Privacy Policy
GMMETRICS collects only the information needed to respond to your enquiry and, where you engage us, to deliver our services. We do not sell your data. We do not share it with third parties for marketing. We retain it only for as long as necessary, and we will honour valid deletion requests where we are not required or entitled to retain it. If you have any questions about how we handle your information, contact us at info@gmmetricsltd.com.
Who We Are
GMMETRICS LTD is a governance-led IT consulting and managed operational assurance practice based in North East England, registered in England and Wales (Company No. 11908538). We serve organisations in regulated and professionally demanding sectors including financial services, legal, and professional services.
As the organisation that determines the purposes and means of processing your personal data, GMMETRICS LTD is the Data Controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
GMMETRICS LTD is registered with the Information Commissioner's Office (ICO) as a Data Controller. Our ICO registration number is ZC115376 (registered 3 April 2026, renewal due 2 April 2027). All data protection obligations under UK GDPR apply in full.
ICO Registered Data Controller
Registration No. ZC115376 — Click to verify on the ICO register
Our designated point of contact for all data protection matters is:
Srikanth Kota
Founder & Principal Consultant
info@gmmetricsltd.com
North East England, UK
What Personal Data We Collect and Why
We collect personal data through the following channels: direct email enquiry (info@gmmetricsltd.com), Microsoft Outlook Bookings (discovery call scheduling), LinkedIn messaging, and in-person or networking engagements.
The table below sets out the personal data we collect, the purpose for which it is collected, and the lawful basis under UK GDPR.
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| Full name | To identify and address you correctly in correspondence and engagement | Legitimate interests |
| Email address | To respond to your enquiry and communicate regarding potential or active engagements | Legitimate interests / Contract |
| LinkedIn profile | To establish and maintain professional relationships, respond to relevant business enquiries, and share practice-related insights, sector commentary, and cybersecurity or operational governance updates where appropriate | Legitimate interests |
| Phone number (optional) | To contact you directly where email communication is not possible or where urgency requires it | Legitimate interests |
| Postal address (optional) | To understand your location and, where appropriate, to send physical correspondence or materials | Legitimate interests / Consent |
| Accessibility requirements (optional) | To accommodate any accessibility requirements or health-related adjustments voluntarily disclosed for the purposes of in-person or online meeting arrangements | Explicit consent (special category data) |
We collect only the minimum personal data necessary for the stated purpose. We do not knowingly collect special category data as part of normal enquiries, except where voluntarily provided for accessibility or meeting arrangements as described above.
Where personal data is transferred outside the UK or European Economic Area — for example where a sub-processor such as LinkedIn or Zoom operates infrastructure in the United States — we rely on appropriate safeguards including adequacy regulations or standard contractual clauses approved by the relevant supervisory authority.
Lawful Basis for Processing
Under UK GDPR, we are required to have a lawful basis for processing personal data. Depending on the nature of our interaction, we rely on one or more of the following:
- Legitimate interests — where processing is necessary for our legitimate business interests in responding to enquiries, developing professional relationships, and delivering our consulting services, and where those interests are not overridden by your rights and freedoms.
- Contract — where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
- Explicit consent — for special category data (such as accessibility needs) and for certain marketing communications where consent is the appropriate basis.
Where we rely on legitimate interests, we have assessed that our interests do not override your rights. You have the right to object to processing based on legitimate interests at any time — see Section 7.
How We Store Your Data
Personal data collected by GMMETRICS is stored in the following systems:
- Microsoft 365 — email correspondence and calendar data held within our Microsoft Outlook environment
- Microsoft Excel (via OneDrive / SharePoint) — contact records maintained in our internal contact register
- LinkedIn — professional connection and message data held on the LinkedIn platform, subject to LinkedIn's own privacy policy
We use Microsoft 365 services with data handling and storage configurations intended to align with UK and EU data residency requirements, subject to Microsoft's service architecture and applicable contractual safeguards. We do not knowingly store personal data outside the UK or European Economic Area without appropriate safeguards in place.
