Last reviewed 15 May 2026
Data protection notice
Written correspondence: Tamazia Ltd, C1, Barking Wharf Square, London, IG11 7ZQ.
This notice is the statutory disclosure under UK GDPR Articles 13 and 14, the Data Protection Act 2018, and the EU GDPR Articles 13 and 14 for visitors and clients reachable by Tamazia from any jurisdiction.
Controller identity and contact
Tamazia is operated by Tamazia Ltd, a private limited company registered in England and Wales. The work address for written correspondence on data protection matters is published at tamazia.co.uk/contact.
The controller's contact for data protection enquiries is dpo@tamazia.co.uk. Subject access requests, rectification, erasure, restriction, portability, and objection requests are routed through this address and acknowledged within seventy-two hours.
UK Representative under Article 27 UK GDPR
As a controller established outside the United Kingdom that offers services to data subjects in the United Kingdom, Tamazia falls within the scope of Article 27 UK GDPR. The appointment of a UK Representative is in progress; the appointment will be published at this section once the contract is executed. Until that point, all UK data subject communications should be addressed to dpo@tamazia.co.uk, which is monitored by the controller daily.
EU Representative under Article 27 GDPR
As a controller established outside the European Union that offers services to data subjects in the EEA, Tamazia falls within the scope of Article 27 GDPR. The appointment of an EU Representative is in progress and will be published at this section once executed.
Categories of personal data processed
- Identification data: name, business email address, employer name, role title, business country.
- Contact data: telephone number where supplied, scheduled meeting times, the content of messages sent through the contact form, the briefings form, the audit form, or by direct email to a Tamazia inbox.
- Technical data: truncated IP address (final octet redacted), country derived from the IP address, user agent string, referring URL, the request identifier issued at submission.
- Marketing data: source of arrival where supplied through UTM parameters, the subscription status to the regulatory briefings list.
Sources of personal data
The data is collected directly from the data subject through the website, by email, or in scheduled meetings. Where personal data is enriched through public registers, professional directories, or commercial enrichment platforms (Apollo, ZoomInfo, Hunter, Common Room) the source is recorded against the subject's record. Article 14 disclosure to the data subject is provided on first contact through the email signature line and at this notice.
Lawful basis
- Performance of a contract or steps requested by the data subject prior to entering into a contract under Article 6(1)(b) UK GDPR for clients and prospects who have requested a proposal, a strategy call, or a briefing.
- Legitimate interests under Article 6(1)(f) UK GDPR for the operation of the website, the security of the systems, the prevention of fraud, the management of the briefings list, the response to enquiries, and outbound research-led contact made to senior commercial decision-makers within Tamazia's stated target sectors.
- Consent under Article 6(1)(a) UK GDPR for the optional analytics cookies, the regulatory briefings subscription, and any direct marketing communications outside the legitimate-interests scope.
- Compliance with a legal obligation under Article 6(1)(c) UK GDPR for tax, accounting, anti-money-laundering, and statutory record retention.
Recipients of personal data
The data is processed by Tamazia and the following processors acting on Tamazia's documented instructions:
- Cloudflare, Inc. for content delivery, edge functions, KV storage, web analytics, email routing, and security services.
- Resend Co. for the transactional acknowledgement and the internal alert email.
- Cal.com, Inc. for scheduling and booking management.
- Postmark (for DMARC reporting), Google LLC (for analytics where consent is granted), and Microsoft Corporation (for inbox routing where used).
- Email validators ZeroBounce, Hunter, and NeverBounce for the verification of submitted email addresses prior to persistence.
- Professional advisers under contractual confidentiality where required for accounting, tax, or legal advice.
A current Article 30 record of processing activities is maintained by the controller and is supplied to the supervisory authority on request.
International transfers
Personal data may be transferred to processors located outside the United Kingdom and the European Economic Area, including the United States, India, and Singapore. Each such transfer is governed by either an adequacy decision, the United Kingdom International Data Transfer Addendum to the European Commission Standard Contractual Clauses, or the EU Standard Contractual Clauses with appropriate supplementary measures. Copies of the executed transfer instruments are available to data subjects on written request.
Retention
The default retention for form submissions held in Cloudflare KV is twenty-four months from the date of submission, after which the record is automatically deleted by the platform's TTL. Bookings and meeting notes are retained for the duration of the engagement plus the statutory retention period for tax and accounting records of seven years. The briefings list retains the subscription record for as long as the subscription is active and for thirteen months after unsubscribe to evidence the unsubscribe.
Rights
Data subjects in the United Kingdom and the European Economic Area have the right to access their personal data, to obtain rectification of inaccurate data, to obtain erasure where the lawful basis no longer applies, to restrict processing, to object to processing, to data portability where the lawful basis is consent or contract, to withdraw consent at any time without affecting prior lawful processing, and to lodge a complaint with the supervisory authority in their place of residence or work. The supervisory authority for the United Kingdom is the Information Commissioner's Office at ico.org.uk.
Automated decision-making
Tamazia does not engage in automated decision-making producing legal or similarly significant effects on data subjects within the meaning of Article 22 UK GDPR.
Retention schedule
| Category | Retention | Lawful basis |
|---|---|---|
| Contact form submissions (KV) | 24 months | Article 6(1)(b) and (f) |
| Briefings list subscriptions (KV) | active + 13 months | Article 6(1)(a) |
| Audit form submissions (KV) | 24 months | Article 6(1)(b) |
| Booking records (KV) | 24 months · client engagements 7 years | Article 6(1)(b) and (c) |
| NEL + CSP violation reports (KV) | 30 days | Article 6(1)(f) |
| Erasure audit log (KV) | 7 years | Article 6(1)(c) compliance evidence |
| Outbound research (CRM) | 36 months from last interaction | Article 6(1)(f) |
| Tax and accounting records | 7 years from end of accounting period | Companies Act 2006 + HMRC |
Breach response
In the event of a personal data breach, Tamazia will notify the Information Commissioner's Office without undue delay and, where feasible, not later than seventy-two hours after becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, Tamazia will communicate the breach to the affected data subjects without undue delay, in accordance with Article 34. The breach record is maintained at references/breach-register.md internally.
Cookies and analytics
Cookies and the Consent Mode v2 deployment are described at tamazia.co.uk/cookie-policy. Analytics cookies are not set unless the data subject grants consent through the cookie banner. The consent record is retained for thirteen months in accordance with Information Commissioner's Office guidance and is then re-prompted.
Complaints
Concerns about Tamazia's processing should first be raised with dpo@tamazia.co.uk. If the response is unsatisfactory, the data subject is entitled to lodge a complaint with the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom (telephone +44 303 123 1113, online at ico.org.uk/make-a-complaint); the Commission Nationale de l'Informatique et des Libertés (France); the Garante per la Protezione dei Dati Personali (Italy); the Agencia Española de Protección de Datos (Spain); or the supervisory authority of the data subject's habitual residence within the European Economic Area.