Privacy Policy — Lloyd-Thomas Architects Ltd (Updated 2025)
Effective date: [20 August 2025]
Last reviewed: [20 August 2025]
1. Introduction
1.1 We are committed to safeguarding the privacy of our website visitors and service users.
1.2 This policy explains:
- who we are and how to contact us;
- what personal data we collect and why;
- the lawful basis we rely on to process that data;
- who we share that data with and where it may be transferred;
- how long we keep personal data; and
- your rights and how to exercise them.
Controller: Lloyd-Thomas Architects Ltd (company registration number 4433867).
Registered office / principal place of business: Pentelowes Barn, Fosse Way, Hunningham, Leamington Spa, Warks. CV33 9EQ.
Contact: Roland Lloyd-Thomas — email: mail@lloyd-thomas.co.uk; postal: address above; telephone: 01926 633 600.
2. Scope
2.1 This policy applies where Lloyd-Thomas Architects Ltd acts as a data controller (i.e. decides how and why personal data is processed). It covers personal data collected via our website, contact forms, emails, telephone, written correspondence, and during the delivery of our services.
3. Personal data we collect (high-level)
We may collect and process:
A. Identity & contact data — name, job title, company, postal address, email, telephone.
B. Service data / contract data — information you provide to instruct or contract us (drawings, project details, specifications).
C. Enquiry data — messages and attachments submitted by contact form, email, phone notes.
D. Usage / analytics data — IP address, device/browser details, pages visited, referral source, session length, where captured by analytics tools.
E. Transactional / billing data — where applicable (invoices, payment confirmations).
F. Other data — where you provide third-party contacts or project stakeholder details.
We do not collect or keep special category (sensitive) personal data (e.g. health, race) except where you provide it and explicitly agree it’s necessary for a project. If that happens we will treat it separately and only on an appropriate legal basis.
4. How we use your personal data and the lawful basis
For each purpose we identify a single lawful basis under UK GDPR (Article 6). Below are the common purposes and the lawful bases we rely on:
- To respond to enquiries and provide services — personal data used to contact you, prepare quotes, perform design/contract work.
  Lawful basis: Performance of a contract / taking steps at your request prior to entering a contract.
- To manage contracts, billing and payments — process invoices, tax records, and legal obligations.
  Lawful basis: Performance of a contract; legal obligation (tax/accounting).
- Website analytics (to monitor and improve our site) — analyse anonymised/aggregated usage to improve user experience.
  Lawful basis: Legitimate interests (to monitor and improve our website) OR consent where required by cookie law (see Cookies section). If relying on legitimate interests we document an LIA.
- Marketing communications (e.g. newsletters, news, events) — we only send marketing emails where you have given consent, or where we have a clear legitimate interest and you have not objected and where PECR allows. You can withdraw consent or object at any time.
- Security, backups and fraud prevention — to keep systems secure and to maintain back-ups.
  Lawful basis: Legitimate interests (security and resilience).
- Legal compliance, dispute handling and insurance — to comply with court orders, local authority queries, or to obtain/maintain insurance.
  Lawful basis: Legal obligation / legitimate interests.
If we need to rely on multiple lawful bases for an activity (e.g. analytics + marketing), we will make the basis clear in the more detailed section of this notice (or in our privacy dashboard). For guidance on selecting lawful bases, see ICO guidance.
5. Cookies & similar technologies
We use cookies and similar technologies. Non-essential cookies (analytics, advertising, tracking) are only set after you give explicit consent via our cookie settings. Essential cookies required for the site to function are set automatically. You can change or withdraw consent at any time using the Cookie settings link on our site.
Key points:
- We provide a cookie table (below) listing each cookie, purpose, provider and expiry.
- We do not use dark patterns: no pre-ticked boxes for non-essential cookies; users must opt in.
- You can manage cookies via your browser, but that may affect site functionality. See ICO guidance on cookies for details.
Example cookie table
Cookie name / category | Purpose | Provider | Expires |
---|---|---|---|
session_id (essential) | Keeps you logged-in / session state | [OUR SITE] | session |
_ga, _gid (analytics) | Google Analytics: user/session identifiers (only if consented) | Google LLC | 2 years / 24 hours |
cookie_consent (essential) | Stores your cookie preferences | [OUR SITE] | 1 year |
6. Third parties, processors and international transfers
6.1 We may share personal data with service providers and processors who act on our behalf to provide hosting, analytics, email marketing, payment processing, and professional services. Typical categories include:
- Hosting provider(s);
- Analytics provider(s);
- Professional advisors, insurers, and legal advisers.
6.2 Named processors: we publish an up-to-date list of our key processors and the purposes for which we share data at: [INSERT LINK or page path]. Please contact us at [INSERT EMAIL] for a current list.
6.3 International transfers: where we transfer personal data outside the UK/EEA (for example if a cloud or analytics provider is based in the US), we will only do so if:
- there is an adequacy decision for the recipient country, or
- we have appropriate safeguards (e.g. the ICO’s International Data Transfer Agreement (IDTA), addendum, or standard contractual clauses where applicable), and we have completed a documented transfer risk assessment (TIA).
6.4 Note on analytics & US transfers: the use of some analytics services that transfer data to the US (e.g. Google Analytics) has been subject to regulatory scrutiny in Europe. We document the transfer safeguards in place and will provide details on request.
7. Retention
7.1 We retain personal data only for as long as necessary for the purpose collected and to meet legal and business needs. Typical retention periods (examples — please customise):
- Contact form / enquiry data: 24 months after last contact (unless a contract is agreed).
- Client project records and contractual documents: 7 years after project completion (to meet tax and record keeping obligations).
- Website analytics: retained for up to 26 months or anonymised/aggregated sooner.
- Job applications: 6 months after the closing date (unless you agree to longer retention).
7.2 Where we cannot anonymise data we securely delete or archive it. If you need specific retention information for a category of data, contact mail@lloyd-thomas.co.uk.
8. Your rights
You have rights under data protection law. Subject to certain exemptions, these include:
- the right to be informed about processing (this notice);
- the right to access the personal data we hold about you (subject access request);
- the right to rectification of inaccurate data;
- the right to erasure (right to be forgotten) in limited circumstances;
- the right to restrict processing in certain situations;
- the right to data portability (where processing is by automated means and based on consent or contract);
- the right to object to processing based on legitimate interests or direct marketing; and
- the right to withdraw consent at any time (where processing is based on consent).
To exercise any right, contact mail@lloyd-thomas.co.uk or write to Lloyd-Thomas Architects Ltd at the postal address above. We reply to subject access requests within one month (extensions permitted for complex requests). You have the right to complain to the UK Information Commissioner’s Office (ICO) if you believe we have not complied with data protection law.
9. Security
We use reasonable technical and organisational measures to protect personal data from loss, misuse, and unauthorised access, disclosure, alteration and destruction. These include secure hosting, TLS/HTTPS, regular back-ups, access controls and staff training. No internet transmission can be guaranteed 100% secure — if you have particularly sensitive information to send, contact us first to arrange a secure method.
10. Changes to this policy
We will update this policy from time to time. The latest version and effective date will always be published on this page. Material changes that affect fundamental rights will be notified by email or by notice on the website where appropriate.
11. Contact details
This website is owned and operated by Lloyd-Thomas Architects Ltd.
Company number: 4433867
Registered office: Pentelowes Barn, Fosse Way, Hunningham, Leamington Spa, Warks. CV33 9EQ.
For privacy requests and questions: mail@lloyd-thomas.co.uk.