Privacy Policy

Version 1 · Last updated 7 May 2026

This policy explains how CETA Professional Services Limited (“we”, “us”, “our”) looks after personal data when you visit our website, get in touch with us, or work with us as a client. We aim to keep it short, clear, and honest about what we actually do.

Who we are

CETA Professional Services Limited is the data controller for personal data described in this policy. We are a company registered in England & Wales (company no. 17189274), with our registered office at 3 Meadow Court, High Street, Witney, OX28 6ER. We are not currently required to appoint a Data Protection Officer; questions about this policy can be sent to us by post at the address below.

What this policy covers

This policy covers personal data we collect through cetaprofessionalservices.com, through correspondence with prospective and existing clients, and in the course of running our business. Where we process personal data inside systems we have built and operate on behalf of a client, that client is the controller and their own privacy notice applies; this policy does not cover that processing.

What we collect

When you contact us — for example by post or, in future, by email or a form: your name, your work contact details, your employer, and the contents of your message and any later correspondence.

When we work with you as a client — in addition to the above: billing and accounting details for you and your colleagues, the access credentials and configuration we need to deliver the project (only what is needed, only for as long as needed), and the working artefacts of the engagement such as meeting notes, designs, and requirement documents.

When you visit this website — our hosting and CDN providers automatically log basic technical information when your browser loads pages: IP address, user-agent, request path, response status, and timestamp. We use this to operate, secure, and troubleshoot the site.

Cookies

This site does not currently set marketing, advertising, or analytics cookies, and we do not use any third-party tracking. Our CDN (Cloudflare) may set technical cookies that are strictly necessary for security and performance — these are exempt from consent under PECR. If we add analytics or any non-essential cookies in future, we will update this section and present a cookie notice before doing so.

How we use personal data

To answer enquiries and discuss potential work.
To deliver and bill for services we have agreed to provide.
To run our business — accounting, record-keeping, and routine administration.
To meet our legal and regulatory obligations.
To operate, secure, and improve this website.

Legal bases

Under UK GDPR we rely on the following lawful bases:

Performance of a contract, when delivering work to a client or taking steps before entering into a contract.
Legitimate interests, when running and protecting our business — including operating this website, responding to enquiries, and routine administration. We have considered the impact on you and concluded our use is reasonable and not overridden by your rights.
Legal obligation, where the law requires us to process data (for example, statutory tax record-keeping).
Consent, where required — which you can withdraw at any time.

Who we share personal data with

We share personal data only as needed to run our business and deliver our work, with providers under written agreements where applicable. We do not sell personal data, and we do not share it for advertising or marketing by third parties.

Recipient	Role & purpose	Personal data	Location	Safeguard
Cloudflare, Inc.	DNS, CDN, WAF, TLS termination for this website	IP addresses, request metadata	US / global edge	UK IDTA / SCCs
UpCloud Ltd	Server hosting	All data stored on or transmitted through our servers	Finland / UK	UK / EU adequacy
Mailgun Technologies, Inc.	Outbound and transactional email	Email addresses, message contents and headers	US	UK IDTA / SCCs
Xero Limited	Accounting and invoicing	Names, work contact details, billing information	UK / New Zealand	UK adequacy regulations
Bodle Law Limited	Legal and regulatory advice	Information shared in the course of seeking advice	UK	n/a (UK)
CETA Software Limited	Affiliated company — shared back-office functions and occasional resourcing on engagements	Information needed to coordinate work and run shared functions	UK	n/a (UK)
Subcontractors and freelancers	Where we engage a third party to deliver part of an engagement, on terms equivalent to ours	Only what is needed for their part of the work	Varies	UK IDTA / SCCs as applicable

We may also disclose personal data where required by law, court order, or to a regulator; to enforce our terms; or in connection with a corporate transaction (such as a sale of the business), in which case data protection commitments would be passed on to the acquirer.

International transfers

Where personal data is transferred outside the UK, we rely on UK adequacy regulations (for transfers to the EEA and other adequate countries), the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses, or other lawful safeguards. The applicable mechanism for each provider is shown in the table above.

How long we keep data

Enquiries that don’t lead to engagement: kept for up to two years for record-keeping, then deleted.
Client records: kept for the duration of the engagement and for at least six years afterwards, to meet UK statutory and tax obligations.
Website logs: kept for a short period (typically 30–90 days) by our hosting and CDN providers, for security and troubleshooting.
Backups: encrypted backups may extend the effective retention period by a short rolling window.

We delete or anonymise personal data once it is no longer needed.

Security

We take reasonable technical and organisational measures to protect personal data — including TLS for all web traffic, access control on systems holding client data, vetted suppliers under written agreements, and limited retention. No transmission or storage system is completely secure; if a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will tell you and the ICO as required by law.

Your rights

Under UK GDPR you have the right to:

access the personal data we hold about you;
have inaccurate data corrected;
have your data erased, in certain circumstances;
restrict or object to our processing, in certain circumstances;
data portability, where applicable;
withdraw consent at any time, where we relied on it.

To exercise any of these, write to us at the postal address shown below. We aim to respond within one calendar month and will not charge for reasonable requests.

You also have the right to complain to the UK Information Commissioner’s Office — ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; ico.org.uk; 0303 123 1113.

Marketing

We do not currently run any marketing campaigns. If we begin doing so, we will only contact people who have asked to hear from us, and every such message will include a clear way to unsubscribe.

Children

This website and our services are aimed at businesses; they are not directed at children, and we do not knowingly collect personal data from anyone under 18.

Changes to this policy

We may update this policy from time to time. The current version is always available at this URL, with the version number and last-updated date shown at the top.

Contact

Questions about this policy or how we handle personal data, by post:

CETA Professional Services Limited
3 Meadow Court, High Street
Witney, OX28 6ER, England