Privacy Policy

Last updated: April 2026

Published at: rabconsultingservices.com/privacy

Scope — UK, EU and International

This Privacy Policy complies with UK GDPR (Data Protection Act 2018), EU GDPR (Regulation 2016/679), and the data protection principles applicable in most international jurisdictions. Where we refer to "GDPR" we mean both UK GDPR and EU GDPR unless otherwise specified. For California residents, Section 1.11 covers CCPA rights. For Canadian residents, Section 1.12 covers PIPEDA. For other jurisdictions, the principles in this policy reflect internationally recognised data protection standards.

1.1 Who We Are and How to Contact Us

RAB Consulting Services Ltd ("RAB Consulting", "we", "us", "our") is a company registered in England and Wales under company number 13683901. Our registered office is Mansion House, Manchester Road, Altrincham, Cheshire, WA14 4RW, United Kingdom.

We are the data controller for all personal data processed in connection with our website and services. Data protection queries: rboukhiar@rabconsultingservices.com.

ICO Registration Number: [INSERT ICO REGISTRATION NUMBER — register at ico.org.uk before publication]

EU GDPR Article 27 Representative: [INSERT EU REPRESENTATIVE if processing EU personal data at scale — see Section 3.9]

1.2 What Personal Data We Collect and How

Category | Data Elements | How Collected
Identity data | Full name | Lead capture form after completing the free diagnostic
Contact data | Work email address; phone number (optional) | Lead capture form; direct correspondence
Professional data | Organisation name; job role (where provided); regulatory context of your organisation | Lead capture form and engagement correspondence
Diagnostic response data | Your responses to PIR or SIR assessment questions (self-reported); overall score; pillar or domain scores; regulatory context selected; delivery stage; service context | The diagnostic platform — by you completing the questions. This data is commercially sensitive and treated as strictly confidential. See Section 1.3.
Engagement data | Evidence notes, interview content, documents provided during a paid engagement | Directly from you during a consultant-led engagement
Communication data | Content of emails, calls, or messages | Direct correspondence
Technical data | IP address; browser type; device type; pages visited; time on site; referring URL | Website server logs and cookies — see Section 3 (Cookie Policy)

1.3 Special Notice: Diagnostic and Assessment Data

Your diagnostic responses and assessment scores contain commercially sensitive information about your organisation's programme or service health. We treat all such data as strictly confidential.

We will not:

  • Share your individual diagnostic results with any third party without your explicit written consent
  • Use your specific results for marketing or promotional purposes without your consent
  • Publish or reference your organisation's results without your prior written consent

We may use aggregated, fully anonymised statistical data (with no identifying information whatsoever) for product improvement purposes. Anonymisation is carried out irreversibly before any such use.

1.4 What We Do NOT Collect

We do not collect: financial account data; payment card details; national insurance numbers or equivalent; government-issued identification; special category personal data (health, ethnicity, religion, biometric, criminal records); data from children under 18. Our services are directed at business professionals only. If you believe we have inadvertently collected any of the above, contact us immediately.

1.5 Lawful Basis for Processing (UK GDPR Article 6 / EU GDPR Article 6)

Purpose | Lawful Basis | Data Used
Delivering the free diagnostic and sending the Intelligence Briefing report | Legitimate interests (Article 6(1)(f)) — you have requested the service and have a reasonable expectation to receive the output. Our interests in providing the service do not override your fundamental rights. | Identity, contact, diagnostic response data
Contacting you about your results and related advisory services | Legitimate interests (Article 6(1)(f)) for business-to-business marketing of directly related services. You have an absolute right to object at any time by emailing us. | Identity and contact data
Performing a paid advisory engagement | Contract (Article 6(1)(b)) — processing is necessary to perform the services you have engaged us for. | All relevant categories
Improving the diagnostic platform | Legitimate interests (Article 6(1)(f)) using fully anonymised aggregate data only. No personal data used for this purpose. | Anonymised statistical data only — no personal identifiers
Legal and regulatory compliance | Legal obligation (Article 6(1)(c)) | As required by applicable law
Marketing follow-up where explicitly opted in | Consent (Article 6(1)(a)) | Identity and contact data — withdrawn at any time

1.6 Data Retention

Data Category | Retention Period | Reason
Diagnostic responses and scores | 24 months from assessment completion, unless you are an active retainer client (retained until 12 months after retainer end) | Enables follow-on comparison and trend analysis within the engagement lifecycle
Lead and contact data | 36 months from last contact, or until consent is withdrawn or objection is made | Standard B2B prospective client retention period
Active paid engagement records | 7 years from engagement completion | Professional services standard; legal and tax obligations
Email and direct correspondence | 3 years from last contact | Standard business record retention
Website technical logs | 90 days | Security monitoring and debugging; standard web practice
Cookie data | See Section 3 | Varies by cookie type and purpose
Anonymised aggregate data | Indefinitely | No personal data; used for methodology improvement

