Privacy Policy

Last updated: 20 October 2025. This notice explains how we handle personal data for leancrest.com and when you interact with us. We comply with the UK GDPR and the Data Protection Act 2018.

Controller: Leancrest Limited (Company No. 16775287)

Registered office: Newtown House, 38 Newtown Road, Liphook, United Kingdom, GU30 7DX

Contact: privacy@leancrest.com

What data we collect

Website technical data: IP address, user-agent, pages viewed, timestamps and similar diagnostics for security and performance.
Contact data: your name, contact details and message content when you email us or request information.
Client/service data: when instructed by a client, we process data under a Data Processing Agreement (DPA) and the client's documented instructions.

Purposes and lawful bases

Operate and secure our website – legitimate interests.
Respond to enquiries and manage relationships – legitimate interests and contract performance where applicable.
Legal and regulatory compliance – legal obligation (e.g., record-keeping, responding to lawful requests).

Sharing and processors

We use reputable service providers (acting as processors) to host, store and secure our systems, under written terms that meet UK GDPR Article 28. We do not sell personal data. Where we appoint sub‑processors for client work, these are disclosed and governed within the relevant DPA or contract schedule.

International transfers

If data is transferred outside the UK/EEA, we use appropriate safeguards (e.g., UK International Data Transfer Agreement or Addendum, EU Standard Contractual Clauses, adequacy regulations) and apply supplementary measures where appropriate.

Retention

Website diagnostics: up to 12 months unless required longer for security investigations.
Enquiries and business development: typically 24 months after last contact.
Client data: as set out in the DPA/contract (often 3–7 years for compliance) then deleted or anonymised.

Your rights

You have rights to access, rectification, erasure, restriction, objection, and data portability, plus the right to complain to the UK Information Commissioner’s Office (ICO). To exercise your rights, contact privacy@leancrest.com. You can contact the ICO at ico.org.uk/make-a-complaint/.

Security

Role‑based access control and least‑privilege.
Encryption in transit and at rest where supported.
Change control for prototypes and agents; supplier due diligence and confidentiality.
Joiners/movers/leavers and off‑boarding procedures.

Public‑sector & regulated engagements

Where an engagement imposes additional requirements (e.g., specific breach notification timelines, data location restrictions, DPIAs, audits), we comply as set out in the contract and DPA. We maintain records of processing and support reasonable assurance requests.

Changes

We may update this notice to reflect changes in law or practice. The “Last updated” date will change and the new version will apply from publication.

This website notice does not replace or limit any client DPA or contract, which prevails for commissioned work.