Privacy Policy
V10 - Updated: 15 April 2026
Overview
This policy applies to information we, Lemon Business Solutions, collect about individuals who use our services and our website.
Your privacy is important to us and we are committed to keeping your information secure and managing it in accordance with our legal responsibilities under applicable data protection laws. We are registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number Z3522971.
Under UK data protection law, including the UK GDPR, Data Protection Act 2018, and the Data (Use and Access) Act 2025, we are classified as the Data Controller and the individual whose data we have collected is known as the Data Subject.
If you require any further information, you can contact the Compliance department directly at compliance@no-sour-business.co.uk or post to Compliance Department, Lemon Business Solutions Ltd, Unit 1 Lockheed Court, Preston Farm Business Park, Stockton-on-Tees, TS18 3SH. Telephone queries can be made to: 0800 612 7595
In this Privacy Policy the terms, 'we' or 'us' is Lemon Business Solutions Ltd.
Please read this Privacy Policy carefully as it contains important information to help you understand how and why we process any personal information that you give to us.
Policy Statement
What types of information do we collect?
When you enquire about our services, or use our services, we may collect and process personal data including your full name, email address, job title, telephone number, company name, company address, company website, social media profiles, IP address, and any other information necessary to provide and manage our services or that is shared with us during our business relationship.
We automatically collect certain technical information when you use our website, including your IP address, browser type, device type, operating system, approximate geographic location, and information about how you interact with our website. This information is collected through cookies, analytics tools, and server logs to help us improve website performance, understand visitor behaviour, and maintain security.
Where we provide services on behalf of our clients, we may also process personal data relating to their customers, such as names, postal addresses, email addresses, telephone numbers, and any other personal information disclosed during the course of service delivery.
For personal data relating to our own business contacts, website users, and prospective clients, Lemon Business Solutions Ltd acts as the data controller, determining how and why that personal data is processed. Where we process personal data on behalf of our clients as part of delivering outsourced contact centre or business support services, we act as the data processor, processing such data only in accordance with our clients’ instructions and applicable contractual obligations.
Special Categories of Personal Data
Special category personal data includes particularly sensitive information such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning a person’s sex life or sexual orientation.
We only process special category personal data where it is necessary and lawful to do so, including where:
- the individual has explicitly made such information available during communications with us;
- the processing is necessary for the provision of services requested by our clients;
- the processing is required to comply with legal or regulatory obligations; or
- another condition under Article 9 UK GDPR applies.
Where we act as a data processor, we process special category personal data solely on the documented instructions of our client, who remains responsible for determining the lawful basis for such processing.
Where we act as a data controller, we ensure that any processing of special category personal data is limited to what is necessary, proportionate, and supported by an appropriate lawful condition.
We apply enhanced safeguards to protect special category personal data and seek to minimise the collection, access, and retention of such data wherever possible.
How we use your information
We use personal data for a range of purposes connected with the delivery of our business process outsourcing and contact centre services, including providing our services to clients, managing and servicing customer accounts, and supporting our day-to-day business operations.
We will only process personal data where we have a valid lawful basis to do so under UK data protection law, including where processing is necessary for the performance of a contract, to comply with a legal obligation, where we have a legitimate interest that is not overridden by individuals’ rights, or where consent has been obtained where required. The table below explains the purposes for which we process personal data and the lawful basis relied upon in each case.