1.7 Who We Share Data With

We do not sell your data. We do not share your data with third parties for their own marketing. We share only as follows:

Recipient | Data Shared | Safeguards
AI processing provider (provider-agnostic — configured via platform environment variable) | Your diagnostic scores and evidence notes are transmitted to generate the AI-powered report summary. The provider is configured with zero data retention — no data is stored, logged, or used for training after the response is returned. | Zero data retention policy confirmed in writing with provider before use. Processing agreement in place. Provider operates under UK GDPR/EU GDPR standard contractual clauses where applicable.
CRM and email platform (webhook and transactional email service) | Name, email, company, score, action indicator, regulatory context — to deliver your report and manage follow-up communications. | Data processing agreement in place. Data processed within UK/EU or under adequate safeguards.
Sub-contractors or associate consultants (where used for delivery) | Only the minimum data necessary to deliver the engagement. | Bound by confidentiality agreement. NDA required before any access to client data or methodology.
Professional advisers (solicitors, accountants) | Only where necessary for legal or financial advice in connection with our business. | Subject to professional confidentiality obligations.
Regulators or law enforcement | Only where required by applicable law. We will notify you wherever legally permitted to do so. | Legal obligation.

1.8 International Data Transfers

Where data is processed outside the UK or EU (for example, by an AI provider), we ensure that appropriate safeguards are in place. These include: the UK International Data Transfer Agreement (IDTA); EU Standard Contractual Clauses (SCCs) under EU GDPR; or reliance on adequacy decisions where applicable. Our AI processing provider operates a zero data retention policy — data does not reside on their infrastructure after the API response is returned, materially limiting transfer risk.

1.9 Your Rights

Right | What It Means | How to Exercise
Access (Article 15) | Request a copy of all personal data we hold about you. | Email rboukhiar@rabconsultingservices.com. Response within 1 calendar month. We will ask you to verify your identity.
Rectification (Article 16) | Ask us to correct inaccurate or incomplete personal data. | Email us with the correction requested.
Erasure (Article 17) | Ask us to delete your personal data. Subject to legal obligations requiring retention (e.g. 7-year engagement records for tax purposes). | Email us. We will confirm what can be deleted and what must be retained with reasons.
Restrict processing (Article 18) | Ask us to pause processing your data in specific circumstances (e.g. while accuracy is contested). | Email us with the restriction requested.
Data portability (Article 20) | Receive your personal data in a structured, commonly used, machine-readable format. Applies to data processed under consent or contract. | Email us. We will provide data in JSON or CSV format.
Object (Article 21) | Object to processing based on legitimate interests at any time. You have an absolute right to object to direct marketing. | Email us or click unsubscribe in any email. We will stop immediately.
Automated decisions (Article 22) | The diagnostic produces a scored output based on your responses. This is not a fully automated decision with legal effect — it is a starting point for a human-led advisory conversation. No solely automated decision-making is applied to you. | Not applicable — human review always involved.
Withdraw consent | Where processing is based on consent, withdraw at any time without affecting prior lawful processing. | Email us or click unsubscribe.

To exercise any right, contact: rboukhiar@rabconsultingservices.com. We aim to respond within 30 calendar days. You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner's Office (ICO) at ico.org.uk, telephone 0303 123 1113. EU residents may complain to their national data protection authority.

1.10 Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. Measures include: HTTPS throughout the platform (TLS 1.2 minimum); encrypted database backups with access-controlled key management; zero data retention on all AI processing calls; role-based access controls (consultant portal accessible by Reda Boukhiar only); regular security reviews of third-party processors. No transmission method is completely secure. In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by UK GDPR Article 33 and EU GDPR Article 33.

1.11 California Residents — CCPA Rights

If you are a California resident, you have rights under the California Consumer Privacy Act 2018 (CCPA) as amended by the CPRA 2020. These include: the right to know what personal information we collect, use, disclose, and sell; the right to delete personal information (subject to exceptions); the right to opt out of the sale or sharing of personal information. We do not sell personal information. We do not share personal information for cross-context behavioural advertising. To exercise CCPA rights, contact us at the address in Section 1.1. We do not discriminate against you for exercising your rights.

1.12 Canadian Residents — PIPEDA

If you are resident in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. We collect, use, and disclose personal information only with your knowledge and consent, for purposes that a reasonable person would consider appropriate, and only as necessary for those purposes. You have the right to access and correct personal information we hold about you. To exercise these rights, contact us at the address in Section 1.1.

1.13 Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email where we hold your contact details, and update the "Last updated" date at the top. Continued use of our services after a notified material change constitutes acceptance of the updated policy.