Klientscale – Privacy Policy

Effective Date: 1st May 2025

Our Commitment to Your Privacy Choices

We, Klientscale Ltd, located at 86-90 Paul Street, London, EC2A 4NE, take the protection of your personal data extremely seriously. Your trust is vital to us. We are committed to processing your personal data fairly, lawfully, and transparently, strictly adhering to the core principles of data protection set out in data protection laws including the General Data Protection Regulation (GDPR-EU and GDPR-UK). Our staff receive regular data protection training to ensure these principles are embedded in our culture. Our leadership team, overseen by our CEO, is accountable for ensuring compliance.

This Privacy Policy explains how we collect, use, share, and protect your personal data. We are committed to transparency and user control. Depending on the specific service you use and your relationship with us, we may rely on different lawful bases for processing your data, including obtaining your explicit consent (‘Hard Opt-In’). We will always seek your explicit ‘Hard Opt-In’ consent for certain activities, particularly before sharing your data with partners for new quotes or conducting processing considered higher risk. Where ‘Hard Opt-In’ applies, this will be made explicitly clear at the point your data is collected. In other specific, limited circumstances permitted by law (such as marketing similar services to existing contacts), we may operate on an ‘opt-out’ basis, as detailed further in this policy.

This policy provides clear information on how we request your permission, collect your data, use it, share it, protect it, and how you can exercise your rights.

  • Data Protection Officer (DPO): Our appointed Data Protection Officer can be contacted directly with any privacy-related questions or requests:

    • Email: dpo@klientscale.com

    • Post: Data Protection Officer, Klientscale Ltd, 86-90 Paul Street, London, EC2A 4NE

  • UK ICO Registration: We are registered as a data controller with the UK Information Commissioner’s Office (ICO). Our registration number is: ZB324605.

Contents

  1. Definitions

  2. What Personal Data We Collect and Why

  3. Lawful Basis for Processing

  4. Our Roles under GDPR (Controller and Processor)

  5. How We Collect Your Personal Data

  6. Special Category Data (Not Currently Collected)

  7. Use of AI (Artificial Intelligence) – Requires Your Opt-In

  8. Cookies and Similar Technologies – Requires Your Opt-In

  9. Automated Decision Making

  10. Data Sharing with Third Parties – Requires Your Explicit Consent for Key Sharing

  11. International Data Transfers – Requires Consent & Safeguards

  12. How Long We Keep Your Information (Data Retention)

  13. Security of Your Personal Information

  14. Data Breach Handling

  15. Data Protection by Design

  16. Children’s Information

  17. Your Data Protection Rights

  18. Your Consent and Choices: Opt-In and Opt-Out

  19. Consequences of Not Providing Consent or Information

  20. Change of Control or Sale

  21. Links to Other Websites

  22. Right to Complain

  23. Contact Us

  24. Policy Review and Amendments

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable living individual.

  • Processing: Any operation performed on Personal Data, such as collection, recording, storage, use, disclosure, or erasure.

  • Consent / Explicit Consent (‘Hard Opt-In’): Your freely given, specific, informed, and unambiguous agreement, indicated by a clear affirmative action (like ticking an unticked box), to the processing of your Personal Data for a specific purpose.

  • Soft Opt-In Exemption: A specific legal basis under regulations like PECR (UK) allowing marketing of similar products/services via email/SMS to existing contacts whose details were obtained during a sale, provided a clear opt-out was offered then and in every message.

  • Controller: The organisation that determines the purposes and means of processing Personal Data (In this policy, “we”, “us”, “our”, Klientscale Ltd).

  • Processor: An organisation that processes Personal Data on behalf of the Controller.

  • Third Party: Any individual or organisation other than you, the Controller, or authorised Processors. This includes our clients or partners with whom data might be shared (requiring your explicit consent for quote purposes).

  • GDPR: General Data Protection Regulation ((EU) 2016/679) and the UK equivalent (UK GDPR).

  • PECR: The Privacy and Electronic Communications Regulations (UK).

  • ICO: UK Information Commissioner’s Office, the data protection regulator.

