Privacy Policy
Last updated: 14th November 2025
Valid from: 14th November 2025
Hebborn Consultancy Ltd takes your privacy seriously. This policy explains what personal data we collect, why we collect it, the lawful reasons for doing so, how long we keep it, who we share it with and the rights you have. We follow the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended and the Data Use and Access Act 2025.
We do not sell or trade personal data.
We only collect what we need to deliver our services or to meet our legal obligations.
1. Who we are
Hebborn Consultancy Ltd
Registered office: [Insert address]
Telephone: [Insert number]
Email: dpo@hebborn.co.uk
We are the Data Controller for all personal data described in this policy.
2. Personal data we collect
We may collect:
• Your name, contact details and job role.
• Information relating to enquiries, instructions or the services we provide.
• Emails, correspondence and records of calls you make to us.
• Website usage information collected through cookies with your consent (see section 9).
We do not intentionally collect special category data. If you choose to share such information with us in circumstances where it is necessary for the work being carried out, we will apply the correct Article 9 and DPA 2018 conditions and store it securely.
We do not carry out automated decision making or profiling.
3. Lawful bases for processing
We process personal data on the following lawful bases:
Contract
To respond to enquiries, provide quotations, deliver consultancy or DPO services and manage our relationship with you.
UK GDPR Article 6(1)(b).
Legal obligation
To meet statutory duties under the UK GDPR, DPA 2018, DUAA 2025, PECR 2003 and general UK law.
UK GDPR Article 6(1)(c).
Legitimate interests
Where we need to operate and protect our business, manage client relationships, secure our systems, keep records of advice given or pursue or defend legal claims.
UK GDPR Article 6(1)(f).
Our interests never override your rights and you can object at any time.
Consent
Used only where required for non-essential cookies or for direct marketing where PECR requires it.
You can withdraw consent at any time.
Special category data
Where required, we use the relevant conditions under Article 9(2) and Schedule 1 DPA 2018.
We do not seek such data routinely.
We do not rely on the DUAA legitimate interest extension for public-interest purposes unless strictly applicable.
4. How we use your personal data
We may use your personal data to:
• Provide consultancy and DPO services.
• Respond to enquiries.
• Maintain records for accountability, including advice given.
• Manage billing and finance.
• Meet regulatory or legal duties.
• Protect our systems, security and business continuity.
• Carry out marketing where allowed under PECR.
We do not use your data for unrelated purposes.
5. Sharing your personal data
We only share your data when necessary and proportionate. This may include:
• Professional advisers who assist us (accountants or legal advisers).
• IT and communications providers who support our systems.
• Regulators if required by law (for example the ICO).
All third parties are bound by contracts that meet UK GDPR Article 28 and DUAA Section 14 standards.
Data is not shared with any organisation for their marketing purposes.
6. International transfers
We process and store data in the UK.
If we ever transfer data outside the UK, we will ensure the receiving country has an adequacy decision or that the transfer is covered by appropriate safeguards such as the UK IDTA or the UK Addendum to the SCCs.
We will update this section if the DUAA’s international transfer provisions change once the relevant amendments to UK GDPR Articles 44 to 49 come fully into force.
7. Data retention
We keep personal data only for as long as necessary for the purpose it was collected and to meet legal, regulatory or contractual requirements.
General retention periods:
• Client contact details and service records: normally 2 years after last contact unless longer is required for legal claims or accountable record keeping.
• Financial and invoicing records: 6 years.
• Marketing data: until withdrawn or after 2 years of inactivity.
• Cookies: see your browser settings and section 9.
Where retention is extended for legal claims or regulatory matters, we will retain only what is necessary and review annually.
8. Your rights
You have the following rights under the UK GDPR:
• Right to be informed.
• Right of access.
• Right to rectification.
• Right to erasure.
• Right to restrict processing.
• Right to data portability.
• Right to object.
• Rights related to automated decision making (not used by us).
We will respond to rights requests within one calendar month.
Under the DUAA, we may apply the reasonable and proportionate search standard when responding to Access Requests. We will explain if this applies and why.
9. Cookies
Our website uses necessary and non-essential cookies. Non-essential cookies require your consent. Cookies are never dropped before consent.
We do not list every individual cookie because cookies change, but a full list is available on request.
You can manage or withdraw cookie consent at any time via your browser settings or our cookie notice. Please see our Cookie Policy.
10. Information security
We apply appropriate technical and organisational measures which include secure systems, access controls, logging, encryption where applicable and regular review.
All staff and contractors are bound by confidentiality duties.
Audit trails are maintained in line with DPA 2018 and DUAA requirements.
11. DUAA 2025
Where the Data Use and Access Act 2025 introduces enhanced duties, we adopt them.
This includes:
• Maintaining access and processing logs.
• Applying the DUAA’s reasonableness standard for access requests.
• Ensuring processors meet Section 14 requirements for transparency, contracting and accountability.
• Meeting the new obligations around data stewardship and oversight.
This section will be updated as further guidance is issued by the ICO.
12. Complaints
If you are unhappy about how we handle your personal data, contact us first so we can resolve the matter for you.
You can also contact:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk
13. Changes to this policy
We review this policy regularly and update it when required to ensure accuracy with UK GDPR, DPA 2018, PECR 2003 and DUAA 2025.
Significant updates will be clearly signposted on our website.
