Version 4 — Last updated: 27 May 2025
Key Facts (one-minute read)
Who we are — Complete Licensing Limited (company no. 12611128), a London-based consultancy that helps hospitality and entertainment operators obtain and keep licences.
What we collect — Identity/contact details, professional and compliance information, billing data, CCTV evidence, electronic-signature audit trails and anonymised website analytics.
Why — To deliver our services, comply with the law, defend legal claims, improve security and—if you opt in—send newsletters.
Sharing — With vetted UK staff/contractors, named cloud providers and regulators or police where required. Never sold.
Storage & transfers — Mostly UK-hosted; some EU/US providers protected by Standard Contractual Clauses (SCCs) or the UK International Data-Transfer Addendum (IDTA). All e-signatures are processed in France (EU-adequate).
Security — Cyber Essentials certified; controls aligned with ISO 27001/27701 and the NIST Privacy Framework; MFA on every account; encryption in transit & at rest.
Retention — Client files 7 years, e-signature audit trails 10 years (eIDAS), marketing data 2 years, CVs 6 months unless you agree longer.
Your rights — Access, rectify, erase, restrict, object, data portability, withdraw consent & complain to the ICO.
Quick contact — [email protected] | 0207 222 2345 | [email protected] (24 × 7 for vulnerabilities)
1 Who We Are
| | |
|---|---|
| Legal name | Complete Licensing Limited |
| Company number | 12611128 |
| Registered office | 11 Forest Drive, Woodford Green, Essex IG8 9NG |
| ICO registration | ZA764285 |
| Telephone | 020 4621 7798 |
| Security contact | [email protected] (see Vulnerability-Disclosure Policy) |
| Data Protection Officer | Internal DPO (contact via email above) |
We are the controller under the UK GDPR and the Data Protection Act 2018.
2 Changes to This Policy & Effectiveness Review
We review this Policy at least annually and whenever legislation or our practices change. Effectiveness is tested quarterly via random file reviews, KPI dashboards and an annual external audit. Material updates are flagged directly to clients where feasible.
Version history
| Version | Date | Key changes |
|---|---|---|
| 4 | 27 May 2025 | Removed Adobe; added Yousign; clarified local PDF workflow; updated retention for e-signature logs |
| 3 | 1 May 2025 | Key-Facts summary, glossary, DPIA criteria, DPA link, security-contact window, ISO 27701/NIST mapping |
| 2 | 6 Jan 2021 | Expanded sub-processor list; clarified retention schedule |
| 1 | 19 May 2020 | Initial publication |
3 Data We Collect
| Category | Typical examples | Source(s) |
|---|---|---|
| Client personal data | Name, residential address, passport/ID, proof of address, contact details | Forms, email, secure uploads |
| Business & compliance data | Licensing history, trading activities, incident reports, CCTV, body-worn video, police reference numbers | Client evidence, authorities |
| Staff data (client/contractor) | Name, role, photograph, training records, NI number, personal-licence number & expiry | Employers, authorities |
| Financial & billing data | Invoices, Direct-Debit mandates, payment records, bank references (Stripe, GoCardless, PayPal, Starling Bank) | Payment processors |
| E-signature audit data | Signatory name/email, IP address, timestamp, OTP code, signed PDF | Yousign |
| Website & communications data | Anonymised IP, browser type, pages visited, Matomo analytics, form submissions | Automated collection |
| Marketing-engagement data | Mailchimp pixel data: opens, shares, IP region, spam flags | Mailchimp |
| Children’s data | Only where required to investigate alleged under-age sales | Client evidence |
We do not intentionally collect special-category data (e.g. health) except where unavoidable (e.g. CCTV) and we never knowingly collect data from anyone under 16 outside the scenario above.
4 How We Collect Your Data
Secure online forms and document-upload links
Direct communications (email, phone, post, in person)
Evidence supplied by clients or obtained from public authorities
Automated collection via cookies and analytics (see § 12)
5 Lawful Bases for Processing
We rely on one or more of the following lawful bases under UK GDPR:
Contract – to enter into or perform our contract with you.
Legal obligation – to meet statutory or regulatory duties (e.g. anti-money-laundering checks).
Legitimate interests – our legitimate business interest in providing licensing services and defending clients, provided these interests are not overridden by your rights (we record legitimate-interest assessments).
Consent – for optional activities such as marketing emails; you may withdraw consent at any time.
Legal claims / vital interests – to establish, exercise or defend legal claims, or protect life.
We do not carry out automated decision-making that produces legal or similarly significant effects.
