Privacy policy.
Last updated: 6 July 2026
Who we are
Gotschna Limited (“we”, “us”, “our”) is the data controller for the personal data described in this policy. We are a company registered in England and Wales with company number 13958570.
This policy explains how we handle personal data where we are the controller (for example, data about our customers, prospective customers, website visitors, and suppliers).
Where we process personal data on behalf of a business customer (as their processor), that processing is governed by our agreement with that customer, not by this policy. This applies, for example, when we administer your cloud services, provide backup, monitor devices, investigate security alerts, migrate mailboxes, or support your systems. In those cases the customer is usually the controller and we act as processor.
You can contact us about this policy, or about your personal data, using the contact form on our website. Details of how to reach us, and of your right to complain to the regulator, are at the end of this policy.
Our services and website are intended for businesses and are not aimed at children.
The personal data we collect
Customers. Names and business contact details, account and login details, billing and payment information, information about the services you take and how you use them, technical data relating to those services, and records of our correspondence and support. Where you take communications services from us, this also includes service usage and call records, communications metadata, the numbers and IP addresses we allocate to you, porting and provisioning information, emergency-location information where applicable, and traffic and fault-diagnostic records.
Prospective customers. Business contact details and any information you give us when you enquire about our services.
Website visitors. Technical data such as IP address, device and browser information and, where you consent, analytics data (see Cookies and similar technologies below).
Other contacts. Business contact details of suppliers, partners, and other people and organisations we deal with.
We aim to collect only the personal data we need for the purposes set out below.
Some personal data is necessary for us to enter into or perform a contract with you, provide support, invoice you, meet our legal obligations, or keep our services secure. If you do not provide it, we may be unable to provide some or all of our services.
Where we get your personal data from
We usually collect personal data directly from you or from the organisation you represent. We may also receive it from colleagues, administrators, or authorised users within your organisation, from technology vendors and distributors, from payment providers, from public business sources (such as company websites and Companies House), from referral partners, and from systems we operate or support on behalf of a customer.
If you work for one of our customers, we may receive your business contact and account details, device and support-ticket information, and service-usage information from your employer or organisation.
How we use your personal data, and our legal basis
- To provide our services and manage your account: to perform our contract with you.
- To take steps at your request before entering into a contract: to perform, or take steps to enter into, a contract.
- To invoice you, take payment, and recover sums due: to perform our contract, and our legitimate interest in being paid for our services.
- To provide support and respond to your enquiries: to perform our contract, and our legitimate interest in helping our customers and prospects.
- To secure, maintain, monitor, and improve our systems and services: our legitimate interest in protecting our infrastructure and providing a reliable, secure service.
- To send you service and administrative messages: to perform our contract, and our legitimate interest in keeping you informed.
- To send relevant business-to-business marketing to business contacts, including existing customers and professional contacts: our legitimate interest, or your consent where required; you can opt out at any time.
- To comply with our legal and regulatory obligations: to meet a legal obligation.
- To establish, exercise, or defend legal claims: our legitimate interest in protecting our position.
Where we rely on legitimate interests, we have considered the impact on you and do not use your data in ways that override your rights.
Log files and technical data
Like most websites and online services, our systems automatically record certain technical information, such as IP addresses, timestamps, and details of the requests made. We use this to operate, secure, and troubleshoot our website and services.
Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Essential cookies keep the site secure and remember your cookie choice. They are strictly necessary, so they are always on and need no consent.
- Google Analytics helps us understand how our website is used. It sets a cookie and is loaded only if you consent; if you do not consent, we do not load it.
- Cloudflare Web Analytics gives us aggregate, privacy-friendly usage figures. It is cookieless and does not track you across sites, so it runs under our legitimate interest.
Where we ask for your cookie choice, we remember it for up to 12 months. You can change or withdraw your choice at any time using the cookie option in our website footer.
Who we share your personal data with
We share personal data only where necessary, with:
- Service providers and sub-processors who help us run our business and deliver our services (for example, hosting, cloud, software, security, and analytics providers).
- Payment processors, to take and reconcile payments.
- Technology vendors and distributors, where a service you take from us relies on their platform or licensing.
- Professional advisers, such as our accountants and lawyers.
- Authorities, regulators, and law enforcement, where we are required or permitted by law to do so.
We do not sell your personal data, and we do not use it for third-party advertising.
International data transfers
Some of our providers (for example, certain analytics, cloud, and security services) process personal data outside the UK, including in the United States. Where a transfer outside the UK takes place, we rely on an appropriate safeguard, such as:
- UK “adequacy” regulations, where the destination country is recognised as providing adequate protection;
- the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”), for certified providers in the United States; or
- the UK International Data Transfer Agreement or Addendum.
Where we rely on the UK-US Data Bridge, we check that the US recipient is certified for the relevant personal data. Where we rely on the UK IDTA or Addendum, we carry out a transfer risk assessment where required.
How long we keep your personal data
We keep personal data only for as long as we need it. Indicative periods are:
- Customer and billing records: for the duration of our relationship with you and for up to 6 years afterwards, to meet accounting, tax, and legal requirements.
- Support tickets and correspondence: typically up to 3 years after the matter is closed.
- Service usage and technical records (such as call or usage data for communications services): typically 6 to 12 months, or longer where we are required to keep it.
- Prospective customer data: until we conclude we will not do business, or you ask us to stop or withdraw your consent, and in any event no longer than is reasonably necessary.
- Website analytics data: for the retention period set within the relevant analytics tool.
Where a longer period is required by law, or to establish, exercise, or defend legal claims, we keep the data for that period.
Where personal data is held in backups, it may remain in backup copies until those backups expire or are overwritten, unless earlier deletion is technically feasible and proportionate. We do not use backup data for ordinary purposes, and access to it is restricted.
How we keep your personal data secure
We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. No system can be completely secure, but we take reasonable steps to protect the data we hold.
In providing support and managed services, our authorised staff may access systems, logs, accounts, configuration, and files where necessary to deliver the service, investigate faults, or respond to security incidents. We limit this access to those who need it and apply appropriate controls.
Automated decision-making
We do not make decisions about you based solely on automated processing that produce legal effects or similarly significantly affect you.
Your data protection rights
Under UK data protection law, you have the right to:
- access the personal data we hold about you;
- ask us to correct inaccurate or incomplete data;
- ask us to erase your data in certain circumstances;
- ask us to restrict how we use your data in certain circumstances;
- object to our processing where we rely on legitimate interests, and to direct marketing at any time;
- request portability of certain data; and
- withdraw your consent at any time, where we rely on consent.
To exercise any of these rights, contact us using our website contact form. We will respond within one month, though we may extend this where a request is complex, and we will tell you if we do.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you are unhappy with how we have handled your personal data. We would ask you to contact us first so we can try to put things right. The ICO can be reached at ico.org.uk or on 0303 123 1113.
How to contact us
For any privacy question or to exercise your rights, please use the contact form on our website. Gotschna Limited is the data controller responsible for your personal data.
If you believe personal data we hold may have been compromised, please tell us as soon as possible using our contact form.
Changes to this policy
We may update this policy from time to time. The current version is always the one published on our website, and the “last updated” date at the top shows when it last changed.