Website Privacy Notice

Last updated: March 2026

Data Access Office Ltd (“Data Access Office”, “DAO”, “we”, “us”, “our”) is committed to protecting the privacy of everyone who visits our website or uses our services. We take our responsibilities seriously and handle all personal information lawfully, transparently and with care. This notice explains what information we collect, how we use it, the systems that protect it, and the rights you have under UK data protection law, including the UK GDPR, the Data Protection Act 2018 and the Data Use and Access Act 2025.

Our service supports organisations with the management and processing of Subject Access Requests (SARs). In doing so, we only collect the information we genuinely need to provide and maintain the service safely and effectively.

  1. Who we are

Data Access Office Ltd is the Data Controller for personal data collected through our website and subscription platform. We operate from Errwood House, 212 Moss Lane, Bramhall, Cheshire, SK7 1BD.

We have appointed a Data Protection Officer, Matthew Keeffe, who oversees our compliance obligations and ensures that personal information is handled correctly. You can contact the DPO at hello@dataaccessoffice.co.uk  or by telephone on 0161 524 7310.  should you have any questions or wish to exercise any of your rights.

  1. Information we collect and why

When you visit our website, we automatically collect a small amount of technical information, including your IP address, the type of device and browser you are using, and the pages you access. This helps us understand whether the website is performing properly, which areas are most visited, and where improvements may be needed. It also helps us monitor for security or performance issues.

If you contact us, request a demonstration or make an enquiry, we will collect the details you provide so that we can respond. This typically includes your name, your organisation, your email address and your telephone number.

Should you proceed to subscribe to Data Access Office, we collect the information required to create and administer your account. Payment information is handled securely by Stripe. Your bank details are never seen or stored by us; we only receive confirmation of your payment status so we can manage your subscription.

If you upload documents, case files or SAR‑related materials into the DAO platform, these are stored in Clio, our secure case management and document system hosted in the Microsoft Azure cloud. The platform uses strong encryption, detailed access controls and full audit trails so that only authorised individuals can view or work on your materials. We use these documents solely to support your organisation’s SAR activity and provide the functionality your subscription offers.

  1. How we use your information

We use your information to set up and manage your subscription, to facilitate access to the platform, to respond to enquiries and requests for support, and to ensure the website and systems operate securely and efficiently. Information uploaded to Clio is used purely to enable your organisation to manage SAR‑related work within the platform.

Technical information gathered from your website use helps us understand how the service is performing and whether any changes are needed to maintain a reliable and user‑friendly experience. All processing is carried out in line with our legal obligations and only where a lawful basis exists, such as the need to perform our contract with you, our legitimate interest in maintaining a secure and operational system, your consent where that applies, or compliance with a legal requirement.

  1. How we store and protect your information

All personal data and uploaded documents are stored within Clio’s Microsoft Azure environment. This is a secure cloud platform with robust protections, including encryption both in transit and at rest, multi‑layer authentication, access logging, and clear permissions so that only the correct people have access. Our staff can only access your account where required to provide technical support or to carry out a legitimate business function, and all access is recorded.

Payment information is stored exclusively by Stripe and is never processed or stored on DAO systems. Stripe’s infrastructure is independently audited and certified to the highest security standards used in the financial sector.

If, on rare occasions, data must be transferred outside the UK through our service providers, we ensure that appropriate safeguards are in place so that your information remains fully protected and compliant with UK law.

  1. Sharing your information

We do not sell personal information and do not share it for unrelated marketing purposes. We only share your information where it is essential for the operation of the service. This includes Clio for account and document management, Stripe for payment handling, and professional advisers where legally required. We may also share information with regulators, courts or law enforcement if the law compels us to do so.

Any organisation handling your data on our behalf must do so under strict contractual and security controls.

  1. How long we keep your information

We retain personal information for the duration of your subscription and for three years after it ends. This enables us to respond to enquiries, manage audit and compliance responsibilities and meet any legal obligations that may arise after your subscription concludes.

Documents stored within Clio follow the same principle. When your subscription ends, we will discuss with you which documents, if any, must be kept for regulatory reasons. After the retention period expires, information is securely and permanently deleted.

  1. Your rights

You have the right to know whether we hold information about you, and to request access to it. You may also ask us to correct inaccurate information, delete it where appropriate, restrict how it is used, object to certain uses, or request that it be transferred to another provider. Where processing is based on consent, you may withdraw that consent at any time.

You can exercise any of these rights by contacting our Data Protection Officer using the details provided earlier. You also have the right to raise a concern with the Information Commissioner’s Office, although we encourage you to contact us first so that we can resolve matters directly wherever possible.

  1. Cookies

Our website uses essential cookies to ensure that it operates correctly. We may also use analytics cookies to understand general usage patterns and improve the site. You can adjust your browser settings at any time if you wish to limit or disable non‑essential cookies.

  1. Changes to this notice

We review and update this privacy notice whenever necessary, particularly where our practices change or where legislation or guidance is updated. The date at the top of this page will always indicate when the notice was last revised.