Privacy & Cookies
This Privacy & Cookie Notice outlines how I use your personal data, and what your rights are. It applies to people who enquire about or commission any of my services, anyone who takes part in research or evaluation, and anyone working with me to deliver archive and records management services.
Palimpsest is a trading name of Nicola Allen, sole trader, who is the data controller for personal data used by the consultancy. Palimpsest provides a range of archive and records consultancy services to individuals and organisations. Maintaining your privacy and information security is essential to my business practice. Personal data and other information are kept confidential and used to support activities, as required, including the delivery of client projects. Using (‘processing’) personal data only occurs if that use is lawful, fair and transparent. I collect the least amount of information required for the stated purpose, retaining it only as long as necessary, and protecting it from unauthorised use. As well as complying with data protection law I follow equitable and ethical practices. My ICO registration number is: ZC084968.
I can be contacted by email: nicola.allen.professional@hotmail.com
PURPOSES & LAWFUL BASIS FOR USING YOUR DATA
The UK General Data Protection Regulation (UK GDPR) and, in the UK context, the Data Protection Act 2018 allow me to process personal data without consent where this is necessary for:
- Performance of contract, or to take steps prior to entering a contract
- Compliance with a legal obligation, including tax and accounting requirements
- Legitimate business interests, namely providing professional consultancy services on a commercial basis
I have assessed my legitimate interests do not override your rights and freedoms because the data processed is limited, relevant, and expected in the context of professional consultancy services.
Occasionally, I use personal data with your informed consent, for example:
- Surveys: participation is voluntary. Surveys will never require you to enter personal details, although you may choose to give these (e.g. if you are happy to be contacted for follow-up).
- Interviews and focus groups: participation is always voluntary. If you participate you can choose what information to provide, refuse to answer questions and leave at any time.
- Reports: When reporting the results of research or evaluation through surveys, interviews and focus groups, personal information is anonymised and cannot be traced back to individuals.
You may restrict data processing or withdraw your consent later - just let me know. Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn.
INFORMATION SHARING, STORAGE, AND INTERNATIONAL TRANSFERS
When I work with associates to support research and consultancy projects, access to the information I collect may be granted to them for the duration of the project. Access to personal data is limited to those who need it for legitimate purposes, and information is handled in ways that maintain its confidentiality and integrity. This will be regulated by a contract, and the associates will be considered data processors. This means they are obliged to comply with the relevant legislation and to follow my standards of security and confidentiality. Their access to project data ends once the project ends.
I do not share personal information with any third-party organisation, unless obliged to do so by contract, by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, or unless I have your consent.
Most of my personal data processing is within the UK. If not, personal data is transferred to countries/territories which are covered by the ‘adequacy regulations’ in UK data protection law, as follows:
Videoconferencing – Zoom
When you participate in meetings or webinars via Zoom, we may collect personal information such as your name, email address, video or audio recordings, and any chat messages or meeting responses. Meetings are not routinely recorded. Where closed captions are used for accessibility, temporary recordings and transcripts may be generated during the session and are deleted as soon as the meeting ends and no later than the same working day.
This information is used to facilitate and manage meetings, based on:
Contractual necessity (where meeting participation is part of a contract)
Legitimate interests (e.g., running meetings efficiently and securely)
Your data is processed on our behalf by Zoom Video Communications, Inc. (USA) and may be stored in the United States, UK, or other countries where Zoom operates. Zoom implements contractual, technical, and organisational safeguards to ensure your personal data is adequately protected. Zoom implements contractual, technical, and organisational safeguards, including Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) to ensure data protection equivalent to UK standards. Encryption in
transit and secure storage to protect meeting data.
Personal data collected via Zoom may be transferred outside the UK, but such transfers are protected by legally approved safeguards.
Data collected through Zoom is retained for 12 months after the meeting, after which it is deleted securely, unless Retention is required for legal or contractual reasons.