  • EEA: European Economic Area.

2. What Personal Data We Collect and Why

We collect and process Personal Data for specific purposes, relying on appropriate lawful bases as explained in Section 3. We are transparent about why we need the data at the point of collection. The table below outlines the main categories of data we might collect and typical purposes.

| Data Category | Example Purposes | Notes on Lawful Basis (See Sec 3 for full details) |
| --- | --- | --- |
| Identity Data (Name) | To identify you when communicating; To personalise communications; To fulfil a service request. | Consent / Performance of Contract / Legitimate Interest |
| Contact Data (Email, Phone, Address) | To contact you about services/information you requested; To send marketing communications (see Marketing below); To share with partners for specific quotes (requires explicit opt-in). The postcode submitted for one offer (e.g., windows) is used first to check eligibility for that specific offer. If unsuccessful, the postcode is then used for the secondary purpose of checking eligibility for other relevant energy-saving home improvement offers available in your area. We process your postcode for this secondary check based on our legitimate interest in helping you find relevant energy-saving options; you have the right to object to this processing at any time by contacting us at dpo@klientscale.com. | Consent / Performance of Contract / Legitimate Interest |
| Enquiry/Request Details | To understand your needs for a specific product/service; To provide relevant information/quotes; To share with partners for specific quotes (requires explicit opt-in). | Consent / Performance of Contract |
| Marketing Preferences | To respect your choices about receiving marketing communications (opt-in or opt-out status). | Consent / Legal Obligation / Legitimate Interest |
| Technical/Usage Data (IP Address, Browser type, page visits etc.) | For essential website operation, security monitoring, basic performance analysis (anonymised where possible). Not used for tracking/profiling without explicit consent via Cookie banner. | Legitimate Interest (Strictly Necessary) / Consent (for non-essential via Cookies) |
| AI Interaction Data | To facilitate AI chatbot/voice bot interactions you initiate or consent to; To improve AI services (aggregated/anonymised or with consent if linked to you). | Consent |

Marketing Communications:

  • We will seek your explicit opt-in consent before sending you direct marketing communications if you are a new contact, or if required by law for specific channels or types of marketing.

  • In the specific case of sending marketing via email or SMS about similar products or services to individuals whose contact details we obtained in the course of a previous interaction or service provision (i.e., existing contacts), we may rely on the ‘Soft Opt-In’ exemption under PECR where legally permissible. This means we may send such communications unless you opted out at the time your details were collected, and you will always have a clear option to opt-out in every subsequent message. We rely on Legitimate Interest for this specific type of marketing.

  • Sharing data with third parties for their marketing always requires your explicit opt-in consent.

3. Lawful Basis for Processing

We only collect and use Personal Data when the law allows us to. The lawful basis we rely on depends on the specific processing activity and your relationship with us. We will make the basis clear at the point of collection where appropriate. Our potential lawful bases include:

  • Consent (Article 6(1)(a) GDPR): Where you have given us your clear, affirmative agreement (‘Hard Opt-In’) for processing for a specific purpose. This is our primary basis for:

    • Sharing your data with clients/partners for quotes on additional products/services.

    • Sending direct marketing to new contacts or where otherwise required.

    • Using non-essential cookies and tracking technologies.

    • Processing sensitive data (if ever applicable).

    • Specific AI interactions (e.g., proactive AI calls).

    • International data transfers (in combination with safeguards).

  • Performance of a Contract (Article 6(1)(b) GDPR): Where processing is necessary to fulfil a service you have requested or to perform a contract we have entered into with you (or to take steps at your request before entering a contract).

  • Legal Obligation (Article 6(1)(c) GDPR): Where processing is necessary for compliance with a legal duty to which we are subject (e.g., responding to legal authorities, tax obligations).

  • Legitimate Interests (Article 6(1)(f) GDPR): Where processing is necessary for our legitimate interests (or those of a third party), provided these interests are not overridden by your fundamental rights and freedoms. We use this basis carefully and conduct assessments (LIAs) where appropriate. Examples include:

    • Essential website security monitoring and fraud prevention.

    • Basic server logging for diagnostics.

    • Internal analysis of aggregated/anonymised data to improve services.

    • Marketing similar products/services via email/SMS to existing contacts under the ‘Soft Opt-In’ exemption (PECR), where applicable and subject to your right to opt-out (see Section 2).

    • Managing our relationship with business clients (e.g., CRM, service updates).

    We do not rely on legitimate interests for sharing your data with third parties for their marketing, using non-essential tracking cookies, or processing sensitive data.

4. Our Roles under GDPR (Controller and Processor)

Depending on the specific service, Klientscale Ltd may act as either a ‘Controller’ or a ‘Processor’ under GDPR.

  • We act as a Controller for the Personal Data we collect directly from you via our website for our own purposes (like managing your requests or sending marketing you consented to).

  • We may act as a Processor when we handle Personal Data strictly on behalf of and under the instruction of our business clients as part of a contracted service.

This policy primarily addresses our activities as a Controller, but the principles of data protection apply to all processing we undertake.

5. How We Collect Your Personal Data

We collect Personal Data through various methods, depending on the context:

  • Directly from you: When you actively provide it by filling in forms, interacting with consent mechanisms (opt-in boxes), contacting us, or using interactive features.

  • Automatically: Essential technical data is collected when you browse our website. Non-essential data via cookies/trackers is only collected after your explicit opt-in via our consent banner.

  • From Third Parties: We may receive data from:

    • Third-party platforms and sources: We may receive data via platforms such as Facebook, LinkedIn, Instagram, advertising partners (e.g., PPC, SEO, Taboola, Criteo), or affiliates, but only if you have explicitly consented (either via the platform’s settings, directly on an advertisement form linked to us, or through other clear means) for your information to be shared with Klientscale Ltd for a specific purpose.

    • Clients/Partners: (e.g., providing contact details for us to act as a Processor on their behalf, under contract).

    • Publicly available sources: (rarely, and typically only for B2B contact verification, relying on Legitimate Interests where appropriate and compliant).

6. Special Category Data (Not Currently Collected)

We do not currently collect ‘special category’ data (e.g., health details, ethnicity, political opinions). If we ever need to collect such data for a specific service in the future, we will only do so with your explicit prior consent under the strict conditions of Article 9 GDPR, for a clearly stated purpose.

7. Use of AI (Artificial Intelligence) – Requires Your Opt-In

We may use AI technologies to enhance efficiency and communication. Your control and consent are paramount:

  • AI Chatbots/Messaging: Use of AI bots for web chat, WhatsApp, SMS etc. requires your prior interaction and/or consent. You typically initiate the chat or agree to communicate via that channel knowing AI may assist. AI assistance will be made clear where possible.

  • AI-Powered Calling & Voice Bots: We will only use AI-powered calling or voice bots to contact you (e.g., for confirmations, follow-ups) if you have explicitly consented to this method of communication.

  • AI-Driven Analysis: Analysis of interaction data linked to your Personal Data (beyond aggregated/anonymised statistics for general service improvement) requires your explicit consent.

  • Your Rights: You have the right not to consent or to opt-out of specific AI interactions (like AI calls) at any time without penalty. You can request human intervention. All your standard data rights apply. See Section 17 for details.

8. Cookies and Similar Technologies – Requires Your Opt-In

Our website uses cookies and may use similar technologies (like pixels or scripts).

  • Strictly Necessary Cookies: We only use cookies essential for basic website functionality by default. These do not require your consent but do not collect identifiable tracking information.

  • Non-Essential Cookies & Technologies: For all other cookies and tracking technologies (e.g., analytics, marketing, performance, third-party embeds), we require your explicit, affirmative opt-in consent via our cookie banner/management tool before they are placed or activated on your device.

  • Managing Preferences: You can review the types of cookies used and manage your preferences at any time via our cookie banner/management tool. Refusing non-essential cookies will not prevent you from using the core functionality of our website.

  • Please see our separate Cookie Policy at https://klientscale.com/cookie-policy/ for full details.

