Privacy Policy & GDPR Statement

Oxford Environmental Consultants' UK GDPR and Data Protection Act 2018 privacy policy — how we collect, process, retain and protect personal data.

1. Introduction

Oxford Environmental Consultants Limited ("OEC", "we", "us") is committed to protecting and respecting the privacy of everyone whose personal data we hold. This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

This Policy has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). We are registered with the Information Commissioner's Office (ICO) as a data controller.

2. Who is the controller?

The controller of your personal data is Oxford Environmental Consultants Limited, a company registered in England & Wales. You can contact us at enquiries@oxford-ec.co.uk or on 03456 868 868. For data protection matters, please contact our Data Protection Lead at the same email.

3. Personal data we collect

We collect and process the following categories of personal data:

  • Identity data — name, job title, organisation.
  • Contact data — email, telephone, postal address.
  • Enquiry data — details of the services you have enquired about, premises addresses, compliance concerns you have raised.
  • Technical data — IP address, browser type, device identifiers, pages visited (via cookies and analytics).
  • Marketing preferences — your choices about whether to receive communications.
  • Employment data (for job applicants) — CV, right-to-work documentation, references.

We do not routinely collect special category personal data (health, ethnicity, political opinions etc.). Where we do (e.g. in access-needs or evacuation-plan contexts), we do so under a specific lawful basis with your explicit consent.

4. Lawful bases for processing

Under Article 6 of the UK GDPR, we rely on the following lawful bases:

  • Contract (Art. 6(1)(b)) — to take steps at your request prior to entering into a contract, and to perform a contract to which you are a party.
  • Legitimate Interests (Art. 6(1)(f)) — to run, grow and secure our business; to respond to B2B enquiries; and to maintain the integrity of our systems.
  • Consent (Art. 6(1)(a)) — for optional marketing communications and for non-essential cookies.
  • Legal Obligation (Art. 6(1)(c)) — to comply with tax, accounting, health and safety, and other statutory obligations.

5. How we use your personal data

We process your personal data to: respond to enquiries and quotations; deliver our services (surveys, risk assessments, remedial works); issue invoices and process payments; administer our client relationships; comply with legal and regulatory obligations; and, where you have consented, send you marketing communications.

6. Who we share your data with

We only share personal data with third parties where it is necessary to do so. Our sub-processors include: cloud infrastructure providers (Amazon Web Services, Google Cloud); email delivery providers (Resend); CRM and analytics providers (Google Analytics 4); accounting systems (Xero/equivalent); and, where required, our sub-contracted surveyors, analytical laboratories and fire-door installers.

All sub-processors are bound by written data processing agreements under Article 28 of the UK GDPR. We do not sell your personal data to anyone.

7. International transfers

Where personal data is transferred outside the UK, we do so only where an adequacy decision exists under Article 45, or we rely on appropriate safeguards under Article 46 — typically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment.

8. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected and to meet any statutory or regulatory retention requirements. Our retention schedule is:

  • Enquiry data — 3 years from the last contact (for B2B lead-nurture).
  • Contract data & survey reports — 12 years (to align with contract claims under the Limitation Act 1980 in respect of deeds).
  • Accounting records — 6 years (HMRC statutory retention).
  • Job applications (unsuccessful) — 6 months.
  • Employee records — 6 years after end of employment.

9. Your rights

Under Articles 15–22 of the UK GDPR, you have the right to: be informed about how we process your data; access the personal data we hold about you (subject access request); have inaccurate data corrected; request erasure of your data in certain circumstances ("the right to be forgotten"); restrict or object to processing; request data portability; and, where we rely on consent, withdraw that consent at any time.

To exercise any of these rights, please email enquiries@oxford-ec.co.uk. We will respond within one calendar month in accordance with Article 12.

10. Cookies

Our website uses cookies in accordance with the PECR. Strictly necessary cookies are set without consent; analytics and marketing cookies are only set once you have given consent through our cookie banner. For details of the cookies we use, please see our Cookie Notice (available on request).

11. Security

We operate appropriate technical and organisational measures, including ISO 27001-aligned information security controls, encrypted data transmission (TLS 1.2+), access controls, audit logging, and staff training. Personal data breaches are managed through a documented incident response process, with reporting to the ICO within 72 hours where required by Article 33.

12. Complaints

If you are unhappy with how we have handled your personal data, please contact us first and we will do our best to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk — Helpline 0303 123 1113.

13. Changes to this Policy

This Policy may be updated from time to time. The current version is reviewed annually and updated as required by changes to law or our processing activities. The last review date is stated at the end of this document.

Version: Reviewed February 2026. Next review February 2027.

This policy is maintained by Oxford Environmental Consultants Limited and forms part of our Integrated Management System certified by Citation / Atlas.