkedIn and the ICO.

As an Associate Consultant, we hold the following:

  • Your name, contact and billing information.
  • Information about the type of project you prefer to work on.
  • Your availability.

Explaining the lawful basis

References to the basis of processing (e.g. “(Basis: Art. 6.1.f)”) are a reference to the article of the General Data Protection Regulation under which we undertake the processing in question. This will usually be an Article 6 lawful basis; in the very rare circumstances that Special category Data is processed, a suitable Art 9 basis will be listed.

Providing advice and support about Data Protection, e-Privacy and other good stuff

We use the information we hold about you and your business — both personal and otherwise — to give you the best advice and service we can. For example, we will add your contact details to our internal email address book.

We also use your information to send contracts, bill you, and keep track of payments that you make, as well as to keep in contact throughout our relationship.

(Basis: Art. 6.1.b – performance of a contract for sole traders, and Art 6.1.f Legitimate interests for limited companies).

Sending occasional news and email direct marketing to prospective and existing clients

If we have met at a networking event, have asked for support on internet forums, or contacted us via our website, and we feel that you could be a suitable client, we will perform due diligence checks to ensure that we would be a compatible company for you. The information from these checks is used to contact you to explore business opportunities.

(Basis Art 6.1.f) We have a Legitimate Interest to perform basic due diligence on prospective clients, and to market our services to other organisations.

If at any time, you want to stop receiving marketing emails from us, simply let us know by responding to an email, and we will stop.

N.B. We don’t operate an actual marketing list, so we will never be sending mass mailings.

Third parties

As a general rule, we will not transfer your personal data to third parties without your permission.

There are some exceptions to this:

  • If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. We’ve never done this, but we want to keep this option open to us. (Lawful basis Art 6.1.f. We have a legitimate interest to pursue money owed to us).
  • It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate. (Lawful basis Art 6.1.c. Legal obligation).
  • We use an external accountancy service and they have limited visibility of your personal business data for the administration of company financial affairs. Art 6.1.f. We have a legitimate interest to allow our accountant to have limited access to our client personal data in order to manage our accounts.

Data collected by third parties on our behalf 

Web hosting

Our site is hosted by Fifteen Three Digital Ltd. (registered company number 09033201 in England and Wales).

Our website security plugins log all requests in order to determine the causes of reported faults and to detect and block suspicious traffic. The log records the time of the request, your IP address, the requested resource, and your browser’s user agent string (which will usually include the name and version of your browser and operating system).

Lawful basis for processing: Compliance with a legal obligation.
Why? To comply with the GDPR obligation to implement appropriate technical measures to protect data.

If you send us a message via the Contact Us form, the information provided and the message are stored on the server for 30 days after it’s been delivered to our inbox, and automatically deleted after that.

Lawful basis for processing: We have a legitimate interest to be able to retrieve messages from the server for business continuity purposes. i.e. if for any reason our email fails and we can’t find your message in our internal system.

Overseas transfers

GCA makes minimal use of SaaS solutions, but we do use Microsoft Sharepoint and Microsoft Teams for collaboration projects such as your document uplift and for day to day communication. We only use this if you’re unable to provide us with access to your own systems.

All data stored in MS 365 systems is located in the UK.

Our email is provided by a secure Swiss provider. They have no access to any information unless they are compelled to release it via a court order or similar.

We also sometimes use a Swiss Document Drive – but this is for simple upload and download of documents, not for collaboration work (because it’s not designed for that).

We do not transfer or process data outside the European Economic Area unless we have your specific consent or where the nature of the processing needs it (for example, where we are emailing someone who is based outside the EEA to support your business needs, or because you have chosen to use an email or other communications service which routes data outside the EEA). 

Occasionally, we may work on your matters when we are outside the EEA (for example, when on business or even if we are on holiday) — if this might be a problem for you, please let us know, and we can discuss. 

Your rights

You have lots of rights in respect of our processing of your personal data. The relevant rights are:

  • Get access to your personal data and information about our processing of it.
  • In some circumstances, compel us to erase the bits we do not use for legal reasons – this isn’t an absolute Right, so we’ll assess these requests on a case by case basis.
  • Object to our processing for business to business marketing.
  • Ask us to rectify any inaccurate information we may inadvertently hold, and restrict us from using it, until things are corrected.

If you want to exercise any of these rights, please just get in contact at [email protected]  and we’ll be happy to assist.

We will need to ensure you are who you say you are when you submit a Rights Request, but once that has been done, we will respond in a timely manner and within one month of receipt. 

We’d much prefer you talk to us if you have an issue, but you also have the right to lodge a complaint about our processing with a supervisory authority — the UK’s Information Commissioner’s Office. 

Information Commissioner’s Office
Wycliffe House
Water Lane
SK9 5AF 

Telephone: 0303 123 1113

How long do we keep your information?

Data about clients: duration of your relationship with us, then seven years.
Data about prospective clients: 2 years from last meaningful contact unless you have asked us to add your information to a suppression list. If you have requested suppression, we will keep the bare minimum so that we can be sure not to re-add you to any marketing lists.
Data about specific matters: duration of the matter, then seven years.
Data about associates who work with us: duration of your relationship with us, then seven years.

We think that covers everything, but if you feel that we’ve forgotten something, please let us know by emailing: [email protected]

Version - September 2023

Scroll to Top