Last updated: 28 May 2026
This policy explains how Tensile Infrastructure Limited (“we”, “us”) handles personal data. We're a UK limited company and we take the UK GDPR and the Data Protection Act 2018 seriously.
Tensile Infrastructure Limited is the data controller for any personal data we hold.
We do not use cookies, analytics, or tracking scripts on this website. See our Cookies Notice for detail. Our hosting provider (Cloudflare) processes standard server request information — including IP address — purely to deliver the site and protect against abuse. We do not receive or store that information ourselves.
If you email us, we process the information you give us (name, email address, the content of your message, and any company details you share) in order to respond and, if it goes further, to discuss whether we can work together. The lawful basis is Article 6(1)(b) of the UK GDPR — taking steps at your request prior to entering a contract — or 6(1)(f) (legitimate interests in responding to business enquiries) where no contract follows.
We send B2B cold outreach emails to corporate subscribers (UK limited companies, LLPs, and similar) under Regulation 22 of PECR and the legitimate interests basis in Article 6(1)(f) of the UK GDPR. We may use a named business contact where one is publicly available, or an official generic company inbox published by the company. The information we hold is limited to business contact data and company research data gathered from publicly available sources such as the Companies House register and the company's own website.
Every outreach email contains a one-click opt-out and clearly identifies us. If you ask to be removed, we suppress your details promptly and do not contact you again. You can also request removal at any time by emailing [email protected].
If we discuss or run an asset-management pilot, we process the business contact details needed to assess fit, set up the workspace, invite agreed users, provide support, and manage billing. This can include names, business email addresses, job roles, organisation details, workspace membership and support messages.
Asset-management workspaces may also contain client-provided records, such as asset details, site or route information, inspections, jobs, notes, photos, completion evidence and timestamps. Some of that content may include personal data, for example where a staff member is assigned work or appears in a note or image.
We process account, support and billing information under Article 6(1)(b) of the UK GDPR (contract performance), Article 6(1)(f) (legitimate interests in running and supporting the service), and Article 6(1)(c) where legal obligations apply. Where we process asset-management records controlled by the client, we do so as the client's processor under our Data Processing Agreement.
For website modernisation work, we process the information needed to scope and deliver the project: your name, business contact details, billing information, website details, content you provide, and any access you grant to repositories, hosting, DNS, analytics or content systems. This is processed under Article 6(1)(b) (contract performance), Article 6(1)(f) (legitimate interests in delivering and supporting the work), and Article 6(1)(c) where legal obligations apply.
Where we process personal data belonging to your users or staff in the course of website or product work, we do so as your processor under the terms of our Data Processing Agreement. We only act on your documented instructions, and the retention rules in section 4 apply to temporary exports, credentials and working artefacts.
We use a small number of carefully chosen service providers to run the business. Each acts as our processor under a written agreement. They fall into the following categories:
Each provider is either based in the UK or EEA, or relies on UK GDPR transfer mechanisms (the UK Extension to the EU-US Data Privacy Framework, the International Data Transfer Addendum, or Standard Contractual Clauses). We will share the specific identity of any processor on request — email us at the address in section 1.
We do not sell personal data. We do not share it for marketing purposes. We only disclose it to third parties outside the categories above where we are required to do so by law (for example, to HMRC, the Information Commissioner, or a court order).
Under the UK GDPR you have the right to ask us to:
To exercise any of these rights, email [email protected]. We'll respond within one month. We don't charge a fee for reasonable requests.
We take appropriate technical and organisational measures to protect personal data against loss, misuse, and unauthorised access. Where client credentials are required for an engagement, they are stored in a dedicated password manager and are not accepted by plain email. Client systems are accessed over encrypted channels. Hardware is encrypted and password-protected. Access is limited to named personnel on a need-to-know basis. For more detail, see our Security page.
If you're not happy with how we've handled your personal data, please email us first and we'll try to put it right. You also have the right to complain to the Information Commissioner's Office at any time:
We'll update this page if our practices change. The “last updated” date at the top of the page shows when it was last revised. Substantive changes will be communicated to active clients by email.