DR7  /  Privacy

Privacy notice.

How we collect, use, and protect personal data. Aligned to UK GDPR, the Data Protection Act 2018, and PECR.

Last updated: Effective date:

1. Who we are

DR7 LTD. Registered in England & Wales. Company No. 15701744. DR7 LTD ("DR7", "we", "us", "our") is the data controller for the personal data described in this notice.

The privacy contact is reachable at info@dr7.co.uk. We are not currently required to designate a Data Protection Officer under UK GDPR Article 37 because our core activities do not consist of large-scale, regular and systematic monitoring of data subjects, nor of large-scale processing of special-category data. A designated privacy contact is, however, reachable at the email address above.

2. Scope of this notice

This notice applies to personal data we process in the following contexts:

  • visitors to this website (dr7.co.uk and any sub-paths);
  • individuals submitting enquiries via the website's contact route or by email;
  • prospective and current commercial counterparties — including clients, suppliers, and subcontractors — and their personnel;
  • prospective and current employees, contractors, and applicants for advertised roles;
  • recipients of marketing communications, where they have opted in.

It does not cover the processing of personal data carried out by third-party sites we link to, or by clients in respect of their own customers and operations where DR7 acts as a processor under a separate contract.

3. Categories of personal data we collect

We collect only the categories of data we need to operate the relationship in question. The categories below describe what may be collected and what is not:

Identity data

Name and job title. We do not collect government-issued identifiers (e.g. National Insurance numbers) outside an employment or contractor onboarding context.

Contact data

Business email address, business telephone number, and business postal address. We do not require a personal home address for general enquiries.

Commercial / account data

Counterparty name, purchase orders, invoices, payment references, and credit-control correspondence. Bank-account details where required for invoicing. We do not collect full payment-card data; payment-card processing, where it occurs, is handled by regulated banks and payment processors.

Communications data

The content of correspondence with us, including emails, contact-form submissions, and meeting notes. We do not record telephone calls without prior notice and consent where required.

Technical and usage data

IP address, user-agent, request URL, and referrer information collected at the web-server layer for security, abuse prevention, and reliability. We do not build behavioural profiles, fingerprint visitors, or share this data with advertising networks.

Recruitment data

CV, cover letter, references with the candidate's permission, and right-to-work confirmation where a role is offered. We do not require photographs at application stage.

Sensitive / special-category data

We do not knowingly collect special-category data (for example data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation) outside of narrowly-scoped employment contexts where it is necessary and a separate, more specific privacy notice applies.

Children

Our services are business-to-business. We do not knowingly collect personal data from children under 18. If you believe a child has supplied us with personal data, please contact info@dr7.co.uk and we will delete it.

4. Sources

We obtain personal data from:

  • the data subject directly (e.g. enquiries, applications, business-card exchange);
  • publicly available sources used for legitimate business-to-business prospecting, such as Companies House and professional networking sites including LinkedIn;
  • our clients in the course of project delivery, where the client is the controller and we act as a processor or joint controller as agreed in a separate contract;
  • third-party recruitment platforms, where a candidate has applied to a role we have advertised.

5. Lawful bases

Under UK GDPR Article 6, and Article 9 where relevant, we rely on the following lawful bases:

  • Performance of a contract (Art 6(1)(b)) — to deliver services, manage accounts, and respond to requests from a counterparty with which we have, or are about to enter, a contract.
  • Compliance with a legal obligation (Art 6(1)(c)) — to meet statutory record-keeping obligations under HMRC, the Companies Act, employment law, and waste-carrier regulatory regimes.
  • Legitimate interests (Art 6(1)(f)) — for site security, abuse prevention, fraud detection, business administration, business-to-business marketing to corporate contacts in roles relevant to our services, and for aggregated analytics that improve the service. We have carried out a Legitimate Interests Assessment ("LIA") balancing our interests against the rights and freedoms of data subjects, taking into account the limited categories of data, the business-to-business context, and the availability of an objection right.
  • Consent (Art 6(1)(a)) — only where required, for example to set non-essential cookies, or to send direct marketing to individuals where the corporate-subscriber and "soft opt-in" routes under PECR are not available.
  • Substantial public interest / employment law (Art 9(2)(b) and (g)) — only where special-category data is processed in an employment context and a separate, more specific notice applies.

