Content of this policy:

1. How we collect personal information about you
2. What personal information do we use?
3.  How and why will we use your personal information?
4.  Lawful bases
5. Communications for marketing/ fundraising
6. Children’s personal information
7. How long do we keep your personal information?
8. Will we share your personal information?
9. Security/ storage of and access to your personal information
10. International Data Transfers
11. Exercising your Rights
12. Data Subject Access Requests (DSARs)
13. Changes to this Policy
14. Links and third parties
15. How to contact us

We may collect personal information:

1. Directly from you – e.g., when you submit information via our website or contact us.
2. Indirectly – e.g., from third-party service providers, analytics providers, or social media platforms. We’ll inform you when we do so where required.
3. Publicly available sources – e.g., social media platforms (based on your settings).
4. Automatically when you visit our website – e.g., IP address, browser type, browsing behaviour, etc.

We use essential cookies only as necessary to ensure site functionality. These do not collect personally identifiable information. You may disable cookies via your browser settings. For more, visit www.allaboutcookies.org.

We may collect and process:

• Name, contact details, job title
• Date of birth, gender
• Financial data (e.g. employee bank details)
• Transaction history
• Device and technical data
• Photos, CVs, qualifications
• National Insurance/tax data

We may also process special categories of data (e.g., health, ethnicity, criminal offences) only where permitted under the UK GDPR and where necessary.

Where you use your credit or debit card to purchase from us, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). We do not store your card details for use in future transactions.

(The above list is representative and not exhaustive.)

We may use your personal information to:

• Deliver products/services
• Manage relations with customers and suppliers
• Provide technical support and updates
• Process employment applications
• Meet legal and regulatory obligations
• Prevent fraud or misuse
• Analyse and improve our services
• Defend or establish legal claims

(The above list is representative and not exhaustive.)

Under the UK GDPR, we rely on one or more of the following lawful bases:

• Consent – e.g., for marketing communications
• Legal obligation – e.g., tax or regulatory compliance
• Contractual necessity – e.g., fulfilling orders
• Legitimate interests – e.g., improving services or ensuring security

We assess any potential impact on your rights before relying on legitimate interests.

We may contact you about products, services, or updates related to your interests. We will only do so by email, SMS, or phone with your prior consent, unless otherwise permitted by law.

You may opt out at any time by:

• Clicking “unsubscribe” in our emails
• Contacting marketing@gordonassociates.co.uk

Where we collect data from individuals under 16, we ensure parent/guardian consent is obtained if required. We apply appropriate safeguards for children’s data.

We retain personal data for no longer than 6 years, unless legally required or you exercise your right to erasure earlier. If you opt out of communications, we retain minimal data on a suppression list to honour your request.

We may share data with trusted third parties, including:

• Payment processors
• Professional advisors
• Marketing and analytics platforms
• Regulatory authorities (e.g., HMRC)
• Business buyers (in the event of a sale or merger)

We do not sell or rent your data to third parties for marketing.

(The above list is representative and not exhaustive.)

We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encryption: We use encryption to protect your data during transmission and at rest.
• Access Controls: Access to your personal information is restricted to authorised personnel only, based on a need-to-know basis.
• Regular Security Assessments: We conduct regular security assessments and audits to ensure our systems remain secure.
• Data Minimisation: We only collect and retain the minimum amount of personal information necessary for the purposes outlined in this policy.
• Secure Storage: Your personal information is stored on secure servers located within the UK or the European Economic Area (EEA).

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Once your information is no longer needed, we will securely delete or anonymise it.

As a UK-based organisation, we normally store and process your data in the UK or European Economic Area (EEA).

However, if we transfer personal data to countries outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

• UK ICO-approved Standard Contractual Clauses (SCCs)
• Data transfer risk assessments
• UK adequacy regulations, where applicable

You have the following rights:

• Access – Request a copy of your personal data
• Rectification – Correct any inaccuracies
• Erasure – Request deletion of your data
• Restriction – Limit how we process your data
• Objection – Object to processing for certain purposes
• Data Portability – Receive your data in a structured format
• Automated decision-making – Challenge decisions made solely by automated means

To exercise your rights, contact us (see section 14). You also have the right to lodge a complaint with the ICO: www.ico.org.uk.

You have the right to request access to the personal information we hold about you. This is known as a Data Subject Access Request (DSAR). To make a DSAR, please contact us using the details provided in the “Contact Us” section of this policy.

When making a DSAR, please include the following information:

• Your full name and contact details.
• A clear description of the information you are requesting.
• Any additional details that may help us locate your data (e.g., the context in which we may have collected your information).

We will respond to your request within one month of receiving it. If your request is complex or you have made multiple requests, we may extend this period by up to two further months. In such cases, we will inform you of the extension and the reasons for the delay.

Please note that we may need to verify your identity before processing your request. This is to ensure that your personal information is not disclosed to anyone who does not have the right to receive it.