Privacy Notice
Version 1.2 — 2026-04-27 · Last updated 27 April 2026.
This Privacy Notice explains how Bayswater Transflow Engineering Ltd. collects, uses, shares, and protects personal data. It is issued under Article 13 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We have written this notice in plain English. If anything is unclear, please contact our Compliance Officer at compliance@bayswatertransflow.com.
1. Who we are
Bayswater Transflow Engineering Ltd. ("Bayswater", "we", "us", "our") is the data controller for the personal data described in this notice. We are a private limited company incorporated in England and Wales, registered office at 128 City Road, London EC1V 2NX, United Kingdom.
- Companies House number: 16277213
- PPON: PDND-8844-YVWN
- DUNS: 233562652
- UNGM: 1204139
- Registered jurisdiction: England and Wales
2. How to contact us about your data
For any question about this notice, your data, or to exercise your rights under UK GDPR, email our Compliance Officer at compliance@bayswatertransflow.com. Email is the primary route — we monitor this address daily and respond to rights requests within the time limits described in Section 10.
Bayswater is below the threshold requiring a statutory Data Protection Officer (Article 37 UK GDPR). Data-protection enquiries are handled by our Compliance Officer. The address shown in Section 1 is the company's registered office; it is not staffed for in-person enquiries.
3. What this notice covers
This notice applies to personal data we collect when you:
- Visit our website at bayswatertransflow.com;
- Submit a Technical Briefing request through our contact form;
- Submit a CV through our /jobs page;
- Correspond with us by email about deployment opportunities or other enquiries.
Cookie usage is covered separately in our Cookie Notice, which forms part of this Privacy Notice.
4. Personal data we collect
4.1 When you browse the website
We do not require you to sign in to read public pages. If you opt in to analytics via the cookie banner, our analytics provider (Plausible) records aggregate page views without setting cookies and without storing data that can identify you. See the Cookie Notice for the full inventory.
4.2 When you submit the contact form (Technical Briefing Request)
We collect the information you provide on the form, which is:
- Full name, role/title, work email
- Company / organisation name
- Sector, deployment geography, trade composition, headcount range
- Mobilisation timeline, nature of requirement, how you heard about us
- Any free-text notes you choose to include
4.3 When you submit a CV
We collect the information you provide on the CV submission form, which is:
- Full name, email, phone
- Nationality (see Section 12 for why this is collected)
- Trade / specialisation, years of experience
- Current country of residence, availability window, right-to-work status in the EU
- Your CV file (PDF, DOC, or DOCX, up to 5 MB)
Your CV may itself contain additional personal data we have not asked for — education history, prior employers, references, a profile photo. We process all of it under the same lawful basis and retention rules described below.
5. Why we use your data — purposes and lawful bases
UK GDPR requires that every use of your personal data have a stated purpose and a stated lawful basis. The table below names both for every category of processing we carry out.
| Data context | Purpose | Lawful basis |
|---|---|---|
| Website analytics (Plausible — opt-in) | Understand which pages and capabilities are useful to enterprise visitors so we can improve them. | Article 6(1)(f) Legitimate Interests — operating an effective B2B website. |
| Contact form (Technical Briefing) | Assess fit for a possible engagement; respond to your enquiry. | Article 6(1)(b) taking steps at your request prior to entering a possible contract. |
| CV submission — initial review | Assess your profile against current and upcoming deployment opportunities. | Article 6(1)(f) Legitimate Interests + Article 6(1)(b) pre-contractual steps. Recruitment is a legitimate business activity; you have voluntarily submitted your CV with the expectation of being considered. |
| CV disclosure to prospective end-clients | Share your CV with a specific prospective client to assess fit for a particular deployment. | Article 6(1)(b) pre-contractual steps, supplemented by your Article 6(1)(a) explicit consent obtained at CV submission for disclosure to specific prospective hirers. Disclosure is also conducted in compliance with our duties under the Conduct of Employment Agencies and Employment Businesses Regulations 2003. You can withdraw consent at any time by emailing our Compliance Officer; once withdrawn we stop disclosing your CV to hirers. |
| CV submission — extended retention (24 months) | Consider you for future opportunities you have not specifically applied to. | Article 6(1)(a) Consent. You opt in via the checkbox on the CV form. You can withdraw at any time (see Section 10). |
| Right-to-work checks (placed candidates) | Verify your legal right to work in the destination country. | Article 6(1)(c) Legal obligation — Immigration, Asylum and Nationality Act 2006. |
| Tax / payroll (placed candidates) | Comply with HMRC and destination-country statutory reporting. | Article 6(1)(c) Legal obligation. |
| Internal administration, fraud prevention, security | Protect the integrity of our services and our clients. | Article 6(1)(f) Legitimate Interests — operating a secure business. |
6. Who receives your data
We only share personal data where it is necessary for the purposes above and where the recipient is bound by appropriate confidentiality and data-protection obligations. The recipients are:
- Google LLC (Google Workspace — Drive and Sheets) — we store CV files and form submissions in our Google Workspace tenant. Google processes this data as our processor under a data-processing addendum.
