Privacy Policy

Last updated: June 2026

This privacy policy explains how Stannard McKinnon Consultancy Ltd, trading as Graeme Kerr Consulting ("we", "us", "our"), collects, uses, and protects personal information when you visit graemekerr.co.uk or engage our services.

We are committed to compliance with the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA, and equivalent laws in Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy legislation.

1. Who we are (data controller)

We are Stannard McKinnon Consultancy Ltd, a company registered in Scotland (Company Number SC660735). Registered office: 5 Canniesburn Toll, Glasgow, Scotland, G61 2QU. Contact: gk@graemekerr.co.uk.

We are the "data controller" under UK and EU GDPR and the "business" under US state privacy laws for the personal information described in this policy.

2. Information we collect

We collect the following categories of personal information:

  • Contact details you provide — name, email address, company name, phone number (if supplied), and the contents of any message you send us via the contact form, email, or scheduled call.
  • Booking information — calendar availability and meeting details when you book a call.
  • Engagement information — records of correspondence, project briefs, invoices, and contractual details when we work with you.
  • Technical data — IP address, browser type, device information, and basic request logs collected automatically by our hosting infrastructure for security and reliability.
  • Cookie data — see our Cookie Policy for details.

We do not knowingly collect information from children under 16, and we do not collect "sensitive" or "special category" personal data unless you choose to share it in correspondence.

3. How we use your information and our legal bases

We use personal information for the following purposes, relying on the legal bases shown:

  • Responding to enquiries — to reply to messages and arrange calls. Legal basis: legitimate interests (responding to your request) or steps to enter into a contract.
  • Providing services — to deliver consulting and build work you have engaged us for. Legal basis: contract performance.
  • Invoicing and accounting — to bill clients and meet tax and record-keeping obligations. Legal basis: legal obligation and legitimate interests.
  • Security and site operation — to keep the site secure and functioning. Legal basis: legitimate interests.
  • Optional analytics or marketing — only with your consent via the cookie banner. Legal basis: consent.

4. Sale or sharing of personal information

We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months.

5. Who we share information with

We share personal information only with trusted service providers acting on our instructions, including:

  • Hosting and infrastructure providers that run this website and store form submissions.
  • Email providers used to send and receive correspondence.
  • Scheduling tools (e.g. Google Calendar) used to book calls.
  • Google Analytics 4 (Google LLC / Google Ireland Ltd) — only if you opt in to analytics cookies. Configured with IP anonymisation and with Google Signals and ad personalisation disabled.
  • Accounting and invoicing providers.
  • Professional advisers (e.g. accountants, lawyers) where strictly necessary.

We may also disclose information where required by law, court order, or to protect legal rights.

6. International transfers

Some of our service providers are based outside the UK and EEA, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, or adequacy decisions where available.

7. How long we keep information

  • Contact form enquiries: up to 24 months from last contact.
  • Client records, contracts and correspondence: 7 years after the end of the engagement (to meet UK tax and accounting requirements).
  • Invoicing and accounting records: 7 years.
  • Server logs: typically 30 to 90 days.

8. Your rights (UK / EU)

Under UK and EU GDPR you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure ("right to be forgotten") where applicable.
  • Restrict or object to our processing.
  • Request portability of data you have provided.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU data protection authority.

9. Your rights (US residents)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state with a comprehensive privacy law, you have the right to:

  • Know what personal information we collect, use, and disclose about you.
  • Request access to and a copy of your personal information.
  • Request correction of inaccurate personal information.
  • Request deletion of your personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share).
  • Opt out of targeted advertising and profiling that produces significant effects (we do not engage in these).
  • Not be discriminated against for exercising your rights.
  • Designate an authorised agent to exercise these rights on your behalf.

California residents may also request the categories of personal information disclosed for a business purpose in the preceding 12 months under the "Shine the Light" law.

10. How to exercise your rights

Email us at gk@graemekerr.co.uk with your request. We will respond within one month (UK/EU) or 45 days (US), and we may need to verify your identity before acting. There is no fee unless your request is manifestly unfounded or excessive.

11. Security

We use appropriate technical and organisational measures, including encryption in transit (HTTPS), access controls, and limited data retention. No system is perfectly secure, but we work to protect personal information from loss, misuse, and unauthorised access.

12. Automated decision-making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.

13. Do Not Track and Global Privacy Control

Our site does not currently respond to browser "Do Not Track" signals because there is no consistent standard. Where required by law, we honour the Global Privacy Control (GPC) signal as an opt-out of sale or sharing — and in any event we do not sell or share personal information.

14. Changes to this policy

We may update this policy from time to time. The "Last updated" date above will reflect the latest revision. Material changes will be highlighted on the site.

15. Contact us

Questions or requests: gk@graemekerr.co.uk
Postal: Stannard McKinnon Consultancy Ltd, 5 Canniesburn Toll, Glasgow, Scotland, G61 2QU, United Kingdom.