Privacy Policy

  

Privacy Notice 

Effective Date: 23 December 2025


1.  Introduction

Red Stone Path Ltd (‘we’, ‘us’, ‘our’) are committed to protecting your information and the personal data that we hold. We are the Data Controller of your personal data, as defined by relevant legislation. This Privacy Notice details how and why we collect and use personal data, and what to expect us to do with your personal information. This applies to personal data that you have provided to us, as well as information that we receive from other parties. We will explain your rights and what to do if you are unsure or unhappy about how we are handling your personal data. 

Red Stone Path Ltd is committed to providing professional services of the highest quality to our clients. We are a private limited company incorporated in England and Wales and registered with Companies House. We are registered with the UK’s Information Commissioner’s Office (ICO). 

Registered Office: 37a Market Place, Cirencester, Gloucestershire, GL7 2NX

Company Registration Number: 16628155

ICO Reference Number: ZC058457

General Contact: contact@redstonepath.co.uk

Data Enquiries: data.enquiry@redstonepath.co.uk

Website: www.redstonepath.co.uk


2.  Your Personal Data & Our Services

Red Stone Path Ltd collects, uses and stores personal information you have provided to us or personal information which is necessary for us to provide the services you have requested. Having accurate and relevant information and personal data about you is essential to delivering our services. We are committed to protecting you and your data. We comply with relevant legislation, including UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), and the Data Use and Access Act 2025 (DUAA), and shall implement appropriate security measures to protect personal data. This Privacy Notice covers our commitments to you and is in addition to the ‘Confidentiality’ terms and ‘Information Security’ terms in your Agreement, which are designed to further enhance the protection that we provide.


2.1  Activities & Services That Use Your Data

We provide a range of services to our clients. This includes record keeping, key date tracking, third-party service provider monitoring, and other administrative support services. To empower our clients, and to meet their service goals, we offer services that categorize and index important documents, create summarized document properties, and other descriptive information that give clients confidence and clarity about their professional network. We provide services to clients on an ongoing basis, as well as to cover specific events or periods of change.

We collect personal data to undertake the following activities and services:

a. provide and improve products and services for you as a client

b. for the prevention, detection, investigation or prosecution of crimes

c. for the operation of client or customer accounts 

d. for assessing the needs of actual or prospective clients

e. for promoting and marketing our services to actual or prospective clients

f. to comply with legal and regulatory requirements, including the verification of identity for individuals and other legal entities


2.2  What Does “Personal Data & Personal Information” Mean

Personal data and personal information covers a broad range of items. To give you a full understanding of how we collect, handle and protect your data, we define personal data and personal information as including, but not limited to: 

a. personal details (e.g. name, date of birth, gender, nationality, marital or civil partnership status, country of residence, dependents)

b. address and contact details (e.g. physical address, telephone number, e-mail address)

c. identification data (e.g. passport, National Insurance Number or other identity card numbers) and authentication data (e.g. specimen signature)

d. health information (such as health conditions that guide our Accessibility and Vulnerability support activities, and medical information that is included within applications and policies taken out with third-party service providers)

e. information on spouses, partners and other family details, or on authorised signatories and representatives

f. information about financial matters (e.g. the assets and securities held, account numbers, origin of assets and wealth, your bank details)

g. account information, including registration details used with third-party service providers

h. professional and personal background information (e.g. occupation, employment, professional activity, qualifications, preferences)

i. information on electronic communication with Red Stone Path Ltd or other technical data (e.g. records of accessing our website)

j. complaints and enquiries made to us.

k. image and audio data (e.g. CCTV or voice recordings)


2.3  What About “Sensitive Personal Information”

Where necessary to provide certain services to you, and with your consent, we may collect and process Sensitive Personal Information. This may include information about your physical or mental health, medical records, and disabilities. This will only be collected with your consent, and we will state the specific purpose of holding your Sensitive Personal Information.

