Whisky & White Paper | Last updated: April 2026


Charlie Holdstock trading as Whisky & White Paper (“we”, “our”, “us”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you interact with our website, services, and communications.
We are the data controller for the personal data we collect and process as described in this policy. Where we engage third-party tools to deliver our services, those tools act as data processors on our behalf.

1. Who we are
Charlie Holdstock trading as Whisky & White Paper is a sole trader business providing operations management and business support services, registered in the United Kingdom.
Contact: hello@whiskyandwhitepaper.com

2. Data we collect
We may collect and process the following categories of personal data:

• Identity data: name and business name.
• Contact data: email address and phone number (if provided).
• Booking information: call type, date, and time (collected via TidyCal).
• Enquiry data: information you provide when submitting a retainer enquiry or contact form, including details about your business and operational needs.
• Communication data: emails and messages exchanged with us.
• Payment and financial data: billing name, address, and transaction records (via Stripe or Xero). We do not store card details directly.
• Technical data: IP address, browser type, device information, and cookies (collected automatically when you visit our website).

3. How we collect your data
We collect personal data in the following ways:

• Directly: when you contact us via our website contact form, submit a retainer enquiry form, book a call, or become a client.
• Automatically: through cookies and similar technologies when you visit our website. See our Cookie Policy for full details.
• Via third-party tools: we use a number of tools to deliver our services. These are listed in full in Section 6 below.

4. Why we use your data (lawful basis)
We process personal data only where we have a lawful basis to do so. Below is a summary of our purposes and the lawful basis we rely on for each.

Responding to enquiries and contact form submissions
Lawful basis: Legitimate interest
We have a legitimate interest in responding to people who contact us.

Providing and managing services
Lawful basis: Contract
Processing is necessary to perform the contract we have with you.

Processing payments and maintaining financial records
Lawful basis: Legal obligation and contract
We are required to keep financial records and process payments under our contract with you.

Maintaining client records
Lawful basis: Legitimate interest
We have a legitimate interest in maintaining accurate records of our working relationships.

Sending relevant updates, resources, or marketing communications
Lawful basis: Consent
We will only send marketing communications where you have given your consent. You may withdraw consent at any time.

Improving our website and services
Lawful basis: Legitimate interest
We have a legitimate interest in understanding how our website is used and in improving our services.

5. Data retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, and in accordance with applicable legal, accounting, or reporting requirements.

• Client records are typically retained for up to 7 years following the end of the client relationship, in line with UK accounting and tax requirements.
• Enquiry data from non-clients is retained only as long as reasonably necessary to respond to the enquiry, unless a client relationship is formed.
• Cookie and technical data is retained in accordance with our Cookie Policy.

6. Third-party processors and international transfers
We use a number of trusted third-party tools to deliver our services. Where these tools process personal data on our behalf, they act as data processors. Some of these tools are based outside the United Kingdom, which means your personal data may be transferred internationally.
We are required under UK GDPR to ensure that appropriate safeguards are in place for any international transfers. The details below set out each tool we use, what it is used for, where data is held, and the transfer mechanism in place.

FormRobin
Purpose: Retainer enquiry forms
Data location: United States (AWS us-west-2)
Transfer mechanism: No published UK IDTA or EU SCCs confirmed. Transfer disclosed on the basis of contractual necessity. Under review.
Privacy policy: formrobin.com/privacy

Showit
Purpose: Website hosting and general contact form
Data location: United States
Transfer mechanism: UK GDPR acknowledged in Showit privacy policy. Transfer basis under review.
Privacy policy: showit.com/privacy

TidyCal
Purpose: Scheduling and call booking
Data location: United States
Transfer mechanism: EU Standard Contractual Clauses (SCCs) only. No UK IDTA in place. UK documentation under review.
Privacy policy: tidycal.com/privacy

SuiteDash
Purpose: Client portal, invoicing, and e-signatures
Data location: United States
Transfer mechanism: Standard contractual clauses. See SuiteDash privacy policy for details.
Privacy policy: suitedash.com/privacy-policy

Microsoft 365 / Outlook / OneDrive
Purpose: Email communication and file storage
Data location: UK and EU (Microsoft data centres)
Transfer mechanism: EU adequacy decision applies. Microsoft Data Protection Addendum in place.
Privacy policy: microsoft.com/privacy

Google Drive
Purpose: File storage (limited client documents)
Data location: United States and EU (Google infrastructure)
Transfer mechanism: EU Standard Contractual Clauses and UK adequacy decision.
Privacy policy: policies.google.com/privacy

Stripe
Purpose: Payment processing
Data location: United States and EU
Transfer mechanism: EU Standard Contractual Clauses and UK IDTA addendum in place.
Privacy policy: stripe.com/privacy

Xero
Purpose: Accounting and invoicing records
Data location: United States, New Zealand and EU
Transfer mechanism: Standard contractual clauses. See Xero privacy policy for details.
Privacy policy: xero.com/uk/legal/privacy

Bitwarden
Purpose: Secure credential storage
Data location: United States (AWS)
Transfer mechanism: EU Standard Contractual Clauses in place. See Bitwarden privacy policy.
Privacy policy: bitwarden.com/privacy

Cookiebot (Usercentrics)
Purpose: Cookie consent management
Data location: EU (Denmark and Germany)
Transfer mechanism: No transfer outside UK or EU. EU adequacy applies.
Privacy policy: usercentrics.com/privacy-policy

Where a transfer mechanism is noted as under review, we are actively working to confirm or put in place appropriate UK GDPR-compliant documentation. In the meantime, we minimise the personal data shared with these processors and ensure it is handled appropriately under their own privacy policies.
We do not sell or rent personal data to any third party. We do not share personal data with any party other than those listed above, except where required by law.

7. AI-assisted tools
We may use AI-assisted tools to support the delivery of our services. We do not input client confidential information into publicly accessible AI tools in a way that could expose it. Where AI tools process personal data, appropriate safeguards are in place in accordance with the tool provider’s privacy policy and our own data handling procedures.

8. Cookies
Our website uses cookies and similar technologies. Cookie consent is managed through Cookiebot, and non-essential cookies are not placed before you have given your consent.
Full details of the cookies we use, their purposes, and how to manage your preferences are set out in our Cookie Policy, available on our website.

9. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access: you may request a copy of the personal data we hold about you.
• Right to rectification: you may request that we correct inaccurate or incomplete data.
• Right to erasure: you may request that we delete your personal data in certain circumstances.
• Right to restrict processing: you may request that we limit how we use your data in certain circumstances.
• Right to data portability: you may request that we transfer your data to you or another organisation in certain circumstances.
• Right to object: you may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: where we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at hello@whiskyandwhitepaper.com. We will respond within one calendar month of receiving your request.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

10. Data security
We apply appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, or alteration. These include:

• Secure cloud-based storage via the third-party tools listed in Section 6.
• Password management via Bitwarden.
• Device encryption enabled on business devices.
• Access controls limiting who can access personal data.

No method of transmission or storage is completely secure. If you have concerns about the security of your data, please contact us at hello@whiskyandwhitepaper.com.

11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, tools, or legal obligations. The latest version will always be published on our website with the date of the most recent revision noted at the top of this page.
Where changes are material, we will take reasonable steps to notify existing clients directly. We encourage you to review this page periodically.

12. Contact
If you have any questions about this Privacy Policy or how we handle your personal data, please contact:

Charlie Holdstock trading as Whisky & White Paper
Email: hello@whiskyandwhitepaper.com

