1. Who we are

Gemstone IT Services Ltd
West Clayton Business Centre
Berry Lane, Chorleywood
Rickmansworth, Hertfordshire
WD3 5EX, United Kingdom

We are the data controller responsible for processing your personal data when you visit our website. If you have any questions about this policy or how we handle your data, please contact us:

Although we are not legally required to appoint a Data Protection Officer, we take all privacy matters seriously and are happy to assist.

2. Purpose of this notice

This privacy policy explains what personal information we collect, why we collect it, how long we keep it, how we keep it secure, and the rights you have under UK data protection law.

We are required under UK GDPR to provide this information in a clear and accessible way.

3. What data we collect

We may collect the following types of personal information:

  • Identity information: your name, job title, and employer

  • Contact information: email address, phone number, and postal address

  • Technical data: your IP address, browser type, and device information

  • Marketing preferences: whether you’ve opted into newsletters or updates

  • Recruitment information: CVs, covering letters, right-to-work documentation (which may include sensitive data)

This information may be collected directly from you when you fill in forms on our site, contact us, apply for a job, or interact with us via email, phone, social media or messaging platforms.

4. How and why we use your data

We use your personal data for several reasons:

  • To respond to enquiries and provide services you request

  • To administer our website and improve user experience

  • To contact you about services or information you’ve asked for

  • To send you marketing materials if you’ve opted in (with an unsubscribe option always available)

  • To ensure website security and prevent fraud

  • To evaluate job applications and perform right-to-work checks

  • To meet legal or regulatory obligations, such as tax compliance or responding to lawful requests from authorities

We process your data using lawful bases defined under UK GDPR, including:

  • Your consent (for marketing, cookies, etc.)

  • Our contractual obligations (e.g., providing services)

  • Our legitimate interests, where those do not override your rights

  • Legal obligations, where required by law

We do not make automated decisions that significantly affect your rights.

5. Cookies and similar technologies

We use cookies to enhance your experience on our website. Cookies are small text files stored on your device that help us:

  • Enable key site features (strictly necessary cookies)

  • Track site usage (performance cookies)

  • Remember your preferences (functionality cookies)

We ask for your consent to use cookies that are not essential. You can withdraw consent at any time by changing your browser settings.

For more information about cookies and how to manage them, visit: www.aboutcookies.org.

6. Sharing your information

We may share your personal data with trusted third parties who help us run our business, such as:

  • Cloud hosting providers like Microsoft 365 and AWS

  • Email and newsletter services like Mailchimp

  • Website analytics platforms like Google Analytics

  • Professional advisors such as lawyers or accountants

If any of your data is transferred outside the UK or European Economic Area (EEA), we ensure it is protected using legal safeguards such as Standard Contractual Clauses or the UK International Data Transfer Agreement.

We never sell your personal data.

7. How long we keep your data

We only keep your personal information for as long as necessary. For example:

  • Contact form submissions are stored for up to 24 months

  • Newsletter subscriptions are kept until you unsubscribe

  • Client and supplier records are retained for 7 years for legal compliance

  • Job applicant data (for unsuccessful candidates) is deleted after 12 months

  • Website analytics data is anonymised or deleted after 14 months

After the retention period ends, data is securely deleted or anonymised.

8. How we keep your data secure

We take appropriate security measures to protect your information, including:

  • Encryption of data in transit and at rest

  • Access control based on roles and responsibilities

  • Regular software updates and patching

  • Secure cloud infrastructure with backup procedures

Only authorised staff or trusted suppliers have access to your data, and only for legitimate purposes.

9. Your rights under UK GDPR

You have a number of legal rights in relation to your personal data:

  • Right to access – you can request a copy of the personal data we hold about you

  • Right to correct – you can ask us to correct any incorrect or incomplete data

  • Right to erase – you can ask us to delete your data in some circumstances

  • Right to restrict processing – you can limit how we use your data

  • Right to data portability – you can request your data in a machine-readable format

  • Right to object – you can object to our processing, especially if it’s based on legitimate interests

  • Right to withdraw consent – if you’ve previously consented, you can withdraw at any time

To exercise any of these rights, please contact us using the details in section 1. We will respond within one month.

10. Marketing preferences

You can opt out of marketing at any time by clicking the “unsubscribe” link in our emails or contacting us directly.

If our unsubscribe link ever fails to work, let us know and we will remove you manually without delay.

11. Contacting us or making a complaint

If you have questions, requests, or concerns about this privacy policy or how we handle your data, contact us:

  • Email: admin@gemstoneit.co.uk

  • Postal address: Gemstone IT Services Ltd, West Clayton Business Centre, Berry Lane, Chorleywood, Rickmansworth, Hertfordshire, WD3 5EX

You also have the right to complain to the UK data protection authority:

Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113

12. Changes to this policy

We review this policy regularly and may update it from time to time. We’ll post the latest version on our website and will notify users where appropriate if significant changes are made.

Version 1.2 — effective 20 June 2025
(Supersedes version 1.1 dated 14 April 2025)