Privacy Policy

Our Commitment to Your Privacy

At Cardinal IT, we are committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, and how we keep it safe. In short:

  • We collect the minimum data needed to respond to your enquiries and improve our website.
  • We use tools like Google Analytics to understand how our site is used, but only with your consent.
  • We never sell your personal data.
  • You have full control over your data and can exercise your rights at any time by contacting us.

For full details, please read the policy below.

Last updated: 04/09/2025

Who we are

Cardinal IT Ltd (“Cardinal IT”) is a bespoke software development company based in Edinburgh, Scotland, building reliable and scalable software solutions from rapid MVPs to mission‑critical enterprise platforms. Cardinal IT Ltd is the data controller for personal data described in this notice. Website: www.cardinal-it.co.uk.

What data we collect

Information provided by individuals:

  • Contact details and message content submitted via website forms or by email (e.g., name, business email, phone, company, project details).

Information collected automatically:

  • Technical and usage data such as IP address, device and browser type/version, broad location (city/country), pages viewed, links clicked, referral URLs, and session metrics, collected via our web server and analytics tools.

Cookies and similar technologies:

We use cookies and similar technologies. Details appear in the Cookie Policy section below.

Purposes and lawful bases

We process personal data only where a lawful basis applies under UK GDPR and, where relevant, EU GDPR.

  • Responding to enquiries and providing information about services: legitimate interests (to operate and grow a B2B services business and respond to requests).
  • Website operation, security, and performance (including spam/fraud prevention such as reCAPTCHA): legitimate interests.
  • Analytics for service improvement: consent for non‑essential cookies; legitimate interests for strictly necessary processing that does not require consent.
  • Contracting and service delivery if an engagement proceeds: performance of a contract or steps prior to entering a contract; legal obligations for invoicing and tax.
  • Legal and regulatory compliance and protection of rights: legal obligations and legitimate interests.

We will not rely on legitimate interests where these are overridden by the interests or fundamental rights and freedoms of individuals.

Sharing personal data

We may share personal data with:

  • Service providers that support our website, security, communications, analytics, hosting, and IT operations (for example, hosting providers, email services, Google Analytics, and Google reCAPTCHA), under appropriate contracts and safeguards.
  • Professional advisers (legal, accounting) under confidentiality.
  • Competent authorities, courts, or regulators when required by law.
  • A buyer (and its advisers) in connection with a proposed or actual corporate transaction, under confidentiality.
  • Others where the individual has provided consent or where permitted by law.

We do not sell personal data.

International transfers

Some service providers are located outside the UK/EEA (e.g., the United States). Where transfers occur, we use appropriate safeguards such as recognised adequacy decisions (including, where applicable, UK–US adequacy under the Data Bridge and EU–US Data Privacy Framework certifications), and/or Standard Contractual Clauses (and UK addendum) with supplementary measures as needed. Copies of relevant safeguards can be made available upon request, where legally permissible.

Data retention

  • Enquiry and correspondence data: retained for up to 12 months after the last meaningful contact, unless needed longer to establish, exercise, or defend legal claims or to comply with legal/contractual obligations.
  • Contract and billing records: retained for the statutory period required for tax and accounting (typically 6 years in the UK) or as required by law.
  • Recruitment data: see Recruitment Privacy Notice below.
  • Cookie/analytics data: retained according to tool‑specific settings and necessity; see Cookie Policy.

When retention periods expire, data is securely deleted or anonymised. If deletion is not immediately possible (e.g., backups), data is isolated and protected until deletion.

Security

We implement appropriate technical and organisational measures designed to protect personal data, including encrypted transport (HTTPS), access controls, least‑privilege access, vulnerability management, and supplier due diligence. No method of transmission or storage is entirely secure; we continually assess and improve our safeguards.

Individual rights

Subject to conditions and applicable law, individuals have the right to:

  • Access their personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase data in certain circumstances.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interests, including direct marketing.
  • Request data portability for information provided to us where processing is based on consent or contract and carried out by automated means.
  • Withdraw consent at any time where processing is based on consent (this does not affect lawfulness prior to withdrawal).
  • Lodge a complaint with a supervisory authority:
    • UK: Information Commissioner’s Office (ICO) at ico.org.uk or +44 303 123 1113.
    • EEA: the local data protection authority of residence or work.

