Legal
GDPR Compliance Statement
Last updated: June 2026
This is a general template; have it reviewed by legal counsel before relying on it.
1. Our commitment to GDPR
SOHOON Technologies is committed to protecting the personal data of our website visitors, clients, partners and employees. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018 where applicable.
This statement explains how we meet our obligations under these regulations and outlines the rights available to data subjects whose data we process.
2. Data controller
SOHOON Technologies acts as the data controller for personal data collected through our website and in the course of our client and partner relationships. Our contact details for data protection matters are:
- Email: info@sohoon.com
- Phone: +44 7700 101360
We do not currently have a formally appointed Data Protection Officer (DPO) as we are not required by law to designate one at this time. Privacy and data protection queries are handled directly by our management team at the contact details above.
3. Principles we uphold
We process personal data in accordance with the following GDPR principles:
- Lawfulness, fairness and transparency: we have a lawful basis for every processing activity and communicate our practices clearly.
- Purpose limitation: data is collected for specified, explicit and legitimate purposes and not processed in ways incompatible with those purposes.
- Data minimisation: we collect only the data that is necessary for the stated purpose.
- Accuracy: we take reasonable steps to ensure personal data is accurate and up to date.
- Storage limitation: we retain data only for as long as necessary (see Section 7).
- Integrity and confidentiality: we implement appropriate technical and organisational measures to secure personal data.
- Accountability: we maintain records of processing activities and can demonstrate compliance.
4. Lawful basis for processing
We rely on the following lawful bases depending on the nature of the processing activity:
- Contract (Article 6(1)(b)): processing is necessary to perform our contractual obligations to clients, or to take pre-contractual steps such as preparing quotes and proposals at your request.
- Legitimate interests (Article 6(1)(f)): processing is necessary for our legitimate interests, including responding to website enquiries, improving our services, maintaining website security and preventing fraud, provided these interests are not overridden by the data subject’s rights.
- Consent (Article 6(1)(a)): we rely on consent for optional marketing communications and non-essential cookies. Consent can be withdrawn at any time.
- Legal obligation (Article 6(1)(c)): processing required to comply with applicable legal requirements, such as tax record-keeping obligations.
5. Data subject rights
Under the UK GDPR and EU GDPR, individuals whose data we process have the following rights:
- Right of access (Article 15): you may request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Article 16): you may request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): you may request deletion of your personal data where there is no overriding legal basis to retain it ("right to be forgotten").
- Right to restriction of processing (Article 18): you may ask us to restrict processing of your data in certain circumstances — for example, while you contest its accuracy.
- Right to data portability (Article 20): where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): you may object to processing based on legitimate interests or for direct marketing purposes at any time.
- Rights related to automated decision-making (Article 22): we do not carry out fully automated decision-making that produces legal or similarly significant effects. If we introduce such processing in future, we will provide appropriate safeguards.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@sohoon.com. We will respond within one calendar month. Where requests are complex or numerous, we may extend this period by a further two months with prior notice. We will not charge a fee for reasonable requests.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk. In the EU, contact the supervisory authority in your member state.
6. International data transfers
SOHOON Technologies operates across the USA, UK, UAE, Canada, Australia and Pakistan. When personal data is transferred outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place. These may include:
- Standard Contractual Clauses (SCCs) approved by the ICO or the European Commission.
- Transfer to countries that benefit from an adequacy decision.
- Other appropriate safeguards permitted under applicable data protection law.
You may request details of the safeguards applicable to any specific transfer by contacting us.
7. Data retention
We retain personal data for the following periods (or such longer period as required by law):
- Enquiry and contact form data: up to 24 months from last contact, unless a contractual relationship is formed.
- Client project data: for the duration of the project plus seven years from contract end to meet tax and legal record-keeping obligations.
- Financial records: as required by applicable tax law (typically six to seven years).
- Job application data: for the duration of the recruitment process and, for unsuccessful applicants, up to six months thereafter, unless you consent to longer retention for future opportunities.
- Website analytics data: in anonymised or aggregated form for up to 26 months.
8. Data security
We implement appropriate technical and organisational security measures including access controls, encrypted communications (HTTPS), and restricted access to personal data on a need-to-know basis. We require third-party processors to implement equivalent standards. In the event of a personal data breach that is likely to result in risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
9. Third-party processors
We engage third-party service providers who may process personal data on our behalf (for example, cloud hosting, email delivery and analytics services). All processors are engaged under data processing agreements that require them to handle data in accordance with GDPR and to implement appropriate security measures. We do not allow processors to use personal data for their own purposes beyond what is necessary to provide services to us.
10. Updates to this statement
We review and update this GDPR Compliance Statement periodically to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page indicates when the statement was most recently revised.
11. Contact
For any GDPR-related enquiries, to exercise your rights, or to raise a concern:
SOHOON Technologies
Email: info@sohoon.com
Phone: +44 7700 101360
