Privacy Policy – Baily Garner LLP (Including 4i Solutions Limited)
Effective Date: 23rd September 2005

Baily Garner LLP is committed to protecting your privacy and ensuring your personal data is handled in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

4i Solutions Limited is now part of Baily Garner LLP.

We respect and value the privacy of everyone we interact with and will only collect and use personal data in ways that are described in this policy, and in a way that is consistent with our legal obligations and your rights.

This policy explains:

• What personal data we collect and why.
• How we use and protect your data.
• Your rights under UK GDPR.
• How to contact us with any queries or requests.

For individuals who have previously interacted with 4i Solutions Limited, your data will now be processed under the governance of Baily Garner LLP.

‘We’ ‘our’ or ‘us’
‘We’ ‘our’ or ‘us’ in the context of this statement is Baily Garner LLP, a Limited Liability Partnership trading as a multi-disciplinary Construction Consultancy.

What Does This Policy Cover?
It explains how we collect, hold securely and use any personal data gathered in the course of our business. It also explains your rights under the law relating to your personal data.

What is Personal Data?
Personal data is any information about you that enables you to be identified and covers information such as your name and contact details. The personal data that we use is set out in the section ‘What Personal Data do we Collect and Why do we need it?’.

What Are Your Rights?
Under the UK GDPR, you have the following rights, which we will always work to uphold:

1. The right to be informed about the data we hold and how we use it. This policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in ‘How do you contact us?’ below.
2. The right to access the personal data we hold about you. The ‘How Can You Access Your Personal Data?’ section will tell you how to do this.
3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Again, use the details in ‘How do you contact us?’ to find out more.
4. The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have.
5. The right to restrict (i.e. prevent) the processing of your personal data if you feel you have a valid reason.
6. The right to object to us using your personal data for a particular purpose or purposes.

If you have any cause for complaint about our use of your personal data, and we do not resolve it to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office.

What Personal Data Do We Collect and Why Do We Need It?
We may collect some or all of the following personal data which will vary according to your relationship with us:

1. Name.
2. Address (Company or personal).
3. Email address (Company or personal).
4. Telephone number (Company or personal).
5. Specific personal information required for job applications.
6. Job title.
7. Payment information.
8. Information about how to access your property to enable us to carry out our business.

We need this information to fulfil our obligations under service contracts, or because you have consented to providing this information, or because we have assessed that we have a legitimate interest in holding this data for the purpose that we need to use it. Your personal data may have been provided to us as processors of information under UK GDPR, in which case we will act in accordance with UK GDPR regulations and by direction of the third party organisations instructing us.

How do we use cookies and tracking technologies?
We use cookies and similar tracking technologies to improve your experience on our website, understand how our site is used, and deliver relevant content and communications.

Types of cookies we use:

• Strictly Necessary Cookies – Essential for the operation of our website and enabling core functionality.
• Performance Cookies – Help us analyse website usage and improve performance.
• Functional Cookies – Enable enhanced features and personalisation.
• Targeting Cookies – Used to deliver advertising that is more relevant to you and your interests.

Third-Party Cookies: We use third-party services such as HubSpot to manage customer relationships and marketing communications. These services may collect data including your name, email address, IP address, and interactions with our emails or website. HubSpot complies with UK GDPR and applies appropriate safeguards for international data transfers.

Managing Your Preferences: You can manage your cookie preferences at any time via our cookie banner or by clicking the cookie icon at the bottom of our website. You can also adjust your browser settings to block or delete cookies.

Consent: We obtain your consent before placing any non-essential cookies on your device. You can withdraw your consent at any time using the controls mentioned above.

How Do We Use your Personal Data?
Under the UK GDPR, we must always have a lawful basis for using personal data. This will be one of the following:

• The data is necessary for us to perform works or services under a contract with you or a third party organisation
• It is in our legitimate business interests to use it
• You have consented to our use of your personal data

With your permission and/or where we wish to enhance our professional services to you, we may also use your personal data to contact you, by email and/or telephone and/or post, with information or news about our work or to invite you to events we are involved in. You will not be sent any unlawful marketing or spam and you will always have the opportunity to opt-out of receiving further such communications from us.

How Long Will We Keep Your Personal Data?
We will not keep your personal data for any longer than is necessary to fulfil the purpose for which it was collected. Once the data is no longer needed, or if at any time consent is withdrawn, it will be securely deleted unless we are legally required to retain it.