To exercise rights, use the contact details below. We may request information to verify identity and will respond within applicable statutory timelines.

Children

Our website and services are aimed at business users and are not intended for children. We do not knowingly collect data from children.

Automated decision‑making

We do not use personal data for automated decision‑making, including profiling, that produces legal or similarly significant effects.

Recruitment Privacy Notice

This section applies when Cardinal IT receives job applications or candidate details directly (e.g., via website forms, email, recruiters, or professional networks).

Categories of data:

Identification and contact details (name, email, phone, address), CV/resume, cover letter, qualifications, employment history, portfolio, references, interview notes, assessment outcomes, right‑to‑work evidence, and any information voluntarily provided in the process. Where applicable and lawful, background or reference checks.

Purposes and lawful bases:

  • Assessing suitability, communicating with candidates, arranging interviews, and making hiring decisions: legitimate interests and steps prior to entering a contract.
  • Legal obligations: right‑to‑work checks and equality monitoring where required or permitted by law.
  • Retaining details for future roles: consent (optional and can be withdrawn at any time).

We do not carry out automated decision‑making that produces legal or similarly significant effects.

Sharing:

Service providers supporting recruitment administration and IT systems; professional advisers as necessary; referees; background check providers where lawful and applicable; authorities where legally required.

Retention:

Unsuccessful candidate data is retained for up to 12 months from closure of the recruitment process unless a different period is required by law or explicit consent is given for longer retention for future opportunities. If hired, relevant data becomes part of the personnel record and is retained in accordance with our HR retention policies.

Special category data:

If special category data is processed (e.g., health or disability information for reasonable adjustments), we will rely on an appropriate legal basis and condition under data protection law and apply suitable safeguards.

Rights:

Candidates can exercise the rights set out in the Individual rights section of this policy.

Cookies and similar technologies (Cookie Policy)

What are cookies?

Cookies are small files placed on a device that store or access information. Similar technologies include local storage, pixels, and tags.

How we use cookies:

  • Essential cookies: required for core site functions (e.g., security, load balancing, and remembering cookie choices).
  • Analytics/performance cookies: help improve our website by measuring usage (e.g., pages visited, referral sources). These are non‑essential and require consent in the UK/EU.
  • Security and abuse prevention: e.g., Google reCAPTCHA to detect bots and spam.
  • Third‑party cookies: set by trusted providers supporting analytics and security.

Consent management:

On first visit, a banner allows accepting or rejecting non‑essential cookies. Non‑essential cookies are set only after consent. Preferences can be changed anytime via “Cookie Settings” in the site footer. Browser settings can also block cookies; essential site features may be impacted.

Retention:

Cookie and analytics retention aligns with the provider’s settings and our configuration (commonly 13–26 months for analytics; essential cookie durations vary). Specific durations may be listed in the cookie banner or settings panel.

Third‑party providers:

We currently use Google Analytics and Google reCAPTCHA. These providers may process limited personal data (e.g., IP address, device identifiers) to deliver services and for security/analytics. Where these services involve transfers outside the UK/EEA, we apply the safeguards described in the International transfers section.

Legal basis, jurisdiction, and scope

This policy is intended to meet transparency requirements under the UK GDPR and Data Protection Act 2018 and, where applicable, EU GDPR in relation to individuals in the EEA who interact with our website or business.

EU representative (Article 27)

Cardinal IT Ltd is a UK‑established controller. Based on our current activities, we take the position that the Article 27 EU representative requirement does not apply because any processing of personal data of individuals in the EEA is occasional, presents low risk to individuals’ rights and freedoms, and does not involve large‑scale processing of special‑category or criminal‑offence data. We keep this assessment under review. If our processing changes such that Article 27 applies, we will appoint an EU representative and update this policy accordingly.

Changes to this policy

We may update this policy to reflect legal, technical, or business developments. Material changes will be indicated on this page with a new “Last updated” date.

How to contact us

Cardinal IT Ltd
12 South Charlotte Street
Edinburgh, EH2 4AX
Scotland, United Kingdom
Email: privacy@cardinal-it.co.uk

If contacting us about data protection rights, please include enough information to verify identity and locate records (e.g., name, email used in prior correspondence).