v2 · 20 May 2026
Data Protection Policy
This document sets out GearedApp Ltd's internal commitments to data protection, covering how we plan, build, and operate services that involve personal data — whether for our own visitors or as part of work delivered to clients. For how we use personal data on this website specifically, see our Privacy Policy.
Legal framework
We act in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we process the personal data of people in the European Economic Area, we apply the EU GDPR on the same basis. We are registered with the Information Commissioner's Office under reference ZA493339.
The seven data-protection principles
Every project and decision involving personal data is assessed against the principles set out in Article 5 of UK GDPR:
- Lawfulness, fairness and transparency — we identify a lawful basis before processing, and we tell people what we're doing and why.
- Purpose limitation — we collect personal data for specified, explicit purposes and don't reuse it incompatibly.
- Data minimisation — we collect only what we need.
- Accuracy — we keep personal data accurate and up to date; we correct or delete it when it is not.
- Storage limitation — we don't keep personal data longer than necessary. Retention windows for this site are published in our Privacy Policy.
- Integrity and confidentiality — we apply appropriate technical and organisational security.
- Accountability — we can demonstrate compliance through the records, agreements and assessments we maintain.
Lawful bases we rely on
- Consent — for analytics cookies on our website (see Cookie Policy).
- Contract — to deliver services to clients and process payments.
- Legitimate interests — to respond to business enquiries, run our internal CRM and email infrastructure, and keep our systems secure. We carry out a balancing assessment where this basis is used.
- Legal obligation — where retention is required by tax, employment or other law.
Working with sub-processors
We use third-party providers to host our infrastructure, send email, manage our CRM, and so on. Before engaging any provider that will process personal data on our behalf we:
- Carry out due diligence proportionate to the risk
- Sign a data-processing agreement covering Article 28 obligations
- Where data is transferred outside the UK or the EEA, ensure appropriate safeguards are in place — typically the UK International Data Transfer Addendum alongside the EU Standard Contractual Clauses
The current list of sub-processors used by gearedapp.co.uk is maintained in our Privacy Policy.
Security
We apply technical and organisational measures appropriate to the risk, including:
- TLS in transit, encrypted storage at rest, restricted access by role
- Strong authentication on all admin tools
- No long-lived shared secrets in client code — secrets are held in our hosting platform's secret store
- Code is reviewed before deployment; gitleaks pre-commit gates prevent secret leakage to source control
- Backups managed by our cloud-hosting provider
Data protection by design and by default
When we build something new — for ourselves or for a client — we consider data protection at the design stage rather than as an afterthought. Where a project is likely to result in a high risk to people's rights and freedoms, we conduct a Data Protection Impact Assessment (DPIA) covering the nature, scope, context and purposes of the processing; the risks involved; and the measures we plan to take to mitigate them.
Subject rights and complaints
Individuals can exercise any of the rights set out in our Privacy Policy — access, rectification, erasure, restriction, portability, objection, and withdrawal of consent — by emailing privacy@gearedapp.co.uk. We respond within one calendar month. If you remain unhappy, you may complain to the Information Commissioner's Office at ico.org.uk.
Staff responsibilities
Everyone at GearedApp is responsible for handling personal data carefully. New starters are briefed on our data-protection obligations during onboarding. Anyone with broader access to client or visitor data receives role-specific training. Suspected personal-data breaches must be escalated to a director immediately so we can assess whether notification to the ICO is required (within 72 hours of becoming aware).
Review
This policy is reviewed at least annually and after any material change to our processing activities or to data-protection legislation.