IoT Technologies Ltd is generally the controller for personal data collected through this website, enquiry handling, marketing communications and ordinary business administration.

In customer delivery scenarios, our role may vary depending on the contract, system design and data path. We may act as a controller, joint controller, processor or independent supplier depending on the agreed scope and signed terms.

Project-specific data protection responsibilities should always be confirmed in the relevant contract, statement of work, data processing agreement or information governance schedule.

We process personal data only where there is a lawful basis. Common bases include legitimate interests, contract performance, steps before entering a contract, compliance with legal obligations and, where required, consent.

Legitimate interests may include responding to genuine business enquiries, securing the website, preventing misuse, managing supplier and customer relationships, maintaining records and improving operational reliability.

Where consent is required, we aim to make the request clear. Consent can be withdrawn, but withdrawal does not affect processing that was lawful before withdrawal.

We aim to process personal data lawfully, fairly and transparently. We limit collection to what is relevant, use data for defined purposes, keep it accurate where necessary, retain it only as long as needed and apply proportionate security controls.

We do not treat data protection as a paperwork exercise. For IoT and operational systems, data governance must be considered alongside device design, telemetry routing, access control, dashboard permissions, alert workflows and customer ownership.

Where a project involves operational data, sensor data, location data or personal data, the governance model should be designed before deployment rather than added afterwards.

We use suppliers for hosting, communications, security, professional services and operational tooling. Where a supplier processes personal data for us, we expect suitable contractual and security commitments.

Where data may be processed outside the United Kingdom, appropriate safeguards should be considered and documented where required by law.

Supplier selection for operational systems considers security, resilience, supportability, data location, access control and the customer’s governance requirements.

We use access controls, role separation where practical, least-privilege permissions, secure authentication, supplier review and operational monitoring to reduce data risk.

Where data risk is higher, we may use additional controls such as data minimisation, encryption, audit logging, retention controls, documented access approval and project-specific governance reviews.

We maintain evidence proportionate to the risk and nature of processing. This may include contracts, supplier records, technical decisions, security controls, project notes and documented customer instructions.

Individuals may have rights including information, access, rectification, erasure, restriction, portability, objection and rights connected with automated decision-making.

Requests should be sent through the Contact page or by email, marked “Data protection request”. We may request verification and may ask for clarification where the request is broad or unclear.

Some rights are not absolute. We may need to retain or withhold certain information where required or permitted by law, including for legal claims, security, confidentiality, contractual records or the rights of others.