Purpose |
Categories of Personal Data |
Lawful Basis |
Special Category Condition |
To respond to enquiries and provide information about our services |
Name, company details, email, telephone number, enquiry details |
Legitimate interests – responding to business enquiries and promoting our services |
Not usually applicable |
To assess client requirements and provide quotations or proposals |
Contact details, company details, service requirements |
Required action prior to entering into a contract |
Not usually applicable |
To provide outsourced contact centre and BPO services to clients |
Client contact data, customer contact data, communications records, service interaction data |
Necessary for performance of contract; where acting for clients, processing is carried out under client instructions as processor |
Where applicable: Article 9 condition determined by client as controller |
To administer and manage client accounts |
Contact details, account records, billing details, contract records |
Necessary for performance of contract; legitimate interests in managing business relationships |
Not usually applicable |
To handle customer and client communications, including telephone calls, email, SMS, WhatsApp, and web messaging |
Names, phone numbers, email addresses, message content, call recordings |
Necessary for performance of contract; legitimate interests in delivering and managing services |
Where special category data arises incidentally: Article 9(2)(f) or other applicable condition |
To record and monitor calls for quality assurance, training, compliance, and dispute resolution |
Call recordings, voice data, interaction notes |
Legitimate interests in quality assurance, staff training, compliance and service improvement |
Where special category data is incidentally disclosed: Article 9 condition as applicable |
To manage complaints, disputes, and service issues |
Contact details, complaint records, correspondence |
Legitimate interests in resolving complaints and protecting business interests |
Where applicable: legal claims condition |
To verify identity where necessary |
Identification details, contact details |
Legal obligation where required by law, or legitimate interests in fraud prevention and security |
Not usually applicable |
To comply with legal and regulatory obligations |
Identification data, financial records, audit logs, correspondence |
Compliance with legal obligations |
Where required by law and applicable Article 9 condition |
To maintain website security and performance |
IP address, browser type, device information, server logs |
Legitimate interests in securing and maintaining website integrity |
Not applicable |
To analyse website usage and improve website functionality |
IP address, cookie identifiers, usage analytics data, approximate geographic location |
Consent (for non-essential cookies); legitimate interests for essential technical functionality |
Not applicable |
To send marketing communications about our services |
Name, email address, company details, communication preferences |
Consent where required; legitimate interests for existing business relationships where PECR soft opt-in applies |
Not applicable |
To manage recruitment and employment applications |
CVs, employment history, qualifications, references |
Legitimate interests in recruitment; steps prior to entering employment contract |
Where special category data is included: employment law obligations / Article 9(2)(b) |
To train staff and improve internal processes |
Employee records, call samples, training assessments |
Legitimate interests in workforce development and service quality |
Where applicable: employment law condition |
To protect against fraud, misuse, and unlawful activity |
System logs, IP addresses, communications data |
Legitimate interests in fraud prevention and protecting business operations |
Not usually applicable |
To retain records for audit, legal defence, and business continuity |
Account records, communications records, contracts, logs |
Legal obligation and legitimate interests in legal protection and continuity |
Where applicable: legal claims condition |
How we retain your personal information
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to meet contractual, legal, regulatory, accounting, and operational requirements. When personal data is no longer required, we will securely delete, anonymise, or otherwise dispose of it in accordance with our retention and destruction procedures.
Retention periods may vary depending on the type of data, the nature of the service provided, and any legal or contractual obligations that apply. In some circumstances, we may retain data for longer where required to establish, exercise, or defend legal claims, comply with legal obligations, or resolve disputes.
Type of personal information |
Retention Period |
Client and business contact personal data (including names, contact details, account and contractual records) |
Up to 3 years after the end of the business relationship, unless a longer period is required by law or contract |
General personal data relating to client customers collected during service interactions |
Normally retained for 6 months unless otherwise instructed by the client or required by contractual or legal obligations |
Service interaction details (including: call recordings, message details) |
Normally retained for 6 months unless a longer retention period is required for contractual, regulatory, training, compliance, complaint handling, or legal purposes |
Special category personal data relating to client customers collected during service interactions |
Retained only where necessary and normally for no longer than 6 months unless a longer period is required by law, client instruction, or legal claims handling |
Website analytics and cookie-related data |
Retained in accordance with applicable cookie durations and our cookie settings. Further details referenced within Cookie Policy. |
Complaint, dispute, and legal claim records |
Retained for as long as necessary to resolve the matter and for any applicable legal limitation period |
Where we act as a data processor on behalf of clients, retention periods may also be determined by the relevant client as data controller, in accordance with their instructions and contractual arrangements.
We regularly review the personal data we hold to ensure it is not kept longer than necessary.
How we share your information
Lemon Business Solutions may share personal data with carefully selected third-party service providers and suppliers who support the delivery, operation, and improvement of our services. These may include providers of IT infrastructure, cloud hosting, telecommunications platforms, contact centre technology, data storage, software systems, professional advisers, and marketing support services.
We only share personal data where it is necessary for a legitimate business purpose, to fulfil our contractual obligations, or to comply with legal and regulatory requirements. All third parties who process personal data on our behalf are required to:
- process personal data only on our documented instructions;
- use appropriate technical and organisational security measures;
- keep personal data confidential; and
- comply with applicable UK data protection laws.
We ensure that any sharing of personal data is limited to the minimum information necessary for the relevant purpose and is carried out securely and proportionately.
Where we act as a data processor on behalf of our clients, we only share personal data with authorised sub-processors or third parties in accordance with our clients’ instructions and contractual arrangements.
We may also disclose personal data where required to do so by law, regulation, court order, or competent authority.