The purpose of collecting, storing and using your Sensitive Personal Information may include offering you additional support relating to Accessibility and Vulnerability, or may be related to medical information that is included within applications and policies taken out with third-party service providers that you have asked that we include in our services to you. We collect this information through a variety of sources, including the Onboarding Process where we get a detailed understanding of your service needs, conversations and correspondence with us, including recorded telephone lines, and anti-money laundering verification services where applicable.


2.4  What Are “Cookies” & Why Do We Use Them 

We use cookies to distinguish you from other users of our website, our client portals or client-facing applications. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

This helps us improve our services by understanding how you are using them. It helps us provide a good experience when utilising our website or client-facing application and portals. When you access our website, client portals or client-facing applications, you will have the option to customize which cookies you consent to us collecting.

On our website (https://www.redstonepath.co.uk), we use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.


2.5 Keeping Your Personal Data Secure 

We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. 

If you want detailed information from ‘Get Safe Online’ on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.


2.6 Our Obligations Regarding Care, Skill & Due Diligence

We take the security of all the data we hold seriously. Staff are trained on data protection, confidentiality and security, and we maintain a culture of confidentiality. We have a framework of policies and procedures which ensure that we keep the data we hold secure. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to the duty of confidentiality. We will deal with any suspected data security breach and will notify you of a suspected breach as required by law.


2.7  Our Due Diligence & Monitoring Obligations For Third-Party Service Providers

Every professional business relies on accessing and using third-party service providers. From the software on our computers, to our internet access providers, we rely on other businesses to provide our services to clients. Before entering into an agreement with a third-party service provider, we have an obligation to you to ensure they are fit for purpose. This is done through robust due diligence, comprehensive contractual arrangements, and ongoing oversight and risk management.

Due diligence will include assessing a third-party service provider's technical capability, their legal and regulatory standing, and their operational resilience. This can include assessing their financial stability to ensure sustainable long-term service continuity. It also includes a review of the provider's ability to protect confidential information and comply with data protection laws.


3.  Artificial Intelligence, Machine Learning & Other Data Science Tools

Artificial intelligence is a broad term that encompasses a wide range of advancements in information technology. Our use of data science tools, including Artificial Intelligence (AI), Machine Learning (ML), and Large Language Models (LLM), is to enhance the quality of our client service offering, making improvements in safety, security, efficiency and accessibility. These information technology processes will support decision-making within many different areas of the business, not just those services that are client facing. While we build and use advanced processes, none of them will be ‘fully automated’. No decisions will be made that significantly affect a client without human oversight. We will ensure that appropriate safeguards are in place and that human judgment is central to our oversight and service delivery.


4.  Large Language Models and AI text generation

A Large Language Model (LLM) is an advanced AI tool, trained on massive text datasets to understand, generate, and predict human language. We may provide AI-generated content to our clients directly, or via publicly available channels such as our website or social media platforms. If we do this, we will include a description of how the content was generated and what third-party provider, or internally created software, we have used. You have the right to know how our services are provided and what safeguards are in place to prevent any misrepresentation of the service offering that we provide.

We are committed to transparency, fairness, and accountability – and this is what governs our use of technology.


5.  Data Protection Rights & Lawful Basis

Under UK data protection law, including UK General Data Protection Regulation and the Data Protection Act 2018, and the Data Use and Access Act 2025, we must have a “lawful basis” for collecting and using your personal information. You can find out more about lawful basis on the ICO’s website.


5.1  Data Protection Rights

You have a number of important rights regarding data protection. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website. Here is a summary of your data protection rights:

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with.
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
  • Your right to erasure - You have the right to ask us to delete your personal information.
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information.
  • Your right to object to processing - You have the right to object to the processing of your personal data.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
  • Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time.


5.2  Lawful Basis

Our lawful basis for collecting or using personal information varies depending on the activity or service that uses your personal data. This is covered in the “Activities & Services That Use Your Data” section of this notice.

