
Legal Compliance

Privacy Policy

Last Updated: June 2026

1. Introduction

This Privacy Policy explains how [Insert Your Name or Business Name] ("we", "our", or "I") collects, uses, protects, and shares your personal data. As a self-employed Chartered Architectural Technologist and On-Construction Domestic Energy Assessor (OCDEA), I take data privacy seriously and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. The Data I Collect

To deliver architectural, SAP assessment, and sustainability services, I may collect and process the following personal information:

  • Identity Data: First name, last name, and professional title.

  • Contact Data: Billing address, site/property address, email address, and telephone numbers.

  • Project Data: Architectural drawings, building specifications, land registry details, and site photographs.

  • Financial Data: Bank account details for processing payments.

3. How I Use Your Personal Data

I will only use your data when the law allows me to. Most commonly, I use your data for:

  • Performance of a Contract: To calculate SAP assessments, issue EPCs, create architectural designs, and deliver sustainability consultations.

  • Legal & Regulatory Compliance: To lodge official energy certificates on national registers via approved accreditation schemes.

  • Legitimate Interests: For standard business operations, invoicing, and keeping financial records for HMRC tax compliance.

4. Who I Share Your Data With

I do not sell your personal data. However, to complete your project, I must share relevant information with specific third parties:

  • Accreditation Bodies: Your property data and energy calculations will be shared with my government-approved accreditation scheme (e.g., Elmhurst Energy) to officially lodge your On-Construction Energy Performance Certificate (EPC).

  • Local Authorities / Building Control: If required as part of your architectural or planning application process.

  • Software Providers: Your project data is processed in licensed SAP calculation and CAD/BIM software. Where that software or its file storage is cloud-hosted, the provider processes the data on my behalf under its own security terms.

  • Professional Regulators: If strictly required by the Chartered Institute of Architectural Technologists (CIAT) for professional auditing.

5. Data Security and Retention

I have put in place appropriate security measures to prevent your personal data from being accidentally lost, or from being used, altered, disclosed, or accessed in an unauthorized way.

  • Retention: I keep your project and identity data for as long as necessary to fulfill the purposes I collected it for, including satisfying any legal, accounting, or professional indemnity insurance requirements (which often mandate holding structural and assessment data for up to 10 years).

6. Your Legal Rights

Under the UK GDPR, you have rights regarding your personal data, including the right to access it, correct it, request its deletion, restrict its processing, object to processing based on legitimate interests, and (for data you supplied under a contract) receive a copy in a portable format. If you wish to exercise any of these rights, please contact me using the details below.

7. Contact Details and Complaints

If you have any questions about this privacy policy or how your data is handled, please contact me at:

  • Name: [Insert Your Name]

  • Email Address: [Insert Your Business Email]

  • Phone Number: [Insert Your Business Phone Number]

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

GDPR

Last Updated: June 2026

Internal Data Protection Policy & Data Breach Plan

Business Name: [Insert Business Name]

Data Protection Lead: [Insert Your Name]

Date of Adoption: [Insert Date]

1. Purpose of this Policy

This policy outlines how I, as a self-employed Chartered Architectural Technologist and OCDEA, handle personal data internally to maintain compliance with UK GDPR and the Data Protection Act 2018.

2. Our Core Data Principles

I commit to the UK GDPR data protection principles set out in Article 5. Data must be:

  1. Processed lawfully, fairly, and transparently.

  2. Collected only for specific, explicit, and legitimate purposes (e.g., executing architectural contracts or energy lodgements).

  3. Adequate, relevant, and limited to what is necessary.

  4. Accurate and kept up to date.

  5. Retained only for as long as necessary.

  6. Processed securely using appropriate technical and organisational measures.

  7. Handled accountably: I am responsible for, and must be able to demonstrate, compliance with the principles above (for example through this policy, my retention schedule, and my breach log).

3. Lawful Basis for Processing Data

Under UK GDPR, I rely on the following legal grounds to handle client data:

  • Contractual Necessity: To carry out architectural drawings, produce SAP calculations, and complete structural designs as requested by the client.

  • Legal Obligation: To lodge legal documents (EPCs) on the central government register via my accreditation scheme.

  • Legitimate Interests: To maintain normal business invoicing, project track records, and professional communication.

4. Operational Data Security Measures

To keep architectural data, floor plans, and client contact information safe, I will enforce the following controls:

  • Device Security: All laptops, tablets, and smartphones used for business operations must be locked with a strong passcode or password (biometric unlock may be used on top of this, not instead of it) and must have full-disk or device encryption enabled, so that a lost or stolen device does not expose readable client data.

  • Software Protection: CAD/BIM software, SAP calculation tools, and business email must be accessed via licensed platforms using unique passwords, with multi-factor authentication enabled wherever the platform supports it.

  • Physical Security: Any printed blueprints, site survey notes, or signed physical contracts must be kept in a secure, locked filing location when not in use.

  • Secure File Transfer: Large files, site images, and architectural specifications should be shared with developers or local authorities using access-restricted cloud storage links (password-protected or limited to named recipients, with an expiry date where available) or secure email channels. Any link password must be sent separately from the link itself.

5. Third-Party Data Disclosures

I will only share data with relevant third parties strictly required to deliver my services:

  • Energy Accreditation Schemes (e.g., Elmhurst) for lodging EPCs.

