GDPR Compliance
Last updated: 2 June 2026
Our commitment to data protection
Polished Joist is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the protection of your personal data seriously and have implemented appropriate measures to ensure compliance.
Data controller information
For the purposes of UK GDPR, Polished Joist is the data controller responsible for your personal data.
Contact details:
Polished Joist
42 Meadow Lane
Glastonbury, Somerset BA6 9BY
United Kingdom
Email: [email protected]
Lawful basis for processing
We process personal data under the following lawful bases as defined by UK GDPR:
1. Consent (Article 6(1)(a))
We obtain your explicit consent before processing your data for marketing communications or non-essential cookies. You can withdraw consent at any time.
2. Contract (Article 6(1)(b))
Processing is necessary to fulfil our contractual obligations when providing environmental consulting services.
3. Legal obligation (Article 6(1)(c))
We process data when required by law, including professional indemnity requirements and regulatory compliance.
4. Legitimate interests (Article 6(1)(f))
We process data for legitimate business interests, such as service improvement, fraud prevention, and business operations, provided your rights are not overridden.
Your data protection rights
Under UK GDPR, you have the following rights regarding your personal data:
Right to be informed
You have the right to clear information about how we collect and use your personal data. This is provided through our Privacy Policy and this GDPR statement.
Right of access
You can request a copy of the personal data we hold about you. We will provide this within one month of your request, free of charge.
Right to rectification
If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it.
Right to erasure (right to be forgotten)
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or you withdraw consent.
Right to restrict processing
You can request that we limit how we use your personal data in specific circumstances, such as when you contest the accuracy of the data.
Right to data portability
You can request a copy of your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Rights related to automated decision-making
We do not use automated decision-making or profiling that produces legal effects concerning you.
How to exercise your rights
To exercise any of your data protection rights, please contact us:
- Email: [email protected]
- Post: Polished Joist, 42 Meadow Lane, Glastonbury, Somerset BA6 9BY, United Kingdom
We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by two months, and we will inform you of any extension.
Data security measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Staff training on data protection
- Secure backup procedures
- Incident response protocols
Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.
If the breach poses a high risk to you, we will also notify you directly without undue delay, providing information about the nature of the breach and steps you can take to protect yourself.
International data transfers
We primarily store and process your data within the United Kingdom. If we need to transfer data outside the UK, we will ensure appropriate safeguards are in place, such as:
- Adequacy decisions by the UK government
- Standard contractual clauses
- Binding corporate rules
Data retention periods
We retain personal data only for as long as necessary:
- Enquiry data: 2 years after last contact
- Client project data: 7 years after completion (professional indemnity requirement)
- Financial records: 7 years (legal requirement)
- Marketing consent: Until consent is withdrawn
- Website analytics: 26 months
Children's data
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
Third-party processors
When we use third-party service providers who process personal data on our behalf, we ensure:
- Written contracts are in place
- They only process data according to our instructions
- They implement appropriate security measures
- They assist with data subject rights requests
- They notify us of any data breaches
Complaints and supervisory authority
If you believe we have not complied with UK GDPR or have concerns about how we handle your data, you can lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Website: ico.org.uk
Helpline: 0303 123 1113
Email: [email protected]
Updates to this statement
We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates when the statement was last revised.
Contact us
If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected].