PRIVACY NOTICE FOR ANSWERUK LTD AND TEAMSOURCE LTD WEBSITES AND SERVICES

IDENTITY AND CONTACT DETAILS

This privacy notice explains how AnswerUK Ltd and Teamsource Ltd (answeruk.co.uk and teamsourceuk.com) uses personal data in the course of operating its websites and providing services to customers.

Answer Ltd and Teamsource Ltd, of 49 Mowbray Road, Edgeware, HA8 8JL, acts as the Data Controller for personal data collected directly from our website visitors, marketing lists, and our own business contacts. As the data controller, we determine the purposes and means of this processing.

For any personal data supplied by you or your contacts in the course of providing our services (e.g., call answering and virtual PA services), we acknowledge that you, our client, remain the data controller. In this context, AnswerUK Ltd and Teamsource Ltd acts solely as a Data Processor, processing your data strictly on your documented instructions. We will not use such data for any purpose other than fulfilling our contractual obligations to you.

You can contact our Privacy Officer for any questions regarding this notice at the address above or by emailing at hello@teamsourceuk.com

WHAT PERSONAL DATA WE COLLECT AND WHY

We collect and process only the personal data necessary to provide quotations, enter into contracts, and deliver our telephone answering and related services. The table below sets out the categories of data we process, the purposes for which it is used, and the lawful basis under UK/EU GDPR (Article 6).

 

Category of Data

Examples

Purpose of Processing

Lawful Basis (UK/EU GDPR)

Contact / Professional Data

Name, job title, company name, postal address, phone number, email address

To respond to enquiries, prepare quotations, manage accounts, provide services, and maintain client relationships

Contract (Art. 6(1)(b)), Legitimate Interests (Art. 6(1)(f))

Call & Communications Data

Caller details, messages, emails, live-chat transcripts, call recordings

To deliver services, forward messages, perform quality checks, and resolve disputes

Contract (Art. 6(1)(b)), Legitimate Interests (Art. 6(1)(f)), Consent (Art. 6(1)(a)) where required

Billing & Financial Data

Bank/payment details, invoices, transaction records

To issue invoices, process payments, maintain records, comply with tax and accounting laws

Contract (Art. 6(1)(b)), Legal Obligation (Art. 6(1)(c))

Technical Data

IP address, browser type, device identifiers, cookies, analytics data

To operate websites, ensure security, support analytics and improvements

Legitimate Interests (Art. 6(1)(f)), Consent (Art. 6(1)(a)) for non-essential cookies

Marketing Data

Names and emails collected via LinkedIn, website forms, or email interactions

To send newsletters, follow up on leads, and manage opt-outs

Consent (Art. 6(1)(a)), Legitimate Interests (Art. 6(1)(f)) for existing customers

Sensitive Data (Special Categories)

Health or other sensitive information disclosed incidentally by callers or customers

Processed only if volunteered and necessary, with additional safeguards and restricted access

Explicit Consent (Art. 9(2)(a)), Legal claims (Art. 9(2)(f))

 

 

HOW WE USE YOUR DATA AND OUR LAWFUL BASES

We process personal data for the purposes described below, always on a valid GDPR lawful basis:

To provide the virtual assistant, call-answering, customer support and related services you or our client has requested, and to manage our contract with you. This includes account setup, performing tasks at your instruction, billing, and customer support. The lawful basis here is usually Contract performance or our Legal obligations (e.g. financial record-keeping).

In some cases, we process data to pursue our (or a client’s) legitimate interests, provided these do not override your rights. For instance, we record and analyse calls for quality assurance, training, fraud prevention, and service improvement. We consider this Legitimate Interests because it helps us deliver better service, but we balance it against any impact on you. When relying on legitimate interests, we inform individuals and respect objections (see “Your Rights” below).

We may process data to comply with laws and regulations (e.g. accounting laws, information requests). The basis is Legal Obligation.

We rely on Consent only for optional processing, such as marketing communications and certain cookies. You can withdraw consent at any time without affecting prior lawful processing. We will not send you marketing emails unless you have opted in or otherwise given consent.

CALL RECORDINGS TRANSPARENCY & SAFEGUARDS

We may record calls for quality assurance, training, fraud prevention, dispute resolution, retaining instructions, and to perform our contract. We will:

  1. Inform callers at the start of the call that the call may be recorded, and direct them to our Privacy Notice (available on our website) for further information.
  2. Rely on performance of contract and/or legitimate interests for routine recording; obtain consent where required by law or for marketing uses.
  3. Maintain a written Legitimate Interests Assessment (LIA) specific to call recording practices.
  4. Keep recordings only for the retention period specified in our data retention schedule (typically 30 days, extendable up to 90 days for dispute resolution or client instruction) and delete them securely once that period expires.
  5. Respect your right to object to call recording where we rely on legitimate interests, unless we can demonstrate compelling legitimate grounds.