Third Parties and Sub-Processors
We use a limited number of trusted third-party services that may process personal data on our behalf as sub-processors. We have ensured that each operates in accordance with UK GDPR and maintains appropriate data protection standards.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Microsoft 365 | Email, calendar, document storage, video meetings | UK / EU |
| Hostinger | Website hosting for gmmetricsltd.com | EU-based infrastructure, subject to Hostinger's service architecture and support operations |
| Professional networking and messaging | EU / US (Standard Contractual Clauses) | |
| Zoom | Video conferencing for client meetings | UK / EU |
| Xero | Accounting and financial records | UK / EU |
| Microsoft Teams | Internal and client video communication | UK / EU |
We do not sell, rent, or otherwise disclose your personal data to any third party for their own marketing or commercial purposes.
How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, subject to any legal or regulatory retention obligations.
| Data Category | Retention Period |
|---|---|
| Enquiry — not converted | 6 months from date of last contact, then reviewed and deleted unless there is active ongoing interest |
| Active client records | Duration of engagement plus 6 years in accordance with standard contractual limitation periods |
| Accounting records | 6 years minimum in accordance with HMRC requirements (held in Xero) |
| LinkedIn connections | Governed by LinkedIn's own retention policies; data extracted or stored by GMMETRICS follows the same retention periods above |
At the end of each retention period, personal data is securely deleted from all systems in which it is held, including email archives, contact registers, and any associated records.
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid requests within 30 calendar days of receipt.
- Right of access — you may request a copy of all personal data we hold about you.
- Right to rectification — you may ask us to correct any inaccurate or incomplete data.
- Right to erasure — you may ask us to delete your personal data where there is no legitimate reason for us to continue holding it.
- Right to restriction — you may ask us to restrict the processing of your data in certain circumstances.
- Right to portability — you may request your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making — GMMETRICS does not carry out automated decision-making or profiling.
To exercise any of these rights, please contact us at info@gmmetricsltd.com. We aim to acknowledge your request promptly and within 72 hours where reasonably practicable, and will respond fully within 30 calendar days. We may ask you to verify your identity before processing your request.
Data Security
GMMETRICS takes the security of your personal data seriously. We apply the following technical and organisational measures to protect data against unauthorised access, loss, or disclosure:
- All data is held within Microsoft 365 services protected by multi-factor authentication and role-based access controls
- Access to personal data is restricted to authorised personnel only
- Email communications containing sensitive information are conducted over encrypted channels
- We conduct periodic reviews of access permissions and data holdings in line with our governance practice
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware, and will notify affected individuals without undue delay where required.
Cookies
The GMMETRICS website (gmmetricsltd.com) is a static HTML site. We are committed to minimising data collection through our web presence. At the time of publication, the website does not deploy analytics tracking or behavioural cookies.
Where any cookies or tracking technologies are introduced in future (for example, Google Analytics), this policy and any relevant cookie notice will be updated prior to deployment, and appropriate consent mechanisms will be implemented.
Children's Data
GMMETRICS operates exclusively in a business-to-business context. We do not knowingly collect or process personal data relating to individuals under the age of 18. If you believe we have inadvertently received data relating to a minor, please contact us immediately at info@gmmetricsltd.com.
Changes to This Policy
We review this Privacy Policy at least annually and whenever there is a material change to our data processing activities. The version number and effective date at the top of this document will be updated accordingly.
The current version of this policy is always available at gmmetricsltd.com/privacy-policy. Where changes are material, we will take reasonable steps to notify individuals whose data we hold.
How to Complain
If you are unhappy with how we have handled your personal data, we ask that you contact us in the first instance so that we can seek to resolve the matter:
Email: info@gmmetricsltd.com
Response commitment: We aim to acknowledge complaints within 72 hours where reasonably practicable, and respond fully within 30 days.
If you remain dissatisfied after contacting us, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority for data protection in the UK:
ICO Website: ico.org.uk
ICO Helpline: 0303 123 1113
ICO Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF