ClearFlow
Consulting
BlogClient Access
Back to site

Privacy Policy

ClearFlow Consulting 86-90 Paul Street, London EC2A 4NE Email: hello@clearflowconsulting.io Last updated: April 2026

1. Who We Are

ClearFlow Consulting ("ClearFlow", "we", "us", "our") is a business process consulting firm registered in England and Wales. Our registered address is 86-90 Paul Street, London EC2A 4NE.

We are committed to protecting your personal data and processing it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For any privacy-related queries, contact us at hello@clearflowconsulting.io.

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

Enquiry and contact data: name, email address, company name, job title or role, phone number, and any information you provide via our enquiry forms, including descriptions of your business processes and operational challenges.

Client portal data: account credentials (stored in hashed form), your Unique Client Reference (UCR), documents and files you upload through the client portal, and engagement-related communications.

Usage data: technical information such as your IP address, browser type, and pages visited on our website, collected via standard server logs.

We do not collect special category data (such as health information or financial data) in the ordinary course of our business.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

  • Service delivery: to provide, manage, and administer the consulting services you have engaged us to perform, including communicating with you about your engagement.
  • Client communications: to respond to your enquiries, send engagement updates, deliver invoices, and provide post-engagement support.
  • Improving our services: to analyse patterns in our work (using anonymised and aggregated data only) to improve our methodology and service quality.
  • Legal compliance: to comply with applicable legal and regulatory obligations, including record-keeping requirements.

4. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract performance (Article 6(1)(b)): processing is necessary to perform the contract we have with you, or to take steps at your request before entering into a contract.
  • Legitimate interests (Article 6(1)(f)): processing is necessary for our legitimate interests in operating and improving our business, where those interests are not overridden by your rights. This includes responding to enquiries, maintaining business records, and improving service quality.
  • Legal obligation (Article 6(1)(c)): where we are required to process data to comply with a legal obligation, such as tax and accounting laws.

5. Data Retention

We retain personal data for no longer than necessary for the purposes for which it was collected:

  • Client data (including engagement records, uploaded documents, and correspondence): retained for 6 years from the end of the engagement, in line with UK statutory record-keeping requirements under the Limitation Act 1980.
  • Enquiry data (where an enquiry does not convert to a client engagement): retained for 12 months from the date of submission, after which it is deleted.
  • Account credentials: password hashes are deleted upon account deletion. The UCR and account record are retained for 6 years in line with the above.

6. Third-Party Data Processors

We use a small number of trusted third-party services to operate our business. These processors act on our instructions and are contractually bound to process data only as directed:

Processor Purpose Data Processed
Supabase Database and file storage Client account data, uploaded documents, engagement records
Brevo (Sendinblue) Transactional email delivery Name, email address, email content

Both Supabase and Brevo maintain GDPR-compliant data processing agreements and appropriate technical and organisational security measures.

We do not sell, rent, or otherwise transfer your personal data to third parties for marketing, advertising, or any commercial purpose.

7. International Data Transfers

Supabase and Brevo may process data outside the UK. Where data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including Standard Contractual Clauses (SCCs) or adequacy decisions as applicable.

8. Data Security

We take the security of your personal data seriously. Measures in place include:

  • Encrypted storage of all data at rest and in transit (TLS)
  • Password hashing using bcrypt — we never store passwords in plain text
  • Access controls limiting data access to authorised personnel only
  • Private cloud storage for uploaded documents with signed access URLs

No method of transmission over the internet is completely secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: you may request a copy of the personal data we hold about you.
  • Right to rectification: you may ask us to correct inaccurate or incomplete data.
  • Right to erasure: you may ask us to delete your personal data, subject to our legal retention obligations.
  • Right to data portability: you may request your data in a structured, machine-readable format.
  • Right to object: you may object to processing based on legitimate interests.
  • Right to restrict processing: you may ask us to restrict processing in certain circumstances.

To exercise any of these rights, contact us at hello@clearflowconsulting.io. We will respond within one calendar month.

10. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO) Website: ico.org.uk Helpline: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO. Please reach out to us at hello@clearflowconsulting.io.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The current version will always be available at clearflowconsulting.io/privacy. Continued use of our services after any update constitutes acceptance of the revised policy.

12. Governing Law

This Privacy Policy is governed by the law of England and Wales.

Contact

ClearFlow Consulting 86-90 Paul Street, London EC2A 4NE Email: hello@clearflowconsulting.io Website: clearflowconsulting.io