GDPR Compliance

Our commitment to protecting your data rights under UK data protection law

Last Updated: 7 April 2026

Our Commitment to Data Protection

CotswoltechAI operates in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognize that data protection is not merely a legal obligation but a fundamental aspect of maintaining trust with our clients.

This document outlines our approach to data protection compliance and explains your rights in clear, accessible language.

Data Controller Information

For the purposes of data protection legislation, CotswoltechAI acts as the data controller for personal information collected through our services and website.

Data Controller: CotswoltechAI
Address: 42 High Street, Cirencester, Gloucestershire GL7 2NG, United Kingdom
Contact Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The specific legal basis depends on the purpose of processing:

Contractual Necessity

When you engage our services, we process your personal and financial information because it's essential for fulfilling our contractual obligations to you. Without this information, we cannot provide the financial guidance you've requested.

Consent

For certain processing activities, such as sending marketing communications or using non-essential cookies, we rely on your explicit consent. You can withdraw this consent at any time without affecting the lawfulness of processing conducted before withdrawal.

Legitimate Interests

We may process data when necessary for our legitimate business interests, such as improving our services, preventing fraud, or maintaining security. We carefully balance these interests against your rights and freedoms to ensure processing remains fair and appropriate.

Legal Obligations

Certain processing is required to comply with legal and regulatory requirements, such as record-keeping obligations under UK financial services regulations.

Your Data Protection Rights

Under UK data protection law, you have comprehensive rights regarding your personal information. These rights are not absolute and may be subject to certain limitations, but we're committed to facilitating their exercise wherever possible.

Right of Access

You have the right to obtain confirmation of whether we're processing your personal data and, if so, to access that data along with specific information about the processing.

How to exercise this right: Submit a subject access request by emailing [email protected] with "Subject Access Request" in the subject line. We'll provide the requested information within one month, free of charge for the first request.

Right to Rectification

If personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected or completed.

How to exercise this right: Contact us with the specific information that needs correction. We'll update our records within one month and notify any third parties to whom we've disclosed the data, unless this proves impossible or involves disproportionate effort.

Right to Erasure ("Right to be Forgotten")

In certain circumstances, you can request deletion of your personal data. These circumstances include:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent on which processing is based, and there's no other legal ground for processing
  • You object to processing based on legitimate interests, and we have no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

This right is not absolute. We may retain certain information where we have a legal obligation to do so, such as UK financial record-keeping requirements.

Right to Restriction of Processing

You can request that we limit how we use your personal data in the following situations:

  • You contest the accuracy of the data (restriction applies while we verify accuracy)
  • Processing is unlawful, but you prefer restriction to erasure
  • We no longer need the data, but you need it for legal claims
  • You've objected to processing (restriction applies while we verify whether our legitimate grounds override yours)

When processing is restricted, we may still store the data but cannot use it without your consent, except for legal claims, protecting another person's rights, or important public interest reasons.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you can request a copy of your personal data in a structured, commonly used, machine-readable format. You can also request that we transmit this data directly to another controller where technically feasible.

This right applies only to data you've provided to us, not to data we've derived or generated through our analysis.

Right to Object

You have an absolute right to object to processing for direct marketing purposes. We'll cease such processing immediately upon receiving your objection.

For processing based on legitimate interests or public interest, you can object on grounds relating to your particular situation. We'll cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making that would trigger this right, but if our practices change, we'll update this notice accordingly.

How to Exercise Your Rights

To exercise any of the rights described above, please contact us at [email protected]. Include "Data Protection Rights" in the subject line and specify which right you wish to exercise.

We may need to verify your identity before fulfilling your request to ensure we don't disclose personal information to unauthorized individuals. We'll respond to your request within one month, though complex requests may require up to three months. We'll notify you if an extension is necessary and explain the reason for the delay.

Exercising these rights is generally free of charge. However, we may charge a reasonable administrative fee or refuse requests that are clearly unfounded, excessive, or repetitive.

Data Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Our security measures include:

Technical Safeguards

  • Encryption of data in transit and at rest using industry-standard protocols
  • Secure authentication mechanisms with strong password requirements
  • Regular security assessments and vulnerability testing
  • Firewall protection and intrusion detection systems
  • Regular software updates and security patches
  • Secure backup procedures with encrypted storage

Organizational Safeguards

  • Access to personal data is restricted to authorized personnel who require it for their roles
  • Staff training on data protection principles and secure data handling
  • Confidentiality agreements with all personnel who access personal data
  • Clear data retention and disposal policies
  • Regular review and updating of security policies and procedures
  • Incident response procedures for data breaches

Data Breach Procedures

Despite our robust security measures, no system is entirely immune to breaches. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk to individuals
  • Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
  • Document the breach, including facts, effects, and remedial actions taken
  • Take immediate steps to contain and remedy the breach
  • Review our security measures to prevent similar incidents

Third-Party Data Processors

We carefully select third-party service providers who process personal data on our behalf. These processors are contractually bound to:

  • Process data only according to our documented instructions
  • Implement appropriate technical and organizational security measures
  • Assist us in responding to data subject rights requests
  • Notify us of any data breaches without undue delay
  • Delete or return personal data at the end of the service provision
  • Not engage sub-processors without our prior authorization

International Data Transfers

Your personal data is primarily processed within the United Kingdom. If we transfer data to countries outside the UK, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the ICO
  • Adequacy decisions recognizing equivalent data protection standards
  • Binding corporate rules for intra-organizational transfers

Data Protection Impact Assessments

When introducing new processing activities that are likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs). These assessments help us identify and minimize data protection risks.

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law. Our retention periods are based on:

  • Legal and regulatory requirements (e.g., UK financial record-keeping obligations require seven-year retention)
  • The nature and sensitivity of the information
  • The purposes for which we process the data
  • Whether purposes can be achieved through other means
  • Legal limitation periods for potential claims

After the retention period expires, we securely delete or anonymize personal data.

Children's Data

Our services are not directed to individuals under 18. We do not knowingly process personal data of children. If we become aware that we've collected data from a child without appropriate parental consent, we'll delete it promptly.

Updates to This Notice

We may update this GDPR compliance notice periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website and, for active clients, via email. The "Last Updated" date at the top of this document indicates when changes were last made.

Complaints and Regulatory Authority

If you believe we've not handled your personal data in accordance with data protection law, please contact us immediately so we can address your concerns.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: cotswoltechai.uk

Contact Us

For questions, concerns, or requests related to data protection and your rights under UK GDPR, please contact:

CotswoltechAI
42 High Street
Cirencester
Gloucestershire GL7 2NG
United Kingdom
Email: [email protected]