Privacy Policy
Last updated: 5 January 2026
1. Data Controller
This website is operated by Andy Kemp Consulting Ltd, a Microsoft 365 security, identity and migration specialist.
Andy Kemp Consulting Ltd is the data controller responsible for your personal data collected through this website.
| | |
|---|---|
| Company Registration | SC878818 (Scotland) |
| VAT Number | GB513227917 |
| Registered Address | 6/4 West Powburn, Edinburgh, EH9 3EN |
2. What We Collect
Depending on how you use this website, we may collect the following categories of personal data:
- Name
- Email address
- Company information (for business enquiries, project scoping, and consultancy engagement)
- Any information you submit via contact forms
Contact Enquiries
When you submit a message through our contact form we collect your name, email address, company details (if provided), and the content of your message. This data is used solely to respond to your enquiry and scope consultancy support.
Newsletter & Email Subscriptions
If you choose to subscribe to our newsletter or blog update emails we collect your email address and your subscription preferences (which content lists you opt into). Consent is recorded at the time of sign-up and you may withdraw it at any time via the unsubscribe link in every email.
Comments
When you leave a comment on a blog post we collect your name, email address, and the comment text. Your email address is never displayed publicly. WordPress also stores your IP address at the time of submission as an anti-spam measure; this is retained for 18 months then deleted.
Account Registration & Authentication
If you register for an account we collect standard WordPress profile data (username, email, display name). Where you opt into passkey (WebAuthn) authentication, your device public key credential is stored securely in our database — no biometric data is ever transmitted to us. Single Sign-On (SSO) connections may provide your name and email from your identity provider.
Reading List / Bookmarks
Logged-in users may save articles to a personal reading list. We store a record of your user ID and the bookmarked post ID. This data is tied to your account and deleted when your account is removed.
Post Views & Reactions
We count page views on articles as aggregate totals only — no individual visitor profile is created. Post reactions (emoji responses) are tracked via browser session to prevent duplicate voting; no personally identifiable information is associated with a reaction.
Technical / Usage Data
Our web server logs standard technical data including your IP address, browser type, referring URL, and pages visited. These logs are retained for up to 30 days for security and operational purposes and are not used for marketing profiling.
3. Legal Basis for Processing
We process personal data only where we have a lawful basis under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
- Consent — newsletter subscriptions and optional cookies (analytics, marketing). You may withdraw consent at any time.
- Contract — processing necessary to fulfil a services engagement or respond to a service enquiry.
- Legitimate Interests — operating and securing the website, aggregate analytics to improve content, and fraud/spam prevention, where these interests are not overridden by your rights.
- Legal Obligation — retaining records where required by UK law (e.g. financial or tax records relating to professional services).
4. How We Use Your Data
- Responding to contact form enquiries and service requests
- Sending newsletters, blog updates, and content digests you have subscribed to
- Managing your account, bookmarks, and authentication credentials
- Moderating and displaying comments
- Analysing aggregate content performance to improve our articles and services
- Protecting the website from spam, abuse, and unauthorised access
- Complying with legal and regulatory obligations
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
5. Sharing & Data Processors
We use a small number of trusted third-party processors to operate this website. Each is bound by a data processing agreement and may only use your data on our documented instructions:
- Andy Kemp Cloud — web hosting and infrastructure. Servers are located in the United Kingdom.
- Email delivery (SMTP) — transactional emails (subscription confirmations, notifications) are sent via our configured SMTP provider.
- Analytics providers (for example Google Analytics, when enabled) — used to understand aggregate site usage and improve website performance.
These providers may process personal data on our behalf as data processors.
Aggregate, anonymised analytics data (page view counts) does not identify individuals and is not shared.
We may disclose personal data where required by law, court order, or to protect the rights, property, or safety of our company, clients, or the public.
7. Data Retention
We retain enquiry data only for as long as necessary to fulfil its purpose, unless we are required by law to retain it longer.
- Contact enquiries — retained for 2 years from last correspondence, then securely deleted.
- Newsletter subscriptions — retained until you unsubscribe or request deletion. Unsubscribed records are anonymised after 90 days.
- Comments — retained indefinitely unless removed by the author or an administrator. Comment IP logs: 18 months.
- Account data & reading lists — retained for the life of your account. Deleted within 30 days of an account deletion request.
- Passkey credentials — retained until you delete them via your account settings or your account is closed.
- Server access logs — 30 days, then automatically purged.
- Financial / services records — retained for 7 years as required by UK tax law.
8. Security
Andy Kemp Consulting Ltd implements appropriate technical and organisational security measures including:
- HTTPS encryption for all data in transit
- Server-side rate limiting and brute-force protection
- IP-based access controls for administrative areas
- Regular automated backups stored securely
- Passwordless authentication options (passkeys) to reduce credential-based risk
No method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.
9. Your Rights
Under UK GDPR you have the following rights. To exercise any of them, please contact us using the details in Section 12:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data where there is no compelling reason to continue processing.
- Right to restrict processing — ask us to pause processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing purposes.
- Rights in relation to automated decision-making — we do not carry out automated decision-making or profiling that produces legal or similarly significant effects.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to all verified requests within one calendar month. We may need to verify your identity before fulfilling a request.
10. Complaints
If you have a concern about how we handle your personal data, please contact us in the first instance (see Section 12) and we will endeavour to resolve the matter promptly.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk
- Helpline: 0303 123 1113
11. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or best practices. When we make material changes we will update the "Last updated" date at the top of this page. Where changes significantly affect your rights we will take reasonable steps to notify you (e.g. via a notice on the website or an email to newsletter subscribers).
We encourage you to review this policy periodically.
12. Contact Us
For any questions about this privacy policy, to exercise your data rights, or to report a concern:
- Organisation: Andy Kemp Consulting Ltd
- Email: hello@andykemp.com
- Website: https://www.andykemp.com/
- Contact form: https://www.andykemp.com/contact
- Postal address: 6/4 West Powburn, Edinburgh, EH9 3EN
This privacy policy is written in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.