GDPR & Data Protection Policy

1. Purpose and Scope

This policy sets out how VacatAd Ltd ("VacatAd", "we", "us", "our") collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It applies to all employees, contractors, clients, suppliers, and third parties who interact with VacatAd or whose personal data we process.

2. Who We Are

VacatAd Ltd
80-90 Paul Street, London, EC2A 4NA
Email: hello@vacatad.com
Tel: 0333 090 0443
Website: https://vacatad.com

VacatAd provides technology-first solutions for business rates relief and vacant property management through the installation of Wi-Fi routers and associated IoT devices that enable beneficial occupation, data-driven insights, and community connectivity.

3. Lawful Basis for Processing

VacatAd processes personal data under the following lawful bases:

• Contractual necessity – where processing is required to deliver our services or manage client relationships.
• Legal obligation – to comply with applicable laws or regulatory authorities.
• Legitimate interests – to operate and improve our services (e.g. Wi-Fi analytics, property monitoring, client communication).
• Consent – where individuals voluntarily opt in to communications or Wi-Fi access.

4. Data We Collect

Depending on the interaction, we may collect and process:

Clients and partners

• Names, contact details, job titles, company details
• Contractual and billing information
• Communications and correspondence records

Wi-Fi users

• Device MAC address and connection timestamps
• Bandwidth usage, session duration, and signal strength
• Optional demographic data if voluntarily provided (e.g. via Wi-Fi landing page form)
• User login information (name, email address)

Employees and contractors

• Identification and contact details
• Payroll, HR, and performance data
• Access logs to company systems

We do not collect or process special category (sensitive) data unless required by law.

5. How We Use Personal Data

Personal data is used solely for legitimate business purposes, including:

• Delivering and managing VacatAd's Wi-Fi and monitoring services
• Providing compliance evidence to local authorities (e.g. for beneficial occupation confirmation)
• Maintaining security and service quality across our network
• Managing customer relationships and responding to enquiries
• Complying with tax, legal, and regulatory requirements
• Improving our services and communications

We do not sell or share personal data for marketing purposes.

6. Data Sharing and Third Parties

We may share data with trusted third parties where necessary to deliver our services, such as:

• Telecommunications and IoT service providers (e.g. SIM connectivity, device monitoring)
• Local authorities (for verifying occupation and compliance evidence)
• Accountants, solicitors, or regulators (where legally required)
• Cloud service providers (for secure hosting, e.g. CRM, RMS, analytics)

All partners are bound by contractual data-processing agreements ensuring GDPR compliance and data security.

7. Data Retention

We retain data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law or regulation.

Typical retention periods:

• Client contracts & financial records – 6 years
• Wi-Fi connection logs – up to 90 days
• CCTV or motion detection data – up to 30 days unless required for investigation
• Employee HR records – duration of employment + 6 years

After these periods, data is securely deleted or anonymised.

8. Data Security

VacatAd maintains appropriate technical and organisational measures to protect data, including:

• Encrypted communications (HTTPS, VPNs, and encrypted SIM tunnels)
• Password and access management protocols
• Regular security patching and network monitoring
• Role-based data access controls
• Staff GDPR and cybersecurity training

All devices deployed (routers, cameras, sensors) are managed remotely and protected through secure RMS (Remote Management System) access.

9. Individual Rights

Under the UK GDPR, individuals have the right to:

• Access their personal data
• Rectify inaccurate or incomplete data
• Request erasure ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent (where applicable)

Requests can be made via email at hello@vacatad.com. We will respond within one calendar month.

10. Cookies and Wi-Fi Analytics

When using VacatAd's Wi-Fi network or visiting our website, cookies and analytics tools may collect usage data to improve performance and measure engagement.

Users can opt out of analytics cookies via browser settings or Wi-Fi landing page preferences.

11. International Data Transfers

VacatAd stores and processes all personal data primarily within the UK or EEA. If data is transferred outside these regions, it will be protected using appropriate safeguards such as UK International Data Transfer Agreements (IDTAs) or adequacy decisions.

12. Data Breach Management

In the event of a personal data breach, VacatAd will:

• Contain and assess the breach immediately
• Notify the Information Commissioner's Office (ICO) within 72 hours if required
• Inform affected individuals where there is a high risk to their rights or freedoms
• Maintain a breach log for all incidents

13. Roles and Responsibilities

• Data Protection Officer (DPO): Jordan Jones
• Managing Director: Alistair Oates

All VacatAd personnel are responsible for safeguarding data in line with this policy.

14. Contact and Complaints

For questions or complaints about this policy or our data processing, please contact:

Data Protection Officer
VacatAd Ltd
Email: hello@vacatad.com

If you are not satisfied with our response, you may contact the Information Commissioner's Office (ICO):
https://ico.org.uk/make-a-complaint/

15. Policy Review

This policy will be reviewed annually or sooner if there are significant regulatory, technological, or organisational changes.

Document Control