Privacy Policy
How we handle your personal data
Who we are
Spyced Concepts is the trading name of the data controller responsible for this website. If you have any questions about how we handle your personal data, please contact us:
- Email: datacontroller@spycedconcepts.co.uk
- Website: www.spycedconcepts.co.uk
Legal framework
Spyced Concepts is established in England and Wales. Our handling of personal data is governed primarily by the laws of England and Wales — specifically, UK GDPR and the Data Protection Act 2018.
As a matter of principle, we also voluntarily align our practices with the European Union's General Data Protection Regulation (EU GDPR), even where we are not strictly required to. We do this because we believe EU GDPR's standards reflect good practice and the right level of respect for the people whose data we hold. Where the two frameworks differ, we apply whichever standard offers the stronger protection for you.
What data we collect and why
We collect only the personal data you actively provide to us — for example, when you send us an enquiry via our contact form or email. This typically includes your name, email address, and any information you choose to share about your project.
We do not collect data about visitors who simply browse this website. We do not use analytics tools, advertising trackers, or demographic profiling of any kind.
Legal basis for processing
We process your personal data under the following lawful bases (UK GDPR Article 6):
- Legitimate interests — responding to enquiries you have sent to us and maintaining our client relationship records.
- Contract performance — processing data necessary to deliver services under an agreement with you.
- Legal obligation — retaining financial records as required by UK law.
How we use your data
- To respond to your enquiry or provide a quote.
- To deliver and manage projects we undertake for you.
- To fulfil our legal and financial obligations.
- To maintain our legitimate business records.
We will never sell your data or share it for marketing purposes.
Third-party services
We use a small number of third-party tools to run our business. Where those tools may store or process personal data on our behalf, we have agreements in place that require them to handle that data lawfully and securely. The services that may handle your personal data include:
- Capsule CRM (Zestia Ltd, Manchester, England and Wales) — contact and client relationship management. Names, email addresses, and message content from contact-form enquiries are stored here. See Capsule's privacy policy.
- Proton Mail (Proton AG, Geneva, Switzerland) — encrypted email hosting under Swiss data-protection law. Email addresses and message content sent to or from us are stored on Proton's servers. See Proton's privacy policy.
- Online meeting service — when we hold a video meeting with you, any recording or transcript is stored on the service mutually agreed in our engagement letter. The specific service is named per-client.
- FreeAgent — accounting and invoicing for billable engagements only.
- GitHub — source code management. No client personal data is stored here.
- Atlassian (Jira / Confluence) — internal project management. Client personal data is generally not stored here unless explicitly required for project delivery.
Each provider listed above operates under applicable data protection law and has its own privacy policy. We encourage you to review their policies if you wish to understand how your data is handled within those platforms.
Disclosure to authorities
We will only disclose your personal data to law enforcement, regulators, or other public authorities where:
- we are required to by valid legal process under the laws of England and Wales — for example, a court order, search warrant, or formal request from a UK regulator such as the Information Commissioner's Office (ICO); or
- the disclosure is necessary to protect the rights, property, or safety of Spyced Concepts, our clients, or others.
We do not voluntarily share personal data with authorities. We will challenge any request we consider unlawful or disproportionate, and where we are legally permitted to do so, we will inform you that your data has been requested. Formal data-protection enquiries — including breach notifications and disputes — should be directed to our Data Protection Officer at dpo@spycedconcepts.co.uk.
Pre-engagement due diligence
Before entering into a working relationship — as a client, supplier, partner, or collaborator — we may carry out due diligence on the individuals and organisations involved. This typically includes:
- searches of publicly available sources (websites, news, professional profiles);
- checks against UK regulatory registers, including Companies House, the ICO register, and the FCA register where relevant;
- checks against UK and international sanctions and restricted-party lists;
- verification of professional credentials, accreditations, or certifications you have asserted.
We carry out this work under our legitimate interests in assessing business risk, meeting our legal and regulatory obligations, and protecting Spyced Concepts, our clients, and our partners. Where we hold personal data gathered through this process, your rights under UK GDPR apply in full and you can exercise them via the contact details above.
Penetration testing and other technical security assessments we may carry out under a separate engagement may involve more detailed examination of personal or business data. Where that is the case, the scope, lawful basis, retention period, and disclosure terms are set out in the engagement letter and statement of work for that specific piece of work — not in this general policy.
International data transfers
Some of the third-party services listed above may store or process data outside the UK or European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or we use providers certified under equivalent frameworks.
How long we keep your data
- Enquiries that do not become projects — we retain your contact details for up to 12 months, after which they are deleted.
- Client project records — retained for 7 years following project completion to meet our legal and financial obligations.
- Financial records — retained for 7 years as required by HMRC.
Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — to request a copy of the data we hold about you.
- Right to rectification — to ask us to correct inaccurate data.
- Right to erasure — to ask us to delete your data, subject to our legal obligations.
- Right to restriction — to ask us to limit how we use your data.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interests.
To exercise any of these rights, please email datacontroller@spycedconcepts.co.uk. We will respond within one calendar month.
Cookies
This website uses a single, strictly necessary cookie (sc_cookie_ok) to remember that you have acknowledged this privacy notice. It expires after 30 days and contains no personal information. We do not use advertising, analytics, or tracking cookies.
Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would, however, appreciate the chance to address your concerns before you contact the ICO — please reach out to us first.
Changes to this policy
We may update this policy from time to time. Any material changes will be reflected on this page with an updated date. We encourage you to review this page periodically.