Privacy Policy

Document: Privacy Policy (Privacy Notice)
Version: 2.0
Effective date: 13 June 2026
Supersedes: Version 1.0 (1 August 2025)
Owner: Parag Shah, Data Protection Officer
Classification: Public
Next review: June 2027

1. Introduction

Thornacre Engineering Ltd (“we”, “us” or “our”) is committed to protecting the privacy and security of personal data. We are a UK-based software engineering consultancy that builds and operates data management platforms, websites and CMS solutions for public sector organisations, delivered as managed services.

This policy explains how we collect, use, share, store and protect personal data, and the rights available to individuals, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are and How to Contact Us

Thornacre Engineering Ltd is the entity responsible for the personal data described in this policy where we act as controller.

  • Registered office: 173 Barnet Road, London, EN5 3JZ
  • ICO registration number: ZB296366
  • Data Protection Officer: Parag Shah, parag@thornacre.com
  • General data protection enquiries: support@thornacre.com

3. Our Role: Controller and Processor

Our role under data protection law depends on the activity:

  • We are the data controller for personal data of our website visitors, our employees, contractors and job applicants, and the procurement and contract staff we deal with during tenders.
  • We are usually the data processor for personal data held within the platforms, websites and CMS solutions we build for customers. In these cases our public sector customer is the controller and we act on their documented instructions under a written contract (UK GDPR Article 28).

Our exact position as controller, processor or joint controller, and the data we hold, is defined in each individual customer contract.

4. The Personal Data We Process

The table below summarises the categories of personal data we handle and our role for each.

Whose data | What we process | Our role
--- | --- | ---
Website visitors | Analytics data (via Google Analytics) and contact form submissions such as name, email address, phone number and message content. | Controller
Customer staff and end users | Personal data held within the platforms, websites and CMS solutions we build and operate, as defined in each customer contract. | Processor (occasionally controller, per contract)
Prospective customers and procurement contacts | Names, job titles, email addresses and phone numbers of procurement and contract staff, supplied with tender and bid documentation. | Controller
Employees, contractors and job applicants | Recruitment, employment, payroll and pre-employment screening data, including BPSS check information. | Controller

4.1 Website Visitors

When you visit our website we collect analytics data through Google Analytics, but only after you give consent through our cookie banner. This may include usage statistics, pages viewed, approximate location, browser and device information. If you complete a contact form we collect the details you provide, such as your name, email address, phone number and message.

4.2 Customer Staff and End Users

We process personal data held within the systems we build and manage for customers, as defined in each contract. This typically includes contact form submissions, CMS user credentials and login records, and any other personal data the customer collects through its service. We process this data only on the customer’s documented instructions and do not use it for our own purposes.

4.3 Prospective Customers and Procurement Contacts

When we respond to invitations to tender we receive and retain tender documentation. This may include the names, job titles, email addresses and phone numbers of procurement and contract staff that the organisation provides with the documents. We use this information to participate in the procurement and to manage any resulting contract.

4.4 Employees, Contractors and Job Applicants

We process personal data to recruit, employ and pay our staff and contractors. Because we deliver services to public sector organisations, we carry out Baseline Personnel Security Standard (BPSS) checks, which involve verifying identity, right to work, employment history and a basic criminal record check. Where this involves criminal offence information, we process it under a condition in Schedule 1 of the Data Protection Act 2018.

5. Our Lawful Bases for Processing

We identify and record a lawful basis under Article 6 of the UK GDPR before processing personal data. Where we act as processor for a customer, the customer determines the lawful basis. The bases we rely on are set out below.

Processing activity | Lawful basis (UK GDPR Article 6, and Article 9/10 where relevant)
--- | ---
Website analytics (Google Analytics) | Consent. Analytics cookies run only after you opt in through our cookie consent banner (Article 6(1)(a), and Regulation 6 of PECR).
Responding to website enquiries | Legitimate interests, namely responding to and managing enquiries you send us (Article 6(1)(f)).
Delivering services to customers | Performed on documented instructions from the customer under a written contract. The customer determines the lawful basis as controller; we process under Article 28.
Managing tenders, bids and prospective customers | Legitimate interests in pursuing and managing business opportunities and keeping accurate bid records (Article 6(1)(f)), and legal obligation for record retention (Article 6(1)(c)).
Recruitment and employment | Contract (Article 6(1)(b)), legal obligation (Article 6(1)(c), e.g. right to work, tax and employment law), and legitimate interests for business administration (Article 6(1)(f)).
BPSS and pre-employment screening | Legal obligation and legitimate interests. Where screening involves criminal offence information, we rely on a condition in Schedule 1 of the Data Protection Act 2018.

