Data Protection & GDPR Statement

1. Purpose and Scope

Rebasoft Limited (“Rebasoft”, “we”, “us”, or “our”) is committed to protecting personal data and maintaining the highest standards of data protection and privacy.

This statement provides a clear, high-level overview of how Rebasoft manages, protects, and governs personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Privacy and Electronic Communications Regulations (PECR), where applicable

This document applies to all personal data processed by Rebasoft across:

  • Business operations

  • Website usage

  • Service delivery

2. Roles and Responsibilities

Rebasoft operates in clearly defined roles depending on the context of processing.

2.1 Data Controller

Rebasoft acts as a Controller where it determines the purposes and means of processing, including:

  • Website operation and analytics

  • Marketing and communications

  • Business administration and customer management

2.2 Data Processor

Rebasoft acts as a Processor when delivering its platform and services on behalf of customers.

In this context:

  • Processing is governed by the Data Processing Addendum (DPA)

  • Processing occurs only on documented instructions from the Customer

👉 Customers are responsible for ensuring that:

  • Personal data provided is lawful and necessary

  • Data minimisation principles are applied

3. Data Protection Principles (Article 5 UK GDPR)

Rebasoft adheres to the core principles of UK GDPR:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

These principles are embedded into:

  • System design

  • Operational processes

  • Governance frameworks

4. Accountability and Governance (Article 24)

Rebasoft operates a risk-based, accountability-driven approach to data protection.

This includes:

  • Defined policies and control frameworks

  • Management oversight and responsibility

  • Documented processing activities

  • Continuous monitoring and validation of controls

👉 Rebasoft is committed to maintaining defensible evidence of compliance, not just policy-based assurance.

5. Technical and Organisational Measures (Article 32)

Rebasoft implements appropriate technical and organisational measures (“TOMs”) to protect personal data, including:

Security Controls

  • Encryption in transit and at rest (TLS 1.2/1.3, AES-256 or equivalent)

  • Role-Based Access Control (RBAC) and least privilege

  • Strong authentication and identity controls

Operational Controls

  • Audit logging and monitoring

  • Anomaly detection and alerting

  • Segregation of duties

Architectural Controls

  • Secure system design and segmentation

  • Controlled administrative access

These controls ensure the:

  • Confidentiality

  • Integrity

  • Availability

of personal data.

Further details are available upon request, subject to confidentiality obligations.

6. Data Processing Controls

Rebasoft ensures that:

  • Personal data is processed only for defined, lawful purposes

  • Processing is documented and controlled

  • Access is restricted to authorised personnel

  • Safeguards prevent unauthorised access, disclosure, or loss

Where acting as Processor:

  • Controls are contractually defined in the DPA

  • Processing is aligned to Customer instructions

7. Subprocessors

Rebasoft may engage carefully selected Subprocessors.

Rebasoft ensures that all Subprocessors:

  • Are subject to Article 28-compliant agreements

  • Implement appropriate security measures

  • Are assessed and monitored on a risk basis

👉 Rebasoft remains fully accountable for Subprocessor performance.

A current list is available at:
www.rebasoft.net/subprocessors

8. International Data Transfers

Where personal data is transferred outside the UK, Rebasoft ensures appropriate safeguards, including:

  • UK International Data Transfer Agreement (IDTA)

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

All transfers are:

  • Risk assessed

  • Documented

  • Aligned with UK ICO guidance

9. Data Subject Rights

Individuals have the following rights:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Objection

  • Data portability

  • Withdrawal of consent

Requests can be made via:
📧 legal@rebasoft.net

Rebasoft responds within statutory timeframes.

10. Data Retention and Deletion

Rebasoft retains personal data only as necessary to:

  • Deliver services

  • Meet legal or regulatory obligations

  • Fulfil contractual requirements

Data is:

  • Securely deleted

  • Or irreversibly anonymised

when no longer required.

11. Incident Management and Breach Response

Rebasoft maintains formal incident management processes.

In the event of a personal data breach:

  • Incidents are identified and contained promptly

  • Customers are notified without undue delay where required

  • Regulatory obligations are fulfilled in line with UK GDPR

Rebasoft supports Customers in meeting their own reporting obligations.

12. Continuous Improvement

Rebasoft continuously enhances its data protection posture through:

  • Monitoring regulatory developments

  • Improving controls and processes

  • Adapting to emerging threats

  • Ongoing validation of security and compliance measures

13. Related Documents

Privacy Policy: www.rebasoft.net/privacy
Cookie Policy: www.rebasoft.net/cookie-policy
Data Processing Addendum: www.rebasoft.net/data-processing-addendum
Subprocessors: www.rebasoft.net/subprocessors
Security Overview: www.rebasoft.net/security

14. Contact

For all data protection enquiries:

Email: legal@rebasoft.net