Privacy Policy — Right Advance Digital

Your privacy matters. This Privacy Policy explains how Right Advance Digital Ltd collects, uses, stores, and protects your personal data. We are committed to transparency and to safeguarding your privacy rights under UK, EU, and US law.

1. Who We Are

1.1 Data Controller

Right Advance Digital Ltd ("Company", "we", "us", "our") is the data controller responsible for your personal data. We are a company incorporated in England and Wales providing custom software development, technical consultancy, product design, cloud and DevOps services, API integration, and legacy system modernisation.

1.2 Contact Details

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, you may contact us at:

Right Advance Digital Ltd
Website: rightadvancedigital.com
Email: privacy@rightadvancedigital.com

1.3 ICO Registration

Right Advance Digital Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller. Our ICO registration reference is ZC102846. Our lead supervisory authority for data protection purposes is the ICO. You have the right to lodge a complaint with the ICO or, where applicable, with your local data protection authority in the EU or relevant regulatory body in the United States.

2. Information We Collect

2.1 Information You Provide to Us

We collect personal data that you voluntarily provide when you engage with us, including:

Contact information such as your name, email address, telephone number, postal address, and job title
Business information including your company name, industry, and business requirements
Communications data including correspondence, enquiries, feedback, and any information you provide via our contact forms, email, or telephone
Contractual information including details contained in Statements of Work, invoices, payment records, and other engagement documentation
Technical information you provide to us in the course of a project engagement, such as system credentials, API keys, or access to your infrastructure (handled in accordance with our security protocols)

If you take our diagnostic and choose to receive your result by email, we collect your email address and your individual answers to process and deliver your result. Legal basis: your consent (given by voluntarily submitting your email). You may request deletion of this data at any time by contacting us at the details in Section 1.2.

2.2 Information We Collect Automatically

When you visit our website, we may automatically collect certain technical data, including:

Device and browser information such as your IP address, browser type and version, operating system, and device identifiers
Usage data including pages visited, time spent on pages, click patterns, referring URLs, and navigation paths
Aggregate analytics data as described in Section 10 of this Policy (no cookies or personal data are collected)

2.3 Information from Third Parties

We may receive personal data about you from third-party sources, including publicly available business directories and professional networking platforms, referrals from existing clients or business partners, credit reference agencies for the purposes of financial due diligence, and analytics providers who assist us in improving our website and services.

2.4 Sensitive Personal Data

We do not intentionally collect or process special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). If you provide such data to us incidentally, we will only process it with your explicit consent or as otherwise permitted by law.

3. How We Use Your Information

3.1 Purposes of Processing

We process your personal data for the following purposes:

Service delivery: to provide, manage, and administer the services you have engaged us for, including project management, software development, technical consultancy, and support
Contract management: to enter into and perform our contractual obligations, issue invoices, process payments, and manage our business relationship with you
Communication: to respond to your enquiries, provide project updates, send service-related notices, and communicate about changes to our terms or policies
Marketing: to send you information about our services, industry insights, case studies, and events that may be of interest to you (only where we have your consent or a legitimate interest to do so, and always with the ability to opt out)
Website improvement: to analyse how visitors use our website, improve its functionality and content, and ensure its security
Legal compliance: to comply with our legal obligations, respond to legal processes, enforce our terms, and protect our rights and the rights of others
Business operations: for internal administration, quality assurance, training, financial reporting, and business planning

3.2 Legal Bases for Processing (UK and EU)

Under the UK GDPR and EU GDPR, we rely on the following legal bases for processing your personal data:

Performance of a contract: where processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract (Article 6(1)(b))
Legitimate interests: where processing is necessary for our legitimate business interests (such as marketing, business development, fraud prevention, and network security), provided these interests are not overridden by your rights and freedoms (Article 6(1)(f))
Consent: where you have given clear, informed consent for us to process your personal data for a specific purpose (Article 6(1)(a)). You may withdraw your consent at any time
Legal obligation: where processing is necessary to comply with a legal obligation to which we are subject (Article 6(1)(c))

3.3 US Privacy Law Compliance

For individuals in the United States, we process personal information in accordance with applicable US federal and state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable state privacy legislation such as the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and any other state privacy laws that may apply. Additional rights specific to US residents are detailed in Section 8 of this Policy.