- Vercel Inc. — our website hosting provider. Vercel does not access form contents (which travel directly from the browser to Google Workspace) but does process visit-level network data for serving the site.
- Plausible Insights OÜ (Estonia) — our analytics provider, only if you opt in via the cookie banner. Plausible does not set cookies and does not store data that identifies you.
- Prospective end-clients — where your profile is being assessed for a specific deployment, we share relevant assessment data with the prospective client under a confidentiality agreement, only after we have validated your suitability internally.
- Professional advisers (legal, accounting, audit) — under confidentiality, where strictly necessary.
- Regulatory authorities — where required by law (e.g. tax authorities, immigration authorities, courts).
We do not sell your personal data. We do not use it for advertising. We do not share it with parties outside this list.
7. International transfers
Two of our processors are located outside the United Kingdom:
- Google LLC (United States) — transfers are protected by the UK Addendum to the EU Standard Contractual Clauses, plus Google's organisational and technical safeguards under its EU-US Data Privacy Framework certification.
- Vercel Inc. (United States) — transfers are protected by the UK Addendum to the EU Standard Contractual Clauses.
- Plausible Insights OÜ (Estonia) — Estonia is part of the EEA; no third-country transfer.
A copy of the safeguards in place can be provided on request — email compliance@bayswatertransflow.com.
8. How long we keep your data
UK GDPR requires that personal data not be kept longer than necessary. The retention periods below apply by default; we may shorten them if you request earlier deletion (see Section 10).
| Data category | Retention | Why |
|---|---|---|
| Contact-form submissions (Technical Briefing) | 12 months from submission | Allows reasonable follow-up window for deployment scoping. Beyond this, deleted unless an active engagement begins. |
| CV submissions — assessed and unsuccessful | 6 months from decision | Equality Act 2010 limitation period for discrimination claims (ICO recommended floor). |
| CV submissions — opted in to talent pool | 24 months from submission | You consented to extended retention for future opportunities. Withdrawable at any time. |
| Right-to-work documents (placed candidates only) | 2 years post-employment end | Immigration, Asylum and Nationality Act 2006, s.8 — Home Office statutory guidance on right-to-work checks. |
| Tax / payroll records (placed candidates only) | 6 years post-employment end | HMRC payroll record-keeping requirements and Companies Act 2006 statutory record-keeping. |
| Plausible analytics — aggregate counts | Aggregate visit counts retained for trend analysis. No identifiable record of any individual visitor is retained at any point. | Operating an effective B2B website. Plausible Insights OÜ acts as our data processor; their public retention policy applies. |
9. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right to be informed — this notice itself satisfies that right.
- Right of access — you may request a copy of the personal data we hold about you (a "data subject access request" or DSAR).
- Right to rectification — you may ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — you may ask us to delete your data, subject to limited legal exceptions.
- Right to restriction — you may ask us to pause processing while a question about your data is resolved.
- Right to object — you may object to processing carried out on the basis of legitimate interest. Where an objection is upheld, we stop processing.
- Right to data portability — for processing based on consent or contract, you may receive your data in a machine-readable format.
- Right to withdraw consent — where we rely on consent (currently: optional 24-month CV retention, and analytics cookies), you may withdraw at any time.
