Privacy Policy

The Data Controller is ADAM KEY LTD, a company incorporated under the laws of England and Wales, registered office at 124 City Road, London EC1V 2NX, United Kingdom, VAT no. GB289019079, registered with Companies House under number 07935023 (in this notice "Adam Key", "we").

For any question relating to the processing of personal data you can reach us at info@adamkey.com. This notice applies to all processing of personal data carried out through the adamkey.com website and its subdomains.

We process the following categories of personal data:

• Contact details you provide — when you fill in the contact form we collect your name, email address, company name (optional) and the content of your message.
• Technical data collected automatically — at the moment of form submission and during normal browsing we may collect your IP address, request timestamp, browser user agent, referrer and the outcome of anti-spam verification. This data is necessary to secure the site and prevent abuse.
• Consent records — we record your acceptance of the terms and privacy notice through the mandatory checkbox of the contact form, with its timestamp.
• Session data — selected language and other technical preferences, stored in strictly necessary cookies (see Cookie Policy).

We do not process special categories of data (Article 9 GDPR) or criminal-offence data (Article 10 GDPR) through this site. If you choose to include them in your message please refrain from doing so: the contact form is not an appropriate channel.

Your personal data is processed for the following purposes, each with its own legal basis:

• Replying to your enquiry — legal basis: pre-contractual measures at your request and the controller's legitimate interest in handling business correspondence (Article 6(1)(b) and 6(1)(f) GDPR).
• Site security and abuse prevention (rate limiting, reCAPTCHA verification, submission logs) — legal basis: legitimate interest of the controller in protecting infrastructure and users from spam, automated attacks and misuse (Article 6(1)(f) GDPR).
• Compliance with legal obligations (responding to lawful requests from competent authorities, tax and accounting obligations if a commercial relationship is established) — legal basis: legal obligation (Article 6(1)(c) GDPR).
• Establishment, exercise or defence of legal claims — legal basis: legitimate interest of the controller (Article 6(1)(f) GDPR).

We do not use your data for marketing, automated profiling or decisions producing legal effects concerning you within the meaning of Article 22 GDPR. Should we decide in the future to start commercial communications, we will first collect explicit, separate and withdrawable consent.

Providing the data required by the contact form (name, email, message, consent) is optional: not providing it prevents you from submitting your enquiry through the site but does not prevent you from contacting us through other channels (direct email, phone, post).

Processing of technical security data is necessary in order to enable use of the site itself and is carried out on the basis of our legitimate interest.

Personal data is kept for the time strictly needed to fulfil the purposes for which it was collected:

• Contact-form data — kept for the time needed to handle the enquiry and, unless a commercial relationship is established, for a further 24 months for archival and evidential purposes, after which it is deleted or anonymised.
• Technical security logs — kept for 30 days, unless a longer retention is required to investigate ongoing security incidents.
• Consent records — kept for the duration of the relationship and for the following 24 months, in order to demonstrate the consent given pursuant to Article 7 GDPR.
• Contractual or tax data (if a relationship is established) — kept for the period required by applicable law, indicatively 6 years from the end of the relevant financial year under section 388 of the UK Companies Act 2006, as the Controller is a company incorporated under the laws of England and Wales.

Your personal data may be processed, in addition to authorised Adam Key staff and contractors, by third parties acting as processors under Article 28 GDPR, on the basis of written Data Processing Agreements and with adequate technical and organisational measures:

• Resend, Inc. (USA) — provider of transactional email delivery for messages generated by the contact form. Certified under the EU–US Data Privacy Framework.
• Vercel, Inc. (USA) — hosting infrastructure and edge network of the site. Certified under the EU–US Data Privacy Framework.
• Google LLC / Google Ireland Ltd — provider of the reCAPTCHA service for anti-spam protection of the contact form. Certified under the EU–US Data Privacy Framework.
• Upstash, Inc. (USA) — Redis rate-limiting provider, used to throttle automated submissions and prevent abuse.
• Professional advisors (lawyers, accountants) and competent authorities, where required by law.

An up-to-date list of appointed processors is available on request at info@adamkey.com. We do not sell or share your personal data with third parties for their own commercial purposes.

Some of the providers listed above are established or process data outside the European Economic Area, in particular in the United States. Such transfers take place under one of the safeguards provided by Chapter V GDPR:

• provider's adherence to the EU–US Data Privacy Framework and the related European Commission adequacy decision of 10 July 2023;
• the Standard Contractual Clauses approved by the European Commission under Decision 2021/914;
• supplementary measures where needed to ensure an equivalent level of protection.

For transfers between the EEA and the United Kingdom we rely on the European Commission's UK Adequacy Decision of 28 June 2021. Transfers from the UK rely on UK-specific adequacy regulations and the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as applicable.

You may at any time exercise the rights granted by Articles 15–22 GDPR / UK GDPR:

• Access to your personal data and obtain a copy.
• Rectification of inaccurate data and completion of incomplete data.
• Erasure (right to be forgotten) in the cases set out in Article 17.
• Restriction of processing in the cases set out in Article 18.
• Portability of the data you have provided, in a structured, commonly used, machine-readable format.
• Objection to processing based on the controller's legitimate interest, save for overriding legitimate grounds.
• Withdrawal of consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
• Complaint to a supervisory authority: in Italy the Garante per la Protezione dei Dati Personali; in the United Kingdom the Information Commissioner's Office (ICO); in other Member States, the authority of your habitual residence or of the alleged infringement.

To exercise your rights write to info@adamkey.com stating your request clearly and attaching, where needed, an ID document. We will respond within 30 days of receipt, extendable by up to 60 additional days for complex cases under Article 12 GDPR, with reasoned notice.

Adam Key applies technical and organisational measures appropriate to protect personal data against unauthorised access, disclosure, alteration or destruction. These include:

• encryption of data in transit via TLS and HSTS;
• Content Security Policy, X-Frame-Options, anti-CSRF and other HTTP security headers;
• rate limiting and reCAPTCHA anti-spam protection on public forms;
• server-side sanitisation and validation of every input;
• least-privilege access to personal data by staff under confidentiality obligations;
• monitored security logs and internal incident-response procedures.

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of data subjects, Adam Key will notify the competent supervisory authority within 72 hours as required by Article 33 GDPR and, where required, will inform the affected data subjects pursuant to Article 34 GDPR.

The site is not intended for children under 16 years of age and we do not knowingly collect personal data relating to minors. If a parent or guardian believes that a child has provided personal data through the site, they may write to info@adamkey.com to request its erasure.

This notice may be updated from time to time to reflect regulatory or organisational changes. The current version is always available at this URL, with the last-updated date shown above. Material changes will be signposted on the site and, where possible, communicated by email to data subjects who have previously contacted us.

For any question on the processing of your personal data or to exercise the rights set out in section 8, write to info@adamkey.com.

For the detail of cookies used on the site see the Cookie Policy.