Oxygen Elements Privacy Policy

Aligned to the UK Data (Use & Access) Act 2025, UK GDPR and the Data Protection Act 2018

Data Protection Officer: info@oxygenelements.co.uk
Oxygen Elements
Dollman Road, Clifton-Upon-Dunsmore, Rugby,
CV23 1AL

  1. Who We Are

Oxygen Elements (“Oxygen Elements”, “we”, “our”, “us”) is a UK-based provider of subscription-based data, insights and business intelligence services to corporate clients, professionals and industry stakeholders.

We are the data controller for the personal data we process in connection with our services, website, marketing activities and business operations. We apply data protection controls proportionate to our size, operational complexity and the nature of the data we process.

  2. Personal Data We Collect

We may collect, store and process the following categories of personal data:

→ Identity and contact details (name, job title, company, email, telephone number, business address)
→ Account and subscription data (login credentials, access history, subscription records)
→ Professional and published data (publicly available business information relating to industry professionals)
→ Communications data (emails, calls, correspondence, support queries)
→ Marketing and preferences data (subscriptions, consent records, engagement history)
→ Technical and usage data (IP address, device identifiers, browser type, usage analytics)
→ Cookie and consent data (cookie preferences and consent records)

  3. How We Use Your Data and Lawful Bases

We process personal data only where a lawful basis applies under Article 6 UK GDPR.

| Purpose | Data Categories | Lawful Basis | DUAA Context |
|---|---|---|---|
| Deliver subscription services and manage accounts | Identity, account data | Contract | Core service delivery |
| Provide customer support and communications | Contact, communications data | Legitimate Interests | Expected business interaction |
| Monitor usage and improve services | Technical and usage data | Legitimate Interests / Consent | Service quality improvement |
| Send marketing communications | Contact and marketing data | Consent / Soft opt-in | PECR compliant engagement |
| Maintain business relationships and prospecting | Professional data | Legitimate Interests | B2B engagement |
| Billing, invoicing and financial management | Identity, transaction data | Legal Obligation | HMRC compliance |
| Security, fraud prevention and system integrity | Technical data | Recognised Legitimate Interests | DUAA security basis |
| Regulatory and audit compliance | Various records | Legal Obligation | Accountability |

  4. Data Minimisation

We apply the data minimisation principle under Article 5 UK GDPR and DUAA requirements:

→ Data collected is adequate, relevant and limited to what is necessary
→ Only information required for service delivery, legal compliance or legitimate business purposes is processed
→ Data collection processes are reviewed regularly to remove unnecessary fields
→ Access to personal data is restricted based on role and business need
→ Data is not retained unnecessarily and is subject to defined retention periods

  5. Marketing and Communications (PECR Compliance)

We send marketing communications:

→ Where consent has been provided
→ Where the soft opt-in applies for existing customers

You can opt out at any time via unsubscribe links or by contacting us directly. We do not send unsolicited marketing where consent is required and not obtained.

  6. Cookies and Online Tracking (PECR & DUAA)

Our website uses cookies and similar technologies in accordance with PECR and DUAA.

→ Strictly necessary cookies are used without consent
→ Analytics and preference cookies are used with consent or applicable exemption
→ Marketing cookies are used only with consent

We provide:

→ A cookie banner with clear and granular choices
→ A preference centre to manage or withdraw consent
→ Transparency on cookie use in our Cookies Policy

  7. Who We Share Your Data With

We may share personal data with trusted third parties, including:

→ Cloud hosting and IT service providers
→ CRM, analytics and marketing platforms
→ Professional advisers (legal, financial, audit)
→ Business partners where necessary to deliver services
→ Regulatory authorities where required

All processors are subject to contracts compliant with Article 28 UK GDPR.

  8. International Data Transfers

Where personal data is transferred outside the UK, we apply appropriate safeguards:

→ UK International Data Transfer Agreement (IDTA) or UK Addendum
→ Transfer Risk Assessments (TRA)
→ Encryption and access controls
→ Adequacy decisions where applicable

  9. Information Security

We implement proportionate technical and organisational measures, including:

→ Role-based access controls
→ Secure authentication and system controls
→ Encryption where appropriate
→ Secure cloud infrastructure
→ Incident and data breach response procedures

Security measures are reviewed regularly and updated where required.

  10. Records Management and Data Retention

We maintain records in line with UK GDPR accountability principles and DUAA requirements.

10.1 Records of Processing

We maintain Records of Processing Activities (ROPA), including:

→ Categories of personal data processed
→ Processing purposes and lawful bases
→ Categories of data subjects and recipients
→ International transfers and safeguards
→ Retention periods
→ Security measures

10.2 Record Retention Schedule

| Record | Retention | Rationale | Disposal |
|---|---|---|---|
| Customer account and subscription records | Duration of contract + 6 years | Contractual and legal obligations | Secure deletion |
| Prospective customer data | Up to 3 years from last interaction | Business development | Secure deletion |
| Marketing and consent records | Until withdrawal + audit period | PECR compliance | Secure deletion |
| Financial and invoicing records | 6 years | HMRC requirements | Secure deletion |
| Communications and support records | Up to 6 years | Service accountability | Secure deletion |
| Published professional data | While relevant + periodic review | Service delivery | Secure deletion |
| Website analytics data | 12–24 months | Proportionate analysis | Automatic deletion |
| Cookie consent records | As required to evidence consent | Compliance | Secure deletion |
| Data subject rights requests | 3 years | Accountability | Secure deletion |
| Security and incident logs | 6 years | Risk management | Secure deletion |
| Supplier and partner records | Duration of relationship + 6 years | Contractual purposes | Secure deletion |

10.3 Secure Storage and Disposal

→ Electronic data is stored in secure systems with controlled access
→ Paper records (where applicable) are securely stored
→ Data is disposed of using secure deletion or certified destruction
→ Minimal suppression data may be retained to honour opt-out requests

  11. Your Rights (UK GDPR & DUAA)

You have the right to:

→ Access your personal data
→ Rectify inaccurate data
→ Request erasure where applicable
→ Restrict processing
→ Data portability
→ Object to processing (including direct marketing)
→ Not be subject to solely automated decisions with significant effects

In line with DUAA:

→ We may pause response timelines to verify identity or clarify scope
→ We apply reasonable and proportionate search standards

Requests should be submitted to: info@oxygenelements.co.uk

  12. Complaints

If you have concerns about how we handle your personal data:

→ Contact us using the details above
→ We will investigate and respond within a reasonable timeframe

You also have the right to complain to the Information Commissioner’s Office:
www.ico.org.uk

  13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal or operational changes. Updates will be published with a revised date.