Your data. Plainly handled.
What we collect. Why. How long. Who else sees it.
UK-GDPR-compliant privacy notice for Giant Communications Ltd, registered with the ICO (data protection registration number ZB224231). If you want the short version: we collect what's needed to deliver the service, we don't sell anything, and you can exercise every right the regulation gives you in a single email.
Last reviewed. Reviewed at least annually + on any material change.
Version 1.2. Material changes (new third party, new processing purpose) trigger an email notification to active customers; minor edits (typos, link fixes) don't.
The data controller, in writing.
We are the controller for personal data collected via this website and the customer portal. Registered company information below; any privacy question goes to [email protected] and gets answered within 5 working days.
Six categories. Each one accounted for.
Every personal-data category we process, the purpose, the legal basis under UK GDPR Article 6, and how long we keep it. If something isn't on this list, we don't collect it.
| Category | Purpose | Examples | Legal basis | Retention |
|---|---|---|---|---|
| Account information | Service delivery, billing, support | Name, address, email, phone, date of birth, postcode availability check | Contract | Duration of contract + 6 years after termination (HMRC tax obligations) |
| Payment information | Billing, fraud prevention | Direct Debit mandate (bank account), payment history, card-on-file (via processor) | Contract + legal obligation | 6 years after last transaction (HMRC) |
| Network usage | Service delivery, fair-use enforcement, fault diagnosis | Data volume, connection logs (no content), VoIP call records (CDR — number, duration, not content) | Contract + legitimate interest | 12 months for usage logs, 6 years for billing-relevant CDRs |
| Communications with us | Support quality, dispute resolution | Tickets, emails, chat transcripts, recorded calls (where notified) | Legitimate interest + legal obligation | 3 years after issue closed; recorded calls 6 months unless escalated |
| Web analytics (with consent) | Improve giant.net.uk + customer portal | Pages visited, time on page, broad device type, anonymised IP via GA4 + Hotjar | Consent (Google Consent Mode v2) | 26 months in GA4; 365 days in Hotjar |
| Marketing preferences (with consent) | Service updates, optional product news | Email subscription state, contact preferences | Consent (opt-in) | Until you withdraw consent |
Who else touches your data.
We share data only where necessary to deliver the service or comply with the law. Below is every processor + recipient, what they do, and how the international transfer is safeguarded.
| Party | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Openreach + Netomnia + altnet partners | Physical network delivery | UK | No personal data beyond installation requirements |
| Stripe + GoCardless | Payment processing | UK + EU | EEA — adequacy |
| Google (Analytics 4, Ads) | Web analytics, ad measurement | US | EU Standard Contractual Clauses + DPF |
| Hotjar (Contentsquare) | Heatmaps, session recording | Malta + EU | EEA — adequacy |
| Ookla | Speed test infrastructure | US | SCCs + DPF, no PII transmitted |
| Trustpilot | Customer reviews + ratings | Denmark | EEA — adequacy |
| Cloudflare | CDN, DDoS protection | US + global | SCCs + DPF, edge-cached static assets |
| AWS / Microsoft Azure | Application hosting + databases | UK + EU | EEA — adequacy (UK + IE regions) |
| HMRC, Ofcom, ICO, law enforcement | Legal obligations | UK | Statutory disclosure only when required |
We do not sell personal data. We do not share data with advertisers beyond the aggregated audience-size metrics that Google Consent Mode v2 reports when you've granted analytics consent. Cookies and the analytics stack are listed in full at /legal/cookies.
Six rights. One email to exercise any of them.
Under UK GDPR you have specific rights over the personal data we hold. Email [email protected] with the right you want to exercise and we'll respond within 30 calendar days (extendable to 90 only in complex cases, with notice).
Access
Get a copy of the personal data we hold about you. Free, within 30 days, identity verification required.
Rectification
Correct inaccurate data. Email or via the portal — most fields are self-serve.
Erasure
Be forgotten where lawful (not where we have a legal obligation to retain, e.g. tax records for 6 years).
Restriction
Pause processing while a complaint or accuracy issue is resolved.
Portability
Export your data in a machine-readable format. Use for switching to another carrier.
Object
Object to processing based on legitimate interest. We'll stop unless we have compelling reasons that override your interests.
How to exercise a right
Email [email protected] with: (a) which right you're exercising, (b) the account or email associated with the data, (c) any specific scope. We'll verify your identity, then process the request. Free of charge, within 30 days, no questions asked beyond the verification step.
How we keep your data safe.
Technical and organisational measures we have in place to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Encryption in transit
TLS 1.2+ for all customer-facing endpoints. HSTS preloaded. Internal services on mTLS where applicable.
Encryption at rest
AES-256 on all customer databases. KMS-managed keys, rotated annually. Backups encrypted and geo-redundant.
ISO 27001 infrastructure
Our hosting partners (AWS, Azure UK regions) are ISO 27001 certified. We map our controls to the same framework.
Access on least-privilege
Staff access to customer data is role-scoped and audit-logged. MFA mandatory. Access reviews quarterly.
72-hour breach reporting
Any personal data breach with a likely risk to individuals is reported to the ICO within 72 hours, and to affected individuals without undue delay.
Retention limits
Data deleted on schedule per retention column above. No 'keep forever just in case'.
Unhappy?
Two routes.
First, try us. Email [email protected] — we acknowledge within 1 working day, response within 30 days. Most data concerns clear up in that one round.
Not resolved? Lodge a complaint with the Information Commissioner's Office (ICO) — it's free, doesn't require legal representation, and the ICO will tell us if they think we've got it wrong.
How we'll tell you if anything changes.
- Material changes — new third-party processor, new processing purpose, change of legal basis: notified to active customers by email at least 30 days in advance.
- Non-material changes — typos, link fixes, clarifications: updated on this page, no email. Version number + last-reviewed date at the top of the page reflect the change.
- Version history: available on request — email [email protected].
Questions? Real human, 5 working days.
Privacy queries go to [email protected]. Other queries to support. Either way you get a real human who knows the answer or can find it.
