PRIVACY POLICY
UK GDPR · Data Protection Act 2018 · DUA Act 2025 · Acme Technologies Ltd
Effective Date: 2026-04-01
https://www.acmetech.co.uk
Acme Technologies Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit https://www.acmetech.co.uk, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended.
1. WHO WE ARE (DATA CONTROLLER)
Acme Technologies Ltd is the data controller responsible for your personal data within the meaning of Article 4(7) UK GDPR.
Registered Address: 10 Innovation Drive, Manchester, M1 2AB, United Kingdom
Contact Email: privacy@acmetech.co.uk
Contact Phone: +44 20 7946 0958
Company Registration Number: 12345678
ICO Registration Number: ZA123456
Under section 137 of the Data Protection Act 2018, organisations that process personal data must register with the Information Commissioner's Office (ICO) and pay the annual data protection fee unless an exemption applies.
We collect and process personal data that you provide to us directly and data that is automatically generated when you use our website.
The categories of personal data we collect include: names, email addresses, IP addresses, cookies, and website usage data.
We collect this information when you contact us, complete forms on our website, subscribe to our newsletter, make a purchase, or otherwise interact with our services. We collect only the minimum personal data necessary for the purpose, in line with the data minimisation principle in Article 5(1)(c) UK GDPR.
3. HOW WE USE YOUR INFORMATION AND OUR LAWFUL BASIS
We process your personal data on the following lawful basis under UK GDPR Article 6: Consent (Article 6(1)(a) UK GDPR).
We use your personal data to: (a) provide and maintain our services; (b) respond to your enquiries; (c) send you information about products or services you have requested or that we believe may interest you (where you have consented under Article 6(1)(a) UK GDPR or where the soft-opt-in under regulation 22(3) PECR applies); (d) comply with our legal obligations (including AML, tax and accounting laws); (e) improve our website and services; and (f) protect against fraud and ensure security.
Where we process special categories of personal data (Article 9 UK GDPR) — for example health data or data revealing racial or ethnic origin — we do so only on a lawful basis under Article 9(2) UK GDPR and Schedule 1 of the Data Protection Act 2018.
We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements, in line with the storage-limitation principle in Article 5(1)(e) UK GDPR. Our retention period is: 2 years from last interaction, or as required by law.
When personal data is no longer required, we will securely delete or anonymise it in accordance with our data retention schedule.
5. DATA STORAGE AND SECURITY
Your personal data is stored in the United Kingdom. We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as required by Article 32 UK GDPR. These measures include encryption in transit and at rest, role-based access controls, multi-factor authentication, regular security assessments, and staff training. We align our information-security programme to recognised standards (such as NCSC Cyber Essentials or ISO/IEC 27001:2022) where appropriate to our scale.
Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
6. COOKIES AND SIMILAR TECHNOLOGIES
Our website uses cookies and similar tracking technologies (regulated by regulation 6 of the Privacy and Electronic Communications Regulations 2003) to enhance your experience and analyse usage patterns. We classify cookies as follows:
(a) Strictly necessary cookies — required for the website to function; no consent required;
(b) Functional cookies — remember choices; consent required;
(c) First-party analytics cookies — used solely to measure and improve our own service; permitted on a soft-opt-in basis (with clear notice and opt-out) under the amendments made to PECR by the Data (Use and Access) Act 2025;
(d) Marketing / advertising cookies — used to target advertising; strict opt-in consent required.
We manage your cookie preferences through a cookie consent banner and a dedicated cookie settings page. You may control the use of cookies through your browser settings or our cookie preference centre. Please note that disabling certain cookies may affect the functionality of our website. For more information about the cookies we use, please refer to our Cookie Policy.
We will send you electronic marketing communications (including email and SMS) only where: (a) you have given prior consent under regulation 22 of the Privacy and Electronic Communications Regulations 2003 ("PECR"); or (b) the "soft opt-in" under regulation 22(3) PECR applies, meaning that we obtained your contact details in the course of a sale (or negotiations for a sale) of similar products or services, we offered you a free and easy means of opt-out at that time, and we offer you a free and easy opt-out in every subsequent message.
You may opt out of marketing at any time by clicking the "unsubscribe" link in any marketing email, by contacting us at the address above, or by adjusting your account preferences. We process opt-outs within 28 days as required by the ICO Direct Marketing Code of Practice.
We do not engage in postal mailing or live-call telemarketing without first screening against the relevant Mail Preference Service / Telephone Preference Service registers.
