GDPR Policy
This policy sets out how PreCheck complies with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation where applicable.
Last updated: 21 April 2026
1. Scope
This GDPR Policy applies to all personal data that PreCheck processes as a data controller or data processor when providing our pre-audit services. It complements our Privacy Policy, which describes what we collect and why.
2. Our data protection principles
PreCheck processes personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency: we process data with a lawful basis and in a way you would reasonably expect.
- Purpose limitation: we collect data only for specified, explicit, and legitimate purposes.
- Data minimisation: we collect only what is necessary for the purposes for which it is processed.
- Accuracy: we take reasonable steps to keep personal data accurate and up to date.
- Storage limitation: we do not retain personal data longer than necessary.
- Integrity and confidentiality: we apply appropriate security measures against unauthorised processing and accidental loss.
- Accountability: we maintain records of our processing and can demonstrate compliance.
3. Controller and processor roles
PreCheck acts as a data controller for personal data we collect about our Account holders and website visitors.
PreCheck acts as a data processor when we review survey data on behalf of an installer, where the installer determines the purposes and means of processing.
Where PreCheck acts as a processor, we do so under documented written instructions from the controller and under a data processing agreement (DPA) where applicable.
4. Lawful bases for processing
We rely on one or more of the following lawful bases under Article 6 UK GDPR:
- Contract – to deliver the Services you have requested.
- Legal obligation – where we must process data to meet a legal requirement.
- Legitimate interests – to operate, secure, and improve our Services, balanced against your rights.
- Consent – for activities that require your clear affirmative agreement, e.g. certain marketing communications or non-essential cookies.
We do not knowingly process special category data (Article 9 UK GDPR) through our Services. If you provide such data, please do so only where necessary and with appropriate justification.
5. Data subject rights
You have the following rights under the UK GDPR:
- Right of access – request a copy of the personal data we hold about you.
- Right to rectification – ask us to correct inaccurate or incomplete data.
- Right to erasure – request deletion of your data in specific circumstances.
- Right to restriction – ask us to limit how we use your data.
- Right to data portability – receive your data in a structured, commonly used, machine-readable format.
- Right to object – object to processing based on legitimate interests, or to direct marketing.
- Rights related to automated decision-making – we do not make decisions affecting you based solely on automated processing.
To exercise any of these rights, email [email protected]. We will respond within one calendar month.
6. International data transfers
Where we transfer personal data outside the UK, we rely on appropriate safeguards, including:
- UK adequacy regulations.
- The UK International Data Transfer Agreement (IDTA) or the Addendum to EU Standard Contractual Clauses.
- Binding Corporate Rules where applicable.
7. Security measures
Our security controls include:
- TLS encryption for all data in transit.
- Encrypted storage of credentials and sensitive fields.
- Role-based access controls and least-privilege principles.
- Multi-factor authentication for administrative access.
- Audit logging of sensitive operations.
- Regular backups and disaster recovery testing.
- Vendor due diligence and data processing agreements with sub-processors.
8. Data breach procedure
We maintain an incident response process. In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) without undue delay, and within 72 hours where feasible.
- Notify affected individuals where the breach is likely to result in a high risk.
- Document the facts, effects, and remedial action taken.
9. Retention
Retention periods are set according to legal, regulatory, and contractual requirements. See our Privacy Policy for details.
10. Complaints
If you believe we have not handled your personal data in accordance with data protection law, please contact us first so we can address your concerns. You also have the right to lodge a complaint with:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113
11. Contact us
For any data protection enquiries:
- Email: [email protected]
- Phone: 0800 000 000