6 How We Use Your Data
Preparing, submitting and managing licence and permit applications
Representing or defending clients in licensing reviews, criminal proceedings or regulatory investigations
Liaising with police and responsible authorities on clients’ behalf
Performing Know-Your-Customer (KYC) and anti-money-laundering checks
Maintaining internal records, accounts and audits
Handling electronic signatures via Yousign and storing signed documents and audit trails
Communicating urgent service, security or billing matters (including limited-purpose SMS)
Sending newsletters and updates where you have opted in or the “soft opt-in” applies
Improving services, website and security through pseudonymised analytics
Training staff and improving service quality (e.g. by reviewing anonymised calls)
Artificial intelligence – We do not currently use AI or machine-learning systems to profile individuals or make automated decisions. If that changes, this Policy will be updated before deployment.
7 Who We Share Your Data With
7.1 Internal
Employees and vetted UK-based contractors, all trained in data protection and bound by confidentiality.
7.2 Approved Service Providers (Sub-processors)
| Purpose | Provider | Primary hosting region* | Safeguard / certifications |
|---|---|---|---|
| Endpoint detection & response (EDR) | CrowdStrike Falcon | EU (Frankfurt) + USA fail-over | IDTA + SCCs, ISO 27001, SOC 2 |
| Secure file storage & sharing | Egnyte | Netherlands (EU 1) | EU adequacy, ISO 27001, SOC 2 |
| Direct-Debit processing | GoCardless | EU / USA | SCCs, ISO 27001 |
| Email-security gateway / anti-phishing | Inky | Netherlands (EU) | EU adequacy, ISO 27001 |
| Incident-report & licensing records | Licensing Connect | United Kingdom (AWS London) | UK-hosted, Cyber Essentials |
| Mobile-device management | Jamf Now | USA | IDTA + SCCs, ISO 27001 |
| Email newsletters & analytics | Mailchimp | USA | IDTA + SCCs, ISO 27001, SOC 2 |
| Email-auth compliance & DMARC | Mailhardener | EU | EU adequacy |
| Website analytics (cookieless) | Matomo Cloud | Germany (EU) | EU adequacy |
| Email & productivity suite | Microsoft 365 | United Kingdom | UK-hosted, ISO 27001, SOC 2 |
| Web hosting / CDN & WAF | Cloudflare | EU edge (global fail-over) | SCCs, ISO 27001, SOC 2 |
| Card-payment processing | PayPal | USA / EU | SCCs, PCI-DSS |
| Lone-worker safety monitoring** | Safe Point | United Kingdom (AWS London) | UK-hosted, Cyber Essentials |
| Card-payment processing | Stripe | USA / EU cluster | SCCs, ISO 27001, PCI-DSS |
| Banking platform | Starling Bank | United Kingdom | UK-hosted, PRA/FCA-regulated |
| Accounting & invoicing | Xero | EU data-centre | SCCs, ISO 27001 |
| E-signature & audit trail | Yousign (France) | France (Rouen & Paris AWS zones) | EU adequacy, ISO 27001, eIDAS qualified |
*Where a provider offers regional choice, the table shows our configured region.
**Safe Point processes staff location data only—listed for transparency.
PDF workflow – PDFs are edited locally on encrypted company devices using PDF Expert. When electronic signatures are required, documents are uploaded to Yousign’s EU data-centres; the signed PDF and audit-trail are then stored back in Egnyte/Microsoft 365.
A current sub-processor list is always available at /sub-processors.
Data-Processing Addendum (DPA) – Our pre-signed UK-GDPR-compliant DPA is available at https://completelicensing.uk/documents/dpa.pdf.
7.3 Regulators & Law-enforcement Authorities
We may share data with licensing authorities, police, courts or HMRC where required by law or necessary to defend our clients’ legal rights.
We never sell personal data.
8 International Transfers
Data are stored in the UK wherever practicable. Where a provider processes data outside the UK (e.g. USA), we rely on:
the UK International Data-Transfer Addendum (IDTA) to the EU Standard Contractual Clauses;
an adequacy decision (for EU/EEA locations such as France); or
binding corporate rules or another UK-approved mechanism.
All e-signature data are processed within France (EU-adequate), so no additional transfer mechanism is required. For every transfer to a non-adequate country we complete a UK Transfer Risk Assessment (TRA) and adopt ICO-recommended supplementary measures.
9 Data Retention
| Record type | Standard retention | Rationale |
|---|---|---|
| Client matter files | 7 years after closure | Limitation Act & PI defence |
| E-signature audit trail | 10 years | eIDAS evidential requirement |
| Contracts & agreements | 7 years from expiry | HMRC & audit |
| Marketing-list data | 2 years after last meaningful interaction | ICO guidance |
| CVs & job applications | 6 months (unless consent to keep longer) | Equality Act defence |
| Security & audit logs | 12 months | Cyber-security monitoring |
Data reaching end-of-life are securely shredded or irreversibly erased using NCSC-approved tools.
10 Security Measures
10.1 Governance & Certification
Cyber Essentials certificate ID 15c19be6-e562-4231-8484-0206e33fa373 (valid to 4 September 2025).
Controls aligned with ISO 27001 and ISO 27701; privacy programme mapped to the NIST Privacy Framework v1.0.