6. Cookies and Analytics

Our website uses cookies. Strictly necessary cookies are set automatically because they are essential for the site to work. Analytics cookies, including those used by Google Analytics, are non-essential and are set only after you opt in through our cookie consent banner. You can change or withdraw your consent at any time through the banner or your browser settings.

7. Sharing Your Data and Sub-processors

We do not sell personal data. We do not share personal data with third parties without a lawful basis, and where we act as processor we do not share customer data without the customer’s instruction or consent. We use the following sub-processors:

  • Microsoft Azure, for UK-based hosting and infrastructure.
  • Google Analytics, for website analytics where you have consented.

We may also share personal data where required by law, regulation or a valid request from a public authority.

8. International Transfers

Customer data we host is stored in UK Microsoft Azure regions (London as primary and Cardiff as failover) and does not leave the UK unless a customer instructs otherwise. Where Google Analytics processes data outside the UK, that transfer is protected by appropriate safeguards, such as the UK International Data Transfer Addendum or a UK adequacy decision.

9. Data Retention

We keep personal data only for as long as necessary for the purpose we collected it, or as required by law or contract. Our retention periods are summarised below.

Data type | Retention period
--- | ---
Website analytics data | Held in Google Analytics for between 2 and 14 months depending on the data type, then automatically deleted by Google.
Website enquiry / contact form data | Up to 24 months after our last contact with you, unless the enquiry leads to a contract, in which case it is retained under the relevant contract. [Confirm period]
Customer data (as processor) | For the duration agreed in the individual customer contract. On contract completion the data is deleted or returned to the customer, with backups securely deleted within 30 days.
Tender and bid documentation | 7 years from the close of the procurement or contract, including procurement contact details supplied with the documentation.
Employee, contractor and applicant data | For the duration of employment or engagement and for the statutory and contractual periods required afterwards. Unsuccessful applicant data is held for a short period and then deleted. [Confirm periods]

10. Data Security

We maintain an ISO 27001:2022 certified information security management system and hold Cyber Essentials Plus certification. Our technical and organisational measures include:

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Access controls, least-privilege access and multi-factor authentication.
  • Regular security assessments and penetration testing.
  • Staff data protection and security training during onboarding and annually.
  • Documented incident and breach response procedures.

11. Your Rights

Under the UK GDPR you have the following rights in relation to your personal data.

Right | Description | Article
--- | --- | ---
Right of access | Confirmation of whether we process your data and a copy of it. | 15
Right to rectification | Correction of inaccurate or incomplete personal data. | 16
Right to erasure | Deletion of your data where there is no compelling reason to keep it. | 17
Right to restrict processing | Limiting how we use your data in certain circumstances. | 18
Right to data portability | Receiving your data in a structured, machine-readable format. | 20
Right to object | Objecting to processing based on legitimate interests or to direct marketing. | 21
Automated decision-making | Not being subject to solely automated decisions with significant effects. | 22

To exercise any of these rights for data we hold as controller, contact our Data Protection Officer at parag@thornacre.com or email support@thornacre.com. We will acknowledge your request within 2 working days and respond within one month, as set out in our Subject Access Request Policy.

Where your request concerns data we process on behalf of a customer, please contact that customer directly as the controller. We will assist them in responding.

12. Complaints

If you have a concern about how we handle your personal data, please contact our Data Protection Officer first so we can try to resolve it. You also have the right to complain to the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

13. Changes to This Policy

We may update this policy from time to time. Any changes will be published on this page with a revised version number and effective date.

14. Policy Review

This policy is reviewed annually, after any relevant ICO guidance update, and following any incident or complaint relating to personal data. The next scheduled review is June 2027.

15. Relationship to Other Policies

This policy operates alongside our:

  • Information Governance Policy, which sets out our overall data protection framework.
  • Subject Access Request Policy, which covers how we handle data subject rights requests.
  • Data Breach Policy, which covers how we identify, manage and report personal data breaches.
  • Cyber Security Policy, which sets out our information security controls.