GDPR Compliance
Your data protection rights explained
The General Data Protection Regulation (GDPR), as retained in UK law following Brexit (UK GDPR), along with the Data Protection Act 2018, governs how we handle personal data. This page explains our compliance approach and your rights as a data subject.
Our Role as Data Controller
CotswoltechAI acts as the data controller for personal information we collect directly from you. This means we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with data protection law.
Our contact details for data protection matters are:
CotswoltechAI
47 Colmore Row
Birmingham, B3 2BS
United Kingdom
Email: [email protected]
Lawful Bases for Processing
We process personal data only when we have a valid lawful basis. The specific basis depends on how we collect and use the information:
Contractual necessity
When you engage our services, we need to process your personal and financial information to deliver those services. Without this information, we cannot provide the guidance you are seeking.
Legitimate interests
We may process data based on legitimate business interests, provided these do not override your fundamental rights. Examples include improving our services based on feedback and maintaining records of past consultations for continuity of service.
Consent
Where we rely on consent, such as for sending marketing emails, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew consent.
Legal obligation
In some cases, we must process data to comply with UK law, such as financial record-keeping requirements or responding to lawful requests from authorities.
Your Rights Under UK GDPR
Data protection law provides you with specific rights regarding your personal information:
Right to be informed
You have the right to know how we collect and use your personal data. Our privacy policy and this GDPR page provide this information in clear, accessible language.
Right of access
You may request a copy of the personal data we hold about you. This is commonly known as a Subject Access Request. We will respond within one month and provide the information free of charge in most cases.
Right to rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We aim to update records within one month of receiving a valid request.
Right to erasure
Also known as the right to be forgotten, this allows you to request deletion of your personal data in certain circumstances. This right is not absolute and may not apply where we have a legal obligation to retain data or an ongoing legitimate need.
Right to restrict processing
You can ask us to limit how we use your data while we address any concerns you have raised about accuracy or our lawful basis for processing.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
Right to object
You may object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose immediately.
Rights related to automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
Exercising Your Rights
To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before processing your request. Please provide sufficient information to help us locate your records.
We will respond to valid requests within one month. If your request is complex or we receive multiple requests, we may extend this by a further two months, but we will inform you within the first month if this is necessary.
There is no fee for most requests. However, if requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.
Data Minimisation
We collect only the personal data necessary for the purposes we have explained. We do not gather information speculatively or retain it longer than needed. Our consultation process focuses on information directly relevant to your financial guidance needs.
Data Security Measures
We implement appropriate technical and organisational measures to protect personal data against accidental loss, destruction, damage, or unauthorised access. These include:
- Encryption of sensitive data at rest and in transit
- Access controls limiting data access to authorised personnel
- Regular review of security practices and protocols
- Secure disposal of data when no longer required
- Staff training on data protection responsibilities
International Data Transfers
We primarily store and process data within the United Kingdom. Where we use service providers based outside the UK, we ensure appropriate safeguards are in place, such as:
- Standard contractual clauses in the form approved for UK use (the ICO's International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses)
- UK adequacy regulations recognising that the destination country provides adequate protection
- Other lawful transfer mechanisms permitted under UK GDPR
Data Breaches
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also inform you directly without undue delay.
Children's Data
Our services are intended for adults. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
Complaints
If you are unhappy with how we have handled your personal data or responded to a rights request, please contact us first so we can try to resolve the matter.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk
Updates to This Information
We may update this GDPR page to reflect changes in our practices or legal requirements. Material changes will be communicated through our website.