GDPR Compliance
The UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) govern how personal data is collected, stored, and used in the United Kingdom. AlwaysOn Booking is committed to full compliance - both in how we operate and in the tools we provide to our clients.
Our platform is powered by GoHighLevel, which is certified under the EU-US Data Privacy Framework (including UK extensions) and maintains ISO 27001 certification.
The seven principles of UK GDPR
- Lawfulness, fairness and transparency - We have a clear legal basis for processing and are open about how we use data.
- Purpose limitation - Data is collected only for specified, explicit purposes.
- Data minimisation - We collect only what is necessary.
- Accuracy - We take reasonable steps to keep data accurate and up to date.
- Storage limitation - Data is not kept longer than necessary.
- Integrity and confidentiality - Appropriate security measures protect all personal data.
- Accountability - We maintain records, policies, and procedures to demonstrate compliance.
Data roles
- Your business (data controller) - decides why and how customer data is collected. Responsible for consent, privacy notices, and customer rights requests.
- AlwaysOn Booking (data processor) - processes client and customer data on your behalf to deliver automation services.
- GoHighLevel / LeadConnector (sub-processor) - the underlying platform that stores and transmits data, subject to GoHighLevel's Data Processing Agreement and security standards.
As a business using AlwaysOn Booking, you act as the data controller for your customers' personal data. You are responsible for ensuring you have an appropriate lawful basis and privacy notices in place.
Legal basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Art. 6(1)(b)) - processing necessary to deliver subscribed services
- Legitimate interests (Art. 6(1)(f)) - transactional communications and service improvement
- Legal obligation (Art. 6(1)(c)) - retaining financial records and regulatory compliance
- Consent (Art. 6(1)(a)) - where required for marketing or non-essential processing
SMS messaging and PECR
Appointment reminders, confirmations, and missed-call text-backs are transactional messages. Explicit opt-in is not required, but customers must be informed at the point of booking that they will receive these messages.
Google review requests fall under the PECR soft opt-in rule - sent to existing customers about the service they received. Recipients can opt out at any time by replying STOP.
Individual rights
Under UK GDPR, individuals have the right to:
- Access - request a copy of personal data held about them
- Rectification - ask for inaccurate data to be corrected
- Erasure - request deletion where there is no longer a lawful basis for processing
- Restriction - limit how their data is used in certain circumstances
- Portability - receive data in a structured, machine-readable format
- Object - object to processing based on legitimate interests or direct marketing
To exercise any right, contact lee@alwaysonbooking.co.uk. We respond within 30 days.
Security measures
- Data encryption in transit (TLS) and at rest
- Role-based access controls
- GoHighLevel ISO 27001 certification
- EU-US Data Privacy Framework compliance
- Incident response and breach notification procedures
In the event of a personal data breach, we will notify the ICO within 72 hours where required, and affected individuals without undue delay.
International data transfers
GoHighLevel is a US-based company. Transfers to the US are covered by GoHighLevel's certification under the EU-US Data Privacy Framework (including UK extension).
Your responsibilities as a client
- Publish a privacy notice explaining how you collect and use customer data
- Inform customers at the point of booking that they will receive SMS or email communications
- Include an opt-out mechanism (e.g. "Reply STOP to opt out") in all automated messages
- Maintain records of consent where required
- Have a process to handle customer rights requests
"By booking an appointment, you agree to receive appointment reminders and follow-up messages via SMS. Reply STOP at any time to opt out."
Contact and complaints
AlwaysOn Booking
Email: lee@alwaysonbooking.co.uk
Website: alwaysonbooking.co.uk
Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113
This page does not constitute legal advice. We recommend consulting a qualified legal professional for advice tailored to your specific circumstances.