Microsoft services – such as Teams, Outlook, or OneDrive for meetings, collaboration, or file sharing
We may collect personal information such as your name, email address, messages, files, and other content you provide. This information is used to facilitate communication, collaboration, and file management, based on:
Contractual necessity (where use of Microsoft services forms part of a contract)
Legitimate interests (e.g., running meetings and managing information efficiently)
Your data is processed on our behalf by Microsoft Corporation (USA) and its subsidiaries and may be stored in the United States, UK, or other countries where Microsoft operates. Microsoft implements contractual, technical, and organisational safeguards, including:
Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) to ensure personal data is protected to UK/EU standards. Encryption in transit and at rest to safeguard content and communications. Access controls, monitoring, and staff training to ensure only authorised personnel can access your data.
Personal data collected via Microsoft services may be transferred outside the UK, but these safeguards ensure transfers comply with legally approved protections.
Data collected through Microsoft services is retained according to service-specific policies, typically for 12 months after use, unless longer retention is required for legal or contractual reasons, after which it is deleted securely.
Surveys and forms in SmartSurvey
When you participate in surveys or forms hosted via SmartSurvey, we may collect personal information such as name, email address, responses, and other survey data. This information is used to gather feedback, analyse responses, and improve services, based on:
Contractual necessity (where survey participation is required under a contract)
Legitimate interests (e.g., gathering feedback efficiently and securely)
Your data is processed on our behalf by SmartSurvey Ltd (UK) and may be stored in the UK or European Union. SmartSurvey implements contractual and technical safeguards to ensure your personal data is adequately protected.
Personal data collected via SmartSurvey may be transferred outside the UK, but such transfers are protected by legally approved safeguards.
Data collected through SmartSurvey is retained for 12 months after collection, after which it is deleted securely.
Scheduling polls using Doodle
When you participate in scheduling polls using Doodle, we collect your name, email address, and meeting availability. This information is used to organise and schedule meetings efficiently, based on:
Contractual necessity (where scheduling meetings forms part of a contract)
Legitimate interests (e.g., ensuring meetings are organised efficiently)
Your data is processed on our behalf by Doodle AG (Switzerland) and may be stored in Switzerland, other EU countries, or the United States. Doodle implements contractual, technical, and organisational safeguards, including:
Standard Contractual Clauses (SCCs) and other contractual mechanisms to protect personal data
Encryption, access controls, and staff training to ensure data security
Personal data collected via Doodle may be transferred outside the UK, but these safeguards ensure transfers comply with legally approved protections.
Data collected through Doodle is retained for 12 months after the meeting, after which it is deleted securely, unless retention is required for legal or contractual reasons.
Mobile devices
I may access personal data on mobile phones (e.g., emails, calendar, documents, or messaging apps) to manage commissions and communications. Mobile devices are secured with passwords, PINs, biometric locks, and encryption where available. No personal data is stored longer than necessary, and devices are regularly updated to maintain security.
SECURITY AND RETENTION
I handle and manage personal data in compliance with the UK’s data protection legislation and following strict security processes. These include protecting all information by secure accounts with strong passwords and multi-factor authentication. I have an information security policy.
I keep client related personal data for six years after work is completed and any invoices are paid. This retention period reflects contractual, legal, and tax obligations.
COOKIES
The website does not use non-essential cookies or tracking technologies. No banner is therefore required. Essential technical functionality is provided by the website platform.
RIGHTS
UK GDPR gives you rights over personal data that relates to you held by or on behalf of Palimpsest. You can:
- correct any personal data if you can show it is incorrect
- request I erase personal data that there is no longer a legitimate purpose for processing
- object to processing which relies on legitimate interests
- get a machine-readable copy of personal data that you provided with your consent or under a contract
- stop me from processing any personal data that there is no legal or contractual obligation to process
- request access to personal data I hold about you
To exercise any of these rights, please contact me. If you think I am using personal data about you in any way that is unfair or prejudicial to you, I will investigate and address the issue where possible.
To ensure personal data is kept secure you may be asked to prove your identity before being granted access to data that relates to you or exercising other rights. This may be by showing me a proof of ID or by providing contextual information that proves that you are who you say you are.
If you have any concerns about my handling of personal data that relates to you, you can raise these with me directly. You have a right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters (www.ico.co.uk).
Updated: January 2026 / This notice will be updated from time to time.
Unsure what you need? Book a free 40 min call to explore your project.
Copyright © 2026 Palimpsest - All Rights Reserved.