GDPR Compliance

Last Updated: June 2026

Our Commitment to Data Protection

cliff-badger is committed to protecting your personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018. This document outlines our compliance approach and your rights as a data subject.

Data Controller Information

For the purposes of data protection legislation, cliff-badger acts as the data controller for personal information collected through our website and services. We determine the purposes and means of processing your personal data.

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our processing activities rely on the following legal grounds:

• Contract: Processing necessary to perform our services or take steps before entering into a contract
• Legitimate Interests: Processing necessary for our legitimate business interests, balanced against your rights and freedoms
• Legal Obligation: Processing required to comply with legal or regulatory requirements
• Consent: Where you have given clear, specific consent for particular processing activities

Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Access

You may request confirmation of whether we process your personal data and obtain a copy of that data. This allows you to verify the lawfulness of our processing activities.

Right to Rectification

You may request correction of inaccurate or incomplete personal data we hold about you. We will respond to such requests within one month.

Right to Erasure

In certain circumstances, you may request deletion of your personal data. This right applies when data is no longer necessary for its original purpose, when you withdraw consent, or when processing lacks legal basis.

Right to Restrict Processing

You may request limitation of how we use your personal data in specific situations, such as when you contest accuracy or object to processing.

Right to Data Portability

Where technically feasible, you may request transfer of your personal data to another service provider in a structured, commonly used format.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless compelling legitimate grounds override your interests.

Rights Related to Automated Decision-Making

We do not employ automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals.

Exercising Your Rights

To exercise any of these rights, please contact us at: contact at cliff-badger.com

We will respond to requests within one month, though this may be extended by two additional months for complex requests. We will inform you of any such extension.

We may request additional information to verify your identity before fulfilling requests, particularly for access or deletion requests.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods vary depending on the nature of the data and legal requirements:

• Client engagement records: Seven years following service completion
• Financial records: Six years as required by UK tax law
• Marketing communications: Until consent is withdrawn or contact becomes inactive
• Website analytics: Typically anonymised after twenty-six months

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls limiting data availability to authorised personnel
• Staff training on data protection principles and procedures
• Incident response procedures for potential data breaches

Data Breach Notification

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office within 72 hours of becoming aware of a breach, where required by law.

International Data Transfers

We primarily process personal data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses approved by regulatory authorities.

Children's Privacy

Our services are not directed at individuals under sixteen years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the information promptly.

Right to Lodge a Complaint

If you believe our processing of your personal data violates data protection law, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement periodically to reflect changes in our practices or legal requirements. Material updates will be indicated by revising the date at the top of this document.