This policy covers your rights under UK GDPR (UK General Data Protection Regulation) and PECR (Privacy and Electronic Communications Regulations). Our aim is to be responsible, relevant, and secure when using your data.
As the operators of cathree.com, elionboarding.com and the Eli Onboarding Platform, CA3 registered as CAThree Ltd in England and Wales with Company Registration Number 07812353 and having its registered office address at Unit 117, The Record Hall, 16-16A Baldwins Gardens, London, EC1N 7RJ ("We", "Us", "CA3") is committed to protecting and respecting users' privacy. This policy covers all our brands – CA3 and Eli and their associated products and services.
Scope
This document is relevant to all data collected and used for the purpose of marketing and sales for CA3's business.
UK GDPR Compliance
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation which replaces the Data Protection Regulation (Directive 95/46/EC). The Regulation aims to harmonise data protection legislation across EU member states, enhancing privacy rights for individuals and providing a strict framework within which commercial organisations can legally operate.
Although the UK is no longer an EU member state, the UK's DPA 2018 has enacted the EU GDPR's requirements into UK law. With effect from 1 January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018 and merged it with the requirements of the EU GDPR to form a new, UK-specific data protection regime. This regime is known as the UK GDPR. CA3 complies with applicable UK GDPR regulations as both a data processor and controller.
PECR sits alongside the UK GDPR and provides additional rules specifically covering electronic marketing communications, cookies, and related technologies. Where we use email or other electronic means to communicate with individuals for marketing purposes, we comply with PECR as well as the UK GDPR.
Lawful Basis for Processing
UK GDPR requires us to identify a lawful basis before processing personal data. For marketing and sales data, CA3 relies on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Sending marketing communications to existing clients and contacts with whom we have an established relationship | Legitimate Interests (Article 6(1)(f)) – subject to a Legitimate Interests Assessment (LIA) |
| Sending marketing communications to new contacts and prospects by email or other electronic means | Consent (Article 6(1)(a)) – in accordance with PECR |
| Analysing engagement with our marketing communications and website | Legitimate Interests (Article 6(1)(f)) |
| Responding to enquiries and providing information about our products and services | Legitimate Interests (Article 6(1)(f)) or Pre-contractual steps (Article 6(1)(b)) |
Where we rely on legitimate interests, we ensure our interests are not overridden by your rights and interests. Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
For electronic marketing to individuals (as distinct from corporate subscribers), PECR requires that we obtain prior consent.
Control of Personal Data
The Data Controller for marketing data is CAThree Ltd.
Personal Data Collected
The categories of personal data collected and used for marketing and sales purposes are:
- Name
- Job title
- Company name
- Business email address
- Business telephone number (where provided)
- Records of your interactions and communications with CA3 (e.g. enquiries, event attendance, email engagement)
No personal website links or personal email addresses are collected, stored, or processed, even if they are in the public domain.
We may obtain data directly from you (e.g. via enquiry forms, event registrations, or business cards) or from third-party sources such as referrals from clients, publicly available sources such as company websites and LinkedIn. Where we obtain data from third-party sources, we will inform you of this at the point of first contact or as soon as reasonably practicable, in accordance with our Article 14 obligations under UK GDPR.
Our websites use cookies and similar tracking technologies. Please refer to our Cookie Policies on our websites for further details.
Access to Your Data
CA3 does not sell, rent, or lease its marketing data to third parties. CA3 may share data with trusted partners to help us perform statistical analysis, provide customer support, or consultancy services. It may be necessary for the purposes of delivering digital communications to share personal data with technology platforms (such as email marketing tools or CRM systems). All such third parties are prohibited from using personal data except to provide these services to CA3, and they are required to maintain the confidentiality of that data.
We only share personal data within our organisation where necessary for the purposes specified in this policy. All staff members processing personal data are bound by confidentiality obligations.
International transfers: CA3 does not transfer marketing personal data outside the UK or European Economic Area (EEA).
Data Retention
The retention period for personal data used for marketing purposes is 5 years. We have chosen five years because it reflects the average length of time a UK Manager remains in a post.
CA3 will deactivate personal data after the relevant retention period, or upon receipt of a valid data subject request to do so, whichever is the earlier. The data subject has the right to withdraw consent or object to processing at any point during the retention period.
Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data held by CA3:
- Access – You have the right to request a copy of the personal data we hold about you.
- Rectification – You have the right to request that we correct inaccurate data or complete incomplete data.
- Erasure – You have the right to request that we erase your personal data, under certain conditions.
- Restriction of Processing – You have the right to request that we restrict the processing of your data in certain circumstances.
- Data Portability – You have the right to receive your personal data in a structured, commonly used, and machine-readable format where processing is based on consent or contract.
- Right to Object – You have the right to object to processing based on legitimate interests. You have an absolute right to object to processing for direct marketing purposes, including profiling for direct marketing. We will stop processing your data for this purpose immediately upon receipt of your objection.
- Withdraw Consent – Where processing is based on consent, you have the right to withdraw consent at any time without detriment.
- Rights related to Automated Decision-Making – You have the right not to be subject to decisions based solely on automated processing that have a significant effect on you. CA3 does not carry out solely automated decision-making for marketing purposes.
If you wish to exercise any of these rights, please contact us using the details in the below section. We will respond within one month of receiving your request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been breached. Visit ico.org.uk or call 0303 123 1113.
Contact Us
If you make a request, we have one month to respond. The primary point of contact for all issues arising from this privacy policy, including requests to exercise data subject rights, is our Data Protection Officer.
Email: [email protected] or [email protected]
Call us at: 020 3567 0672
Or write to us: CA3, Unit 117, The Record Hall, 16-16A Baldwin's Gardens, London, EC1N 7RJ, UK
Changes to Policy
This privacy policy is effective as of April 2026. We reserve the right to update or change our privacy policy at any time. Users should check this privacy policy periodically. Where changes are material, we will take reasonable steps to notify relevant individuals.