Purpose:
This notice explains how Pax Foster Ltd (“we”, “us”, “our”) collects, uses, stores and protects personal data through our website and related communications. It complies with the UK General Data Protection Regulation (UK-GDPR), the Data Protection Act 2018, and ICO guidance.
Who we are:
Pax Foster Limited (SC798894)
Registered office: 272 Bath Street, Glasgow, G2 4JR
Business Address: Suite RA01, 195 – 197 Wood Street, London, E17 3NU.
Data controller contact: info@pax-foster.co.uk.
We are the data controller for the personal information we collect.
What we collect
- Identity & contact data (name, job title, email, phone, address).
- Service data (contract details, project notes, invoices).
- Marketing preferences.
- HR & payroll data for co-directors (including limited health info where needed).
- Company data for clients.
- Website data: cookies, IP address, browsing data (see Cookies section).
- Enquiry data: information you provide through forms or email.
How we obtain it
- Directly from you (via forms, emails, telephone calls).
- Automatically through cookies and analytics.
- From public sources (e.g., Companies House) or partners where permitted.
How we use personal data and lawful bases
| Purpose | Lawful Basis for Processing |
| --- | --- |
| Responding to enquiries and providing services | Contract / Legitimate Interest |
| Managing client relationships and projects | Contract |
| Sending updates and marketing information with consent | Consent / Soft Opt-In (PECR) |
| Analysing website traffic and improving user experience | Consent for non-essential cookies |
| Meeting legal and regulatory obligations | Legal Obligation |
Sharing of data
We only share personal data with:
- Service providers acting as data processors (e.g., web hosting, email services)
- Professional advisers (e.g., accountants, legal advisers)
- Regulators where legally required
All processors are bound by written agreements requiring compliance with UK data protection law.
Special category data
We will only collect special category data (e.g., health) when strictly necessary (e.g., for staff occupational health) and with an appropriate additional lawful condition.
International transfers
If data is transferred outside the UK, we use lawful safeguards (such as the UK International Data Transfer Agreement or adequacy decisions).
How long we keep data
We keep personal data only as long as necessary. Example retention periods (subject to change for specific records):
- Client projects & contracts: 7 years after project end (financial & tax recordkeeping).
- Marketing contacts (consent-based): until consent withdrawn.
- Website analytics: 26 months (maximum)
- Employee records: as required by employment law (typically up to 6 years for contractual claims, payroll 6–7 years).
Exact retention depends on legal, contractual or regulatory requirements. Data is securely deleted or anonymised once the retention period expires.
Sharing & transfers
We may share data with processors (accountants, CRM/marketing tools, cloud hosts, waste partners). We use contracts requiring GDPR compliance. If we transfer data outside the UK/EEA we will ensure lawful transfer mechanisms (UK adequacy decisions, or appropriate safeguards such as Standard Contractual Clauses).
Your rights
You can request:
- Portability of your data
- Access to your data (Subject Access Request)
- Correction or erasure
- Restriction of processing
- Objection to processing or marketing
To exercise your rights, email:
Cookies & electronic marketing
We use cookies and similar technologies. For non-essential cookies we will obtain consent in line with PECR and ICO guidance. You can change cookie preferences in your browser or via our cookie banner. For electronic marketing we will follow consent / soft opt-in rules as required by PECR.
Automated decision-making & profiling
We do not carry out automated decision-making which has legal or similarly significant effects on individuals (or if we do, we will disclose details and rights).
Children
If you are under 13 we require parental authorisation for information society services where we rely on consent. We do not knowingly market services to children under 13. (If you believe we hold data about a child under 13, contact us.)
Data security & breach reporting
We use technical & organisational measures to protect data. In the event of a personal data breach we will follow legal obligations to notify the ICO (generally within 72 hours where required) and affected individuals where there is high risk to their rights and freedoms.
Changes to this policy
We may update this policy from time to time. The latest version will be dated at the top of this page.
Last updated: 31st October 2025.
