The lawfulness pack
Ecology App processes personal data — landowner records, contact information, scheme participation — under a documented lawful basis. The pack sits behind the platform and informs every product decision:
- Data Protection Impact Assessment (DPIA) — ICO 7-step assessment, covering high-risk processing criteria and Article 36 prior-consultation analysis
- Legitimate Interests Assessment (LIA) — three-part purpose / necessity / balancing test for Article 6(1)(f) processing
- Public Privacy Notice — UK GDPR Article 14 indirect-collection notice; full source inventory, retention horizons, rights, ICO complaint route
- Customer Acceptable Use Policy — ToS schedule that replicates HMLR CCOD/OCOD Permitted Use restrictions verbatim; PECR compliance; no Article 22 automated decisions; no Article 9/10 inference
- Retention Policy — per-source retention horizons mirrored from the upstream publisher; nightly tombstoning sweep
Regulations covered
- UK GDPR + Data Protection Act 2018 — primary framework
- Data (Use and Access) Act 2025 — DUAA Annex 1 recognised legitimate interests assessed
- PECR — Privacy and Electronic Communications Regulations, relevant to any customer-side digital marketing using platform data
- HMLR CCOD/OCOD licence terms — bespoke crown licence; Standalone Licensed Product or Service prohibition; direct-marketing prohibition
- EU AI Act — Minimal-Risk classification; generative-AI labelling where applicable
- EU regulations — data hosted in the EU sits under the relevant EU data-protection framework (see data sovereignty)
Your rights
Subject Access, Rectification, Erasure, Restriction, Objection, Direct-Marketing Objection, and Suppression-on-Distress are all served through the public Data Subject Rights portal at /privacy/dsr. No account required. 28-day default response, 14-day target for objection and suppression-on-distress.