Gordon Associates (“we”, “our”, “us”) (registered company number 2342560) is committed to protecting your privacy. We aim to respect any personal information you share with us or that we receive from others and keep it safe.
This Privacy Policy (“Policy”) sets out our data processing practices and your rights and options regarding how your personal information is used and collected (including through our website – www.gordonassociates.co.uk).
Please read this Policy carefully to understand how we use your personal information. The provision of your personal information to us is voluntary; however, without it, you may be unable to use certain services (e.g., ordering a product).
Content of this policy:
- How we collect personal information about you
- What personal information do we use?
- How and why will we use your personal information?
- Lawful bases
- Communications for marketing/fundraising
- Children’s personal information
- How long do we keep your personal information?
- Will we share your personal information?
- Security/storage of and access to your personal information
- International Data Transfers
- Exercising your Rights
- Data Subject Access Requests (DSARs)
- Changes to this Policy
- Links and third parties
- How to contact us
1. How we collect personal information about you
We may collect personal information:
- Directly from you – e.g., when you submit information via our website or contact us.
- Indirectly – e.g., from third-party service providers, analytics providers, or social media platforms. We’ll inform you when we do so where required.
- Publicly available sources – e.g., social media platforms (based on your settings).
- Automatically when you visit our website – e.g., IP address, browser type, browsing behaviour, etc.
We use essential cookies only as necessary to ensure site functionality. These do not collect personally identifiable information. You may disable cookies via your browser settings. For more, visit www.allaboutcookies.org.
2. What personal information do we use?
We may collect and process:
- Name, contact details, job title
- Date of birth, gender
- Financial data (e.g. employee bank details)
- Transaction history
- Device and technical data
- Photos, CVs, qualifications
- National Insurance/tax data
We may also process special categories of data (e.g., health, ethnicity, criminal offences) only where permitted under the UK GDPR and where necessary.
Where you use your credit or debit card to purchase from us, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). We do not store your card details for use in future transactions.
(The above list is representative and not exhaustive.)
3. How and why will we use your personal information?
We may use your personal information to:
- Deliver products/services
- Manage relations with customers and suppliers
- Provide technical support and updates
- Process employment applications
- Meet legal and regulatory obligations
- Prevent fraud or misuse
- Analyse and improve our services
- Defend or establish legal claims
(The above list is representative and not exhaustive.)
4. Lawful bases
Under the UK GDPR, we rely on one or more of the following lawful bases:
- Consent – e.g., for marketing communications
- Legal obligation – e.g., tax or regulatory compliance
- Contractual necessity – e.g., fulfilling orders
- Legitimate interests – e.g., improving services or ensuring security
We assess any potential impact on your rights before relying on legitimate interests.
5. Communications for marketing/promotional purposes
We may contact you about products, services, or updates related to your interests. We will only do so by email, SMS, or phone with your prior consent, unless otherwise permitted by law.
You may opt out at any time by:
- Clicking “unsubscribe” in our emails
- Contacting marketing@gordonassociates.co.uk
6. Children’s personal information
Where we collect data from individuals under 16, we ensure parent/guardian consent is obtained if required. We apply appropriate safeguards for children’s data.
7. How long do we keep your personal information?
We retain personal data for no longer than 6 years, unless legally required or you exercise your right to erasure earlier. If you opt out of communications, we retain minimal data on a suppression list to honour your request.
8. Will we share your personal information?
We may share data with trusted third parties, including:
- Payment processors
- Professional advisors
- Marketing and analytics platforms
- Regulatory authorities (e.g., HMRC)
- Business buyers (in the event of a sale or merger)
We do not sell or rent your data to third parties for marketing.
(The above list is representative and not exhaustive.)
9. Security/storage of and access to your personal information
We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption: We use encryption to protect your data during transmission and at rest.
- Access Controls: Access to your personal information is restricted to authorised personnel only, on a need-to-know basis.
- Regular Security Assessments: We conduct regular security assessments and audits to ensure our systems remain secure.
- Data Minimisation: We only collect and retain the minimum amount of personal information necessary for the purposes outlined in this policy.
- Secure Storage: Your personal information is stored on secure servers located within the UK or the European Economic Area (EEA).
We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Once your information is no longer needed, we will securely delete or anonymise it.
10. International Data Transfers
As a UK-based organisation, we normally store and process your data in the UK or European Economic Area (EEA).
However, if we transfer personal data to countries outside the UK or EEA, we ensure appropriate safeguards are in place, such as:
- UK ICO-approved Standard Contractual Clauses (SCCs)
- Data transfer risk assessments
- UK adequacy regulations, where applicable
11. Your Rights Under the UK GDPR
You have the following rights:
- Access – Request a copy of your personal data
- Rectification – Correct any inaccuracies
- Erasure – Request deletion of your data
- Restriction – Limit how we process your data
- Objection – Object to processing for certain purposes
- Data Portability – Receive your data in a structured format
- Automated decision-making – Challenge decisions made solely by automated means
To exercise your rights, contact us (see section 15). You also have the right to lodge a complaint with the ICO: www.ico.org.uk.
12. Data Subject Access Requests (DSARs)
You have the right to request access to the personal information we hold about you. This is known as a Data Subject Access Request (DSAR). To make a DSAR, please contact us using the details provided in the “Contact Us” section of this policy.
When making a DSAR, please include the following information:
- Your full name and contact details.
- A clear description of the information you are requesting.
- Any additional details that may help us locate your data (e.g., the context in which we may have collected your information).
We will respond to your request within one month of receiving it. If your request is complex or you have made multiple requests, we may extend this period by up to two further months. In such cases, we will inform you of the extension and the reasons for the delay.
Please note that we may need to verify your identity before processing your request. This is to ensure that your personal information is not disclosed to anyone who does not have the right to receive it.
13. Changes to This Policy
We may update this Policy occasionally. Significant changes will be communicated directly and posted on our website.
Last updated: 9 July 2025
14. Third-Party Links
Our site may contain links to other websites. This Policy does not apply to those websites. Please check their privacy notices before submitting any personal data.
15. How to Contact Us
If you have any questions or concerns, please contact:
Data Protection Officer: Gordon Harrison
Email: gordon@gordonassociates.co.uk
Phone: 01242 529820
Address: Suite G1, Montpellier House, Montpellier Drive, Cheltenham, Glos. GL50 1TY