1. Data controller identity and contact
For the purposes of the UK GDPR and the EU GDPR (where applicable), the data controller is Thames & Ledger Ltd. We determine the purposes and means of processing personal data collected through this website.
2. Personal data we collect
We collect only the data that is reasonably necessary to operate the website, improve content quality, respond to enquiries, and (if you choose) send an email briefing. We do not ask for sensitive categories of personal data (such as health, political opinions, or financial account details) through our standard forms.
Data you provide directly
- Full name (when provided in a contact request)
- Email address (newsletter signup or contact)
- Phone number (only if you choose to include it)
- Message content (the text you submit to us)
- Marketing consent status (whether you opted in)
Data collected automatically
- IP address and approximate location (derived from IP)
- Browser and device information (user agent, OS, screen size)
- Usage data (pages viewed, time on page, referrer, clicks)
- Cookies and similar identifiers (see Section 10)
- Server logs (request time, URL, response code)
What we do not collect
We do not request bank account numbers, payment card details, national insurance numbers, passport numbers, or documents. If you choose to include such details in a message, please remove them before submitting. If we receive sensitive data unintentionally, we will limit access and delete it where appropriate.
3. How we collect personal data
We collect data through a small number of channels. Some collection is necessary for the website to function, such as standard server logs. Other collection is optional and depends on your choices, such as accepting analytics cookies or signing up to receive emails.
Web forms
When you submit a form (for example, email briefing signup), we collect the values you enter such as email and name. We use this to provide the requested communication. Each form includes a link to this Privacy Policy so you can review how the data will be used.
Cookies and similar technologies
Cookies are small text files stored on your device. We use a cookie banner so you can accept or reject optional cookies. Strictly necessary cookies and local storage entries may be used for preferences such as cookie consent status.
Analytics tools
If you accept analytics cookies, we may measure aggregated site usage to understand which pages are helpful and where visitors get stuck. We aim to configure analytics to collect the minimum data required for meaningful reporting. We may use Google Analytics 4 (GA4) for this purpose.
Advertising and measurement pixels
If you accept marketing cookies, we may use a pixel such as the Meta Pixel to measure whether visitors reached key pages or completed a signup. This helps us evaluate campaigns and limit irrelevant ads. We do not show different content to different users based on tracking.
Server logs and security monitoring
Like most websites, our servers automatically collect logs when pages are requested. These logs can include IP address, date and time, requested URL, response code, and user agent. We use logs for troubleshooting, detecting abuse, and maintaining the security and stability of the website. Access to logs is restricted to personnel and providers who need it for operational reasons.
4. Legal basis for processing (GDPR Article 6)
We process personal data only when there is a valid legal basis. Depending on the context, we rely on consent, contract necessity, legitimate interests, and legal obligations. The table below provides a practical mapping for common activities.
| Activity | Data types | Legal basis |
|---|---|---|
| Newsletter signup and delivery | Email, name, consent status, delivery metrics (if enabled) | Consent (Art. 6(1)(a)); Contract necessity for sending requested messages (Art. 6(1)(b)) |
| Responding to enquiries | Name, email, phone (optional), message | Legitimate interests (Art. 6(1)(f)) to respond; Contract necessity (Art. 6(1)(b)) where you request a service |
| Website analytics (optional) | Cookie identifiers, IP (may be truncated), device and usage data | Consent (Art. 6(1)(a)) |
| Marketing measurement (optional) | Cookie/pixel identifiers, event data, referrer | Consent (Art. 6(1)(a)) |
| Security and abuse prevention | Server logs, IP, request metadata | Legitimate interests (Art. 6(1)(f)) to secure our systems; Legal obligations (Art. 6(1)(c)) where applicable |
Where we rely on legitimate interests, we consider necessity, proportionality, and your reasonable expectations. You can object to processing based on legitimate interests as described in Section 9.
5. Purposes of processing
We process personal data for a defined set of purposes. We do not use your personal data for unrelated activities without providing notice and, where required, obtaining your consent. In practical terms, the main reasons we process data are listed below.
Service delivery and site operation
We process technical data to deliver pages to your device, remember essential preferences, and keep the website stable. This includes routing requests, mitigating abuse, and diagnosing performance issues.
Customer support and communications
If you contact us, we use your details to respond and to keep a record of the conversation so we can follow up and handle corrections or complaints. We limit access to messages and apply retention rules in Section 6.
