Privacy Policy

Who we are

...as architecture is Andrew Sutton, trading at 67 Maindy Road, Cardiff, CF24 4HL. For data protection purposes, we are the data controller for personal information collected in connection with this website and our consultancy services. You can reach us at hello@as-architecture.co.uk.

We are a small sole-trader consultancy. We do not have a Data Protection Officer, as we are not required to appoint one under UK GDPR. Where we process personal data, we do so carefully and in accordance with our legal obligations.

Most organisations that process personal data are required to register with the ICO and pay an annual data protection fee. We comply with this registration requirement where it applies to our processing activities.

What information we collect and why

This website (general browsing)

General browsing of this website does not require you to provide any personal information. There are no contact forms or analytics on the public pages. If you email us using the contact links on this site, your email address and the content of your message will be received by us — this is standard email communication and is handled outside this website by our email provider.

The site loads fonts from Google Fonts. This causes your browser to make a request to Google's servers, which may log your IP address for bandwidth measurement purposes. Google does not share this with us and no cookies are set. See our Cookies Policy for more detail.

Creating section (registered users)

The Creating section of this website is a private area where we share early-stage ideas with selected individuals under a Non-Disclosure Agreement. If you register for access, we collect the following:

• Registration: username, email address, and password (stored as an irreversible hash — we cannot read your password).
• NDA signing: full name, postal address, signing capacity (personal or on behalf of a company/organisation), company name and role (if applicable), drawn signature, and your IP address at the time of signing.
• Use of the section: any comments or feedback you leave on project pages, and the date and time of your last login.

We collect this information to fulfil the NDA (contract), to manage access to confidential material (legitimate interest), and to maintain a signed record of the agreement for both parties. A copy of the signed NDA is emailed to both you and us as a PDF at the time of signing.

A session cookie is set when you log in. This is strictly necessary for the login to work and expires when you close your browser or log out. See our Cookies Policy for more detail.

When you contact us by email

When you email us, we receive your name, email address, and message content. We use this to respond to your enquiry and, if we proceed to work together, to fulfil our contract with you. We retain email correspondence for as long as it is relevant to our business relationship and for up to six years thereafter for professional indemnity and contractual purposes.

In the course of professional engagements

Our Standard Terms & Conditions (clause 16) set out how we handle personal data shared in connection with a professional engagement. The short version: we do not accept personal data without prior written agreement, and we do not share it with third parties.

Our lawful basis for processing

We only process personal data where we have a lawful basis to do so:

• Contract — where processing is necessary to perform or prepare for a contract with you.
• Legitimate interests — where we have a legitimate business interest (for example, responding to email enquiries) that does not override your rights.
• Legal obligation — where we are required to retain records by law (for example, for tax or professional indemnity purposes).
• Consent — where you have specifically agreed to us processing data in a particular way.

Who we share information with

We do not sell, rent, or trade personal information. We may share it with:

• Our email provider (Microsoft / Outlook), who processes messages on our behalf under their own privacy terms.
• Professional advisers (accountant, insurer, solicitor) where necessary, each bound by confidentiality obligations.
• Any other party only where you have consented or where we are legally required to do so.

How long we keep information

We retain personal data only as long as necessary for the purpose it was collected, and in accordance with our legal and professional obligations. We apply different retention periods depending on the nature of the contact and the work involved:

• Enquiries that did not lead to an engagement — up to 2 years. After this, we have no legitimate basis to retain contact details.
• Business contacts and clients — for the duration of the relationship and for 6 years thereafter. This reflects the standard limitation period for contract claims under the Limitation Act 1980, and aligns with professional indemnity insurance expectations for consultancy work.
• Records relating to building or design work on residential properties — up to 15 years from the date of last active work. This reflects the extended limitation periods introduced by the Building Safety Act 2022 for residential buildings, and the longer tail of potential liability for work connected to people's homes.
• Creating section accounts and NDA records — your account and personal data are retained for 6 years beyond the term of the NDA (which runs for 3 years from the date of signing), or for 6 years from the date of your last login to the Creating section, whichever is later. This ensures we retain the signed NDA for the full limitation period after the confidentiality obligations expire. You will receive an email notification 14 days before your data is due to be deleted. If you wish to retain access, simply log in before the deletion date.
• Financial records (invoices, payments) — 6 years, as required by HMRC.

Where contact details are retained beyond 2 years, we treat them as professional business relationship records and rely on legitimate interests as our lawful basis. We review retained records periodically and delete them when retention is no longer justified.

Data breaches

In the event of a personal data breach, we will assess the nature and risk of the incident. Where a breach meets the threshold for reporting under UK GDPR — generally where it is likely to result in a risk to the rights and freedoms of individuals — we will notify the Information Commissioner's Office within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

We maintain records of all data breaches, whether or not they are reportable.

Your rights

Under UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data, subject to our legal obligations to retain certain records.
• Restriction — ask us to restrict processing in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Portability — request your data in a structured, machine-readable format where applicable.

To exercise any of these rights, please contact us at hello@as-architecture.co.uk. We will respond within one month.

Complaints

If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, at ico.org.uk or by calling 0303 123 1113.

We would always prefer to address concerns directly first — please do contact us before escalating to the ICO.

Changes to this policy

We may update this policy from time to time. The date at the top of this page reflects the most recent update. We will not make retrospective changes that reduce your rights without notifying you directly.

Contact

Any questions about this policy should be sent to hello@as-architecture.co.uk.