10.2 Identity & Access Management
Single Sign-On and enforced Multi-Factor Authentication
Role-based least-privilege access; automated de-provisioning
10.3 Network & Infrastructure
AES-256 encryption at rest; TLS 1.2+ (TLS 1.3 preferred) in transit
Cloudflare Web Application Firewall & DDoS mitigation
Weekly vulnerability scans; annual external penetration test
Local PDF workflow – PDFs edited and signed on-device via PDF Expert
10.4 Email & Messaging
Inky inbound filtering and malware/phishing defence
SPF, DKIM & DMARC (p=reject) with MTA-STS and DANE; failure reports monitored
Internal email end-to-end encrypted (Microsoft 365); full message encryption on request
Confidential internal chat via Signal or Microsoft Teams (E2EE)
10.5 Data-Loss Prevention & Backup
Microsoft 365 DLP policies
Daily encrypted off-site backups (separate UK data centre); monthly restore tests
10.6 Training & Awareness
Mandatory induction and annual refresher training
Quarterly simulated phishing campaigns
10.7 Incident Response
Documented plan; 24 × 7 duty officer
ICO notified within 72 hours where required; affected individuals informed without undue delay
10.8 Data-Protection Impact Assessments (DPIAs)
We conduct a DPIA before we:
introduce new technology that processes special-category data;
carry out systematic monitoring;
process special-category data on a large scale; or
undertake any ICO-listed high-risk activity.
DPIA summaries are available to clients under NDA.
11 Marketing & Communications
Emails – sent only with your opt-in or under the “soft opt-in” for existing clients. Mailchimp pixels record open rates and aggregate engagement, used solely to improve content. You can unsubscribe at any time.
SMS – used sparingly for overdue-payment reminders, urgent service alerts or two-factor-authentication links.
Post & phone – we do not conduct unsolicited postal or telephone marketing.
12 Cookies & Website Analytics
We use cookies that are (i) essential for the site to function and (ii) optional analytical cookies served by Matomo Cloud, which anonymises IP addresses and respects “Do Not Track”. You can manage non-essential cookies at any time through the banner. See our full Cookie Policy for a category-by-category list.
13 Children’s Data
Our services target professionals and businesses. We do not knowingly process data relating to individuals under 18 except where strictly necessary to investigate alleged age-restricted sales, and such data are deleted immediately after the investigation.
14 Your Data-Protection Rights
Under the UK GDPR and the Data Protection Act 2018 you enjoy the rights set out below. The simplest way to exercise any right is to email [email protected] with the subject “Data-rights request”. We aim to acknowledge receipt within two working days.
| Ref | Right | What it means in practice |
|---|---|---|
| 14.1 | Be informed | Clear, concise information about what we do with your data—primarily this Policy. |
| 14.2 | Access | Copy of the personal data we hold about you plus processing details. |
| 14.3 | Rectification | Correct inaccurate or incomplete data. |
| 14.4 | Erasure | Delete data where no lawful reason to keep it applies. |
| 14.5 | Restriction | Limit processing while accuracy or objections are resolved. |
| 14.6 | Objection | Object to processing based on legitimate interests or for direct marketing. |
| 14.7 | Data portability | Receive your data in a structured, machine-readable format or have us transmit it. |
| 14.8 | Automated decisions | We make none; if that changes you’re entitled to human review. |
| 14.9 | Withdraw consent | Withdraw at any time where processing is based solely on consent. |
| 14.10 | Complain & judicial remedy | Complain to the ICO and seek court redress if required. |
14.11 How we handle a request
Identification – we may ask for proof of ID or authority.
Time-frame – we respond within one calendar month; complex requests may take up to two extra months.
Fees – the first copy is free; we may charge for excessive or unfounded requests.
Format – responses are normally electronic unless you ask otherwise.
15 Contact Us
Email (privacy queries): [email protected]
Email (security & vulnerabilities): [email protected] (24 × 7)
Telephone: 020 4621 7798
Post: Complete Licensing Limited, 11 Forest Drive, Woodford Green, Essex IG8 9NG
Web form: https://completelicensing.uk/contact
If you need this Policy in an alternative format (large print, audio, easy-read) please let us know.
Appendix A Glossary
| Term | Meaning |
|---|---|
| Controller | Organisation that decides how and why personal data are processed. |
| Processor | Third party that processes personal data on behalf of the controller. |
| Personal data | Any information relating to an identified or identifiable natural person. |
| Special-category data | Personal data revealing racial or ethnic origin, political opinions, religion, trade-union membership, genetics, biometrics, health, sex life or sexual orientation. |
| Processing | Any operation performed on personal data, such as collection, storage, use or deletion. |
| UK GDPR | The retained version of the EU GDPR as it forms part of UK law. |
| SCCs / IDTA | Standard Contractual Clauses / International Data-Transfer Addendum — UK-approved safeguards for overseas transfers. |
| TRA | Transfer Risk Assessment — evaluation of privacy risks for overseas transfers. |