A list of current sub-processors may be provided on request.
Information Security
We take the security of personal data seriously and implement appropriate technical and organisational measures to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, misuse, or access.
These measures include, where appropriate:
- secure access controls and user authentication;
- encryption and secure transmission technologies;
- network and system monitoring;
- restricted access to personal data on a need-to-know basis;
- regular security reviews, updates, and risk assessments; and
- staff training on data protection, confidentiality, and information security responsibilities.
We maintain security procedures designed to safeguard the confidentiality, integrity, and availability of the personal data we process, taking into account the nature of the data and the risks involved.
While we take all reasonable steps to protect personal data, no method of transmission over the internet or electronic storage is completely secure. Accordingly, although we strive to use commercially and industry-appropriate safeguards, we cannot guarantee absolute security where factors are outside our reasonable control.
Where we use third-party service providers to store or process personal data, we require them to maintain equivalent security standards under contractual and regulatory obligations.
Updates
We keep this Privacy Policy under regular review to ensure it remains accurate and reflects changes in legal, regulatory, operational, and business requirements.
We may update this Privacy Policy from time to time where necessary to reflect:
- changes in applicable law or regulatory guidance;
- changes to our services, systems, or processing activities; or
- improvements to clarity, transparency, or data protection practices.
Where changes are minor and do not materially affect your rights or our obligations, the updated version will be published on our website and will take effect from the date shown at the top of the policy.
Where changes are material, we will notify affected clients by appropriate means, such as email notification, account communication, or written notice under the terms of our contract.
The most current version of this Privacy Policy will always be available on our website, and continued use of our services after notification of any updates will constitute acceptance of the revised version, unless otherwise agreed in writing.
Links
Where our website contains links to third-party websites or external resources, these sites operate independently and are not controlled by us. This Privacy Policy applies only to personal data collected through our own website and services and does not extend to third-party websites.
We are not responsible for the privacy practices, content, or security of external websites, and we encourage you to review the privacy policies of any third-party sites you visit before providing personal data.
Cookies and Similar Tracking Technologies
Our website uses cookies and similar tracking technologies to ensure the website functions properly, improve performance, analyse visitor behaviour, and support certain features and marketing activities.
For full details of the cookies we use, including cookie types, purposes, retention periods, and how to manage your preferences, please refer to our separate Cookie Policy, available on our website.
International Transfers
In the course of providing our services, personal data may be transferred to, stored in, or accessed from countries outside the United Kingdom where our service providers, systems, or authorised sub-processors operate.
Where personal data is transferred outside the UK, we will ensure that appropriate safeguards are in place to protect that data in accordance with UK data protection law. These safeguards may include:
- transferring personal data to countries that have been recognised by the UK government as providing an adequate level of data protection;
- using the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses;
- implementing other lawful transfer mechanisms permitted under applicable law.
Where we act as a data processor on behalf of clients, any international transfers of personal data will be carried out only in accordance with our clients’ instructions, contractual obligations, and applicable legal requirements.
We take reasonable steps to ensure that any overseas recipients of personal data apply appropriate technical and organisational security measures to protect personal data to standards equivalent to those required in the UK.
Your Rights
You have a number of rights in relation to your personal data under UK data protection law.
These rights include the right to:
- request access to the personal data we hold about you (commonly known as a Data Subject Access Request or “DSAR”);
- receive a copy of your personal data and information about how we use it;
- request correction of inaccurate or incomplete personal data;
- request deletion of your personal data in certain circumstances;
- request restriction of processing where applicable;
- object to processing carried out on the basis of legitimate interests;
- request transfer of your personal data to another organisation, where technically feasible;
- withdraw consent at any time where processing is based on consent (this will not affect the lawfulness of processing carried out before withdrawal).
If you wish to exercise any of these rights, including making a Data Subject Access Request, please contact us in writing using the contact details for our Compliance Department within this document.
We may ask you to verify your identity before responding to a request, to ensure that personal data is not disclosed to anyone who is not entitled to receive it.
We will respond to valid requests without undue delay and, in most cases, within one month of receipt. In certain circumstances, where requests are complex or numerous, this period may be extended in accordance with applicable law.
Please note that some rights are not absolute and may be subject to exemptions or limitations where permitted under applicable data protection legislation.
Complaints Process
If you have a complaint about how we have handled your personal information you may contact us using the details for our Compliance Department within this document and we will investigate your complaint. You also have the right to complain to the Information Commissioner’s Office at www.ico.org.uk, which regulates the processing of personal data.