Privacy policy
Last updated: 23 May 2026
Baaj Security Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This privacy policy explains how we collect, use, share, and protect personal data when you visit baajsecurity.com (the "Website"), submit an enquiry through our online form, contact us by phone or email, or otherwise interact with us.
This privacy policy applies to personal data relating to visitors to our Website, people who submit enquiries or contact us, and client contacts who communicate with us in relation to our services. We act as the "controller" of your personal data for the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
Who we are
Baaj Security Ltd is a company registered in England and Wales (company number 16353621) with its registered office at Suite A, 82 James Carter Road, Mildenhall, Bury St Edmunds, IP28 7DE.
For any questions about this policy or about your personal data, please contact us:
- Email: info@baajsecurity.com
- Phone: +44 7915 620609
- Post: Data Protection, Baaj Security Ltd, Suite A, 82 James Carter Road, Mildenhall, Bury St Edmunds, IP28 7DE
Personal data we collect
We collect and process the following categories of personal data:
Enquiry data — when you contact us through the enquiry form, by email, or by phone, we collect your name, email address, telephone number, the location and nature of the service required, the date(s) for which cover is needed, and any other information you choose to provide in your enquiry.
Communication data — records of our correspondence with you, including any quote details and follow-up communications.
Service data — where you become a client, we collect the information needed to provide the service you have asked for. This may include relevant addresses, access information you choose to share with us, and any specific instructions you provide.
Website usage data — IP address, browser type, device type, operating system, referring website, pages visited, time spent on each page, and similar technical information about how you use the Website.
We do not actively collect special category personal data (for example, data relating to health, race, religion, or sexual orientation) other than incidentally where you choose to disclose it. Where we receive such data we will process it only to the extent necessary to deliver the service requested, and on the basis of your explicit consent under Article 9(2)(a) UK GDPR.
How we use your personal data and our lawful bases
We use your personal data for the following purposes and on the following lawful bases under UK GDPR:
To respond to your enquiry — our lawful basis is Article 6(1)(b) UK GDPR (necessary for steps taken at your request prior to entering into a contract) or, where you are enquiring on behalf of a third party, Article 6(1)(f) UK GDPR (legitimate interests in responding to enquiries about our services).
To provide our services — where you become a client, we process your personal data to provide the services you have asked for and to communicate with you about them. Our lawful basis is Article 6(1)(b) UK GDPR (necessary for the performance of a contract).
To meet our legal obligations — including obligations under company law, employment law, tax law, and any lawful requests from regulators or law enforcement authorities. Our lawful basis is Article 6(1)(c) UK GDPR (compliance with a legal obligation).
To run, improve, and secure the Website — we analyse aggregated, anonymised usage data to improve the Website’s performance and user experience. Our lawful basis is Article 6(1)(f) UK GDPR (legitimate interests in operating and improving our services).
We do not use your personal data for direct marketing without your express, separately obtained consent. We do not engage in profiling or automated decision-making.
Who we share your personal data with
We share personal data only where strictly necessary, and only with the following categories of recipient:
Our staff — Baaj Security Ltd staff who need access to personal data to do their work for us. All staff are bound by confidentiality obligations.
Our service providers (processors) — including our website hosting provider, our online enquiry-form and submission-notification provider (Web3Forms, which receives the name, phone number, email address, and message you submit through a form on this website and forwards it to us by email), email and productivity provider, customer relationship management system, accountants, and payroll provider. Each acts as a "processor" under UK GDPR and is contractually obliged to process your personal data only on our written instructions, with appropriate security measures and confidentiality undertakings.
Professional advisers — our legal advisers and accountants, where required for the operation of our business.
Regulators and authorities — regulators, HMRC, the police, the courts, and other regulatory or law enforcement bodies where required by law or where reasonably necessary to prevent or investigate crime.
In connection with a business transfer — if Baaj Security Ltd is sold, merged, or restructured, your personal data may be transferred to the new owner, who will be required to use it consistently with this policy.
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
International transfers
We store and process personal data primarily within the United Kingdom. Where any of our service providers process personal data outside the United Kingdom, we ensure that appropriate safeguards are in place — including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions covered by a UK adequacy regulation. You can request details of our international transfer safeguards by contacting us at the address in Section 1.
How long we keep your personal data
We retain personal data only for as long as is necessary for the purposes set out above. Our standard retention periods are:
- Enquiry data (where no contract is formed): twelve (12) months from the date of enquiry, after which the data is securely deleted.
- Client data: for the duration of the contractual relationship, and for six (6) years thereafter, to comply with HMRC record-keeping requirements and to defend potential legal claims.
- Correspondence and communication data: in line with the underlying enquiry or client data above.
- Website usage data: retained for up to twenty-four (24) months, after which it is deleted or anonymised.
After the applicable retention period, your personal data is securely deleted or anonymised.
Your rights
Under UK GDPR you have the following rights in relation to your personal data:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to have inaccurate or incomplete personal data corrected.
- Right to erasure ("right to be forgotten") — to have your personal data deleted in certain circumstances.
- Right to restriction — to limit how we use your personal data in certain circumstances.
- Right to data portability — to receive certain of your personal data in a structured, commonly used, machine-readable format.
- Right to object — to object to processing carried out on the basis of our legitimate interests, including any direct marketing.
- Right to withdraw consent — where we rely on your consent, you may withdraw it at any time.
- Right to lodge a complaint — with the relevant supervisory authority.
To exercise any of these rights, please contact us using the details in Section 1. We will respond within one (1) month of receipt of your request. In some cases we may extend this period by up to two (2) further months and will inform you if we do so.
We may need to verify your identity before responding, particularly where the request relates to electronic data. There is no fee for exercising your rights, unless the request is manifestly unfounded or excessive.
Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include access controls, encryption in transit, secure storage of physical records, password policies, supplier due diligence, and ongoing staff awareness. However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of it and, where the risk is high, will notify you directly without undue delay.
Children
Our services are not directed to children. We do not knowingly collect personal data from children under the age of sixteen (16). If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.
Third-party links
The Website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any third-party websites you visit.
Automated decision-making and profiling
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
Changes to this privacy policy
We may update this privacy policy from time to time. The latest version will always be available on the Website with the "last updated" date at the top. Where the change is material, we will take reasonable steps to bring it to your attention.
How to contact us
For any questions, concerns, or requests relating to your personal data, please contact us using the details in Section 1. We hope we can resolve any concern you may have about our use of your personal data.