Privacy Notice

Introduction

DPOS AI Ltd (“the Company”, “we”, “us”, or “our”) is a United Kingdom–based data protection and regulatory compliance consultancy.

We are committed to upholding the highest standards of confidentiality, integrity, and lawful processing of personal data. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

This policy applies where you:

  • Engage our consultancy services
  • Appoint us as outsourced Data Protection Officer (DPO)
  • Visit our website
  • Attend our training sessions
  • Communicate with us
  • Interact with us as a client, supplier, or professional contact

We operate solely within the United Kingdom and do not conduct international operations.

Company Information

Registered in England and Wales

Registered Office: 3rd Floor, 86-90 Paul Street
London
England
EC2A 4NE
United Kingdom

Contact details for data protection matters:

Email: info@dposai.com

For queries on cookies or data collected, contact: info@dposai.com

Our Data Protection Roles

Depending on the nature of our engagement, we may act in one of three capacities:

Data Controller

We act as Data Controller in respect of:

  • Our own business operations
  • Client and supplier contact information
  • Financial and accounting records
  • Training attendee records
  • Website administration

In this capacity, we determine the purposes and means of processing.

Data Processor

During consultancy engagements, we may process personal data on behalf of clients. In such cases:

  • Processing is governed by a written contract compliant with Article 28 UK GDPR.
  • We act strictly on documented instructions from the client.
  • The client remains the Data Controller.

Outsourced Data Protection Officer

Where formally appointed as an external DPO:

  • We perform duties under Article 39 UK GDPR.
  • We operate independently and without conflict of interest.
  • We are bound by statutory confidentiality obligations.

We may access personal data as necessary to fulfil our DPO responsibilities.

Categories of Personal Data We Collect

We do not collect marketing leads online and do not operate mailing lists for promotional purposes.

We may collect the following categories of personal data:

Client and Professional Contact Information

  • Name
  • Job title
  • Organisation name
  • Business address
  • Business email address
  • Telephone number

Consultancy-Related Data (Processed on Behalf of Clients)

In the course of providing services, we may access:

  • Employee data
  • Customer data
  • Special category data (where relevant to compliance reviews)
  • Internal policies and governance documentation

Such data is processed solely under contractual instruction.

Financial and Contractual Information

  • Billing address
  • Payment records
  • Contract documentation

Website Technical Data

  • IP address
  • Browser and device information
  • Limited usage analytics

Our website does not include newsletter sign-ups, automated lead capture forms, or behavioural advertising mechanisms.

Training and Event Data

  • Attendee names
  • Organisation details
  • Attendance records
  • Course feedback

Legal Bases for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contractual necessity – to deliver consultancy services
  • Legal obligation – to comply with statutory and regulatory duties
  • Legitimate interests – to manage professional relationships and operate our business effectively
  • Consent – where legally required

When acting as Data Processor, the lawful basis is determined by the client as Data Controller.

Special Category Data

We do not collect special category data for our own commercial purposes.

However, when conducting audits, DPIAs, investigations, or DPO functions, we may access special category data processed by our clients. In such circumstances:

  • Processing is governed by a written agreement.
  • We apply enhanced security safeguards.
  • We adhere to strict confidentiality standards.

How We Use Personal Data

We process personal data for the following purposes:

  • Delivering consultancy and compliance services
  • Performing outsourced DPO duties
  • Conducting audits and risk assessments
  • Drafting policies and governance documentation
  • Delivering training programmes
  • Managing contracts and invoices
  • Maintaining professional records
  • Complying with legal obligations
  • Protecting our legal rights and interests

We do not sell personal data.
We do not conduct automated marketing campaigns.
We do not engage in profiling.

Data Sharing

We may share personal data only where necessary and proportionate.

Professional Advisers

  • Accountants
  • Solicitors
  • Insurers

IT and Infrastructure Providers

  • Secure cloud hosting providers
  • IT support services

All third-party service providers are subject to contractual confidentiality and data protection obligations.

We do not transfer personal data outside the United Kingdom.

Data Retention

We retain personal data only for as long as necessary to:

  • Fulfil contractual obligations
  • Meet statutory and regulatory requirements
  • Comply with HMRC record-keeping rules
  • Protect against legal claims

Typical retention periods:

  • Client engagement records: 6–7 years after contract termination
  • Financial records: 6 years
  • Training records: 3–6 years
  • Processor data: In accordance with client instructions

Data is securely deleted or anonymised when retention is no longer required.

Data Security

As a specialist data protection consultancy, information security is embedded within our governance framework.

We implement appropriate technical and organisational measures, including:

  • Encryption in transit and at rest
  • Multi-factor authentication
  • Role-based access controls
  • Secure document management systems
  • Confidentiality agreements
  • Staff data protection training
  • Periodic security review

While we apply rigorous safeguards, no system can guarantee absolute security.

Individual Rights

Under UK GDPR, individuals have the right to:

  • Access their personal data
  • Rectify inaccurate information
  • Request erasure (where applicable)
  • Restrict processing
  • Object to processing
  • Data portability (where applicable)
  • Lodge a complaint with the Information Commissioner’s Office (ICO)

Where we act as Data Processor, data subject requests should ordinarily be directed to the relevant Data Controller (our client).

Requests may be submitted to:
info@dposai.com

Complaints may be made to the ICO at:
www.ico.org.uk

Confidentiality and Independence

All employees, consultants, and contractors are subject to strict confidentiality obligations.

Where appointed as outsourced DPO, we operate independently in accordance with Article 38 UK GDPR and ensure there is no conflict of interest in performing statutory duties.

Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

Cookies

Our website uses only essential and limited analytical cookies necessary for:

  • Website functionality
  • Security
  • Basic performance monitoring

We do not use marketing or behavioural advertising cookies.

Changes to This Policy

We may amend this Privacy Policy from time to time to reflect legal or operational changes. Updates will be published on our website with a revised effective date.

Contact

DPOS AI Ltd
3rd Floor, 86-90 Paul Street
London
England
EC2A 4NE
United Kingdom

Email: info@dposai.com
Telephone: +44 7417 545 043