Effective Date: 05 January 2026

Next Review Date: 05 January 2027

This Privacy Policy explains how we collect, use, share, store, and protect personal data, and your rights. We aim to provide this information in a clear and accessible way, consistent with transparency and “right to be informed” requirements

Depending on the context, Dataframe Solutions may act as:

Data Controller (we decide why/how personal data is processed), e.g. for our website enquiries, marketing, recruitment, invoicing, and supplier management.
Data Processor (we process personal data on a client’s instructions), e.g. when providing analytics, cloud, data engineering, support, or managed services to public or private sector clients (including under frameworks such as G-Cloud).

Company: DataFrame Solutions Ltd (“we”, “us”, “our”)
Company number: 12679537
Registered office: Chester Business Park, Heronsway, Chester CH4 9QR
Privacy contact email: security@thedataframe.co.uk
DPO/Privacy Lead contact:  Heather Williams

This notice applies to personal data about:

• Website visitors and people who contact us

• Prospective customers, customers, and customer representatives

• Suppliers, partners, and their representatives

• job applicants and candidatesAttendees at our events/webinars and people who receive our communications

• Users of our services where we are the Controller (for Processor scenarios, see Section 11)

We may collect the following categories (depending on relationship):

A) Identity and contact data
Name, job title, organisation, business email, business phone, postal address.

B) Account and transaction data
Billing contacts, invoices, purchase orders, contract information, payment status (we do not intentionally collect card details unless you provide them via a payment provider).

C) Communications data
Emails, call notes, meeting notes, support tickets, and correspondence.

D) Technical and usage data (website/services)
IP address, device identifiers, browser type, pages visited, referral source, logs, and cookie identifiers.

E) Recruitment data
CVs, employment history, qualifications, references (where provided), right-to-work checks (where required), and recruitment notes.

F) Special category data
We do not seek to collect special category data (e.g., health, biometrics) unless strictly necessary (e.g., accessibility needs for interviews) and will apply additional safeguards.

We collect personal data in the following ways:

• When you fill in forms on our website or contact us by email/phone

• When you register for events or request information

• When you contract with us, or we contract with your organisation

• From publicly available sources (e.g., company websites, professional networking platforms) for B2B relationship management

• From partners or referrals (where appropriate)

• Automatically through cookies and similar technologies when you use our website (see Section 12)

Where personal data is collected directly, we provide privacy information at the point of collection; where collected indirectly, we provide information within a reasonable timeframe, consistent with transparency obligations.

UK GDPR requires us to have a lawful basis for each processing purpose and to communicate that clearly.

Purpose 1 — Responding to enquiries and managing relationships

• What we do: handle enquiries, schedule meetings, maintain contact records

• Lawful basis: Legitimate interests (to run our business and respond to requests) and/or Contract steps (pre-contract enquiries)

Purpose 2 — Delivering contracted services (Controller activities)

• What we do: onboard clients, manage projects, provide support and service communications

• Lawful basis: Contract (to perform a contract) and/or Legal obligation (e.g., accounting)

Purpose 3 — Supplier and partner management

• What we do: due diligence, onboarding, contract management

• Lawful basis: Legitimate interests and/or Contract

Purpose 4 — Marketing and business development (B2B

• What we do: send relevant updates, invitations, insights, manage preferences

• Lawful basis: Legitimate interests (B2B marketing) and/or Consent (where required, e.g., certain cookie/marketing contexts)

Purpose 5 — Recruitment and hiring

• What we do: manage applications, assess candidates, arrange interviews, make offers

• Lawful basis: Legitimate interests and/or Contract steps; Legal obligation for right-to-work and equality monitoring where applicable

Purpose 6 — Security, fraud prevention, and compliance

• What we do: protect systems, investigate incidents, maintain audit logs

• Lawful basis: Legitimate interests and/or Legal obligation

Purpose 7 — Improving our website and services

• What we do: analytics, troubleshooting, performance monitoring

• Lawful basis: Legitimate interests and/or Consent (depending on cookie choices)

We may share personal data with:

• Service providers who support our website and business operations (e.g., hosting, email, analytics, CRM such as HubSpot);

• Professional advisers (e.g., legal, accounting) where needed;

• Regulators, law enforcement, or public authorities where legally required; and

• Clients where you are acting on behalf of your organisation and sharing is needed to deliver services.

  We only share what is necessary and expect appropriate safeguards and confidentiality.

We may store or access personal data outside the UK. Where we do, we implement appropriate safeguards (such as UK adequacy regulations or contractual safeguards like UK International Data Transfer Agreement / Addendum) and assess risk.

If you want details of current transfer locations and safeguards, contact us using Section 2.

We retain personal data only for as long as necessary for the purposes described in this policy.

Typical retention periods include:

• Website enquiries and correspondence: up to 24 months after last contact (unless a relationship continues).

• Newsletter subscribers: until you unsubscribe, plus a minimal suppression record to respect your preference..

• Client relationship records: retained in line with contractual and legal requirements (typically up to 7 years after contract end).

• Website analytics data: retained in line with cookie settings and platform defaults.

We regularly review retention periods and securely delete or anonymise data when it is no longer needed.

We take information security seriously and aim to protect confidentiality, integrity, and availability of personal data through appropriate technical and organisational measures.

Examples of measures we may use include:

• access controls and least‑privilege permissions;

• multi‑factor authentication where available;

• encryption in transit and, where appropriate, at rest;

• secure configuration and patching practices;

• supplier due diligence and contractual safeguards;

• backups and resilience planning; and

• incident response processes, including reporting and learning.

We describe our security governance and approach further in our Information Security & Data Protection materials. Many supplier assurance processes (including defence/aerospace supplier qualification ecosystems such as JOSCAR communities) commonly cover areas like cyber security and data privacy among other management topics, so it is normal for buyers to request evidence of these measures. 

Important: We avoid claiming formal certification unless we have it. Where we reference “ISO‑aligned” controls, we mean our approach is designed to reflect recognised good practice, not that we are necessarily certified.

Where Dataframe Solutions acts as a Data Processor:

• The client is the Controller and determines the lawful basis and privacy information to provide to data subjects.

• We process personal data only on documented instructions of the client, as set out in our contract and Data Processing Agreement (DPA).

• We implement appropriate security and confidentiality measures.

• We assist clients (as agreed) with:

  • Subject access requests and other data subject rights requests

  • Security incident notifications

  • Deletion/return of data at contract end

  • Audit and assurance requests within agreed parameters

Our website may use cookies and similar technologies to:

• enable core site functions

• remember preferences

• measure website performance and usage

  Where required, we provide a cookie banner and allow you to manage non-essential cookies. You can also control cookies via your browser settings.

Under UK GDPR, you have rights in relation to your personal data. 

These include the right to:

• be informed;

• access your data;

• rectify inaccurate data;

• request erasure (right to be forgotten) where applicable;

• restrict processing in certain circumstances;

• data portability (where applicable);

• object to processing in certain circumstances (including direct marketing); and

• withdraw consent at any time where we rely on consent

How to exercise your rights: Email hello@thedataframe.co.uk with enough detail for us to identify you and locate your data. We may request reasonable proof of identity. We aim to respond within one month, and may extend where permitted for complex requests, explaining why. 

Marketing: You can opt out at any time using the unsubscribe link in our emails or by contacting us.