Data Protection & GDPR Policy
Our commitment to responsible, transparent, and lawful processing of your personal data under UK law.
1. Data Controller
Smart Nibble acts as the Data Controller for all personal data collected through our website and support services. As Data Controller, we determine the purposes and means of processing your personal information.
Point of Contact for Data Protection Matters:
Smart Nibble
Email: info@smartnibble.co.uk
United Kingdom
2. The Data Protection Principles
Under Article 5 of the UK GDPR, we process all personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and in a transparent manner.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation: We collect only the data that is adequate, relevant, and limited to what is necessary.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
- Storage limitation: Personal data is kept in a form that permits identification for no longer than necessary.
- Integrity and confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
- Accountability: Smart Nibble is responsible for and can demonstrate compliance with all of the above principles.
3. Data Processing Activities
The following table summarises our primary data processing activities:
| Activity | Data Involved | Legal Basis | Retention |
|---|---|---|---|
| Support request processing | Name, email, phone, issue description | Contract (Art. 6(1)(b)) | 12 months |
| Email / enquiry handling | Name, email, message content | Contract / Legitimate Interest | 24 months |
| Session activity (screen content) | Device activity visible during session | Contract (Art. 6(1)(b)) | Session duration only |
| Website analytics (anonymised) | IP address, browser, pages visited | Legitimate Interest (Art. 6(1)(f)) | 90 days |
| Security & fraud prevention | IP address, form submission metadata | Legitimate Interest (Art. 6(1)(f)) | 90 days |
| Legal compliance | As required by law | Legal Obligation (Art. 6(1)(c)) | As legally required |
4. Legal Bases for Processing
We rely on the following legal bases under Article 6 of the UK GDPR:
- Article 6(1)(a) – Consent: Where you have given clear, unambiguous consent for a specific purpose (e.g., agreeing to our privacy policy when submitting a form, or accepting cookies). You may withdraw consent at any time.
- Article 6(1)(b) – Contract: Processing is necessary to fulfil our contractual obligations to you when delivering remote IT support services.
- Article 6(1)(c) – Legal Obligation: Processing is necessary to comply with UK legal requirements (e.g., tax records, responding to law enforcement requests).
- Article 6(1)(f) – Legitimate Interests: We process certain data on the basis of legitimate business interests, having conducted a legitimate interests assessment (LIA) to confirm that such interests are not overridden by your rights and freedoms.
5. Your Rights Under UK GDPR
You have the following enforceable rights with respect to your personal data:
- Right of Access (Art. 15): You may submit a Subject Access Request (SAR) at any time to obtain a copy of the personal data we hold about you. We will respond within one calendar month.
- Right to Rectification (Art. 16): If any data we hold about you is inaccurate or incomplete, you have the right to request its correction.
- Right to Erasure (Art. 17): Known as the "right to be forgotten", you can request that we delete your personal data where we no longer have a lawful basis to retain it.
- Right to Restriction (Art. 18): You may request that we pause processing of your data in certain circumstances (e.g., whilst we verify its accuracy).
- Right to Data Portability (Art. 20): Where processing is based on consent or contract, and is carried out by automated means, you have the right to receive your data in a portable, machine-readable format.
- Right to Object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights in Relation to Automated Decision-Making (Art. 22): We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
To exercise any of these rights, please email us at info@smartnibble.co.uk. We do not charge a fee for exercising your rights and will respond within 30 days. In complex cases, we may extend this period by a further two months, in which case we will notify you.
6. Data Subject Access Requests (SARs)
To submit a Subject Access Request, please contact us at info@smartnibble.co.uk with the subject line "Subject Access Request". Please include sufficient information to allow us to identify you and locate your records. We may request identity verification before releasing personal data to ensure it is not disclosed to an unauthorised third party.
7. Automated Decision-Making and Profiling
Smart Nibble does not use any automated decision-making processes or profiling that produce legal or similarly significant effects on individuals.
8. Data Breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Smart Nibble will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, including its cause, effects, and the remedial actions taken.
9. International Data Transfers
Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place as required by UK GDPR. This may include Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms. We do not transfer personal data to countries without adequate data protection standards.
10. Lodging a Complaint with the ICO
If you are not satisfied with how we handle your personal data or respond to your data rights requests, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
11. Policy Review
This Data Protection Policy is reviewed at least annually and updated whenever there are material changes to our processing activities or applicable law. The most current version will always be published on this page.