GDPR & DATA PROTECTION POLICY

Effective Date: 07.04.2026
Last Reviewed: 06.04.2026

1. Introduction

This GDPR & Data Protection Policy explains how Leaf & Dig Limited (“the Company”, “we”, “us”, “our”) collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and related legislation.

We are committed to processing personal data lawfully, fairly, and transparently, and to protecting the rights and freedoms of individuals whose data we handle.

2. Data Controller

Leaf & Dig Limited is the Data Controller for personal data processed in the course of its business.

Registered Office:
Folly Row, 18 Point Road, Avening, Tetbury, Gloucestershire, GL8 8LY

Email: info@leafanddig.com

The Company Director is responsible for data protection compliance.

3. Lawful Bases for Processing

We only process personal data where at least one lawful basis applies, including:

  • Performance of a contract – to provide garden maintenance, design, and related services

  • Legitimate interests – for managing the business, record-keeping, quality assurance, and service communications

  • Legal obligation – to meet tax, accounting, health and safety, and regulatory requirements

  • Consent – for specific activities such as marketing communications or promotional photography

Where consent is relied upon, it may be withdrawn at any time.

4. Categories of Personal Data

We may collect and process:

  • Names, addresses, email addresses, and telephone numbers

  • Property and garden information relevant to service delivery

  • Subcontractor details, including insurance and qualification records

  • Financial and invoicing information

  • Records of communications

  • Photographs or videos of gardens and works carried out

We do not routinely collect special category data. Where such data is provided (for example, health or access information), it is handled with additional care.

5. Purposes of Processing

Personal data is used only for:

  • Delivering contracted services

  • Scheduling and managing work

  • Communicating with clients and subcontractors

  • Invoicing, accounting, and financial administration

  • Quality monitoring and service improvement

  • Marketing and promotional activities (with consent)

  • Compliance with legal obligations

We do not use personal data for incompatible purposes.

6. Data Storage & Security

Personal data is stored securely using appropriate technical and organisational measures.

Systems may include:

  • Google Workspace / Google Drive

  • SortScape (or equivalent scheduling software)

  • Xero (accounting and invoicing)

  • MailerLite or equivalent email systems

Access is limited to authorised personnel and subcontractors who require access to perform their duties. Physical records are kept to a minimum and stored securely.

7. Data Retention

Personal data is retained only as long as necessary:

  • Client and financial records: 6 years after the end of the relationship

  • Subcontractor records: 6 years after engagement ends

  • Internal service photographs: retained as needed for continuity

  • Marketing photographs: up to 5 years or until consent is withdrawn

Data is securely deleted or anonymised when no longer required.

8. Data Sharing & Third Parties

We may share personal data with trusted third parties where necessary, including:

  • Accountants and professional advisers

  • Software and IT service providers

  • Regulatory or governmental bodies where legally required

All third-party processors are required to comply with UK GDPR. We do not sell personal data.

Where data is processed outside the UK, appropriate safeguards are in place.

9. Photography & Media

Photographs or videos may be taken for:

  • Internal documentation and continuity of service

  • Marketing and promotional use, only with explicit consent

We take all reasonable steps to ensure no personal identifiers are shown. Consent for marketing use may be withdrawn at any time.

10. Data Subject Rights

Individuals have the right to:

  • Access their personal data

  • Correct inaccurate or incomplete data

  • Request erasure where applicable

  • Restrict or object to processing

  • Request data portability

  • Withdraw consent at any time

Requests should be made to info@leafanddig.com. We respond within one month unless that period is lawfully extended.

11. Data Breach Procedure

A personal data breach includes unauthorised access, loss, or disclosure of personal data.

In the event of a breach:

  • The issue will be assessed promptly

  • The ICO will be notified within 72 hours where required

  • Affected individuals will be informed where there is high risk

  • Remedial action will be taken and documented

12. Staff & Subcontractor Responsibilities

All personnel handling personal data must:

  • Follow this Policy

  • Use approved systems only

  • Maintain confidentiality

  • Report suspected breaches immediately

Failure to comply may result in termination of engagement.

13. Policy Review

This Policy is reviewed annually or when required by changes in law or business practices.