Privacy Policy and Fair Usage Notice
1. Introduction
Scope: This policy applies to all personal and sensitive personal data processed by Promethean Human Designs Ltd, whether held electronically or in paper form, and to all staff, contractors and third‑party processors acting on our behalf.
Data Protection Lead: Steve Franklin, Managing Director, is the nominated Data Protection Lead.
2. Principles and lawful basis for processing
Core principles: We process personal data in line with the Data Protection Act 2018 and GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Lawful bases we rely on:
- Consent — where individuals have given clear permission.
- Contract — to perform obligations under a contract.
- Legal obligation — where the law requires processing.
- Vital interests — to protect life in emergencies.
- Public task — where processing is necessary for a public function.
- Legitimate interests — where our interests do not override individual rights (we document Legitimate Interest Assessments).
A copy of our Information Asset Register, retention schedules, Legitimate Interest Assessments and Data Protection Impact Assessments (DPIAs) is available on request.
3. What data we collect and why
Categories of data we may hold:
- Employees / prospective employees: identity, contact, payroll, tax identifiers, employment records, training, emergency contacts, absence and accident records.
- Clients / prospective clients / training participants / suppliers / newsletter subscribers: identity and contact details, billing and contract information, communications, service records, training records, marketing preferences.
- Sensitive data: only collected where strictly necessary (e.g., health information for workplace adjustments) and processed under an appropriate legal basis.
Purpose: We collect data to deliver services, manage contracts, meet legal obligations (tax, employment law), provide training, communicate with stakeholders, and improve our services.
4. Retention, transfer and disposal
Retention periods (summary):
- Financial records: retained for 6 years after the end of the relevant financial year.
- Employee records: retained for the duration of employment plus 24 months (unless longer retention is required by law).
- Client records: retained for the duration of the relationship plus 12 months (unless otherwise agreed).
- Prospective client enquiries: removed after 24 months of inactivity.
- Training participant records: retained for the duration of the relationship plus 24 months. Where specific legal or contractual obligations require longer retention, we will retain records only for the minimum period required.
Transfers: Personal data must not be transferred outside the UK/EEA without guidance from the Data Protection Lead. Where third‑party tools transfer data internationally, we ensure appropriate safeguards (e.g., standard contractual clauses, adequacy decisions) are in place.
Secure disposal: When retention periods expire, data will be securely deleted or destroyed in line with our disposal procedures.
5. Data subject rights and subject access requests
Your rights: the right to be informed; access; rectification; erasure (in certain circumstances); restriction; objection (including to direct marketing and processing based on legitimate interests); portability; and to object to automated decision‑making/profiling.
How to exercise rights: Email contact@prometheanhd.com. We will verify identity and respond without undue delay and in any event within one month (extensions apply where permitted by law).
Subject access requests: We aim to provide requested information promptly and within the statutory timeframe. We may ask for proof of identity before releasing personal data.
6. Security, breaches and disclosure
Security measures: We use appropriate technical and organisational measures to protect data (encryption, access controls, secure backups, staff training, anti‑malware and secure email transport such as TLS). We review security regularly.
Data breaches: In the event of a personal data breach we will: investigate, contain and remediate; notify the Information Commissioner’s Office (ICO) within 72 hours where required; and inform affected individuals where there is a high risk to their rights and freedoms. Notifications will include the nature of the breach, categories and approximate numbers affected, contact details for the Data Protection Lead, likely consequences and mitigation measures.
Law enforcement requests: We will only disclose personal data to law enforcement or other public authorities where required by law or after verifying the legitimacy of the request.
7. Data processors and third parties
Processor obligations: We use third‑party processors under written Data Processing Agreements that require them to: process data only on our instructions; implement appropriate security; report breaches; and assist with data subject requests. We carry out due diligence before appointing processors.
Sharing and social media: If you share our content via social networks, your information may be visible to those platforms; please check your social network privacy settings.
8. Fair Usage Notice
Purpose: To ensure equitable, secure and lawful use of Promethean HD services and communications.
Scope: Applies to all users of Promethean HD services, including email, training platforms, client portals and support channels.
Acceptable use:
- Use services only for lawful, authorised purposes related to your relationship with Promethean HD.
- Do not attempt to access or interfere with other users’ data or Promethean HD systems.
- Do not upload or transmit material that is unlawful, abusive, defamatory, obscene, or infringes intellectual property rights.
- Respect bandwidth and storage limits; avoid excessive automated requests or bulk downloads that could degrade service for others.
Unacceptable use and consequences: Repeated or serious misuse (including security testing without authorisation, bulk harvesting of data, sending spam or malware) may result in temporary suspension, termination of access, and where appropriate, legal action. We will investigate suspected misuse and may report criminal activity to the relevant authorities.
Reasonable exceptions: We will consider legitimate business needs (e.g., large data transfers for agreed projects) where prior authorisation is obtained from the Data Protection Lead and appropriate safeguards are in place.
9. Changes, review and contact
Policy review: This policy is reviewed at least annually or when business practices or law change. Date of last review: 22 April 2026 (original); this revised policy should be dated on adoption.
Contact: For questions, to exercise your rights, or to request copies of the Information Asset Register, DPIAs or Legitimate Interest Assessments, email contact@PrometheanHD.com
Complaints: You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your data protection rights have been breached.