Legal
Privacy policy
This policy explains how Second Shift (“we”, “us”) collects, uses, and protects personal data. It is written in plain English where it can be, and is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Second Shift is a sole trader operating in the United Kingdom. For the purposes of this policy, the data controller is Second Shift, reachable at hello@secondshift.co.uk.
What we collect
We collect personal data in a small number of situations:
When you contact us
When you email us at hello@secondshift.co.uk, we process the contents of your message, your name, and your email address. We may also process any other information you choose to include.
When you visit this website
We use a privacy-preserving analytics tool to understand which pages are visited. This tool does not use cookies and does not collect personal data. We do not know who you are when you read this website unless you have emailed us separately.
Our web server logs request IPs for security and reliability purposes for up to 30 days. These logs are not linked to any other identifying information.
When you become a client
In the course of an engagement, we process personal data about you, your colleagues, and — where the engagement requires it — your customers, users, staff, or suppliers. We process this data as a processor on your instructions, under a written agreement. Your data-protection obligations to the people whose data you have asked us to process remain yours.
When you subscribe to our writing
We do not currently run an email newsletter. If we introduce one, this policy will be updated and you will be asked to consent before any email is sent.
Why we process it
Our lawful bases for processing, under Article 6 of the UK GDPR, are:
- Legitimate interests (Art. 6(1)(f)) for responding to enquiries, understanding how our website is used, and the general administration of our business. The legitimate interest is the ability to run a small professional firm and respond to the people who have voluntarily contacted us.
- Contract (Art. 6(1)(b)) for processing your personal data where we have entered into a written engagement with you.
- Legal obligation (Art. 6(1)(c)) where we must retain records for tax, accounting, or other statutory purposes.
We do not process special-category data (health, ethnicity, political opinion, etc.) about you as a visitor or enquirer. During a client engagement, we may handle special-category data on your instructions, under a written data-processing agreement; we will flag this explicitly and agree safeguards in writing before any such processing begins.
Who we share it with
We use a small number of third parties to run the business:
- Google Workspace (Google Ireland Limited) — for sending and receiving email.
- Document storage: Google Workspace — for storing proposals, diagnoses, and engagement documents.
- Analytics: A privacy-preserving analytics tool, run without cookies and without personal data.
- Hosting: Cloudflare Inc. — serves the website and routes email.
We do not sell your personal data. We do not share it for marketing purposes. We do not allow third parties to use it for their own purposes.
International transfers
Some of the processors listed above are based outside the United Kingdom. Where this is the case, we rely on the UK’s adequacy decisions (in the case of EU-based processors) or on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (in the case of US-based processors). Additional safeguards are applied where appropriate.
How long we keep it
- Enquiry correspondence: Retained for up to two years from last contact, then deleted, unless the enquiry led to an engagement.
- Engagement records: Retained for seven years after the end of the engagement, for statutory and tax purposes.
- Web server logs: Retained for up to 30 days.
- Client-processed data (as processor): Retained per the data-processing agreement governing the engagement. Usually returned or deleted within 30 days of the engagement ending.
Your rights
You have, under the UK GDPR, a number of rights in relation to your personal data:
- The right of access — to ask us what personal data we hold about you.
- The right of rectification — to have inaccurate data corrected.
- The right of erasure — in most circumstances, to have your data deleted.
- The right to restrict processing, to object to processing based on legitimate interests, and to data portability where applicable.
- The right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, write to us at hello@secondshift.co.uk. We will respond within one calendar month, usually sooner.
Security
We take reasonable and appropriate technical and organisational measures to protect personal data, including encrypted storage, two-factor authentication on all business accounts, and a documented incident-response plan. If we become aware of a data breach affecting your personal data, we will notify you without undue delay in accordance with our obligations under the UK GDPR.
Changes to this policy
We will update this policy when our processing changes. The “last updated” date at the top of the page reflects the most recent version. Substantial changes will be announced to active clients and to anyone subscribed to our writing.
Contact
For any question about this policy, write to hello@secondshift.co.uk. We read every email ourselves.