How do we handle consent and give users control over their preferences?
Where consent is the lawful basis for processing personal data—such as for marketing communications or newsletters—we ensure that it is:

• Clearly obtained through opt-in checkboxes at the point of data collection.
• Granular, allowing users to choose specific types of communications they wish to receive.
• Recorded and managed, so we can maintain accurate consent preferences.
• Revocable at any time, with simple options such as unsubscribe links in emails or contact details for direct withdrawal requests.

We are committed to transparency and user control, ensuring that consent is never assumed and can be changed easily at any time.

Do we use automated decision-making or profiling?
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. This means that decisions about you are not made solely by automated systems without human involvement.

If our use of automated processing changes in the future, we will update this privacy policy and inform affected individuals where required, in line with UK GDPR obligations.

How do we protect your personal data?
We are committed to safeguarding personal data through robust technical and organisational measures that reflect industry best practices. These measures are designed to prevent unauthorised access, loss, misuse, or disclosure of personal information. Specifically, we implement:

• Encryption of data both at rest and in transit to ensure confidentiality and integrity.
• Role-based access controls to restrict data access to authorised personnel only.
• Regular staff training on data protection principles and responsibilities.
• Annual security audits and penetration testing to identify and address vulnerabilities.
• Incident response procedures, including breach notification protocols, to ensure swift and transparent handling of any security incidents.

These measures are reviewed regularly to ensure they remain effective and aligned with evolving security standards and regulatory requirements.

How and Where Do We Store or Transfer Your Personal Data?
We may store your personal data in either electronic or hard copy form (or both).

We will only store your personal data within the UK or, if stored digitally by third parties, for back up, file transfer or storage purposes, on servers in the European Economic Area (the “EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the UK GDPR or to equivalent standards by law.

The security of your personal data is a priority to us and to protect all our data, we conform to industry standard cyber and digital security standards, which are independently verified on an annual basis.

Do We Share Your Personal Data?
We will not share any of your personal data with any third parties for any purposes, other than we may be required to share certain personal data, with third parties in the course of meeting our obligations under contract (e.g. to provide your details to an authorised contractor performing remedial works that we are overseeing).

We may share your personal data with the following categories of recipients:

• IT service providers and cloud hosting platforms.
• Payment processors and financial institutions.
• Marketing and analytics platforms (e.g. HubSpot).
• Legal and professional advisers.
• Contractors and subcontractors involved in service delivery.

If any of your personal data is required by a third party, as described above, we will take the necessary steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

We may transfer personal data outside the UK and EEA in limited circumstances—for example, when using cloud-based services or working with international partners. When we do, we ensure that appropriate safeguards are in place to protect your data in line with UK GDPR requirements.

These safeguards may include:

• Adequacy decisions: Transfers to countries deemed by the UK government or European Commission to have adequate data protection laws.
• Standard Contractual Clauses (SCCs): Approved contractual terms that ensure data protection standards are upheld during international transfers.
• UK International Data Transfer Agreement (IDTA): Where applicable, we use the UK-specific framework for safeguarding data transfers.

We regularly review our international data transfer arrangements to ensure they remain compliant and secure.

What happens if there is a personal data breach?
We take data protection seriously and have procedures in place to respond swiftly and effectively to any personal data breach. In the event of a breach that poses a risk to individuals’ rights and freedoms, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours, in accordance with UK GDPR requirements.
• Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
• Take immediate steps to contain the breach, assess its impact, and prevent recurrence.
• Document the breach and our response actions as part of our internal incident management process.

Our goal is to ensure transparency, minimise harm, and uphold trust in how we handle personal data.

Do we assess the privacy risks of our data processing activities?
Yes. We conduct Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to result in a high risk to individuals’ rights and freedoms. DPIAs help us identify, assess, and mitigate potential privacy risks before we begin processing.

This includes, but is not limited to:

• Large-scale processing of sensitive personal data.
• Use of new technologies or systems that may impact privacy.
• Automated decision-making or profiling.
• Data sharing arrangements with third parties.

By carrying out DPIAs where appropriate, we ensure that our data handling practices remain transparent, accountable, and compliant with UK GDPR requirements.

How Can You Access Your Personal Data?
If you want to know what personal data we have about you, you can ask by submitting a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown below.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request as quickly as we are able and in any case, not more than one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data, within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of progress.

How Do You Contact Us?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:

Send an email to general@bailygarner.co.uk or write to our registered address: 146-148 Eltham Hill, London, SE9 5DY.

Marie Carpenter is our designated Data Protection Officer.

Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes. Any changes will be made available here.

This privacy policy was last updated September 2025.