GDPR Compliance
Last updated: 17 April 2026
Our Commitment to Data Protection
Velvet Glimmer is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal information and have implemented comprehensive measures to ensure your data rights are respected at all times.
Data Controller Information
For the purposes of UK data protection legislation, the data controller is:
Velvet Glimmer Financial Education
42 Clifton Heights
Bristol BS8 4HJ
United Kingdom
Email: [email protected]
Your Data Protection Rights
Under UK GDPR, you have the following rights concerning your personal data:
1. Right of Access (Article 15)
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to receive a copy of that data along with information about how it is being used.
How to exercise: Submit a Subject Access Request by emailing [email protected] with "Subject Access Request" in the subject line. Please provide sufficient detail to help us locate your information.
Response time: We will respond within one month of receiving your request. In complex cases, this may be extended by an additional two months, and we will inform you of any extension.
2. Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data we hold about you.
How to exercise: Contact us at [email protected] specifying which information requires correction and providing accurate details.
Response time: We will make corrections within one month and notify you once complete.
3. Right to Erasure / Right to be Forgotten (Article 17)
You can request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Limitations: This right does not apply where we are legally required to retain records, such as financial documentation required by law to be kept for seven years.
How to exercise: Email [email protected] with your erasure request, explaining the grounds on which you are making the request.
4. Right to Restriction of Processing (Article 18)
You can request that we limit how we use your personal data in specific situations:
- You contest the accuracy of the data (restriction applies while we verify accuracy)
- Processing is unlawful but you prefer restriction to erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing (restriction applies while we verify our legitimate grounds)
How to exercise: Contact [email protected] outlining the circumstances that warrant restriction.
5. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller where:
- Processing is based on consent or contract, and
- Processing is carried out by automated means
How to exercise: Email [email protected] requesting data portability. We will provide your data in CSV or JSON format, or transfer it directly to another service provider if technically feasible.
6. Right to Object (Article 21)
You can object to processing of your personal data where:
- Processing is based on legitimate interests or public interest
- Data is used for direct marketing purposes (we will stop immediately)
- Data is used for research or statistical purposes
How to exercise: Contact [email protected] stating your objection. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
7. Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significant effects.
Note: Velvet Glimmer does not engage in automated decision-making or profiling that produces legal or similarly significant effects.
8. Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
How to exercise: Email [email protected] or adjust your cookie preferences via our cookie settings.
How We Process Your Data
Lawful Bases for Processing
We process personal data only when we have a lawful basis under UK GDPR:
Consent (Article 6(1)(a))
We obtain your explicit consent for certain processing activities, such as non-essential cookies. You can withdraw consent at any time.
Contractual Necessity (Article 6(1)(b))
Processing is necessary to deliver the consultation services you have requested or to take steps at your request before entering into a contract.
Legal Obligation (Article 6(1)(c))
We process data to comply with legal requirements, such as maintaining financial records as mandated by UK law.
Legitimate Interests (Article 6(1)(f))
We have legitimate interests in operating our business efficiently, improving our services, and communicating with clients, provided this does not override your fundamental rights and freedoms.
Data Minimisation
We collect only the personal data necessary for the specific purposes outlined in our Privacy Policy. We do not retain data longer than required.
Accuracy
We take reasonable steps to ensure personal data is accurate and up to date. You can request corrections at any time.
Storage Limitation
We retain personal data only as long as necessary for the purposes for which it was collected or to comply with legal obligations. See our Privacy Policy for specific retention periods.
Data Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage:
- Encryption of data in transit using SSL/TLS protocols
- Secure access controls with role-based permissions
- Regular security audits and vulnerability assessments
- Staff training on data protection and confidentiality
- Secure disposal procedures for data that is no longer required
- Incident response procedures to address potential data breaches
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Provide clear information about the nature of the breach and steps being taken to address it
Third-Party Processing
Where we engage third-party service providers to process personal data on our behalf, we ensure:
- Written contracts are in place with data processing clauses that meet UK GDPR requirements
- Processors provide sufficient guarantees of appropriate technical and organisational measures
- Processors only process data according to our documented instructions
- Processor compliance with data protection obligations is reviewed regularly
International Data Transfers
Your personal data is primarily stored and processed within the United Kingdom. Where we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the ICO
- Adequacy decisions recognising the recipient country's data protection standards
- Additional security measures to protect data during transfer
Children's Data
Our services are not directed at children under 18, and we do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.
Making a Complaint
We are committed to resolving any concerns about how we handle your personal data. If you are dissatisfied with our response to your request or believe we are not processing your data in accordance with UK GDPR, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: velvet-glimmer.com
Exercising Your Rights
To exercise any of the rights outlined above, or if you have questions about our GDPR compliance:
Email: [email protected]
Subject Line: Include "GDPR Request" or the specific right you wish to exercise
Include: Your full name, contact details, and sufficient information to verify your identity
We will respond to requests within one month. For complex requests, we may extend this by an additional two months and will inform you of the extension and reasons for the delay.
There is no fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
Updates to GDPR Compliance
We regularly review our data protection practices to ensure ongoing compliance with UK GDPR. This page will be updated to reflect any changes in our approach or legal obligations. The "Last updated" date at the top indicates when the most recent changes were made.
Further Information
For additional details about how we collect and use your personal information, please refer to our comprehensive Privacy Policy.