4. Data Sharing and Disclosure

4.1 Categories of Recipients

We may share your personal data with the following categories of recipients:

Service providers and subcontractors: trusted third parties who perform services on our behalf, such as cloud hosting providers, payment processors, accounting services, and IT support, all of whom are contractually bound to protect your data
Professional advisers: including lawyers, accountants, auditors, and insurers who provide professional services to us
Regulatory and law enforcement bodies: where we are required to do so by law, regulation, or legal process, or to protect our rights, privacy, safety, or property
Business transfers: in connection with any merger, acquisition, reorganisation, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change

4.2 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. For the purposes of the CCPA/CPRA, we confirm that we do not "sell" or "share" (as those terms are defined under California law) your personal information.

4.3 Aggregated and Anonymised Data

We may share aggregated or anonymised data that cannot reasonably be used to identify you for purposes such as industry analysis, benchmarking, and marketing. This data is not considered personal data under applicable privacy laws.

5. International Data Transfers

5.1 Transfers Outside the UK and EEA

As a UK-based company that serves clients globally, we may transfer your personal data to countries outside the United Kingdom and the European Economic Area (EEA). Where we do so, we ensure that appropriate safeguards are in place to protect your data, including:

Transfers to countries recognised as providing an adequate level of data protection by the UK Secretary of State or the European Commission
The use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs)
The use of EU Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules where applicable
Any other legally recognised transfer mechanism under applicable data protection law

5.2 US Data Transfers

Where personal data is transferred to the United States, we implement appropriate contractual safeguards and supplementary measures as required by applicable UK and EU data protection law. We conduct transfer impact assessments where necessary to evaluate the level of protection afforded to personal data in the destination country.

5.3 Further Information

You may request a copy of the safeguards we have put in place for international data transfers by contacting us using the details set out in Section 1.2.

6. Data Retention

6.1 Retention Principles

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. In determining the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means.

6.2 Specific Retention Periods

Client engagement records: retained for six (6) years after the end of the engagement, in line with the UK limitation period for contractual claims
Financial and tax records: retained for a minimum of six (6) years as required by HMRC and applicable tax legislation
Marketing data: retained until you withdraw your consent or opt out, after which we will suppress your data to ensure we do not contact you again
Website analytics data: retained for up to twenty-six (26) months
Enquiry and correspondence data: retained for two (2) years after the last communication unless a business relationship is established

6.3 Deletion and Anonymisation

When personal data is no longer required, we will securely delete or anonymise it. Where anonymisation is used, the data will no longer constitute personal data and may be retained and used for analytical purposes indefinitely.

7. Your Rights Under UK and EU Law

If you are located in the United Kingdom or the European Economic Area, you have the following rights under the UK GDPR and EU GDPR. You may exercise these rights free of charge by contacting us at the details provided in Section 1.2.

7.1 Right of Access

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data together with supplementary information about how it is processed. We will respond to your request within one (1) month, which may be extended by a further two (2) months where the request is complex or numerous.

7.2 Right to Rectification

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

7.3 Right to Erasure

You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose it was collected, where you withdraw your consent (and no other legal basis applies), or where the data has been unlawfully processed.

7.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.

7.5 Right to Data Portability

Where processing is based on your consent or the performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

7.6 Right to Object

You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time.

7.7 Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in automated decision-making of this nature.

