Privacy Notice.
How we handle personal data under UK GDPR — for website visitors, clients and individuals whose information appears in our engagements.
Last updated 30 April 2026
1. Who we are
Critical Asset Drone Inspections (“we”, “us”, “our”) is the data controller for the personal data described in this notice. We are a UK-based provider of drone inspection, photogrammetry and open-source intelligence services for commercial sites and critical assets.
- Contact: info@criticalasset.co.uk
- ICO registration: ZC132184
- CAA Operational Authorisation: PDRA01-28445
If you have a question about how we handle your personal data, email the address above. We aim to respond within 10 working days.
2. What this notice covers
This notice explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have under UK GDPR and the Data Protection Act 2018. It applies to visitors to our website, prospective and existing clients, and any individuals whose data is processed as part of a client engagement — including staff, executives and third parties of client organisations whose information appears in our open-source intelligence work.
3. The personal data we collect
Website visitors. Information you submit through our contact form (name, email, organisation, enquiry details). Technical information automatically collected when you visit — IP address, browser type, pages visited — used only to keep the site secure and running.
Prospective and existing clients. Contact details of the individuals we deal with at the client organisation (name, job title, email, phone). Engagement details, scope, correspondence and contract records. Invoicing and payment information.
Individuals linked to client engagements. As part of our Site Security Vulnerability Assessment we process personal data relating to individuals associated with the client’s organisation, including: staff email addresses and names, executive contact information, publicly available professional profiles, and references appearing in breach datasets or dark-web sources. We do not collect, store or share cleartext passwords.
Drone imagery. Aerial imagery of client sites may incidentally capture identifiable individuals, vehicles and number plates. We take reasonable operational measures to minimise this and apply masking in any imagery shared beyond the client team.
4. Why we process this data and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries and quoting for work | Legitimate interests; pre-contract |
| Delivering engagements under a signed contract | Contract |
| OSINT and credential exposure checks on client's named individuals and service accounts | Legitimate interests — ours and the client's |
| Aerial capture of client sites | Contract; legitimate interests |
| Invoicing, tax and insurance records | Legal obligation; legitimate interests |
| Website security and server logs | Legitimate interests |
For processing based on legitimate interests we maintain a written Legitimate Interests Assessment that documents our balancing of those interests against individuals’ rights.
5. How long we keep your data
| Data type | Retention |
|---|---|
| Website enquiry data | 24 months from last contact |
| Client contact and engagement records | Contract term plus 7 years |
| Drone imagery and 3D digital twin files | Held throughout the engagement; on completion, client takes ownership and we retain a business reference copy for 24 months unless the Statement of Work specifies longer |
| OSINT findings & credential exposure results | Retained until report delivery plus any contracted aftercare or monitoring period; then deleted or minimised unless retention is required for legal, insurance, dispute, audit or contractual reasons |
| Invoices and tax records | 7 years (HMRC requirement) |
6. Who we share your data with
- The client organisation — engagement findings and imagery are delivered to the client. Where findings relate to identifiable individuals, we share them with the client under the client’s lawful basis for receiving them.
- Sub-processors — hosting, email, accounting and similar service providers acting on our instructions under written agreements.
- Professional advisers — our solicitors, accountants and insurers where relevant.
- Authorities — if legally required (court order, regulatory request).
We do not sell personal data. We do not share personal data with marketing or advertising companies.
Sub-processors and third-party services on the website
The following third-party services receive limited personal data when you interact with this website. Each operates under its own data protection terms; we have written agreements where required, and we keep the list under review.
| Service | Purpose | Data shared | Terms |
|---|---|---|---|
| Web3Forms | Contact form submission delivery to our enquiries inbox | Form fields you submit (name, organisation, email, phone, site location, timeframe, message) | Privacy · Terms |
| Hostinger International Ltd | Website hosting (Apache server) | IP address and standard HTTP request metadata in transit (no personal data stored by us in hosting beyond access logs) | Privacy policy |
| Google Fonts (Google LLC) | Web font delivery | IP address (no cookies set on this site by Google Fonts) | Privacy policy |
Form data submitted through the Web3Forms endpoint is transmitted to Web3Forms’ infrastructure and forwarded to our enquiries inbox. Personal data is processed under their privacy policy linked above; raise any data subject request with us in the first instance and we will coordinate with the sub-processor where required.
7. International transfers
Some of the open-source intelligence and breach-dataset services we use are operated outside the UK. Where personal data is transferred internationally, we rely on UK adequacy regulations, International Data Transfer Agreements or the UK Addendum to the EU Standard Contractual Clauses, as appropriate.
8. Security
We apply the security controls required by UK GDPR and the Cyber Essentials scheme, including encryption of data at rest and in transit, access control, multi-factor authentication on all business accounts, patched and up-to-date devices, and a documented incident response plan. If a personal data breach occurs we notify the Information Commissioner’s Office within 72 hours where required and inform affected individuals without undue delay where the breach presents a high risk to their rights.
9. Your rights
Under UK GDPR you have the right to:
- Be informed about how your data is used (this notice)
- Request a copy of the personal data we hold about you
- Request correction of inaccurate data
- Request erasure in certain circumstances
- Restrict or object to our processing in certain circumstances
- Request portability of data you have provided to us under contract
- Withdraw consent where processing is based on consent
To exercise any of these rights, email info@criticalasset.co.uk. We will respond within one calendar month. There is no charge unless a request is manifestly unfounded or excessive.
10. How to complain
If you are unhappy with how we have handled your personal data, please raise it with us in the first instance. You also have the right to complain to the Information Commissioner’s Office — the UK’s data protection regulator:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
11. Changes to this notice
We may update this notice from time to time — for example, when we introduce new services or when the law changes. The date at the top of this notice tells you when it was last reviewed. Material changes will be notified on our website.
12. Scope boundaries
To be clear about what we do not do:
- We do not test, validate or attempt to authenticate with any credential we identify during an engagement. We identify exposure; we do not exploit it.
- We do not carry out penetration testing of client systems.
- We do not process special-category personal data (health, political opinions, religious beliefs, etc.) as part of our standard methodology.