Privacy Notice

We may collect and process the following categories of personal data:

  • Identity data: name, job title, and organisation name
  • Contact data: email address, postal address, and telephone number
  • Enquiry data: details of your query, instructions, and correspondence with us
  • Contractual data: information necessary to deliver our services and manage our client relationship
  • Technical data: IP address, browser type and version, and pages visited on our website
  • Marketing preferences: your preferences regarding communications from us.

We do not collect special category data or children’s data through our website or standard services. Where our advisory work requires us to handle such data on behalf of clients, this is governed by a separate data processing agreement.

We collect personal data through:

  • Direct interactions: enquiries submitted via our website contact form, email, or telephone
  • Contractual relationships: information provided in the course of engaging our services
  • Third parties: publicly available sources such as LinkedIn or company registries, where relevant to a business enquiry.

We use your personal data for the following purposes:

  • To respond to your enquiries and provide pre-engagement support
  • To deliver our consultancy services and manage our client relationship
  • To maintain accurate business records and fulfil legal and regulatory obligations
  • To improve our website and services through analysis of usage data
  • To send you updates, insights, or resources relevant to our services, only where you have provided consent or we have a legitimate interest in doing so.

We process your personal data on the following legal bases under UK GDPR Article 6:

  • Contractual necessity (Article 6(1)(b)): To fulfil our obligations under a contract with you or to take steps at your request prior to entering into a contract
  • Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation, for example record-keeping under anti-money laundering legislation
  • Legitimate interests (Article 6(1)(f)): We process contact and enquiry data in our legitimate interest of responding to business communications and developing our advisory practice. We have conducted a legitimate interests assessment and are satisfied that these interests do not override your rights and freedoms. The DUA Act 2025 has codified examples of legitimate interests in law, including direct marketing and internal administrative purposes, though a legitimate interests assessment remains required in each case
  • Consent (Article 6(1)(a)): For marketing communications and the use of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

We do not sell, rent, or trade your personal data. We may share your data in the following limited circumstances:

  • Service providers: third-party suppliers who assist us in operating our business, including our website hosting provider, email platform, and document management tools. All such providers are subject to data processing agreements and are required to process your data only on our documented instructions
  • Professional advisers: solicitors, accountants, and insurers where necessary and subject to professional confidentiality obligations
  • Regulatory and legal authorities: where we are required to disclose information by law, court order, or a competent regulatory authority.

We do not transfer your personal data outside the United Kingdom. Where any of our service providers store or process data outside the UK, we ensure appropriate safeguards are in place, including UK-approved Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA), as applicable.

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with our Data Retention Schedule. Key retention periods are as follows:

Data Category | Retention Period | Rationale
Website enquiry data | 12 months | Business development
Client contract & correspondence | 7 years post-engagement | Legal / contractual
Financial and billing records | 7 years | HMRC / tax obligation
AML due diligence records | 5 years post-relationship | Proceeds of Crime Act 2002
Marketing consent records | Until consent withdrawn + 1 year | Accountability
Website technical/log data | 12 months | Security and analytics

At the end of applicable retention periods, personal data is securely deleted or anonymised.

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15): to request a copy of the personal data we hold about you
  • Right to rectification (Article 16): to request correction of inaccurate or incomplete data
  • Right to erasure (Article 17): to request deletion of your data where there is no lawful basis for continued processing
  • Right to restriction of processing (Article 18): to request that we restrict processing of your data in certain circumstances
  • Right to data portability (Article 20): to receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means
  • Right to object (Article 21): to object to processing based on legitimate interests or for direct marketing purposes
  • Rights related to automated decision-making: the DUA Act 2025 has updated the framework for automated decision-making. The strictest controls now apply primarily to decisions based on special category data. We do not make significant decisions about you based solely on automated processing. Where we do use any automated tools, appropriate safeguards are in place, including the ability for you to receive information about the decision, make representations, and request human review
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at joseph@dradvisory.co.uk. We will respond within one calendar month of receiving your request, as required by UK GDPR Article 12(3) and confirmed by the DUA Act 2025. Where we require further information from you to clarify the scope of your request, we may pause the response period until that clarification is received (“stop the clock”), as now codified in law by the DUA Act. We may also need to verify your identity before processing your request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We do not use cookies or similar tracking technologies on our website, other than those that are strictly essential for the website to function. We do not use analytics, advertising, or preference cookies, and no personal data is collected through our website’s technical infrastructure beyond that described in Section 2.

We use IONOS WebAnalytics to monitor website performance. This service does not use cookies and processes data in anonymised form only (e.g., referrer, browser type, device type, and anonymised IP). No personal data is stored.

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Encrypted communications and secure email practices
  • Access controls limiting data to those with a legitimate need
  • Regular review of our information security arrangements
  • Procedures for detecting, reporting, and managing personal data breaches in accordance with our obligations under UK GDPR Articles 33 and 34.

Whilst we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We will notify you and the ICO of any breach where we are legally required to do so.

Our website may contain links to third-party websites. This Privacy Notice applies solely to our website and services. We are not responsible for the privacy practices of third-party sites and encourage you to read their privacy notices before providing any personal data.

We may update this Privacy Notice from time to time to reflect changes in our practices, services, or legal obligations. The Data (Use and Access) Act 2025 is being commenced in stages throughout 2025 and 2026, and further provisions, including a statutory complaints-handling duty (Section 103, expected June 2026), will require additional updates to this notice as they come into force. The current version will always be published on our website at durrantrileyadvisory.co.uk/privacy-policy. We encourage you to review this notice periodically. Where changes are material, we will take reasonable steps to notify you.

If you have any questions about this Privacy Notice, wish to exercise your rights, or have a concern about how we handle your personal data, please contact:

Durrant Riley Advisory Limited

Data Protection Officer: Joseph Durrant-Riley

Email: joseph@dradvisory.co.uk

Telephone: 01473 598427

Website: durrantrileyadvisory.co.uk