Data Protection
Our commitment to protecting your data rights under UK GDPR and data protection laws
Last updated: January 1, 2025
The Cato Bot Company Limited is committed to protecting your personal data and respecting your privacy rights. This page explains our data protection practices and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Our Commitment to Data Protection
As a UK-registered company, we are subject to UK data protection laws and are committed to:
- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Ensuring data accuracy and keeping it up to date
- Limiting data retention to what is necessary
- Implementing appropriate security measures
- Respecting your rights as a data subject
2. Data Controller Information
Data Controller:
The Cato Bot Company Limited
Company Number: 10286653
Office 316, 5 Charter House
Lord Montgomery Way
Portsmouth, PO1 2SN
United Kingdom
Data Protection Officer:
Email: [email protected]
Phone: +44 (0) 23 9000 0001
3. Legal Basis for Processing
We process personal data based on the following legal grounds:
Consent (Article 6(1)(a))
- Marketing communications (with your explicit consent)
- Non-essential cookies and tracking
- Voluntary surveys and feedback
Contract (Article 6(1)(b))
- Account creation and management
- Service delivery and support
- Payment processing
- Performance of our terms of service
Legitimate Interests (Article 6(1)(f))
- Website analytics and improvement
- Security monitoring and fraud prevention
- Internal business operations
- Direct marketing to existing customers
Legal Obligation (Article 6(1)(c))
- Tax and accounting requirements
- Regulatory compliance
- Response to legal requests
Vital Interests (Article 6(1)(d))
- Emergency situations requiring immediate action
- Protection of life and safety
4. Your Data Protection Rights
Under UK GDPR, you have the following rights:
Right to be Informed
You have the right to clear, transparent information about how we use your personal data. This is provided through our Privacy Policy and this Data Protection page.
Right of Access (Subject Access Request)
You can request a copy of your personal data we hold. This includes:
- Confirmation that we are processing your data
- Access to your personal data
- Information about how we process your data
How to request: Email [email protected] with your request.
Response time: Within 30 days (may be extended by 60 days for complex requests).
Cost: Free for the first request; reasonable fees may apply for excessive requests.
Right to Rectification
You can request correction of inaccurate or incomplete personal data.
How to request: Email [email protected] or update your account settings.
Response time: Within 30 days of receiving your request.
Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data in certain circumstances:
- Data is no longer necessary for the original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Legal obligation requires deletion
How to request: Email [email protected].
Response time: Within 30 days.
Note: Some data may be retained for legal compliance or legitimate business needs.
Right to Restrict Processing
You can request restriction of processing in certain situations:
- You contest the accuracy of data (during verification)
- Processing is unlawful but you oppose deletion
- We no longer need the data but you need it for legal claims
- You object to processing (pending verification of legitimate grounds)
How to request: Email [email protected].
Right to Data Portability
You can obtain your personal data in a structured, commonly used format to transfer to another service provider.
Applies to: Data processed based on consent or contract in automated systems.
How to request: Email [email protected].
Format: We will provide data in JSON or CSV format where technically feasible.
Right to Object
You can object to processing based on legitimate interests, including direct marketing.
Direct Marketing: You can opt out at any time using unsubscribe links or emailing [email protected].
Other Processing: Email [email protected] with your specific objection.
Rights Related to Automated Decision Making
You have rights regarding automated decision-making, including profiling:
- Right not to be subject to solely automated decisions with legal/significant effects
- Right to human intervention in automated decision processes
- Right to contest automated decisions
5. How to Exercise Your Rights
Online Request Form
Visit our data protection request form at: [URL to be added when available]
Email Requests
Send requests to the specific email addresses listed above or our general data protection email: [email protected]
Written Requests
Send written requests to our registered office address:
The Cato Bot Company Limited
Office 316, 5 Charter House
Lord Montgomery Way
Portsmouth, PO1 2SN
United Kingdom
Verification Process
To protect your privacy, we may need to verify your identity before processing requests. This may involve:
- Providing identification documents
- Answering security questions
- Confirming account details
6. Special Categories of Personal Data
We generally do not process special categories of personal data (e.g., health, racial origin, political opinions). If we do collect such data, we will:
- Obtain explicit consent or have another lawful basis
- Implement additional safeguards
- Inform you of the specific legal basis
- Provide additional information about processing
7. Children’s Data
We do not knowingly process personal data of children under 16. If we become aware that we have collected such data:
- We will delete it promptly
- We will not use it for any purpose
- We will contact parents/guardians if possible
8. International Data Transfers
When we transfer personal data outside the UK, we ensure appropriate safeguards:
Adequacy Decisions
We may transfer data to countries with adequacy decisions from the UK government.
Standard Contractual Clauses
For other transfers, we use Standard Contractual Clauses approved by the UK government.
Additional Safeguards
We may implement additional technical and organizational measures to protect transferred data.
9. Data Breach Notification
In the event of a personal data breach:
Our Obligations
- Report to the ICO within 72 hours (where feasible)
- Notify affected individuals without undue delay if there is a high risk to their rights and freedoms
- Document all breaches and remedial actions
What We Will Tell You
- Nature of the breach
- Likely consequences
- Measures taken to address the breach
- Contact point for more information
- Recommended actions you should take
10. Data Protection by Design and Default
We implement data protection principles throughout our systems:
Technical Measures
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security updates and patches
- Data minimization techniques
- Automated data retention controls
Organizational Measures
- Staff training on data protection
- Data protection impact assessments
- Vendor due diligence
- Clear data processing policies
- Regular compliance audits
11. Data Protection Impact Assessments (DPIA)
We conduct DPIAs for high-risk processing activities, including:
- Large-scale processing of sensitive data
- Systematic monitoring of public areas
- Automated decision-making with legal effects
- Processing vulnerable groups’ data
12. Complaints and Enforcement
Internal Complaints
If you have concerns about our data protection practices:
- Contact our Data Protection Officer at [email protected]
- We will investigate and respond within 30 days
- We will work with you to resolve the issue
Regulatory Complaints
You have the right to lodge a complaint with the supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Phone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/
Email: [email protected]
13. Data Retention Periods
We retain personal data only for as long as necessary:
Data Type | Retention Period | Legal Basis |
---|---|---|
Account information | Duration of account + 2 years | Contract, legitimate interests |
Usage analytics | 26 months | Legitimate interests |
Marketing consents | Until withdrawn + 3 years | Consent, legal obligation |
Financial records | 7 years | Legal obligation |
Support communications | 3 years | Legitimate interests |
Security logs | 1 year | Legitimate interests |
14. Updates to Data Protection Practices
We regularly review and update our data protection practices. Significant changes will be communicated through:
- Updates to this page
- Email notifications to registered users
- Website announcements
- Direct communication for material changes
15. Contact Information
For all data protection matters:
General Inquiries:
[email protected]
Data Protection Officer:
[email protected]
+44 (0) 23 9000 0001
Postal Address:
Data Protection Team
The Cato Bot Company Limited
Office 316, 5 Charter House
Lord Montgomery Way
Portsmouth, PO1 2SN
United Kingdom
16. Professional and Legal Compliance
The Cato Bot Company Limited:
- Is registered with the Information Commissioner’s Office
- Maintains appropriate data protection insurance
- Engages qualified data protection professionals
- Regularly reviews legal and regulatory developments
- Participates in industry data protection initiatives
ICO Registration Number: [To be added when registered]
Company Registration: England Company Number 10286653
This Data Protection page is effective as of the last updated date shown above and complements our Privacy Policy and Terms & Conditions. Please review all our legal documents for complete information about your rights and our obligations.