If recordings contain sensitive data that is incidentally disclosed (for example, health information), we will apply additional safeguards and strictly limit access. Recorded calls and transcripts are retained only as long as needed. As set out in our data retention schedule, the default retention period for call recordings is 30 days (extendable up to 90 days where necessary). After the retention period ends, recordings are securely deleted.

 

INTERNATIONAL DATA TRANSFER

We may transfer your personal data to countries outside of the United Kingdom. We will only do so when we are confident that the transfer is subject to appropriate safeguards to protect your information to a level that is essentially equivalent to the standards found in the UK GDPR. Where we process EU personal data, we use the EU Standard Contractual Clauses (2021) alongside the UK IDTA or Addendum.

Transfers to Israel: We may transfer data to a team in Israel. This transfer is based on the adequacy decision granted to Israel by the European Commission, which is recognized by the UK as providing an adequate level of data protection. No additional safeguards are required for this transfer.

Transfers to South Africa: We use an outsourced call-handling partner based in South Africa to help provide our services. Their work includes answering calls, patching calls through, sending messages and emails, and listening to call recordings for quality checks (for example, correcting wrong numbers or retrieving missing contact details). The types of information that may be accessed by our South Africa team include caller names, telephone numbers, email addresses, and messages left for our clients. They act only under our documented instructions and do not make independent decisions about how your data is used, although they may exercise limited judgment (for example, clarifying a misheard number).

We have in place legally binding contracts and Data Processing Agreements with IntelliBPO that meet the requirements of Article 28 UK GDPR. Under these agreements, IntelliBPO must process personal data only on our documented instructions, ensure staff confidentiality, and implement appropriate technical and organisational security measures. They are also required to assist us in responding to data subject rights requests, notify us promptly in the event of a personal data breach, and securely delete or return personal data once the service ends. Transfers to USA: We may transfer personal data to cloud service providers and payment processors based in the United States. As the USA does not currently benefit from a UK adequacy decision, these transfers are treated as restricted transfers under UK GDPR. To safeguard your information, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment (TRA) and, where needed, supplementary security measures such as encryption and access controls.In addition, as required by the Schrems II ruling, we have performed a Transfer Impact Assessment (TIA) to ensure that the laws and practices in these countries do not undermine the protections provided by our chosen transfer mechanisms. This TIA follows the rigorous guidance provided by the European Data Protection Board (EDPB) and includes an assessment of local laws and government access to data, along with the implementation of supplementary technical and organisational measures where necessary.

Transfer Location

Purpose / Recipient

Legal Basis / Safeguard

Additional Measures

Israel

Internal team support

UK recognition of EU Adequacy Decision (no additional safeguards required)

Standard contractual and security measures in place

South Africa (IntelliBPO)

“Outsourced call-handling: answering calls, patching, messaging, reviewing recordings for quality checks”

UK International Data Transfer Agreement (IDTA) / UK Addendum to EU SCCs + documented Transfer Risk Assessment (TRA)

“Contracts under Article 28 UK GDPR; encryption, access controls, staff confidentiality, breach notification, secure deletion/return”

United States

Cloud service providers and payment processors

UK IDTA / UK Addendum to EU SCCs + documented TRA & Transfer Impact Assessment (TIA)

“Encryption, MFA, access restrictions, supplementary technical and organisational safeguards”

EU (Gixo Datacentre)

Backup and storage of call-handling systems

UK adequacy decision for EU/EEA

“Encryption, MFA, restricted IP access, 24/7 monitoring”

HOW WE PROTECT TRANSFERS:

We use Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) / addendum (where applicable), or Binding Corporate Rules.

For transfers to countries that do not benefit from an adequacy decision (for example South Africa), we carry out and document a Transfer Risk Assessment (TRA) and implement appropriate supplementary technical and organisational measures. Summaries of TRAs and copies of transfer agreements are available on request from hello@teamsourceuk.com

DATA SHARING AND SUB-PROCESSING

We may share your personal data with other companies and third parties, but only for the purposes listed above. We have legally binding contracts and agreements in place to ensure that your information is protected and is not used for any other purpose.

