Crestwatch Security Ltd (‘we’, ‘us’, ‘our’) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal data in connection with our website (www.crestwatch.co.uk) and our security services.

This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

Please read this policy carefully. By using our Website or engaging our services, you confirm that you have read and understood this Privacy Policy.

We are registered with the Information Commissioner’s Office (ICO). Our ICO registration number is ZA567284. Details of our registration can be verified through the Information Commissioner’s Office public register.

1. Who We Are

The data controller responsible for your personal data is:

• Crestwatch Security Ltd
• Registered in England and Wales — Company No. 10724335
• Registered Office: 915 High Road, London, United Kingdom N12 8QJ
• Data Protection Contact: info@crestwatch.co.uk
• Telephone: +44 2033939448

 

2. What Personal Data We Collect

2.1 Data You Provide to Us

We collect personal data that you voluntarily provide when you:

• Complete an enquiry or contact form on our Website — name, company name, email address, telephone number, and service requirements.
• Request a quotation or enter into a Service Agreement — business and contact details, billing information, and site access requirements.
• Correspond with us by email, telephone, or post.
• Apply for employment with us — name, contact details, employment history, qualifications, references, and right-to-work documentation.

2.2 Data We Collect Automatically

When you visit our Website, we automatically collect certain technical data, including:

• IP address and approximate location.
• Browser type and version.
• Pages visited and time spent on each page.
• Referring website or search engine.
• Device type and operating system.

This information may be collected through functional cookies, marketing and tracking cookies, scripts, web beacons, server logs, and similar technologies used to operate and secure our Website. Further information is available in our Cookie Policy.

2.3 Data Collected During Service Delivery

In the course of providing security services, we may collect and process:

• CCTV footage and images of individuals captured on or around client premises.
• Incident reports containing details of individuals involved in or witnessing incidents.
• Visitor logs, access records, and identity documents where access control services are provided.
• Body-worn camera footage recorded by our officers in the course of their duties.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

Purpose	Lawful Basis (UK GDPR)	Retention
Responding to website enquiries and quotation requests	Legitimate interests (pre-contractual communication)	12 months from last contact
Providing contracted security services	Performance of a contract	Duration of contract + 7 years
Managing client accounts and billing	Performance of a contract / Legal obligation	7 years (financial records)
Processing employment applications	Consent / Legitimate interests	6 months if unsuccessful; duration of employment if hired
Maintaining security records, incident reports, and CCTV footage	Legitimate interests / Legal obligation	31 days (CCTV); 3 years (incident records)
Complying with legal and regulatory requirements	Legal obligation	As required by law
Sending service updates and communications to clients	Legitimate interests / Contract	Duration of contract relationship
Improving website functionality, security, performance and user experience through cookies and similar technologies	Legitimate Interests and/or Consent depending on the category of technology used	In accordance with applicable cookie retention periods

4. Special Category Data

In the course of delivering certain services, we may process special category personal data, including health information (where relevant to the safe deployment of our officers or to the welfare of individuals on client sites) and criminal conviction data (required for BS 7858 vetting of our personnel).

Where we process special category data, we rely on the following additional lawful bases under the UK GDPR and the Data Protection Act 2018:

• Substantial public interest — security purposes and the prevention and detection of unlawful acts.
• Employment, social security, and social protection purposes — in respect of our own personnel.
• Explicit consent — where required and obtained in advance.

5. Sharing Your Personal Data

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipient where necessary and lawful to do so:

• Subcontractors and staffing partners — where specialist services are required and only under appropriate data processing agreements.
• Technology and IT service providers — including our cloud storage provider, CCTV monitoring platform, and reporting software, all of whom are bound by data processing agreements.
• Legal and professional advisers — solicitors, accountants, and insurers where required for legal, financial, or regulatory purposes.
• Regulatory and law enforcement authorities — including the SIA, the Information Commissioner’s Office, the Police, and the courts, where we are required by law to do so or where disclosure is necessary for the prevention or detection of crime.
• Emergency services — where disclosure is necessary to protect the vital interests of any individual.

We do not transfer personal data outside the United Kingdom or the European Economic Area without ensuring appropriate safeguards are in place, such as standard contractual clauses approved by the ICO.

Certain third-party technologies used on our Website, including Google Maps, Google Fonts and Google reCAPTCHA, may involve the processing of technical information through infrastructure located outside the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are implemented in accordance with UK GDPR requirements.

6. CCTV and Surveillance

Where we provide CCTV installation or remote monitoring services, footage is processed on behalf of our clients (who are the data controllers in respect of their own premises). We act as a data processor in this context and process footage only in accordance with our client’s instructions and applicable law.

Where we operate body-worn cameras on our own officer deployments, we are the data controller. Footage is used for the purposes of:

• Officer safety and welfare.
• Evidence gathering in connection with incidents.
• Quality assurance and training.

Body-worn camera footage is retained for 31 days unless required for longer as part of an active investigation or legal proceedings. Footage is stored securely and access is restricted to authorised personnel only.

