GDPR Compliance Statement
Last updated: 9 April 2026
Our Commitment to Data Protection
shimmer-glade complies with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We are committed to processing your personal information lawfully, fairly, and transparently.
Data Controller Information
For the purposes of data protection law, shimmer-glade is the data controller for personal information we collect through our services and website. You can contact us regarding data protection matters at [email protected].
Legal Basis for Processing
We process personal information based on the following legal grounds:
Contractual Necessity
Processing is necessary to fulfil our contract with you when you book cooking classes or other services. This includes managing your booking, preparing for your session, and providing follow-up materials.
Legitimate Interests
We process certain information based on our legitimate business interests, such as improving our services, maintaining security, and managing our business operations. We balance these interests against your rights and do not process data in ways you would not reasonably expect.
Legal Obligations
Some processing is required to comply with legal requirements, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.
Consent
For certain activities like marketing communications or optional cookies, we rely on your explicit consent. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Your Data Protection Rights
Under GDPR, you have comprehensive rights regarding your personal information:
Right of Access
You can request confirmation of whether we process your personal data and receive a copy of that data. This is commonly known as a Subject Access Request. We will provide this information free of charge within one month of your request.
Right to Rectification
If information we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will make corrections promptly and notify any third parties to whom we have disclosed the information.
Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal information in certain circumstances, such as when it is no longer necessary for the purpose it was collected, when you withdraw consent, or when you object to processing. This right is not absolute and may be limited by our legal obligations to retain certain information.
Right to Restriction of Processing
You can request that we limit how we use your information in specific situations, such as while we verify the accuracy of data you have contested or while we assess whether our legitimate interests override your objection to processing.
Right to Data Portability
You can obtain your personal data in a structured, commonly used, machine-readable format and transmit it to another controller. This applies to information you provided to us where processing is based on consent or contract performance.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. When you object to marketing, we will stop processing your data for that purpose immediately. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. We do not currently use automated decision-making systems, but if this changes, we will inform you and provide information about the logic involved.
Exercising Your Rights
To exercise any of these rights, contact us at [email protected] with your request. Please include sufficient detail to help us understand and verify your identity and the nature of your request.
We will respond to your request within one month. In complex cases or if we receive multiple requests, we may extend this period by two months and will notify you of any delay along with the reasons.
We do not charge a fee for most requests. However, if your request is clearly unfounded, repetitive, or excessive, we may charge a reasonable fee or refuse to act on the request.
Data Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encryption of personal data during transmission and storage.
Access controls limiting who within our organisation can access personal information.
Regular security assessments and updates to our systems.
Staff training on data protection responsibilities.
Secure disposal procedures for information no longer needed.
Data Breach Notification
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will also report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, where required by law.
International Data Transfers
We primarily store and process data within the United Kingdom. If we transfer data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions, to protect your information in accordance with GDPR standards.
Data Protection by Design and Default
We incorporate data protection principles into our business processes and systems from the outset. We collect only the minimum information necessary for our purposes, implement privacy-friendly default settings, and regularly review our data processing activities.
Third-Party Processors
When we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees of appropriate technical and organisational measures. We maintain written contracts with processors that specify their data protection obligations and our rights to audit compliance.
Retention Periods
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including meeting legal, accounting, or reporting requirements. Specific retention periods vary by data type:
Booking and financial records are retained for seven years to comply with tax and accounting regulations.
Customer contact information is kept while you remain an active customer and for three years after your last interaction, unless you request earlier deletion.
Email correspondence is retained for three years.
Website analytics data is retained for two years in anonymised form.
Children's Data
We do not knowingly process personal data of individuals under 16 years of age without parental consent. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
Right to Lodge a Complaint
If you believe we have not handled your personal information in accordance with data protection law, you have the right to lodge a complaint with the supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Updates to This Statement
We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. We will notify you of significant changes through our website or by email where appropriate.
Contact Information
For questions about GDPR compliance or to exercise your data protection rights, contact us at:
shimmer-glade
42 Riverside Quarter
Bristol BS1 4RX
United Kingdom
Email: [email protected]