Marketing (consent-based only)
If you opt in, we send a weekly email briefing. If you accept marketing cookies, we may measure campaign performance using pixels. You can withdraw consent at any time without affecting your ability to read our site.
Fraud prevention and legal compliance
We may process limited data to protect the site from bots, scraping, and other attacks, and to comply with legal obligations such as responding to valid legal requests.
6. Retention periods
We keep personal data only for as long as needed to fulfil the purpose for which it was collected, including for legal, accounting, or security reasons. Where possible, we delete or anonymise data after the retention period.
Retention schedule (typical)
- Form submissions (enquiries): up to 2 years after last contact, then deletion unless a longer period is required to resolve a dispute.
- Newsletter list: until you unsubscribe, then suppressed for 30 days to prevent accidental resubscription, then deletion or irreversible anonymisation.
- Analytics data (if enabled): 14 months in the analytics tool, then automatically deleted according to configuration.
- Server logs: typically 30 to 90 days, unless needed longer for security investigations.
- Cookie consent preference: stored until you change it or clear your browser storage.
Retention may be extended when required by law, when a complaint is being handled, or when it is necessary to establish, exercise, or defend legal claims.
8. International data transfers
We are based in the United Kingdom. Some of our service providers may process data outside the UK or the European Economic Area (EEA), for example in the United States, depending on where their infrastructure and support teams are located.
Where personal data is transferred internationally, we use appropriate safeguards. This typically includes Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) or UK addendum where applicable, plus additional technical and organisational measures when needed.
What this means for you
If you consent to analytics or marketing cookies, some event data may be processed by providers outside the UK/EEA. You can reject optional cookies using the cookie banner. Reading our articles does not require accepting optional cookies.
9. Your rights under GDPR
If the GDPR applies to you, you have rights over your personal data. We respect these rights and provide ways to exercise them. Some rights are subject to limits and exceptions under law, such as where fulfilling a request would adversely affect the rights of others.
Your rights
- Right of access (receive a copy of your data)
- Right to rectification (correct inaccurate data)
- Right to erasure (delete data in certain cases)
- Right to restrict processing (pause certain uses)
- Right to data portability (receive certain data in a portable format)
- Right to object (to processing based on legitimate interests)
- Right to withdraw consent (where processing is consent-based)
How to exercise your rights
Email [email protected] from the address associated with your request, and include:
- the right you want to exercise
- the email address used for subscription or contact
- any relevant context (for example, the date you contacted us)
We may ask for additional information to verify your identity before fulfilling a request. This is a security measure to prevent unauthorised access.
Right to complain
If you are in the UK and you believe our processing infringes data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can find guidance and complaint forms on the ICO website. We would appreciate the opportunity to address your concerns first, and you can contact us at [email protected].
11. Children’s privacy
Our content is educational and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, please contact us at [email protected].
If we learn that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data and to prevent further collection where possible.
12. Policy updates
We may update this Privacy Policy to reflect changes in our practices, technologies, or legal requirements. When we make changes, we will update the “Last Updated” date at the top of the page. If changes are significant, we may provide additional notice such as a banner on the site or an email to subscribers when appropriate.
Continued use of the website after an update means you have had the opportunity to review the revised policy. If you do not agree with the updated policy, you should stop using the site and, where applicable, withdraw consent for optional cookies or unsubscribe from email communications.
13. Contact details and Data Protection Officer
If you have questions about this policy, want to exercise your rights, or want to request deletion of data, you can contact our privacy team. We may not be legally required to appoint a formal Data Protection Officer for our activities, but we maintain a dedicated privacy contact to ensure requests are handled promptly and consistently.
If you receive our newsletter, you can unsubscribe using the link in every email. For deletion requests (including unsubscribe confirmation and removal), email us at [email protected]. We typically respond within one month, and sooner where possible.
To reduce risk of fraud, we may verify requests by replying to the email address on file or asking for limited information that confirms identity.
Quick summary (plain English)
We run a publishing website. You can read it without accepting optional cookies. If you subscribe to our email briefing, we use your email address to send the newsletter and keep minimal records to manage subscriptions and prevent accidental re-subscription after an unsubscribe. Optional analytics and marketing cookies are controlled by the cookie banner. We do not sell your personal data, and you can ask for access or deletion by emailing our privacy team.