If you have been captured on CCTV operated by Crestwatch Security Ltd and wish to make a Subject Access Request, please see Section 9.

7. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, disclosure, alteration, or destruction. These measures include:

• Encrypted storage and transmission of personal data.
• Role-based access controls — personal data is accessible only to personnel who need it to perform their role.
• Regular security assessments and staff training.
• Secure disposal of personal data when no longer required.
• Incident response procedures for reporting and managing data breaches.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and will notify affected individuals where required by law.

8. Data Retention

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law or regulatory obligation. Our standard retention periods are:

• Client contractual and financial records: 7 years from the end of the contract (in accordance with HMRC requirements).
• Incident reports and security logs: 3 years from the date of the incident.
• CCTV footage: 31 days, unless extended for investigative or legal purposes.
• Website enquiry data: 12 months from the date of last contact.
• Unsuccessful job applicant data: 6 months from the date of notification.
• Employee records: Duration of employment plus 7 years.

At the end of the applicable retention period, personal data is securely deleted or anonymised.

9. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

1.  Right of Access — You have the right to request a copy of the personal data we hold about you (a Subject Access Request).

2.  Right to Rectification — You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

3.  Right to Erasure — You have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected.

4.  Right to Restriction of Processing — You have the right to request that we restrict the processing of your personal data in certain circumstances.

5.  Right to Data Portability — Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

6.  Right to Object — You have the right to object to processing carried out on the basis of our legitimate interests. You also have the absolute right to object to processing for direct marketing purposes.

7.  Rights in Relation to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.

8.  Right to Withdraw Consent — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at: privacy@crestwatch.co.uk. We will respond to all requests within one calendar month. We may ask you to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

• Website: www.ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

10. Cookies

10.1 What Are Cookies?

Cookies are small text files that are placed on your device when you visit a website. They enable websites to function efficiently, remember user preferences, improve user experience, and provide information to website owners and authorised third parties.

In addition to cookies, our Website may use related technologies such as scripts and web beacons. Scripts are pieces of code that enable the Website to function properly and interactively, while web beacons (also known as pixel tags) are small invisible elements used to monitor website traffic and user interactions.

10.2 Cookies We Use

Our Website uses the following categories of cookies:

Functional Cookies

Functional cookies are necessary for the proper operation of the Website and to enable essential features. These cookies allow us to remember user preferences and ensure that the Website functions correctly. Functional cookies may be placed without requiring user consent where permitted by applicable law.

Marketing and Tracking Cookies

Marketing and tracking cookies are used to create user profiles, display relevant advertising, measure marketing effectiveness, and track users across websites for similar marketing purposes. These cookies are only placed with your consent.

10.3 Technologies and Services Used

Our Website currently uses cookies and technologies associated with the following services:

• Elementor (anonymous statistics)

• WordPress (functional)

• LiteSpeed (functional)

• Google Fonts (website font delivery and display)

• Google reCAPTCHA

• Google Maps

• Complianz Consent Management Platform

• Other cookies or technologies identified through periodic website audits and compliance reviews

Some of these services may place cookies or collect technical information necessary for their operation.

10.4 Consent

When you visit our Website for the first time, you will be presented with a cookie consent banner explaining the categories of cookies used on the Website.

By selecting your preferred cookie settings and clicking “Save Preferences”, you consent to the use of the selected categories of cookies and related technologies.

Functional cookies that are strictly necessary for the operation of the Website may remain active at all times.

You may withdraw or modify your consent at any time through the Website’s cookie settings tool.

10.5 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

• View cookies stored on your device.

• Delete cookies individually or collectively.

• Block specific cookies.

• Block all cookies.

• Receive notifications when cookies are placed.

Please note that disabling certain cookies may affect the functionality and performance of the Website.

If you delete cookies from your browser, they may be placed again during future visits where consent is provided.

10.6 Legal Basis for Cookie Processing

Where required under the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR), we rely on your consent as the legal basis for placing non-essential cookies, including marketing and tracking cookies.

Strictly necessary cookies are used because they are essential for the operation, security and functionality of the Website and do not require consent under applicable law.

10.7 Further Information

Additional information regarding the specific cookies used on our Website, including their purposes and providers, is available in our separate Cookie Policy, which forms part of this Privacy Policy and should be read alongside it.

11. Children’s Privacy

Our Website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at privacy@crestwatch.co.uk and we will take steps to delete it promptly.

12. Third-Party Websites

Our Website may contain links to third-party websites. This Privacy Policy applies only to our Website. We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy policies before submitting any personal data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The most current version will always be published on this page, with the effective date updated accordingly. We encourage you to review this policy periodically.

Where changes are material, we will take reasonable steps to notify you, for example by placing a prominent notice on our Website or by emailing registered clients.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact our Data Protection team:

• Email: info@crestwatch.co.uk
• Post: Data Protection Officer, Crestwatch Security Ltd, 915 High Road, London, United Kingdom N12 8QJ
• Telephone: +44 2033939448

We aim to respond to all data protection queries within five working days.

 

Last Updated: 3 June 2026  |  Version 1.0  |  Crestwatch Security Ltd