Under UK and Norwegian data protection laws, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases for the UK in the UK GDPR and for Norway in the Norway GDPR. You can find out more about lawful bases on the relevant website for each country.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the relevant website:

1. Right to be informed
You have the right to know how your personal data is being used. Organizations must explain this clearly, usually in a privacy notice.

2. Right of access
You can ask for a copy of the personal data an organization holds about you (often called a Subject Access Request).

3. Right to rectification
If your data is inaccurate or incomplete, you can request that it be corrected.

4. Right to erasure (“right to be forgotten”)
You can ask for your data to be deleted in certain situations—for example, if it’s no longer needed or was processed unlawfully.

5. Right to restrict processing
You can request that an organization limits how it uses your data (e.g., while a dispute about accuracy is being resolved).

6. Right to data portability
You can obtain your data in a structured, commonly used format and transfer it to another service provider.

7. Right to object
You can object to your data being used for certain purposes, especially direct marketing or processing based on “legitimate interests.”

8. Rights related to automated decision-making and profiling
You have protections against decisions made solely by automated systems (without human involvement), particularly if they significantly affect you.

9. Right to withdraw consent
If processing is based on your consent, you can withdraw it at any time.

10. Right to complain
If you believe your data rights have been violated, you can complain to the Information Commissioner's Office (ICO) in the UK, who are the UK’s independent authority for data protection.

To make a data protection rights request, please contact us using the contact details above.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information for the operation of client or customer accounts are:

1. Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

2. Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

3. Recognised Legitimate Interests – we may process data without a balancing test for specific purposes defined by the Data (Use and Access) Act 2025 (‘DUAA’), including crime prevention, safeguarding vulnerable individuals, and emergency response.

Where we get personal information from

Directly from you or a supplier according to our contractual arrangements.

How long we keep information

We keep information according to the Storage Limitation Principle, considering factors such as the nature of the data, the purposes for which it is processed, and any legal or regulatory requirements.

For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.

Who we share information with

Others we share personal information with

· Suppliers and service providers

· Professional consultants

Sharing information outside the UK or Norway

We only transfer data to countries that pass the UK's "Data Protection Test," ensuring the standard of protection is not materially lower than that provided in the UK and Norway.

Where necessary, we may transfer personal information outside of the UK or Norway. When doing so, we comply with the UK GDPR and Norway GDPR, making sure appropriate safeguards are in place.

In the normal course of events this means transfer of information between our systems based in either the UK or Norway, or between us and our clients / suppliers.

Data Subject Rights & SARs

We fulfill Subject Access Requests (SARs) within one month. Under 2026 rules:

Clarification "Clock-Stop": If a request is complex or broad, we may pause the response timer until you provide necessary clarification.
Proportionate Searches: Our searches will be "reasonable and proportionate" as defined by current ICO standards.

To make a SAR, please contact us using the details above.

How to complain

If you believe we have mishandled your data, you have a statutory right to complain directly to us.

How to Complain: Complaints can be submitted via email or post using the contact details above.
Acknowledgement: We will formally acknowledge your complaint within 30 days of receipt.
Investigation: We will investigate your concerns "without undue delay," keeping you updated on our progress.
Outcome: We aim to provide a final reasoned outcome within three months, unless the case is exceptionally complex.
Escalation: You must generally complete this internal process before escalating your complaint to the Information Commissioner’s Office (ICO).

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO in the UK or the Datatilsynet in Norway.

The ICO’s address (UK):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Datatilsynet address (Norway):

Datatilsynet
Postboks 458 Sentrum
0105 Oslo

Helpline number: 22 39 69 00

Contact Information: Kontakt oss | Datatilsynet

Website: How to complain to the Norwegian Data Protection Authority | Datatilsynet

Last updated

24 April 2026