9. Automated Decision Making

We do not currently use your Personal Data for fully automated decision-making (decisions made solely by machines without human involvement) that produces legal or similarly significant effects on you. If AI assists in initial filtering or qualification for services, significant decisions involve human oversight. Should this change, we would only implement such systems with your explicit prior consent and provide clear information and rights to contest decisions or request human intervention.

10. Data Sharing with Third Parties – Requires Your Explicit Consent for Key Sharing

Your trust is paramount. We limit data sharing and are transparent about when it occurs.

  • Sharing with Clients/Partners for Quotes (Requires Explicit Consent): As highlighted previously, if you request a quote or service for an additional product (e.g., at ‘Stage 2’), we will always ask for your explicit, granular opt-in consent for each specific product/service before sharing your necessary details with the relevant client(s) or partner(s) solely for that purpose. This type of sharing always requires your ‘Hard Opt-In’.

  • Service Providers (Processors): We use trusted third-party service providers who process data on our behalf under strict contractual agreements (Data Processing Agreements) and only on our instructions. Examples include:

    • IT support, Cloud Hosting providers, and providers of telecommunications equipment (e.g., secure cloud servers primarily located in the UK/EEA).

    • CRM system providers (e.g., Customer Relationship Management systems).

    • Email marketing/communication platforms (e.g., platforms to manage email communications you have consented to or based on soft opt-in where applicable).

    • Analytics providers (e.g., Google Analytics – data collected only with your explicit consent via cookie banner).

    • (e.g., payment processors if you make a purchase, identity verification services where necessary for security or legal reasons, recruitment service providers if you apply for a role with us).

    These processors do not have permission to use your data for their own purposes.

  • Marketing Service Providers: We only share data with third parties for their marketing purposes if you have explicitly opted-in to this specific sharing.

  • Legal Requirements / Vital Interests: We may be required to disclose your Personal Data to comply with a legal obligation or, in rare circumstances, to protect vital interests.

  • Controller Relationships: When we share your data with clients/partners based on your explicit consent, those partners typically become independent Controllers. Their handling of your data will be governed by their own privacy policy.

11. International Data Transfers – Requires Consent & Safeguards

Your Personal Data is primarily stored and processed within the United Kingdom (UK) and the European Economic Area (EEA).

We will only transfer your Personal Data outside the UK/EEA if:

  1. You have explicitly consented to the specific processing activity that necessitates such a transfer, having been informed of the potential risks; AND

  2. Appropriate safeguards are in place (e.g., Adequacy Decision, Standard Contractual Clauses/IDTA, BCRs).

Any transfer will be made securely and only for the consented purpose or necessary contractual step.

12. How Long We Keep Your Information (Data Retention)

We retain your Personal Data only for as long as is reasonably necessary to fulfil the specific purpose(s) for which it was collected (based on consent or another lawful basis), or as required by law. Our internal data retention schedule guides specific periods.

  • Consent-Based Data: Kept until consent is withdrawn or purpose fulfilled, then deleted/anonymised (unless legal hold applies).

  • Illustrative Periods:

  • Data for providing a quote/service might be kept for a reasonable period post-interaction.

  • Marketing contact data: Kept while consent is active or soft opt-in applies. Opt-outs are moved to a suppression list (kept indefinitely only to respect the opt-out). Other data deleted/anonymised after a reasonable period of inactivity.

  • Legal Compliance Data: Kept for legally mandated periods.

  • Review & Secure Disposal: We periodically review data holdings and have processes for secure disposal when data is no longer required.

13. Security of Your Personal Information

We take protecting your privacy and data security extremely seriously. We implement appropriate technical and organisational measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are based on risk assessment and include:

  • Implementing technical measures like data encryption (in transit and at rest where appropriate), using up-to-date and supported secure software, deploying anti-malware solutions.

  • Applying organisational measures like role-based access controls (limiting access to personnel with a need-to-know), robust password policies, secure deletion procedures for data no longer needed, appropriate backup and disaster recovery solutions, storing physical documents securely (e.g., lockable cabinets), regular staff training on data security and confidentiality, and performing due diligence on our third-party processors.