7.8 Right to Withdraw Consent

Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

8. Additional Rights for US Residents

If you are a resident of California or another US state with applicable privacy legislation, you may have the following additional rights:

8.1 California Residents (CCPA/CPRA)

Right to Know: you have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, the business or commercial purposes for collecting the information, and the categories of third parties with whom we share the information
Right to Delete: you have the right to request that we delete the personal information we have collected about you, subject to certain exceptions
Right to Correct: you have the right to request that we correct inaccurate personal information
Right to Opt Out: you have the right to opt out of the sale or sharing of your personal information. As stated in Section 4.2, we do not sell or share your personal information
Right to Limit Use of Sensitive Personal Information: you have the right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the services you have requested
Right to Non-Discrimination: we will not discriminate against you for exercising any of your privacy rights

8.2 Other US State Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, or another state with comprehensive privacy legislation, you may have similar rights to access, correct, delete, and port your personal data, as well as the right to opt out of targeted advertising, profiling, and the sale of personal data. You may also have the right to appeal a decision regarding your privacy request.

8.3 How to Exercise Your Rights

To exercise any of the rights described in this Section, please contact us at privacy@rightadvancedigital.com. We will verify your identity before processing your request. You may designate an authorised agent to make a request on your behalf, provided the agent provides proof of written authorisation. We will respond to verifiable requests within forty-five (45) days, which may be extended by an additional forty-five (45) days where reasonably necessary.

8.4 Do Not Track

Our website does not use cookies or tracking technologies that respond to "Do Not Track" browser signals. Our analytics service (Cloudflare Web Analytics) is cookie-free and does not track individual users.

9. Data Security

9.1 Security Measures

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include but are not limited to:

Encryption of data in transit using TLS/SSL and at rest where appropriate
Access controls and authentication mechanisms to restrict access to personal data to authorised personnel on a need-to-know basis
Regular security assessments, vulnerability testing, and monitoring of our systems
Secure software development practices aligned with industry standards
Employee training on data protection and information security
Incident response procedures for identifying, investigating, and responding to data security incidents

9.2 No Absolute Guarantee

While we strive to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we are committed to promptly addressing any security breach in accordance with our obligations under applicable law.

10. Analytics and Tracking Technologies

10.1 Website Analytics

We use Cloudflare Web Analytics to understand how visitors interact with our website. Cloudflare Web Analytics is a privacy-first analytics service that does not use cookies, does not collect personal data, and does not track individual visitors across websites. It provides us with aggregate information such as page views, referral sources, and general geographic regions.

10.2 Cookies

Our website does not set any non-essential cookies. We do not use performance cookies, functionality cookies, or marketing cookies. No cookie consent mechanism is required because no non-essential cookies are placed on your device.

10.3 Third-Party Services

Our website uses the following third-party services, none of which set cookies on your device:

Cloudflare Web Analytics: aggregate website usage statistics with no personal data collection. Cloudflare Privacy Policy
Web3Forms: contact form submissions. Data is transmitted only when you submit the form. Web3Forms Privacy Policy
Google Fonts: font delivery. Google Privacy Policy

We also log anonymous events from our diagnostic and form pages — including the event name, timestamp, page URL, and limited non-personal contextual details such as which diagnostic path or result category was reached and an anonymous referral source (e.g. the referring website's domain or a campaign tag). No session identifiers, cookies, device storage, IP addresses, or personal data are stored with these events, and no consent mechanism is required. Used to measure aggregate funnel performance only.

11. Children's Privacy

Our services are not directed at individuals under the age of eighteen (18), and we do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that data as soon as reasonably practicable. If you believe we have collected data from a child, please contact us immediately at privacy@rightadvancedigital.com.

12. Third-Party Links

Our website may contain links to third-party websites, services, or applications that are not operated or controlled by us. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our website.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Where changes are material, we will provide reasonable notice by publishing the updated Policy on our website with a revised "Last Updated" date and, where appropriate, by notifying you directly via email. We encourage you to review this Policy periodically. Your continued use of our website or services following the posting of changes constitutes your acceptance of those changes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Right Advance Digital Ltd
Email: privacy@rightadvancedigital.com
Website: rightadvancedigital.com

For complaints about our data protection practices, you may also contact the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local data protection authority if you are based in the EU. US residents may contact the relevant state attorney general.