PRIVACY AND DATA PROTECTION NOTICE

Last updated: 19 February 2026

UK Bid Writer, Lyndsey Michaels – Bid Writing Services, Redesigning Business, and Lyndsey Wray Consultancy are trading names of Mrs Lyndsey Sara Hannah Wray, Sole Trader (referred to in this notice as “we”, “us”, or “the organisation”).

We are registered with the Information Commissioner’s Office (ICO), Registration Reference: ZA348392.

We are committed to protecting and respecting your privacy and to processing personal data lawfully, fairly and transparently in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • EU General Data Protection Regulation (EU GDPR) (where applicable)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

This Privacy Notice explains what personal data we collect, how we use it, the lawful bases relied upon, how long we retain it, and your rights.


1. DATA CONTROLLER STATUS

For most business activities described in this notice, Mrs Lyndsey Sara Hannah Wray acts as Data Controller.

When delivering bid writing, consultancy or AI advisory services on behalf of clients, we may act as:

  • Data Processor (where processing personal data strictly under client instruction), or
  • Independent Data Controller (where determining purposes and means of processing, such as internal business operations).

Controller/processor roles are clarified within client contracts where required.


2. CATEGORIES OF PERSONAL DATA COLLECTED

A. Data Collected in the Course of Business Development

  • IP addresses
  • Contact names
  • Job titles
  • Email addresses
  • Telephone numbers
  • Business addresses
  • Correspondence records
  • Marketing preferences

B. Data Collected During Provision of Services

In the course of delivering consultancy, bid writing, AI advisory, or transformation services, we may process:

  • Employee CVs, biographies and employment history
  • Professional qualifications
  • Case studies relating to customers or service users
  • Organisational charts
  • Supplier information
  • Management information
  • Tender submission documentation

C. Special Category Data

Occasionally, special category data (as defined under GDPR) may be processed where required for legitimate tender or contractual purposes. This may include:

  • Health information (if relevant to equality, diversity or workforce disclosure requirements)
  • Equality and diversity data
  • Criminal conviction data (where legally required for specific contracts)

Such data is processed only where:

  • Explicit consent has been obtained; or
  • Processing is necessary for employment, social security, legal obligation or substantial public interest reasons as permitted under Article 9 UK/EU GDPR and Schedule 1 DPA 2018.

D. Website and Technical Data

When visiting our website, we may collect:

  • IP address
  • Browser type and version
  • Pages visited
  • Time and date of visit
  • Referring URLs
  • Cookie identifiers

E. Employee and Supplier Data

Where applicable:

  • Payroll information
  • Tax details
  • Contact details
  • Contractual documentation


3. LAWFUL BASES FOR PROCESSING

We rely on the following lawful bases under UK/EU GDPR:

  • Article 6(1)(a) – Consent (e.g. marketing communications)
  • Article 6(1)(b) – Contractual necessity (delivery of services)
  • Article 6(1)(c) – Legal obligation (HMRC, statutory requirements)
  • Article 6(1)(f) – Legitimate interests, including:
    • Running and improving our business
    • Responding to enquiries
    • Maintaining professional records
    • Protecting against fraud or misuse

Where relying on legitimate interests, we conduct a balancing test to ensure your rights are not overridden.


4. HOW WE USE PERSONAL DATA

Personal data is used to:

  • Respond to enquiries
  • Deliver consultancy and bid writing services
  • Submit tender responses on behalf of clients
  • Manage contractual relationships
  • Maintain financial and tax records
  • Provide relevant updates about services (where lawful)
  • Improve business operations
  • Comply with legal obligations

We do not sell personal data.


5. ARTIFICIAL INTELLIGENCE AND AUTOMATED TOOLS

As part of our advisory and transformation services, we may use AI-assisted tools and digital systems to support:

  • Document drafting
  • Process optimisation
  • Research support
  • Data structuring
  • Workflow automation

Important principles:

  • AI tools are used as assistive technologies, not as autonomous decision-makers.
  • We do not engage in solely automated decision-making producing legal or similarly significant effects under Article 22 GDPR.
  • Personal data entered into AI systems is minimised wherever possible.
  • We take reasonable steps to assess security, confidentiality and data processing terms of third-party AI platforms used in service delivery.
  • Where client data is processed using AI-enabled platforms, this is done under contractual confidentiality and data protection obligations.

As part of our consultancy services, we may advise clients on their own responsible use of AI systems, including governance, transparency and risk management.


6. DATA SHARING

Personal data may be shared with:

  • Employees or contractors working under confidentiality obligations
  • Professional advisers (accountants, legal advisers)
  • IT service providers
  • Secure cloud storage providers
  • Contracting authorities receiving tender submissions
  • Consortium partners or subcontractors involved in bid submissions
  • Payment processors

All third-party processors are required to provide appropriate security and confidentiality assurances.


7. INTERNATIONAL DATA TRANSFERS

Where personal data is transferred outside the UK or EEA, we ensure one of the following safeguards is in place:

  • UK or EU adequacy decision
  • Standard Contractual Clauses (SCCs)
  • International Data Transfer Agreement (IDTA)
  • Approved certification mechanisms


8. DATA RETENTION

We retain personal data only as long as necessary for the purpose collected, including legal, accounting and reporting requirements.

Indicative retention periods:

  • Client contractual data: 6–7 years (tax compliance)
  • Tender submissions: retained in accordance with contractual/legal requirements
  • Marketing data: until consent withdrawn or objection received
  • Website comment data: retained unless deletion requested

Data no longer required is securely deleted or anonymised.


9. DATA SECURITY

We implement appropriate technical and organisational measures including:

  • Secure password management
  • Multi-factor authentication where available
  • Encrypted devices
  • Secure cloud storage
  • Access controls
  • Confidentiality agreements
  • Regular software updates

While no system is completely secure, we take proportionate measures aligned to the nature of our business.


10. WEBSITE COOKIES

We use cookies for:

  • Site functionality
  • Security
  • Spam prevention
  • Analytics (where applicable)

Where legally required, non-essential cookies are used only with consent via a cookie banner.

You may control cookies through browser settings.


11. YOUR DATA PROTECTION RIGHTS

Under UK and EU GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase personal data (where applicable)
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent (where consent is relied upon)
  • Lodge a complaint with a supervisory authority

We will respond to valid requests within one calendar month.


12. RIGHT TO COMPLAIN

If you are dissatisfied with how your data has been handled, you may contact:

Information Commissioner’s Office (ICO)
www.ico.org.uk

If you are located in the EU, you may also lodge a complaint with your local supervisory authority.


13. MARKETING COMMUNICATIONS

We may send marketing communications where:

  • You have opted in; or
  • There is a lawful soft opt-in under PECR (for existing customers).

You may unsubscribe at any time using the link provided or by contacting us directly.


14. CONTACT DETAILS

If you wish to:

  • Access your personal data
  • Exercise your rights
  • Request deletion
  • Ask questions about this notice

Please contact:

Lyndsey Wray
Email: lyndsey@redesigning-business.com
Phone: 07813 606033


15. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice periodically. The most current version will always be available on our website.