GDPR compliance
Maintained by BeingEcom. Last updated 2026-07-17. Applies to UK GDPR and, where relevant, EU GDPR obligations.
Who we are
BeingEcom, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, GB. Contact: info@beingecom.com.
Our role
We act as a data controller for personal data you submit to us directly (e.g. contact form). We act as a data processor for personal data you instruct us to process on your behalf as part of a client engagement (e.g. Klaviyo lists, Meta audiences).
Lawful basis
- Contract to deliver services to clients under a signed agreement.
- Legitimate interests to respond to enquiries, run our website and secure our systems.
- Consent for marketing communications and non-essential cookies.
- Legal obligation for tax, accounting and regulatory record-keeping.
Your rights
Under UK/EU GDPR you have the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal data, as well as the right to withdraw consent and to complain to a supervisory authority (ICO in the UK).
How to make a request
Email info@beingecom.com with the subject "Data subject request". Include enough information to identify you and describe the right you're exercising. We respond within one calendar month and will tell you within 5 working days if we need to extend that (permitted under Article 12(3) where a request is complex).
Sub-processors
When we act as your processor, our sub-processors include: cloud hosting providers, email/SMS platforms (Klaviyo, Postscript where in scope), analytics platforms (GA4, Microsoft Clarity), and productivity tools (Google Workspace). A current list is provided in your DPA on request.
International transfers
Where personal data leaves the UK/EEA, we rely on the UK IDTA / EU Standard Contractual Clauses and complete transfer risk assessments where required.
Data Processing Agreement
Every client engagement that involves us processing personal data is covered by a DPA signed at onboarding. We're also happy to counter-sign your DPA if you provide one.
Breach notification
Where we identify a personal data breach, we notify affected controllers without undue delay and, where required, within 72 hours in line with Article 33 GDPR.
Need our DPA or sub-processor list?
Email info@beingecom.com and we'll send the current version.