The categories of companies that we may share data with include:

  • Other companies within our corporate group.
  • IT service providers for website hosting, email, and IT systems.
  • We also use common productivity and collaboration tools, including Microsoft Teams, Outlook, and Google Drive, to manage our communications and file storage. These providers act as our processors under UK GDPR, and we have data protection agreements in place with them. Where such providers transfer data outside the UK/EEA (for example to the United States), we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
  • Professional advisors, such as accountants and legal counsel.
  • Companies providing marketing and customer relationship management (CRM) services.
  • Other companies and partners involved in fulfilling your order.
  • For services such as virtual PA and call answering we use sub-processors, including our UK telephony platform provider Phoneta and our offshore BPO partner IntelliBPO (South Africa). Both act as processors under Article 28 UK GDPR and are bound by Data Processing Agreements requiring them to process personal data only on our instructions, ensure staff confidentiality, implement appropriate technical and organisational security measures, assist with data subject requests, notify us promptly of any personal data breach, and delete or return personal data at the end of the contract.

OUR OBLIGATIONS AS A DATA PROCESSOR

Where we process personal data on behalf of our clients (the Data Controllers), we comply with the requirements of Article 28 of the UK GDPR. In particular, we commit that:

  • Instructions Only – We will only process personal data on the documented instructions of our client, unless required to do so by law.
  • Confidentiality – All persons authorised to process personal data are subject to strict duties of confidentiality, either by contract or statutory obligation.
  • Security Measures – We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular audits.
  • Sub-Processors – We will not engage another processor without the client’s prior knowledge and documented authorisation. Where we do, we ensure a written agreement is in place imposing the same data protection obligations.
  • Assistance with Rights – We assist our clients in fulfilling their obligations to respond to data subject rights requests, such as access, rectification, erasure, restriction, or portability, where applicable.
  • Breach Notification – We promptly inform clients if we become aware of a personal data breach, and provide all reasonable assistance in meeting their regulatory obligations.
  • Deletion or Return of Data – At the end of our engagement, we will, at the client’s choice, securely delete or return all personal data, unless retention is required by law.
  • Audit and Information – We make available to clients all information necessary to demonstrate compliance with Article 28 and allow for audits or inspections, subject to confidentiality and security considerations.

MARKETING COMMUNICATIONS

We may collect your name and email address when you engage with us through LinkedIn, our website forms, or by email. This information is used to send newsletters, follow up on leads, and carry out targeted marketing, including retargeting campaigns.

We rely on your consent before sending marketing emails or placing non-essential cookies, and you may withdraw your consent at any time by clicking “unsubscribe” or contacting us at hello@teamsourceuk.com. In some cases, we may rely on our legitimate interests to send marketing to existing customers, in line with the UK Privacy and Electronic Communications Regulations (PECR). You always have the right to opt out of receiving marketing at any time.

We use trusted service providers to manage and deliver our marketing activities, including Pipedrive, Mailchimp, and Dripiffy. These providers act as our processors under data protection law and are bound by contractual obligations to safeguard your information.

We retain marketing information until you opt out or request deletion. We regularly review our marketing lists and remove contacts who have withdrawn consent or not engaged for a significant period.

RETENTION OF PERSONAL DATA

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal and contractual obligations, and to resolve disputes. Once the relevant retention period has expired, we securely delete or anonymise personal data unless a legal hold or regulatory requirement requires us to keep it for longer.

For queries about our retention practices, or to request deletion of your personal data were permitted by law, please contact our Privacy Officer at hello@teamsourceuk.com.

The table below sets out typical retention periods for the categories of data we process:

Data Category

Typical Retention Period

Purpose / Rationale

Call recordings and metadata

“30 days (default); up to 90 days if required for dispute resolution, legal hold, or client’s contractual instruction”

“Service delivery, record of instructions, dispute resolution”

“Customer enquiries (forms, emails, chat transcripts)”

12 months

Operational support and follow-up

“Billing, invoices, payment records”

7 years (or as required by applicable law)

“Tax, accounting and legal compliance”

Marketing leads and preferences

Until you opt out or request deletion (lists reviewed regularly to remove inactive contacts)

“Marketing communications, lead follow-up”

Backups (Gixo EU Datacentre)

Retained securely for operational continuity and overwritten/deleted in line with internal retention schedules

Service continuity and data recovery

Website analytics (non-identifiable / aggregated)

As required to support analytics / improvements (kept in aggregated or anonymised form where possible)

Service improvement

Security logs and incident records

As needed for security monitoring and incident management

“Fraud prevention, security investigations”

Client data processed on behalf of a client

As set out in the client contract

Processed under client instruction; follows contractual retention terms

YOUR RIGHTS

Under UK and EU data protection legislation, you have a number of rights with respect to your information. These include:

 Right to be informed – to know how and why we use your data (as explained in this Privacy Notice).

 Right of access – to request a copy of the personal data we hold about you.