The lawful bases include:

a. Consent: Where you may have granted explicit permission, such as within a “Client Agreement” and associated “Terms of Business”. You do have the right to withdraw your consent at any time. 

b. Contract: Where you have granted us authority, including agency authority, to enter into or carry out a contract for you.

c. Legal Obligation: Where we have to collect or use your information so we can comply with the law

d. Legitimate Interests: Where we are collecting or using your information because it benefits you. It may also indirectly benefit you by benefiting our organisation, or someone else related to you. This will be undertaken only where it does not pose an undue risk of harm to anyone. Our legitimate interests are covered in the “Activities & Services That Use Your Data” section of this notice, but are broadly the provision of professional services to you as a client.


5.3 Sharing Your Personal Information

There are circumstances where we may wish to disclose or are compelled to disclose your personal information to third parties. This may be because we have a Legal Obligation, or where we can clearly see a benefit to you by doing so, so we would have a Legitimate Interest in sharing your personal information.

We may pass on your data to: 

a. a third-party service provider

b. a regulator, government authority, or legal body such as courts

c. technology service providers who are processing the data on our behalf, subject to due diligence and contractual arrangements that ensure data protection and confidentiality

d. identification verification service providers

e. fraud prevention organisations

f. service providers, such as printing services


5.4  Sharing Your Personal Information Outside of the European Economic Area (EEA)

The personal data we collect from you may be transferred to, and stored at, destinations outside the UK and European Economic Area (EEA). When it is necessary for us to share your personal data outside the EEA, we will take steps to ensure your data is protected to an equivalent standard as within the EEA. We will ensure any third-party service providers receiving your data are required to take appropriate security measures in line with our policies and applicable UK laws.


6.  Data Retention Schedule

Our Data Retention Schedule details how long we keep your personal information. We review our retention policy and the data we hold on a regular basis to ensure compliance with data protection laws.

Your personal information will be retained for as long as it is necessary to carry out the purposes and services set out in this Privacy Notice, as well as in your “Client Agreement” and associated “Terms of Business”. 

We provide services to clients on an ongoing basis, as well as to cover specific events or periods of change. To improve the quality of our service, we will retain your personal information for a period of 7 years after the termination of an agreement to provide services on an ongoing basis, so that the ongoing service can be restarted without the requirement to collect and categorize the same personal information again. 

We will retain your personal information for a period of 2 years following the termination of an agreement that covered a specific event, or covered a set period of time only. This is to enable us to provide you with additional copies of personal information held, or carry out an ad hoc request for additional services after the termination of the agreement. If a client has both ‘ongoing basis’ and ‘specific event’ services, the longer retention period shall apply.

We may keep an anonymised form of your personal information, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate interest and lawful interest in doing so. This includes the legitimate interest of improving our service offering to other clients. We will only retain your personal information for longer than the retention periods outlined if required to by law. 


7.  Data Enquiries

If you would like to review, verify, or amend your personal data, then we will be happy to engage with you on this. Having accurate and relevant information and personal data about you is essential to delivering our services, so please contact us if you want to undertake a personal data review. Within applicable legislation, you have the right to have your personal data erased and removed from our records. This is sometimes referred to as the 'right to be forgotten' and is one of many rights that you have over your personal data, with more details in the “Data Protection Rights” section of this notice. If you want to withdraw your consent to the processing of your personal data or want to request that your personal data is erased, then notify us of this request. In addition to our general communication channels, there is a specific contact for all data enquiries, email: data.enquiry@redstonepath.co.uk

We will respond to your request as soon as we are able. This will usually be within 30 days of receiving your request, although it may take longer to deal with your request. If we believe meeting your request will take longer than 30 days, we will contact you and let you know. There is no charge for providing our response to your data enquiry requests.


8.  How to Complain

We are registered with the UK’s Information Commissioner’s Office (ICO). If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO using the following contact information:

Website: www.ico.org.uk/make-a-complaint

Information Commissioner’s Office 

Wycliffe House, Water Lane 

Wilmslow, Cheshire 

SK9 5AF, United Kingdom 

Phone: +44 (0)303 123 1113


9.  Changes to Our Privacy Notice

We will occasionally make changes to our Privacy Notice. Updated notices will be posted on our website and where appropriate notified to you by email or by another form of communication.

Copyright © 2026 Red Stone Path - All Rights Reserved.