While we strive for security, no system is 100% impenetrable.

14. Data Breach Handling

We have procedures in place to detect, investigate, and respond to potential personal data breaches. In the event of a breach likely to result in a risk to your rights and freedoms, we are committed to notifying the Information Commissioner’s Office (ICO) without undue delay (within 72 hours where feasible). Where a breach is likely to result in a high risk to you, we will also aim to inform you directly without undue delay, providing information about the breach and the steps you can take.

15. Data Protection by Design

We are committed to implementing ‘Data Protection by Design and by Default’. This means we integrate data protection considerations into the design and operation of our services, processes, and systems from the outset, aiming to minimise data collection and build in privacy safeguards.

16. Children’s Information

Our services are not for individuals under 16. We do not knowingly collect their data. Contact our DPO if you believe this has occurred.

17. Your Data Protection Rights

Under GDPR, you have rights including:

  • Be Informed: (This policy aims to do this).

  • Access: Request a copy of your data.

  • Rectification: Correct inaccurate data.

  • Erasure: Request deletion under certain conditions.

  • Restrict Processing: Request a temporary halt on processing.

  • Data Portability: Obtain/reuse your data provided under consent/contract.

  • Object: Object to processing based on legitimate interests (absolute right for direct marketing).

  • Withdraw Consent: Withdraw consent easily at any time (see Section 18).

  • Rights re: Automated Decisions: Not be subject to solely automated decisions with significant effects.

Exercising Your Rights: Contact our DPO (Section 23). We aim to respond to all legitimate requests within one calendar month of receipt. We will need to verify your identity before processing your request. Access requests are usually free, but fees or refusals may apply to unfounded, excessive, or repetitive requests.

18. Your Consent and Choices: Opt-In and Opt-Out

We respect your choices about how your data is used.

  • Explicit Consent (‘Hard Opt-In’): As stated, this is required for key activities like sharing data for quotes with partners, specific AI uses, non-essential cookies, and generally for marketing to new contacts. Where required, we use clear, unticked opt-in boxes or similar affirmative actions.

  • Soft Opt-In Exemption / Opt-Out: In the limited case of marketing similar products/services via email/SMS to existing contacts (where details were obtained during service provision and an opt-out was offered), we may rely on this exemption (based on Legitimate Interest) unless you opt-out.

  • Withdrawal / Opting Out: You have the absolute right to withdraw your consent or opt-out of marketing at any time. This is designed to be as easy as giving consent/not opting out initially. You can do so via:

    • ‘Unsubscribe’ links in emails.

    • Replying ‘STOP’ to SMS messages.

    • Contacting our DPO directly (see Section 23).

    Withdrawal/opt-out is effective going forward and does not affect past lawful processing.

19. Consequences of Not Providing Consent or Information

You are not obliged to provide data or consent. However, choosing not to opt-in or provide necessary data may mean:

  • We cannot provide the specific service/information requiring that consent/data (e.g., share details for a quote).

  • We cannot fulfil related contractual elements.

  • We cannot send you marketing communications you haven’t opted into (unless the narrow soft opt-in exemption applies and you haven’t opted out).

We clarify necessities at the point of collection.

20. Change of Control or Sale

If Klientscale Ltd is sold or merged, user data may be transferred. The new entity must use your data according to this policy unless you agree otherwise or are notified of changes.

21. Links to Other Websites

Our site may link to third-party sites. We are not responsible for their privacy practices. Review their policies.

22. Right to Complain

Please contact our DPO first (Section 23) with any concerns. You also have the right to complain to the ICO (details below):

  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

  • Website: www.ico.org.uk

  • Phone: 0303 123 1113

  • Registered number: ZB324605

23. Contact Us

For questions, rights requests, or more information, contact our Data Protection Officer:

  • Email: dpo@klientscale.com

  • Post: Data Protection Officer, Klientscale, 86-90 Paul Street, London, EC2A 4NE

24. Policy Review and Amendments

This policy is reviewed regularly and may be updated. 

We will notify you of substantial changes via email/notice on our Service where feasible. Please review periodically.