GDPR Statement
Last updated: June 2026 · New Roads International Ltd
New Roads International Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement explains our approach to data protection, your rights as a data subject, and how we ensure your personal data is handled lawfully, fairly, and transparently.
1. Our Commitment to GDPR Compliance
As an AI consulting business operating in Scotland, we understand that data protection is fundamental — both to our own operations and to the clients we serve. We are committed to:
- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Ensuring data is adequate, relevant, and limited to what is necessary
- Keeping data accurate and up to date
- Storing data no longer than necessary
- Processing data securely with appropriate technical and organisational measures
2. Data Controller Information
New Roads International Ltd acts as the Data Controller for personal data collected through our website and in connection with our consulting services.
3. Lawful Bases for Processing
We process personal data under the following lawful bases as defined by UK GDPR Article 6:
- Legitimate Interests (Art. 6(1)(f)) — processing enquiries, managing client relationships, and improving our services
- Contractual Necessity (Art. 6(1)(b)) — where processing is required to fulfil a consulting engagement
- Legal Obligation (Art. 6(1)(c)) — where required by UK law, including HMRC record-keeping requirements
- Consent (Art. 6(1)(a)) — where you have explicitly opted in to receive communications from us
4. Your Rights as a Data Subject
Under UK GDPR, you have the following rights regarding your personal data. We will respond to all requests within 30 days.
Right of Access
Request a copy of the personal data we hold about you (Subject Access Request).
Right to Rectification
Request correction of any inaccurate or incomplete personal data we hold.
Right to Erasure
Request deletion of your personal data where there is no legitimate reason to continue processing it.
Right to Restriction
Request that we restrict processing of your data in certain circumstances.
Right to Portability
Request your personal data in a structured, commonly used, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent, without affecting prior processing.
Right to Complain
Lodge a complaint with the ICO if you believe your data rights have been violated.
To exercise any of these rights, contact us at hello@newroads.scot. We will acknowledge your request within 72 hours and respond in full within 30 days.
5. Data Retention
We apply the following retention periods to personal data:
- Website enquiries with no subsequent engagement — deleted after 12 months
- Active client project data — retained for the duration of the engagement plus 6 years
- Financial and contractual records — retained for 6 years as required by HMRC
- Marketing consent records — retained until consent is withdrawn
6. Data Security Measures
We implement appropriate technical and organisational measures to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access. Our security measures include:
- Encrypted communications via HTTPS across all web interactions
- Secure business email via Zoho Mail (EU data centre) with two-factor authentication enabled
- Access controls limiting data access to authorised personnel only
- Regular review of data processing activities and third-party processors
7. Data Transfers
Where we use third-party services that may process data outside the UK, we ensure appropriate safeguards are in place in line with UK GDPR requirements. Our primary processors include:
- Netlify (website hosting and forms) — processes data under standard contractual clauses with EU/UK adequacy
- Zoho Mail (email) — EU data centre, processed under Zoho's Data Processing Agreement in compliance with UK GDPR
8. Data Breach Procedure
In the event of a personal data breach, New Roads International Ltd will:
- Assess the risk to individuals within 24 hours of becoming aware
- Notify the ICO within 72 hours if the breach poses a risk to individuals' rights and freedoms
- Notify affected individuals without undue delay if the breach poses a high risk to their rights
- Document all breaches in our internal breach register regardless of whether notification is required
9. AI-Specific Data Considerations
As an AI consulting business, we are acutely aware of the data protection implications of AI systems. When implementing AI solutions for clients, we adhere to the following principles:
- Data minimisation — only the data necessary for the AI system to function is used
- Purpose limitation — client data is never used to train models beyond the agreed scope
- Transparency — we document all data flows within AI implementations clearly
- Human oversight — we build human review into all consequential AI decision-making processes
- GDPR-by-design — data protection considerations are built into every AI solution from the outset
10. Contact the ICO
If you are not satisfied with how we handle your personal data, you have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. Updates to This Statement
This GDPR Statement is reviewed annually and updated as required. The current version is always available at newroads.scot/gdpr.html. Last reviewed: June 2026.