Information we process
There are only two types of information that we need to process; information about you as a customer and information that you choose to provide to us so that we can provide our services.
The ‘customer information’ will include the name of the company or individual as applicable, named individual(s) responsible for contracts or payments, financial information in order to process invoices, business addresses, email addresses and phone numbers.
For services that we provide to you, the information that we process will be up to you. We may request certain information in order to provide the most holistic and complete advice; however, you are the data controller of your own information and will decide what should be shared.
As Information Governance professionals, we are used to completing Data Protection Impact Assessments (DPIAs) and can help you draft one for any work that we are commissioned to undertake. In the event that we need to see sensitive data as part of the service then we are more than happy to sign a confidentiality agreement and can provide templates if you do not have your own.
How we use your information
We will use and store some personal and business information in order to contact potential clients. This information will never be purchased, sold or traded. Information processed will be publicly available information and will be processed under the lawful basis of legitimate interests. This is Article 6(1)(f) of the GDPR and covers contacting individuals about our services.
If you are interested in our services, then the lawful basis for using your data will be under Article 6(1)(b) of the GDPR – entering into or performing the duties or obligations of a contract. Article 6(1)(b) states:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
In the unlikely event that we hold information which is requested under a legal obligation, such as a Court Order, then this will be provided in accordance with Article 6(1)(c) of the GDPR.
‘Customer information’ will be retained for 8 years for accounting purposes.
‘Service information’ that you have provided to us will not be retained.
Information will never be re-used, sold, used for marketing or any other secondary uses unless you have expressly given permission for us to do so. We may however, use statistical information internally to help us improve as a company.
About our company
We are a UK based company, predominantly operating in the South West and South Central regions. We are registered with the ICO under the following registration: ZA711965
We do not need to assign a Data Protection Officer as we are not a public authority, we do not use CCTV and we do not process special category data on a large scale. However, be assured that both Graeme and Mark are Data Protection Officers for Acute NHS Trusts and despite not officially needing a DPO, they apply the same high quality standards to the Stabe business. If you have any queries on this please contact us on
We use Zoho mail as our email provider. Zoho Mail have a head office in the United States and also have an office in the Netherlands. The provider has ISO 27001 certification. We do not rely on the now invalid EU-US privacy shield. We have a contract to ensure adequate safeguards for data processed in the EU and that the service will continue following the UK's exit.