8. AUTOMATED DECISION-MAKING AND AI
Where we use artificial-intelligence ("AI") or machine-learning tools to process your personal data, we comply with our obligations under Articles 13(2)(f), 14(2)(g), 15(1)(h) and 22 of the UK GDPR. In particular:
(a) we will not take a decision based solely on automated processing (including profiling) that produces legal effects concerning you, or similarly significantly affects you, except where permitted under Article 22(2) UK GDPR — that is, where the decision is necessary for entering into or performing a contract, is authorised by law, or is based on your explicit consent;
(b) where we do take such a decision, we provide meaningful information about the logic involved and the significance and envisaged consequences of the processing;
(c) we will ensure human review of any automated decision on request, and offer you the right to contest the decision and obtain a human decision; and
(d) we carry out a Data Protection Impact Assessment under Article 35 UK GDPR before deploying any high-risk AI processing, including any AI processing involving the systematic monitoring of, or profiling of, individuals.
9. DATA SHARING AND INTERNATIONAL TRANSFERS
We may share your personal data with payment processors, analytics providers, hosting providers, marketing partners, and legal advisers who assist us in operating our website and providing our services. Each third-party service provider acts as a processor on our instructions and is bound by a written data processing agreement meeting the requirements of Article 28 UK GDPR.
Third-party services we use include: Stripe (payments), Google Analytics (analytics), AWS (hosting), Mailchimp (email marketing), Anthropic API (AI assistant).
International Transfers: Your personal data may be transferred to, and processed in, countries outside the United Kingdom, including the United States, Ireland and Germany. We ensure such transfers are protected by appropriate safeguards under Chapter V UK GDPR (Articles 44-49), specifically: the UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge"), in force from 12 October 2023, for transfers to certified US recipients.
US Transfers — UK-US Data Bridge: For transfers to recipients in the United States, we rely (where the recipient is certified under the EU-US Data Privacy Framework with the UK Extension) on the UK Extension to the EU-US Data Privacy Framework, in force from 12 October 2023, which provides a UK adequacy regulation under section 17A of the Data Protection Act 2018.
No Sale of Personal Data. We do not sell your personal data to third parties.
10. PERSONAL DATA BREACHES
In the event of a personal data breach within the meaning of Article 4(12) UK GDPR, we will: (a) document the breach in our internal Article 33(5) UK GDPR register; (b) notify the Information Commissioner's Office without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; and (c) where the breach is likely to result in a high risk to your rights and freedoms, communicate the breach to you without undue delay, in accordance with Article 34 UK GDPR. You may report a suspected breach to us at the contact email above.
11. YOUR RIGHTS UNDER UK GDPR
Under UK GDPR (Articles 15-22), you have the following rights regarding your personal data:
(a) Right of Access (Article 15) — to obtain a copy of the personal data we hold about you;
(b) Right to Rectification (Article 16) — to have inaccurate data corrected or incomplete data completed;
(c) Right to Erasure ("Right to be Forgotten") (Article 17) — to request deletion of your personal data in certain circumstances;
(d) Right to Restrict Processing (Article 18) — to limit how we use your personal data;
(e) Right to Data Portability (Article 20) — to receive your personal data in a structured, commonly-used, machine-readable format;
(f) Right to Object (Article 21) — to object to processing based on legitimate interests or for direct marketing (an absolute right for direct marketing);
(g) Right to Withdraw Consent (Article 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing; and
(h) Rights in relation to Automated Decision-Making and Profiling (Article 22) — not to be subject to solely automated decisions that produce legal or similarly significant effects, with the right to obtain human review.
How to Exercise Your Rights: Please submit your request by email to the contact address above or via our online rights request form. Our online form is available at: https://www.acmetech.co.uk/data-rights. We will respond within one calendar month of receiving your request (Article 12(3) UK GDPR). This period may be extended by a further two months in complex cases, in which event we will inform you within the original month. Subject Access Requests are normally free of charge; we may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests under Article 12(5) UK GDPR.
Right to Lodge a Complaint: If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection (Article 77 UK GDPR). The ICO can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Telephone: 0303 123 1113; Website: ico.org.uk.
12. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements (including amendments made by the Data (Use and Access) Act 2025 and any future PECR reforms), or other factors. When we make material changes, we will notify you by email before any material changes take effect. The "Effective Date" at the top of this Policy indicates when it was last revised. We encourage you to review this Policy periodically.
This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. It has been prepared to comply with the UK General Data Protection Regulation (UK GDPR) as it forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003.