GDPR Compliance Policy
SOTERweb, a trading arm of Montgomery & Coupers Ltd, is committed to protecting the privacy and personal data of all users. As a UK-based SME SaaS company serving public sector and commercial clients, we take our data protection responsibilities seriously. This document sets out how we collect, use, protect, and share personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Introduction
This GDPR Policy explains how Montgomery & Coupers Ltd complies with the UK General Data Protection Regulation (UK GDPR) as a data controller for the SOTERweb platform. The policy outlines our practices relating to the collection, use, storage, and protection of personal data.
2. Scope
This policy applies to all personal data processed in connection with the SOTERweb platform. It covers the personal information of clients, prospective clients, users, website visitors, and individuals who communicate with us.
3. Data Controller Details
Montgomery & Coupers Ltd is a UK-based micro-entity offering cloud-based health and safety software to organisations in the public and private sector. Montgomery & Coupers Ltd is the sole owner and operator of the SOTERweb platform. This means all intellectual property rights, licensing arrangements, customer relationships, and data processing obligations relating to SOTERweb are held and managed directly by Montgomery & Coupers Ltd. For all data protection enquiries, please email: admin@soterweb.org.uk.
4. Personal Data Collected
We collect personal data such as names, job titles, contact details including telephone numbers and email addresses, and technical identifiers like IP addresses and browser types. Additionally, we gather usage data through website analytics and retain correspondence submitted via contact forms or customer support channels.
5. Lawful Basis for Processing
We process personal data only where a lawful basis applies. This may include the user’s consent, where it has been freely given and can be withdrawn at any time. Where processing is necessary to fulfil a contract or service agreement, or to comply with legal obligations, we will do so accordingly. We also rely on legitimate interests to improve our platform and respond to user needs, where such interests are not overridden by the rights of the data subject.
6. Data Subject Rights
Under the UK GDPR, individuals have the right to understand and control how their data is used. This includes the right to access the personal data we hold, correct any inaccuracies, request deletion or restriction of processing, object to specific uses, and ask for their data in a structured, portable format. Requests can be submitted to admin@soterweb.org.uk, and we aim to respond within one calendar month.
7. Data Sharing
We do not sell personal data to any third party. However, we may share data with trusted service providers for hosting, analytics, and technical support, provided they meet strict contractual standards for GDPR compliance. These partners include cloud infrastructure providers and tools such as HubSpot and Google Analytics.
8. Data Security
We employ a wide range of security measures to protect personal data from loss, misuse, or unauthorised access. These include encrypted communications via HTTPS, firewall protection, access controls including two-factor authentication for administrators, and secure storage environments. Staff devices are also protected with antivirus software and encryption.
9. International Transfers
We do not transfer data outside the UK.
10. Data Retention
Personal data is retained only for as long as necessary to fulfil its original purpose or to comply with legal, contractual, or regulatory obligations. Once the relevant retention period has expired, data is securely deleted or anonymised.
11. Data Breach Management
In the event of a suspected data breach, we will promptly investigate and, where required, notify the Information Commissioner's Office (ICO) within 72 hours. If the breach poses a high risk to individuals, we will also contact affected parties directly and without undue delay.
12. Data Protection by Design
We integrate data protection principles throughout the development of our software and internal processes. This includes limiting data collection to what is necessary, restricting access to authorised personnel only, and applying pseudonymisation or encryption where appropriate.
13. Monitoring and Review
This policy is reviewed at least annually, and sooner if there are significant regulatory changes or updates to our practices. Staff receive training to ensure they understand their responsibilities under GDPR.
14. Contact
For any queries or concerns relating to this policy or our data protection practices, please contact us via: admin@soterweb.org.uk.