This Privacy Notice explains:

1. Who we are
2. What information we collect
3. How we use your information
4. Our lawful basis for processing
5. Who we share your data with
6. International transfers
7. How long we keep your information
8. Your data protection rights
9. How we protect your information
10. Data breaches
11. Contact details

1. Who we are

Disklabs Limited provides data recovery, digital forensics, and secure IT disposal services.

Data Controller: Disklabs Limited
Registered Office: Disklabs House, Galena Close, Amington, Tamworth, Staffordshire, B774AS

Data Protection Officer: Matthew Jones
Email: gdpr@disklabs.com

2. What information we collect

We may collect and process:

• Visitors to our website: IP address, browser type, usage data, cookies.
• Customers: Contact details, service data, financial information.
• Suppliers: Contact details, contractual information.
• Job applicants: Application forms, CVs, references.
• Employees (current and former): Employment records, payroll and HR data.
• Marketing contacts: Business contact details collected from public or industry sources.
• Complaints and feedback: Contact information and communications.

3. How we use your information

We use personal data to:

• Provide and manage our services.
• Respond to enquiries, feedback, or complaints.
• Improve our website and monitor usage.
• Manage recruitment and employment.
• Comply with financial, legal, and regulatory requirements.
• Carry out marketing (business-to-business only).

4. Our lawful basis for processing

We process personal data under the following bases:

• Contract – to deliver our services and manage relationships.
• Legal obligation – to comply with tax, employment, and regulatory duties.
• Legitimate interests – to improve our services, maintain security, and manage business efficiency.
• Consent – for optional marketing communications or where retention of applicant details is agreed.

5. Who we share your data with

We may share data with trusted third parties, including:

• Accountants and auditors
• IT service providers and hosting providers
• Pensions provider (NEST)
• Vetting authorities
• Customers (where necessary for service delivery)

We only share data where necessary and subject to contracts requiring protection of your information.

6. International transfers

We do not routinely transfer personal data outside the UK or EEA. Where limited access occurs (e.g., through secure mobile devices), we apply safeguards in line with UK GDPR and our ISO 27001:2013 certified information security management system.

7. How long we keep your information

We retain personal data only as long as necessary:

• Website contact forms: until the enquiry is resolved.
• Marketing data: up to 18 months or the duration of a campaign.
• Job applicants: deleted after recruitment unless consent is given to retain contact details.
• Employees: retained during employment and for up to 3 years post-employment (longer where legally required, e.g., payroll records).
• Customer and supplier records: retained in line with legal and contractual obligations.
• Backups: retained for a maximum of one month.

8. Your data protection rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data (“right to be forgotten”)
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent at any time (where consent is the basis of processing)
• Lodge a complaint with the Information Commissioner’s Office (ICO)

We respond to requests within one month. No fee is charged unless requests are excessive or repeated.

9. How we protect your information

We apply robust security measures, including:

• Monitored firewalls and malware protection
• Encryption of data at rest and in transit
• Access control and monitoring
• Regular audits and penetration testing
• Secure backups with defined retention

10. Data breaches

We investigate all data incidents in line with our Information Security Incident Policy. Where a breach is likely to result in a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay.

11. Contact details

If you have questions about this notice or wish to exercise your rights, contact:

Data Protection Officer (DPO):   Matthew Jones
Email: gdpr@disklabs.com
Phone: 01827 55555

You also have the right to complain to the ICO:   https://ico.org.uk/make-a-complaint/