This policy explains what personal data The CAIO Limited collects when you use this website, book a discovery call, or engage us for an audit or embed. It covers the lawful bases we rely on, how long we keep data, your rights under UK GDPR, and how to complain if any of it goes wrong.

Who we are.

Data controller: The CAIO Limited, a company registered in England and Wales, operating from Sheffield.

Contact: leeroy@thecaio.co.uk

We're a small operator-led practice, not a tech platform. There's no privacy team — there's me, and any data you share goes through me.

What we collect, and when.

When you visit this website — your IP address and basic technical information (browser, screen size, referrer) are processed by our hosting provider to serve the page and prevent abuse. We don't run analytics, tracking pixels, or advertising identifiers on this site.

When you book a discovery call — the booking is handled by Cal.com (Cal.eu, our European booking platform). They collect your name, email address, scheduled time, and any notes you add to the booking. Cal.com is the data processor for the booking; we are the controller for what we then do with the data.

When you subscribe to The Operator's Note — we collect your email address. Once we wire up our newsletter platform (Kit), they will be the processor for delivery; we remain the controller. You can unsubscribe at any time using the link in any email we send.

When you become a client — we collect what's reasonably needed to deliver the engagement: company information, named contacts, briefing materials you share, anything you choose to send during the work. This data lives in our shared Google Drive folder and our internal Notion workspace, both protected by 2FA.

When you email us — we keep the email and any attachments for the period set out below.

Lawful bases we rely on.

Under UK GDPR we need a lawful basis for every kind of processing. The ones we use:

  • Contract — when you engage us for an Audit, Embed, or Build, the processing of your data is necessary to deliver the engagement and is performed under our written contract with you.
  • Consent — when you subscribe to The Operator's Note. You give consent by submitting the form; you can withdraw it any time by unsubscribing.
  • Legitimate interests — when you book a discovery call or send us a business enquiry. Our legitimate interest is in evaluating whether we can help, and yours is in receiving a useful response. We don't use this basis for marketing; only for replying to enquiries you initiated.
  • Legal obligation — when we have to keep records for tax, accounting, or regulatory reasons.

How long we keep it.

  • Discovery call data — 12 months from the last contact, then deleted unless you've become a client.
  • Newsletter subscriber data — for as long as you remain subscribed. Deleted within 30 days of unsubscribing.
  • Client engagement data — for the duration of the engagement and for 7 years after, to meet HMRC and accounting record-keeping requirements.
  • General email correspondence — up to 24 months unless it forms part of a client record, in which case it follows the engagement retention period.
  • Server logs — kept by our hosting provider for up to 30 days for security and operational purposes.

Who we share data with.

We use a small number of named processors, each chosen because they're appropriate for the work and because their data protection terms are credible. Current processors:

  • Cal.com (Cal.eu) — discovery call booking. EU-based.
  • Kit — newsletter delivery (when active).
  • Stripe — payment processing for Audit and Embed engagements. PCI-DSS Level 1 compliant.
  • Google Workspace — email and shared engagement Drive folders.
  • Our hosting provider — for serving this website.

We don't sell data. We don't share data with advertisers, data brokers, or third-party analytics platforms. If we ever add analytics (Plausible or Fathom are the candidates), they'll be cookieless and privacy-respecting, and this policy will be updated before they go live.

Some processors transfer data outside the UK. Where they do, transfers are protected by UK adequacy decisions, the UK International Data Transfer Agreement, or Standard Contractual Clauses, depending on the processor.

Your rights.

Under UK GDPR you have the right to:

  • Ask what personal data we hold about you (subject access request)
  • Ask us to correct it if it's wrong
  • Ask us to delete it (right to erasure), subject to our legal retention obligations
  • Ask us to restrict processing while a question is resolved
  • Object to processing we do under legitimate interests
  • Receive a copy of data you've given us in a portable format
  • Withdraw consent at any time, where consent is the basis we rely on

Email leeroy@thecaio.co.uk with any of these requests. We'll respond within one calendar month, normally much faster.

How to complain.

If you think we've handled your data badly, please tell us first — we'd rather fix it than have you complain about us. If we can't resolve it, you can complain to the UK regulator:

Information Commissioner's Office (ICO)
ico.org.uk
Helpline: 0303 123 1113

Cookies and tracking.

This site uses a small number of strictly necessary cookies plus third-party cookies on specific pages (the booking page loads Cal.com's embed). We don't use advertising or analytics cookies on the main site. Full details, and how to control them, are set out in our cookie policy.

Changes to this policy.

If we change this policy, we update the "last updated" date at the top and, for material changes, email anyone with active engagements or active newsletter subscriptions before the change takes effect.