- Right not to be subject to automated decision-making — we do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
10. How to exercise your rights
Email compliance@bayswatertransflow.com with the subject line "Data subject request — [your right]". Please include enough information for us to verify your identity (typically the email address you used to submit the form or CV).
We will respond within one calendar month of receiving your request. We may extend this by up to two further months for complex or numerous requests, in which case we will tell you within the first month and explain why. We do not charge a fee for handling rights requests, except in the rare case of manifestly unfounded or excessive requests.
To withdraw analytics consent, click "Manage cookie preferences" in the footer of any page and untick the Analytics toggle. To withdraw the optional 24-month CV retention, email us using the address above.
11. Right to complain to the ICO
If you believe we have mishandled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. We would prefer the chance to address your concern first — but the ICO route is your right and is independent of us.
- Online: https://ico.org.uk/make-a-complaint/
- Helpline: 0303 123 1113
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
12. Recruitment-specific notes
Why we collect nationality
Cross-border deployment requires us to assess the regulatory pathway available to each candidate before a placement is possible. Nationality determines whether posted-worker provisions apply, what type of work permit is required, and the order in which we approach destination countries. We use nationality strictly to assess deployment viability, not as a selection criterion in itself.
Automated decision-making
Bayswater does not make decisions that produce legal effects, or similarly significant effects, on candidates by automated means within the meaning of Article 22 UK GDPR. Every shortlisting and placement decision is taken by a member of the deployment team, who is responsible for the outcome. Internal analytical tools may be used to support that decision, but the human decision-maker reviews each candidate's record before any progression or rejection decision is communicated and can override any analytical output. You have the right to request information about, and human review of, any decision that affects you — see Section 10.
Special category data
We do not deliberately collect special category data within the meaning of Article 9 UK GDPR (such as racial or ethnic origin, religious beliefs, political opinions, health, or sexual orientation). If your CV incidentally contains such data — for example a profile photo, a religious holiday reference, or a health-related qualification — we will only process it to the extent strictly necessary for the recruitment assessment, relying on Article 9(2)(b) UK GDPR (processing necessary for the performance of obligations and the exercise of specific rights in the field of employment) read with Schedule 1 Part 1 paragraph 1 of the Data Protection Act 2018 and our published Appropriate Policy Document. You may redact your CV at any time and ask us to re-process the redacted version, and you may object to processing of any specific category at any time by emailing our Compliance Officer.
Why our lawful basis is not consent
The Information Commissioner's Office has stated that consent is generally not the appropriate lawful basis for recruitment processing because the power imbalance between a candidate and a prospective employer compromises the requirement that consent be "freely given." We therefore rely on legitimate interest (with a documented Legitimate Interests Assessment) and pre-contractual steps. Consent is reserved for the genuinely optional 24-month retention.
13. Contact form (Technical Briefing) — specific notes
When you submit a Technical Briefing request, we ask for company information (sector, geography, trades, headcount, timeline) to assess whether we can credibly serve the requirement before responding. This is pre-contractual assessment under Article 6(1)(b) UK GDPR. If we conclude we cannot serve the requirement, we tell you plainly and delete the submission within 12 months.
14. Cookies and similar technologies
We use a small number of strictly-necessary localStorage entries and, with your consent, a cookieless analytics service. Full inventory and controls are in our Cookie Notice.
15. How we protect your data
We take appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (HTTPS / TLS) for all submissions;
- Encryption at rest within Google Workspace;
- Access control limiting CV and submission visibility to deployment-team members on a need-to-know basis;
- Regular review of access permissions;
- Procedures for detecting, investigating, and reporting personal-data breaches to the ICO within 72 hours where the breach poses a risk to data subjects.
16. Changes to this notice
We may update this notice to reflect changes in our practices, our processors, or the law. Material changes — to controller identity, lawful basis, recipients, retention periods, or your rights — will bump the version string at the top of this page and update the "Last updated" date. We will not notify each data subject individually unless required by law (for example, where a material change affects rights tied to a specific consent).
Significant updates that affect cookie consent will trigger the cookie banner to reappear so you can review and re-consent.