Privacy Policy YUPL Digital
Last updated: 17 April 2026
At YUPL we are committed to protecting your privacy and the security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information when you visit yupl.com, enquire about our services, subscribe to our newsletter, or engage us under a statement of work. It is drafted to comply with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR").
1. Who We Are & Our Role
YUPL Digital is a UK-based digital agency providing software development, penetration testing, consulting, and digital transformation services.
- Company: YUPL Digital
- Address: 24 Holborn Viaduct, London EC1A 2BN
- Privacy contact: [email protected]
- Phone: 0330 229 4580
Our role under UK GDPR. YUPL acts as a data controller in respect of personal data we collect directly from you — for example when you enquire about our services, sign up to our newsletter, are employed by a client, or browse yupl.com. YUPL acts as a data processor in respect of personal data we handle on a client's behalf while delivering Services (for example during a penetration test, data migration, or while operating bespoke software for that client). Where we act as a processor, processing is governed by the client's instructions, a statement of work, and, where applicable, a separate Data Processing Agreement.
2. Information We Collect
We collect information in the following ways:
Information You Provide Directly
- Contact Information: Name, email address, phone number, company name when you contact us or request a quote
- Project Information: Details about your project requirements, business needs, and technical specifications
- Communication Records: Emails, messages, and notes from our interactions
- Payment Information: Billing details for invoicing (processed securely via our payment providers)
Information Collected Automatically
- Device Information: Browser type, operating system, device type
- Usage Data: Pages visited, time spent on pages, click patterns
- Technical Data: IP address, referring URLs, access times
- Cookie Data: Information collected through cookies (see Cookies section)
Newsletter Signups
If you submit the newsletter form we record your email address, the IP address, user-agent, and referrer of the submission, and the timestamp. This data is held for anti-abuse purposes and to service the subscription. You can unsubscribe at any time by emailing [email protected].
Security Logs
Like most websites, our servers automatically log requests (IP address, timestamp, URL, user-agent) for security, fraud-prevention, and abuse-detection purposes. These logs are rotated and retained for no longer than reasonably necessary, typically 90 days.
3. How We Use Your Information
We use your personal data to:
- Respond to your enquiries and provide requested information
- Deliver our services and manage project engagements
- Process payments and maintain financial records
- Send relevant updates about your projects or our services
- Improve our website and services based on usage patterns
- Comply with legal obligations and protect our legitimate interests
- Send marketing communications (only with your consent)
4. Legal Basis for Processing
Under UK GDPR, we process your data based on the following legal grounds:
- Contract: Processing necessary to fulfil our contractual obligations to you
- Consent: Where you have given explicit consent (e.g., marketing communications)
- Legitimate Interests: Processing necessary for our legitimate business interests, provided these don't override your rights
- Legal Obligation: Processing required to comply with UK law
5. Marketing & Newsletter
We may send you marketing communications about our services where you have consented (for example by subscribing to our newsletter) or where we have a soft-opt-in right under PECR — i.e. you are an existing customer, the communications relate to similar services, and you were given a clear opportunity to object when your details were collected.
Every marketing email we send includes a one-click unsubscribe link. You can also withdraw consent at any time by emailing [email protected]. Withdrawal does not affect the lawfulness of processing before the withdrawal.
We do not engage in automated profiling for marketing purposes.
6. Data Sharing & Sub-processors
We do not sell your personal data. We may share your information with:
- Service Providers / Sub-processors: Trusted third parties who assist in delivering our services (including hosting providers, email delivery providers, payment processors, and analytics tools). A current list of our sub-processors is available on request.
- Professional Advisors: Lawyers, accountants, and auditors where reasonably necessary.
- Law Enforcement & Regulators: When required by law, to comply with legal process, or to protect our or a third party's legal rights, property, or safety.
- Business Transfers: In connection with any merger, sale, restructuring, insolvency, or acquisition, subject to the new owner being bound by terms no less protective than this Policy.
All third-party recipients are bound by written agreements containing confidentiality and, where processing personal data on our behalf, Article 28 UK GDPR processor obligations.
7. International Transfers
Your personal data is primarily stored and processed within the United Kingdom or the European Economic Area ("EEA"). Where a sub-processor is located outside the UK/EEA, we ensure one of the following safeguards is in place before transfer:
- an adequacy decision issued by the UK Government or European Commission;
- the UK International Data Transfer Agreement ("IDTA"), or the European Commission's Standard Contractual Clauses together with the UK Addendum; or
- any other lawful transfer mechanism recognised under UK GDPR.
Details of the safeguards used for any specific transfer are available on request.
8. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
- Client Records: 7 years after project completion (for legal and accounting purposes)
- Marketing Data: Until you withdraw consent or unsubscribe
- Website Analytics: 26 months
- Enquiry Records: 2 years if no engagement follows
After the retention period, data is securely deleted or anonymised.
9. Your Rights
Under UK GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (subject to legal obligations)
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at [email protected]. We will respond within one month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (see section 14). Exercising these rights is free of charge in most cases; we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive. We may need to verify your identity before responding.
11. Children's Data
Our services are offered to businesses and are not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact [email protected] and we will take steps to delete it.
12. Automated Decision-Making & Profiling
We do not use your personal data to make solely automated decisions that produce legal or similarly significant effects concerning you. Where AI or automated tooling is used to assist a process (for example, content classification or security analytics), the final decision always involves meaningful human review.
13. Data Security & Breach Notification
We implement robust security measures to protect your personal data:
- SSL/TLS encryption for all data transmission
- Secure, encrypted storage systems
- Regular security audits and penetration testing
- Access controls limiting data access to authorised personnel
- Staff training on data protection best practices
- Incident response procedures for potential data breaches
While we take all reasonable precautions, no data transmission or storage system is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to a high professional standard.
Breach notification. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.
14. Contact & Complaints
If you have questions about this Privacy Policy or how we handle your data, or if you wish to exercise any of your rights, please contact us:
- Data Protection Contact: [email protected]
- Phone: 0330 229 4580
- Address: 24 Holborn Viaduct, London EC1A 2BN
Complaints to the ICO. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
- Website: ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please do contact us in the first instance.
Changes to This Policy
We may update this Privacy Policy periodically. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy regularly. Continued use of our website or services after changes constitutes acceptance of the updated policy.
This Privacy Policy is drafted to comply with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. Where we process personal data as a processor on behalf of a business client, the terms of the applicable statement of work or Data Processing Agreement apply in addition to, and where in conflict take precedence over, this Policy.