GDPR & UK DPA Compliance

RMC Technology & Consultancy Limited (company number 12084911) is registered in England and Wales and operates under the UK General Data Protection Regulation and the Data Protection Act 2018. We act as a data controller for personal data collected through our website, and as a data processor when we deliver services to customers and handle data on their behalf.

• Consent — for non-essential cookies and marketing communications
• Contract — to deliver services agreed in a Statement of Work
• Legitimate interests — for security, fraud prevention, and improving our services
• Legal obligation — for accounting, tax, and regulatory reporting

• Contact details (name, email, company, role)
• Project information you choose to share with us
• Technical data (IP address, browser, device)
• Usage data (pages visited, conversion events)
• Customer data we process on behalf of clients (under DPA terms)

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (the "right to be forgotten")
• Restriction — limit how we process your data
• Data portability — receive your data in a structured, machine-readable format
• Object — to processing based on legitimate interests
• Withdraw consent — at any time, where consent is the lawful basis
• Complain — to the Information Commissioner's Office (ICO)

Personal data is stored within the UK and EEA where possible. Where transfers outside the UK/EEA are necessary, we rely on UK International Data Transfer Agreements, the EU Standard Contractual Clauses, or equivalent safeguards. Customers can request UK-only or EU-only residency for their workloads.

We use a small set of vetted sub-processors (cloud hosting, email, analytics, error tracking). All are bound by written data processing agreements with appropriate technical and organisational safeguards. A current list is available to enterprise customers under NDA.

We retain personal data only as long as needed for the purposes set out, or as required by law. Enquiry data is typically deleted after 24 months of inactivity. Customer engagement data follows the retention terms in the relevant Statement of Work and DPA.

We follow the controls set out in our Security page — encryption in transit and at rest, least-privilege access, MFA, audit logging, and incident response. We commission independent penetration testing annually.

For customer engagements where we process personal data on your behalf, we sign a Data Processing Agreement that includes the EU/UK Standard Contractual Clauses by reference. You can request our standard DPA at privacy@rmctech.co.uk.

In the event of a personal data breach affecting our customers or their users, we will notify the affected customer without undue delay and within 72 hours of becoming aware. We will provide all information reasonably required to support the customer's own notification obligations to the ICO and data subjects.

For any data protection request, contact us at privacy@rmctech.co.uk.

You can also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.