Plain-English website policy. Client work is also governed by a signed statement of work and, where needed, a data processing agreement.

Privacy Policy

Last updated: 14 July 2026 Effective from: 14 July 2026

This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. It's written in plain English. If anything's unclear, email info@runation.co.uk — we'll explain.

This policy includes the operational detail on subprocessors, retention periods and technical controls.


Who we are

Runation is the trading name of Runation Ltd, company number 17337737.

For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data we collect through this website and our marketing activity. When we process personal data on behalf of a client as part of a paid delivery or support engagement, we are the data processor and the client is the controller — those arrangements are governed by a separate Data Processing Agreement.


What personal data we collect

We collect the minimum necessary to do our work and stay in touch. Specifically:

From you, when you contact us or book an audit

From you, when you become a client

Automatically, when you visit the site

From third parties

We don't buy personal data. We may receive contact details from a referrer (an existing client or partner) when they introduce you, but only with their explicit knowledge.

We do not collect special category data (health, ethnicity, sexual orientation, religious belief, biometric, political opinion, trade union membership) through this website. If a client engagement requires processing special category data, that's handled separately under our DPA with a specific lawful basis recorded.


Why we collect it (lawful basis)

UK GDPR requires us to have a lawful basis for every kind of processing. Ours are:

Processing activityLawful basis
Responding to enquiries you initiateContract (or steps prior to entering one) — UK GDPR Article 6(1)(b)
Running a free AuditContract (steps prior to entering one) — Article 6(1)(b)
Sending you our quarterly update if you opted inConsent — Article 6(1)(a)
Sending occasional updates to existing clientsLegitimate interest — Article 6(1)(f)
Cold outbound messages to business contactsLegitimate interest — Article 6(1)(f), subject to PECR for marketing emails
Keeping client records after engagementLegal obligation — Companies Act 2006 record-keeping
Detecting fraud, abuse, or technical issuesLegitimate interest — Article 6(1)(f)

We've documented our legitimate interests assessments (LIAs) where they're relied on. You can ask for a summary by emailing info@runation.co.uk.

You can withdraw consent or object to processing based on legitimate interests at any time. See "Your rights" below.


How we use your data

To do the work you've asked us to do, and only that.

If you book an Audit:

If you become a client:

If you've opted in to our quarterly update:

We don't use personal data for:


Who we share it with

We share personal data with three categories of recipient:

Our subprocessors

The third-party tools that help us run our operations. The services currently used by this website include Attio (CRM), Cal.com (booking), Vercel (hosting), Cloudflare (DNS and analytics), Google Workspace (email and calendar), and Slack (internal lead alerts).

Our professional advisers

Where strictly necessary — accountants, solicitors, insurers — under their own confidentiality obligations.

Authorities, if legally required

We will share data with law enforcement, courts, or regulators if compelled by law (e.g. a court order or HMRC investigation). We will challenge requests we consider overreaching.

We do not share personal data with:


International transfers

Some of our subprocessors are based outside the UK. Specifically:

Where Enterprise tiers offer UK or EU residency, we elect them.


How long we keep it

Our current retention summary:

You can ask for earlier deletion at any time (see "Your rights").


Your rights

Under UK GDPR you have the right to:

To exercise any of these rights, email info@runation.co.uk. We'll respond within 30 days, usually faster. There's no fee unless requests are excessive or repetitive (UK GDPR Article 12).

We may need to verify your identity before disclosing data — usually a simple confirmation from the email address we have on file.


Cookies

We do not set non-essential cookies on this website. Cloudflare Web Analytics is cookieless. See the Cookie Policy for the current position.


Children

This is a B2B service. Our website and services are not directed at children. We don't knowingly collect personal data from anyone under 18. If you become aware that a child has provided us with personal data, please contact us and we'll delete it.


Security

We take reasonable technical and organisational measures to protect personal data, including MFA, credential management and access controls. No system is 100% secure; we don't claim otherwise. If a breach occurs that affects you, we will notify you in line with UK GDPR Article 33 / 34.


Changes to this policy

If we make material changes, we'll update the "Last updated" date and notify clients with active engagements by email. Minor wording changes may be made without notification. The current version is always the authoritative one — we don't keep historical versions on the public site, but you can ask for one.


Complaints to the ICO

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF ico.org.uk 0303 123 1113

We'd appreciate the chance to address concerns first — email info@runation.co.uk — but you don't have to come to us before going to the ICO.


Contact

For any privacy question, request, or concern:

Email: info@runation.co.uk Subject line tag: "Privacy" or "Data request" speeds routing.