Privacy Policy

Last updated: 23 May 2026

Notice: This policy is published for transparency and is currently under review by our solicitor. The substantive commitments are accurate and binding; specific clauses may be refined.

1. Who we are

Bluewater Associates Limited ("we", "our", "us") is the data controller for personal data collected through this website and in the course of providing our services. We are registered in England and Wales, company number 16663061. Our registered office is [insert registered office address].

For any privacy enquiry, contact privacy@bluewaterassociates.co.uk.

2. What we collect

We collect personal data only where you provide it or where it is necessary for us to deliver a service you have requested.

Information you provide directly

Name, work email, company name, phone number, and any context you share when booking a call or completing our Cyber Essentials readiness check.
Information shared during the course of a client engagement (asset inventories, security configurations, system documentation).
Billing details and correspondence relating to invoices.

Information collected automatically

We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal data. Plausible reports aggregate page views, referrers and device types only.
Server logs from our hosting provider may include IP addresses and request metadata for security and abuse prevention.

3. Why we use it (legal bases)

Contract: to deliver the services you have engaged us for and to manage our client relationship.
Legitimate interests: to respond to enquiries, send relevant follow-up to leads who have actively contacted us, and to operate, secure and improve our website.
Legal obligation: to keep accounting records, comply with HMRC requirements, and respond to lawful requests from regulators.
Consent: where we ask for explicit consent (e.g. marketing emails beyond direct follow-up to an enquiry).

4. Who we share it with

We do not sell personal data. We share it only with carefully selected processors that help us run the business, under written contracts that bind them to UK GDPR standards. These include:

Microsoft (Microsoft 365 - email, calendar, file storage)
Cal.com (appointment booking)
Formspree (lead form processing)
Plausible Analytics (privacy-focused, aggregate analytics)
GitHub (website hosting via GitHub Pages)
Our accountant and bank for invoicing and payment
Our professional advisors (legal, insurance) where necessary and confidentially

Where a processor is located outside the UK/EEA, we rely on adequacy decisions or Standard Contractual Clauses as required by UK GDPR.

5. How long we keep it

Enquiries that don't convert: 24 months from last contact, then deleted.
Active client records: for the life of the engagement plus 7 years (HMRC and professional indemnity insurance requirements).
Readiness check submissions: 12 months from submission, unless you become a client.
Analytics: aggregate only, retained indefinitely; contains no personal data.

6. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request erasure where there is no compelling reason to retain it
Object to or restrict processing based on legitimate interests
Withdraw consent at any time where consent is the legal basis
Data portability for data you have provided directly
Lodge a complaint with the Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, email privacy@bluewaterassociates.co.uk. We will respond within one calendar month.

7. Security

We hold ourselves to the same standards we ask our clients to meet. We use multi-factor authentication on all administrative accounts, encrypted devices, hardened Microsoft 365 configurations aligned to the Cyber Essentials technical controls, and the principle of least privilege across our systems.

8. Cookies

This site uses no tracking cookies. Plausible Analytics is cookie-free. Functional cookies may be set by embedded third-party services (Cal.com) only when you actively interact with them.

9. Changes

We may update this policy from time to time. The "last updated" date at the top of this page reflects the most recent version. Material changes will be communicated to existing clients directly.

10. Contact

Bluewater Associates Limited
Company number 16663061
[Registered office address]
privacy@bluewaterassociates.co.uk