 Right to rectification – to have inaccurate or incomplete data corrected.

Right to erasure (“right to be forgotten”) – to request deletion of your data where it is no longer needed, consent is withdrawn, or processing is unlawful.

Right to restrict processing – to request that we limit how we use your data in certain circumstances.

Right to data portability – to receive your data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller where technically feasible.

Right to object – to object at any time to processing based on our legitimate interests, including profiling. You also have an absolute right to object to direct marketing.

Right to withdraw consent – where processing is based on your consent (for example, marketing or cookies), you may withdraw it at any time.

 

If you have any questions about the information we hold, how we use it, or how to exercise these rights, please contact us at hello@teamsourceuk.com

COMPLAINTS

If you have any concerns about how we handle your personal data, please contact our Privacy Officer at hello@teamsourceuk.com and we will do our best to resolve the issue.

If you are not satisfied, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). The ICO can be contacted at ico.org.uk/concerns or by phone on 0303 123 1113.

If in future we provide services to customers in the European Union, we will update this notice to include details of the relevant EU supervisory authorities.

SECURITY

We implement robust technical and organizational security measures to protect your personal data. These include encryption in transit and at rest, access controls, firewalls, intrusion detection, regular data backups, and ongoing staff training on data handling.

We use Gixo EU Datacentres to store and back up our call-handling systems. All databases and backups are encrypted, access-controlled, monitored 24/7, and protected with multi-factor authentication.

We conduct periodic security reviews and audits of our systems and sub processors. Our contracts with processors require equivalent protections. We do not disclose detailed security configurations publicly to avoid raising security risks.

CHANGES TO THIS NOTICE

We may update this notice. Material changes will be published on our website and, where appropriate, notified to affected individuals.

AUTOMATED DECISION-MAKING & CHILDREN

We do not carry out automated decision-making that produces legal or similarly significant effects. If this changes, we will notify affected individuals and provide required information about the logic involved. We do not knowingly collect children’s data. If such data is inadvertently collected, we will promptly delete it and take steps to prevent recurrence.

Our services are not directed to children under 16. If we learn that we have collected children’s data without parental consent, we will delete it and, where appropriate, notify the parent/guardian.

COOKIES

To ensure our website works properly and to provide a better browsing experience, we use cookies and similar technologies. A cookie is a small text file placed on your device when you visit our site. Cookies allow us to remember your actions and preferences (such as login, language and display settings) so that you do not need to re-enter them each time you return or move between pages.

TYPES OF COOKIES WE USE

  • Strictly necessary cookies: essential for the operation of our website and services (for example, to remember cookie choices). These do not require your consent.
  • Preference cookies: remember your settings such as display options or whether you have already responded to a survey.
  • Analytics cookies: help us understand how visitors use our site and improve its performance. For example, we use Google Analytics to collect aggregated, anonymous statistics. These cookies are only set with your prior consent.
  • Embedded content cookies: some pages contain embedded videos or third-party content that may set their own cookies, also only placed with your consent.

HOW WE USE COOKIES

We use cookies to:

  • Remember your display preferences (such as contrast and font size).
  • Record if you have responded to a survey or consent pop-up.
  • Save your cookie consent choices.
  • Collect anonymised analytics on how visitors arrive at and use our site, to help us improve it.

YOUR CHOICES AND CONTROL

When you first visit our site, you will see a cookie banner allowing you to accept or decline non-essential cookies. You can also change your preferences at any time using the cookie manager available on our site. If you prefer, you can block or delete cookies via your browser settings; however, some features of the site may not work as intended without them.

We do not use cookies to personally identify you, and we do not use them for purposes other than those described here. Non-essential cookies are disabled by default and will only be placed if you actively consent. Your cookie preferences are recorded and stored for 12 months unless you withdraw them sooner.

For more details about the cookies, we use, their duration and providers, please see our separate Cookie Policy or contact us at hello@teamsourceuk.com

Cookie type

Purpose

Consent required

Lifespan

Strictly necessary

“Site operation (sessions, security)”

No

Session

Analytics

Usage statistics to improve site

Yes (prior consent)

See cookie manager

Marketing

Targeted advertising and tracking

Yes (prior consent)

See cookie manager

HOW TO CONTACT US / REQUEST COPIES

If you have questions, concerns or complaints about our handling of personal data, please contact our Privacy Lead (contact details above). We take all queries seriously and will work with you to address any issues. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). The ICO’s details are available at ico.org.uk/concerns or by telephone at 0303 123 1113.

This Notice may be updated from time to time. Material changes will be communicated via our website. Please refer to our website or contact our Privacy Lead for the most current version.