CAP.CO – Creating Adventurous Places Ltd is committed to protecting the personal data of our clients, suppliers, employees, and website visitors. This policy sets out how we fulfil our obligations as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy should be read alongside our Privacy Policy, which explains in plain terms what personal data we collect, why we collect it, and how individuals can exercise their rights.
This policy applies to all personal data processed by CAP.CO, whether held digitally or in paper form, and covers all employees, contractors, and third parties acting on our behalf.
CAP.CO – Creating Adventurous Places Ltd is the data controller for all personal data we process. Our registered address is 139 Spitfire Way, Scottow Enterprise Park, Badersfield NR10 5FB.
Queries relating to data protection should be directed to: hello@wearecapco.com
We process personal data in accordance with the following principles. Personal data must be:
– processed lawfully, fairly, and transparently
– collected for specified, explicit, and legitimate purposes, and not processed in a manner incompatible with those purposes
– adequate, relevant, and limited to what is necessary
– accurate and kept up to date where necessary
– kept in an identifiable form no longer than necessary
– processed securely, protecting against unauthorised or unlawful processing, accidental loss, destruction, or damage
We only process personal data where we have a lawful basis to do so. The lawful bases we rely on include:
– Contract: where processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract
– Legitimate interests: where processing is necessary for our legitimate business interests, provided those interests are not overridden by the rights of the individual
– Consent: where the individual has given clear, informed consent for a specific purpose, such as receiving our newsletter
– Legal obligation: where processing is required to comply with a legal or regulatory obligation
Individuals whose data we hold have the following rights under UK GDPR:
– the right to be informed about how their data is used
– the right to access the personal data we hold about them
– the right to rectification of inaccurate or incomplete data
– the right to erasure (‘right to be forgotten’) in certain circumstances
– the right to restrict processing in certain circumstances
– the right to data portability in certain circumstances
– the right to object to processing based on legitimate interests or for direct marketing
– rights in relation to automated decision-making and profiling
To exercise any of these rights, please contact us at hello@wearecapco.com or in writing to the address above. We will respond within one calendar month.
We retain personal data only for as long as is necessary for the purposes for which it was collected. Retention periods are reviewed regularly and data is securely deleted or anonymised when it is no longer required. Specific retention periods are determined by the nature of the data and any applicable legal obligations.
We take appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include access controls, secure data storage, and regular review of our systems and processes.
All employees and contractors with access to personal data are required to handle it in accordance with this policy and receive appropriate guidance.
Where we share personal data with third parties acting as data processors on our behalf (such as our website provider, newsletter platform, or CRM system), we ensure appropriate contractual safeguards are in place. We do not sell personal data to third parties, and we do not share it for marketing purposes without the individual’s prior consent.
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements. This may include transfers to countries with an adequacy decision, or transfers subject to appropriate contractual protections.
In the event of a personal data breach, we will assess the risk to individuals and, where required, notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to individuals, we will also notify the affected individuals directly without undue delay.
All suspected or confirmed data breaches must be reported internally to hello@wearecapco.com immediately.
If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office:
– Website: ico.org.uk
– Helpline: 0303 123 1113
We would always welcome the opportunity to address your concerns directly before you contact the ICO, so please feel free to get in touch with us first.
This policy will be reviewed annually to ensure it remains accurate, relevant, and compliant with current legislation and ICO guidance.
Johnny Lyle
Director
CAP.CO – Creating Adventurous Places Ltd
Last updated: June 2026