  • Local Authority Building Control & Planning Departments for submission of structural or sustainability packages.

  • HMRC & Accountants for standard business financial auditing.

6. Retention & Data Erasure

  • Active Project Data: Retained for the duration of the design and assessment process.

  • Archived Technical Files: Because architectural liability and professional indemnity insurance policies often feature extended claims windows, project files, drawings, and SAP records will be securely archived for 10 years following project completion, after which digital files (including cloud and backup copies) will be permanently deleted and paper records shredded.

7. Handling Subject Access Requests (SARs) and Other Rights Requests

If a client requests to see, amend, or delete the data I hold on them, I will:

  1. Verify their identity to prevent unauthorized data exposure.

  2. Provide the data free of charge (a reasonable fee may be charged only where a request is manifestly unfounded or excessive).

  3. Respond and fulfill the request within the statutory one calendar month deadline, which may be extended by up to two further months for complex or numerous requests provided the client is told of the extension within the first month.

8. Data Breach Response Plan (Schedule A)

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data (e.g., a stolen work phone, theft of an unencrypted laptop, a misaddressed email, or a malware/ransomware attack on my CAD/SAP files).

If a data breach occurs or is strongly suspected, I will execute the following five steps immediately:

Step 1: Containment and Recovery

  • Action: Take immediate technical steps to stop the breach from worsening.

  • Examples: Remotely wipe a lost/stolen device, disconnect an infected computer from the network, change all cloud and software passwords immediately (and, where the service supports it, sign out all active sessions), or request that an incorrectly addressed email be deleted by the recipient.

Step 2: Risk Assessment

  • Evaluate what data was exposed and determine if there is a "risk to the rights and freedoms" of the individuals affected (e.g., could it lead to identity theft, financial loss, or fraud?).

  • Low Risk: An encrypted laptop is lost. Notifying the ICO is unlikely to be required because the data cannot be read, provided the device was locked and the encryption key or passphrase was not lost with it. The incident is still recorded in the internal breach log (Step 5).

  • Medium/High Risk: Unencrypted client phone numbers, home addresses, and bank details are accessed by an unauthorized third party. This must be reported.

Step 3: ICO Notification (The 72-Hour Rule)

  • If the risk assessment reveals a likelihood of risk to individuals, I am legally required to report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. If a full report is not possible within 72 hours, I will report what is known and explain the reason for any delay, then follow up with the remaining details.

  • How to Report: Submit a data breach report online through the ICO portal (ico.org.uk) or call their helpline at 0303 123 1113.

  • Information to Provide:

    1. The nature of the breach (what happened).

    2. The categories and approximate number of individuals/records affected.

    3. The likely consequences of the breach.

    4. The measures taken or proposed to fix and mitigate the damage.

Step 4: Notifying Affected Individuals

  • If the breach presents a high risk to individuals (e.g., direct banking details or passwords are leaked), I must notify the affected individuals directly and without undue delay.

  • The notice must be written in clear, plain language and explain what happened, what data was involved, and what actions they should take to protect themselves (e.g., changing passwords or monitoring bank statements).

Step 5: Documenting the Log

  • I will maintain an internal data breach log. All breaches—even minor ones that do not meet the threshold for reporting to the ICO—must be documented in writing, detailing the facts, its effects, and the corrective actions taken.

Terms & Conditions

Last Updated: June 2026


Contractual Framework: Risk & Scale Calibration

Every formal appointment is dynamically tailored to the physical scale, financial value, and inherent risk profile of your specific development. Rather than utilizing rigid, "one-size-fits-all" templates, our contractual terms—derived from our baseline standard (Terms_and_Conditions_Business.pdf)—are calibrated to ensure proportional legal and commercial protection for all parties.

Liability & Risk Management

  • Indexed Indemnity Caps: Liability limitations and Professional Indemnity Insurance limits are scaled relative to the project’s capital valuation and structural complexity.

  • Defensible Exposure: This precise targeting ensures that legal and financial exposure remains balanced and directly proportional to the project's real-world footprint.

Fees & Milestone Frameworks

  • Critical Path Invoicing: Payment schedules are mapped directly to your project’s specific timeline and capital expenditure stages rather than arbitrary dates.

  • Phase-Gate Security: Invoicing milestones are aligned with defined technical handovers, local authority planning submissions, or statutory SAP/EPC lodgement phases.

Change Control & Technical Variations

  • Defined Variation Protocols: Clear mechanisms govern how design modifications, structural material changes, and iterative SAP modeling are processed.

  • Proportional Charging: Variation clauses ensure supplementary fees are strictly limited to the additional technical hours required for unforeseen revisions.

Intellectual Property & Data Licensing

  • Bespoke Usage Licensing: The copyright license granted for our CAD/BIM assets, technical specifications, and energy compliance models is customized to your exact objectives.

  • Replication Control: Terms explicitly define whether asset usage is restricted to a single plot or structured for multi-site replication.

By systematically aligning our contractual framework with the true scope of your instruction, we mitigate risk, eliminate financial ambiguity, and uphold the professional standards mandated by our regulating bodies.

Contact

Bridport, Dorset

07356 262096


Opening Hours

Mon - Fri: 8:00 am – 8:00 pm

Saturday: 10:00 am – 4:00 pm

Sunday: 10:00 am – 4:00 pm