6. Purposes of processing

We use personal data for the following purposes:

  • responding to enquiries received via the website or email;
  • delivering services and managing client and supplier accounts;
  • commercial operations including invoicing, credit control, and fraud prevention;
  • statutory record-keeping under HMRC, the Companies Act, and applicable regulatory regimes;
  • recruitment, onboarding, and ongoing employment / contractor administration;
  • site security, abuse prevention, and incident investigation;
  • aggregated, privacy-respecting analytics to understand and improve the service;
  • business-to-business marketing to corporate contacts whose roles are relevant to our services, and direct marketing to individuals only where they have opted in.

7. Cookies and tracking

The site is designed to work without setting non-essential cookies. We do not use third-party advertising or cross-site tracking. For full detail, including the audited list of cookies and storage keys observed on the site, see the Cookie policy.

8. Sharing and recipients

We share personal data only where necessary, and only with the following categories of recipient:

  • professional advisers — legal, accounting, audit, and insurance — bound by professional duties of confidentiality;
  • banks and regulated payment processors, strictly for the purpose of issuing or settling invoices;
  • subcontractors and other operating brands within the DR7 LTD group, where they are necessary to deliver the service the data subject has engaged us to deliver;
  • self-hosted infrastructure providers that host this website and our operational systems on our behalf, under written processor terms;
  • statutory recipients including HMRC, Companies House, and other regulators where we are required by law to disclose;
  • courts and law-enforcement authorities where we are compelled by valid legal process or where disclosure is necessary to protect our rights.

We do not sell personal data, and we do not share personal data for third-party advertising or behavioural marketing.

9. International transfers

Personal data is processed in the United Kingdom and the European Economic Area by default. Where personal data is transferred outside the UK, we rely on the UK government's adequacy regulations for the destination country, the International Data Transfer Agreement ("IDTA"), or the European Commission's Standard Contractual Clauses together with the UK Addendum, in each case supported by a transfer risk assessment where required. We do not engage in ad-hoc international transfers without a lawful transfer mechanism in place.

10. Retention

We keep personal data only for as long as we need it for the purpose for which it was collected, plus any period required by law or to defend legal claims:

  • Operational and commercial records — for the duration of the commercial relationship plus the period required by HMRC and Companies Act record-keeping obligations, typically six years.
  • Recruitment data — for twelve months from the close of the role, unless the candidate consents to a longer talent-pool retention period.
  • Web-server logs — for a short defined period sufficient for security investigation and abuse prevention, after which they are rotated and discarded.
  • Marketing consents — until the individual withdraws consent, after which we retain a minimal suppression record so we do not contact them again in error.

11. Security

We apply organisational and technical measures appropriate to the risks involved in our processing. These include role-based access controls, the principle of least privilege, encryption of personal data in transit, staff confidentiality undertakings, supplier due diligence and written processor terms with our service providers, an incident-response process with notification to the Information Commissioner's Office where the legal threshold is met, and periodic review of these measures.

12. Your rights under UK GDPR

You have the following rights, subject to the conditions and exemptions in UK GDPR:

  • the right to be informed about the processing of your personal data — this notice is intended to satisfy that obligation;
  • the right of access to your personal data;
  • the right to rectification of inaccurate or incomplete personal data;
  • the right to erasure ("right to be forgotten") in defined circumstances;
  • the right to restrict processing in defined circumstances;
  • the right to data portability for data you have provided to us where the lawful basis is consent or contract and processing is carried out by automated means;
  • the right to object to processing carried out on the basis of legitimate interests, and an unconditional right to object to direct marketing;
  • the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you. We do not engage in such solely-automated decision-making.
  • the right to withdraw consent at any time where consent is the lawful basis for processing.

13. How to exercise your rights

To exercise any of these rights, email info@dr7.co.uk. We may need to verify your identity before responding, in which case we will request only information proportionate to the request and will not retain it longer than necessary to confirm identity. We will respond within one calendar month of receiving a valid request, in line with UK GDPR Article 12. We may extend that period by a further two months for complex or numerous requests, and where we do we will notify you within the first month of the reason for the extension.

14. Right to complain to the ICO

If you are not satisfied with how we have handled your personal data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (the "ICO"), which is the UK's supervisory authority for data protection.

We would, however, appreciate the chance to address your concerns first — please do contact us at the email above before approaching the ICO.

15. Changes to this notice

We may update this notice from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Material changes will be flagged on the homepage so that you have a fair opportunity to read them. Prior versions of this notice are available from us on request to info@dr7.co.uk.

16. Contact

For any question about this notice, or to exercise any of the rights described above, contact info@dr7.co.uk.

Postal correspondence may be sent to DR7 LTD; the registered-office address is on the public register at Companies House against company number 15701744.