DataOpsIT Privacy Policies
Introduction
Our platform is built on a Zero-Knowledge Operational Model, enforced both technically and contractually:
- Infrastructure, Not Content
We provide a secure environment; you control the data. We do not inspect, index, analyse, or profile the contents of your databases.
- Restricted Visibility by Design
System architecture intentionally limits our access to your environments. Any exceptional access for support is strictly time-bound, audited, and logged.
- No Commercialisation
We do not sell, lease, analyse, or monetise customer data. Our revenue is derived solely from infrastructure services.
1. ROLE DEFINITIONS & ALLOCATION OF RISK
To eliminate ambiguity, roles are clearly defined under UK GDPR:
- DataOpsIT as Data Controller
We act as Controller for Account & Metadata, including identity details, billing information, and operational telemetry required to deliver and secure the service.
- DataOpsIT as Data Processor
We act as Processor for all Hosted Content stored within customer-managed databases.
- The Allocation Principle
You remain the Data Controller for all Hosted Content. You are responsible for ensuring a lawful basis for processing and compliance with data protection laws. You agree to indemnify DataOpsIT against any claims, liabilities, or regulatory actions arising from your data or its use.
2. DATA COLLECTION: MINIMAL AND PURPOSE-BOUND
We apply strict data minimisation. Only essential data is collected to operate, secure, and bill our services.
| Data Category | Scope | Legal Basis |
| --- | --- | --- |
| Identity Data | Name, email, organisation details | Contractual Necessity |
| Financial Data | Billing address, transaction history | Legal Obligation (HMRC) |
| Technical Data | IP addresses, API logs, system activity | Legitimate Interest (Security) |
| Support Data | Helpdesk records and communications | Legitimate Interest (Service Delivery) |
Exclusion
We do not use advertising trackers, third-party cookies, or behavioural profiling mechanisms.
3. DATA SOVEREIGNTY & SUB-PROCESSORS
- Regional Lockdown
Hosted Content remains within the region selected at deployment. We do not transfer or relocate data across jurisdictions without explicit written instructions.
- Sub-Processors
We engage vetted Tier-1 providers (e.g. AWS, Stripe) under strict contractual controls.
- Authorisation & Control
By using our services, you grant general written authorisation for such engagement. You will be notified of any material changes, with a 10-business-day objection window. Continued use constitutes acceptance of the updated sub-processor framework.
4. INTERNATIONAL DATA TRANSFERS
Where Account Data (excluding Hosted Content) is processed outside the UK:
- Transfers are governed by UK Standard Contractual Clauses (SCCs)
- Or limited to jurisdictions recognised under a UK Adequacy Decision
All transfers are structured to maintain equivalent data protection standards.
5. RETENTION: THE “CLEAN SLATE” POLICY
We enforce a defined, non-accumulative retention model:
- Hosted Content: Permanently deleted within 30 days of account termination
- Technical Logs: Deleted or irreversibly anonymised within 90 days
- Billing Records: Retained for 7 years to comply with HMRC obligations
Data is not retained beyond operational or legal necessity.
6. YOUR STATUTORY RIGHTS (SAR PROTOCOL)
Under UK GDPR, you have the right to:
- Access your data
- Rectify inaccurate information
- Erase data (subject to legal constraints)
Requests: dataops.it.uk@gmail.com
Response Time: Within 30 days of a valid request
We may charge a reasonable fee for requests deemed manifestly unfounded, excessive, or repetitive.
7. DATA SECURITY & INCIDENT RESPONSE
Security is enforced through a shared responsibility model:
Our Controls
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.2+)
- Network isolation and infrastructure hardening
Your Responsibilities
- Access control and credential security
- Application-layer protection
- API key management
72-Hour Breach Protocol
In the event of a confirmed infrastructure-level breach, we will notify the UK supervisory authority and affected users within 72 hours, in line with regulatory obligations. Such notification does not constitute an admission of liability.
8. UPDATES: THE 14-DAY OBJECTION RULE
We operate an explicit consent model for policy updates:
- Notice: Provided via registered administrative email
- Objection Window: 14 calendar days
- Acceptance Mechanism: Continued use of the platform beyond this period constitutes affirmative and binding acceptance of the updated Policy