PECR Policy
We are committed to respecting and protecting your privacy, particularly in relation to electronic communications, use of cookies, and direct marketing practices.
1. Legal compliance
We follow the UK GDPR and Data Protection Act 2018 in processing personal data and adhere to PECR regarding cookies and electronic communications.
2. Cookies
- Essential cookies required for site functionality don’t require consent.
- Analytics/marketing cookies require your prior consent, which can be withdrawn at any time.
3. Email & SMS marketing
- We only send marketing emails/SMS to those who have opted in.
- Every message includes an easy opt-out option.
4. Data security
- Personal data is stored securely, encrypted in transit and at rest.
- Access is restricted to authorised individuals only.
- We conduct regular staff training on data protection.
5. Data protection by design & default
We integrate data privacy into processes, systems, and contracts — collecting only what’s necessary and safeguarding it by default.
6. Data breaches
Any suspected breach is immediately assessed. If it is likely to pose a risk to rights or freedoms, we will notify the ICO within 72 hours and affected individuals where required.
7. DPIAs (Data Protection Impact Assessments)
We conduct DPIAs for high-risk processing (e.g., CCTV, sensitive data profiling) and implement mitigation measures as standard.
8. Third-party processors
All processors undergo due diligence and are bound by contractual obligations, including GDPR compliance. We audit their policies regularly.
9. Review cycle
This policy is reviewed at least annually, or following changes in law or data processing practices.