Thamer James Ltd – Privacy Policy
Effective Date: October 2025
Version: 2.1 – UK GDPR + Data Use Access Act 2025 Compliant
1 | About Us
Thamer James Ltd (“we”, “us”, “our”) is a UK-registered governance, risk and compliance consultancy. We are the Data Controller for all personal data processed in connection with our services, client relationships, and website interactions.
Contact details:
Privacy Lead | Thamer James Ltd
Email: [email protected]
Registered Office: Unit 12, Shottery Brook Office Park, Timothy’s Bridge Road, Stratford upon Avon, Warwickshire, CV37 9NR
If we process data on behalf of a client (for example, during an audit engagement), we act as a Data Processor and follow that client’s written instructions.
2 | Purpose of This Notice
This Privacy Policy explains:
- What personal data we collect and why
- The lawful bases for processing
- How we share, store and protect your data
- How your rights operate under UK GDPR and the DUAA 2025
- How to contact us or the ICO if you have concerns
3 | What Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity Data | Name, title, company, position | Direct from you |
| Contact Data | Email, phone, address | Direct or via business partners |
| Professional Data | Client organisation, audit/project details | From client engagement |
| Financial Data | Invoices, payment records (no card details retained) | From you / accounts |
| Technical Data | IP address, browser, cookies, usage logs | Via website |
| Communications Data | Emails, messages, meeting notes | From correspondence |
We do not intentionally collect special category data (e.g. health, ethnicity) unless it is relevant and voluntarily supplied.
4 | How We Use Your Data & Lawful Bases
| Purpose | Lawful Basis (UK GDPR) | DUAA 2025 Recognition |
|---|---|---|
| Responding to enquiries | Legitimate Interest (business communication) | Recognised Legitimate Interest – business communications |
| Delivering consultancy and audit services | Legitimate Interest (necessary to perform and manage client engagements) | Recognised Legitimate Interest |
| Managing supplier and partner records | Legitimate Interest (necessary for business operations) | Recognised Legitimate Interest |
| Maintaining statutory financial records | Legal Obligation (accounting and tax compliance only) | n/a |
| Direct B2B marketing emails & events | Legitimate Interest (with opt-out) | Recognised Legitimate Interest – direct marketing |
| Website security, analytics & fraud prevention | Legitimate Interest (security and service performance) | Recognised Legitimate Interest – crime prevention |
We never sell personal data. Processing will only occur for the above purposes.
5 | Cookies and Tracking
Our site uses:
- Essential cookies – to operate the site; required for login or security.
- Analytical cookies – to improve site performance (Google Analytics).
- Preference cookies – to remember display or language settings.
You can manage cookies at any time via your browser or our cookie banner. See our Cookie Policy for full details.
6 | Sharing Your Data
We may disclose limited personal data to:
- Cloud, hosting and IT service providers (e.g. Microsoft 365, website host)
- Accountants, insurers and professional advisers
- Subcontractors assisting in client delivery
- Regulators or law-enforcement agencies if legally required
All third parties sign Data Processing Agreements (DPAs) ensuring confidentiality, limited purpose use, and appropriate security measures.
7 | International Data Transfers
We primarily store and process data in the UK. Where transfers outside the UK occur, we apply approved safeguards:
| Destination | Safeguard Mechanism | Compliance Check |
|---|---|---|
| EEA countries | UK Adequacy Regulations | Equivalent protection |
| USA (UK-US Data Bridge vendors) | Certification verified annually | Not materially lower test met |
| Other countries | UK IDTA or Addendum to EU SCCs + TRA | Documentation retained |
8 | Data Retention
We hold personal data only as long as necessary for the original purpose or legal requirements.
| Data Type | Retention Period / Criteria |
|---|---|
| Enquiries & prospect communications | 3 years after last contact |
| Client engagement records | 6 years post-project completion |
| Supplier & contractor records | 6 years after contract end |
| Financial transactions | 6 years (statute of limitations) |
| Website logs / analytics | 26 months |
| DSAR & complaint records | 2 years from closure |
9 | Security Measures
- Encryption in transit and at rest
- Multi-Factor Authentication and role-based access
- Network segmentation and logging of admin access
- Regular patching and backup rotation
- Staff training in data protection and incident response
- Breach response procedure and ICO notification protocols
10 | Your Rights
You have the following rights under UK GDPR and DUAA 2025:
- Access – to obtain a copy of your personal data.
- Rectification – to correct inaccurate or incomplete data.
- Erasure – to request deletion where lawful.
- Restriction – to limit processing temporarily.
- Objection – to processing based on legitimate interest or marketing.
- Portability – to receive data in a machine-readable format.
- Withdraw Consent – where processing relies on consent.
- Challenge Automated Decisions – request human review.
Requests should be sent to the below. We will acknowledge within 30 days and respond within 1 month, applying stop-the-clock if identity clarification is required.
11 | Automated Decision-Making and Profiling
We do not undertake any automated decision-making that produces legal or similarly significant effects. Should this change, we will update this policy and ensure human oversight.
12 | Complaints Handling
If you believe we have mishandled your data, please contact our Privacy Lead first. We will:
- Acknowledge your complaint within 30 days
- Investigate promptly and provide a written outcome
- Log all actions for audit purposes
If unresolved, you may escalate to the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk/make-a-complaint | Tel: 0303 123 1113
13 | Updates and Version Control
We review this notice annually or whenever relevant legislation changes. Material updates will be posted on our website and, where significant, notified directly to clients or subscribers.
14 | Contact Us
Questions, data requests or complaints can be sent to:
Privacy Lead | Thamer James Ltd
Email: [email protected]
Registered Office: Unit 12, Shottery Brook Office Park, Timothy’s Bridge Road, Stratford upon Avon, Warwickshire, CV37 9NR