GDPR Compliance

Our commitment to data protection

General Data Protection Regulation

crispend-io is committed to compliance with the General Data Protection Regulation (GDPR) and UK data protection legislation. We recognise the importance of protecting personal data and ensuring transparency in how we collect, use, and safeguard information.

This page outlines our GDPR compliance measures and explains your rights under this regulation.

Data Controller Information

For the purposes of data protection legislation, crispend-io acts as the data controller for personal information we collect and process.

Our contact details:
crispend-io
42 Kensington Church Street
London, W8 4BX
United Kingdom
Email: [email protected]

Lawful Basis for Processing

GDPR requires that we process personal data only when we have a valid legal basis. We rely on the following lawful bases:

Consent

In certain situations, we ask for your explicit consent before processing specific types of personal data. When we do this, we explain clearly what data we will collect and how we will use it. You have the right to withdraw consent at any time.

Contract

Processing is necessary to perform our contract with you when you book styling services. This includes managing appointments, delivering consultations, and providing follow-up support.

Legal Obligation

We process certain data to comply with legal requirements, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

Legitimate Interests

We process some data based on legitimate business interests, such as improving our services, preventing fraud, or communicating with clients about relevant services. We always balance these interests against your rights and freedoms.

Your GDPR Rights

Under GDPR, you have specific rights regarding your personal data. We respect and facilitate the exercise of these rights:

Right to Access

You can request confirmation of whether we process your personal data and obtain a copy of that data. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month of your request.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you have the right to have it corrected. We will make amendments promptly and notify any third parties to whom we have disclosed the data.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purpose it was collected or if you withdraw consent.

This right is not absolute. We may need to retain certain information to comply with legal obligations or establish legal claims.

Right to Restriction of Processing

You can request that we limit how we use your personal data in specific situations, such as when you contest the accuracy of the data or object to processing. During a restriction period, we will store the data but not actively use it without your consent.

Right to Data Portability

For data you have provided to us, you can request that we transfer it to another service provider in a structured, commonly used, and machine-readable format. This right applies when processing is based on consent or contract and is carried out by automated means.

Right to Object

You can object to processing of your personal data when it is based on legitimate interests or performed for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. We do not currently use automated decision-making processes, but if this changes, we will ensure appropriate safeguards are in place.

How to Exercise Your Rights

To exercise any GDPR rights, send a written request to [email protected]. Please include:

  • Your full name and contact details
  • A description of which right you wish to exercise
  • Any relevant details to help us locate your information
  • Proof of identity (we may request this to prevent unauthorised disclosure)

We will respond to your request within one month. In complex cases, we may extend this by an additional two months, and we will inform you if this is necessary.

Most requests are handled free of charge. However, if a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act on the request.

Data Protection Principles

Our data handling practices adhere to the core GDPR principles:

Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect and how we use it.

Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes. We do not process data in ways incompatible with those purposes.

Data Minimisation

We collect only the personal data that is adequate, relevant, and necessary for the purposes for which it is processed. We do not gather excessive information.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is corrected or deleted promptly.

Storage Limitation

We retain personal data only as long as necessary for the purposes for which it was collected or to comply with legal requirements. After this period, we securely delete or anonymise the data.

Integrity and Confidentiality

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Accountability

We take responsibility for our data protection practices and can demonstrate compliance with GDPR principles through documented policies, procedures, and records.

Data Security Measures

We implement robust security measures to protect personal data:

  • Encryption of data in transit and at rest
  • Access controls ensuring only authorised personnel can access personal data
  • Regular security assessments and updates
  • Staff training on data protection responsibilities
  • Secure disposal of personal data when no longer needed
  • Incident response procedures for data breaches

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay, explaining the nature of the breach and the measures we are taking to address it.

International Data Transfers

We primarily process data within the United Kingdom. When we transfer personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place to protect your data in accordance with GDPR requirements.

These safeguards may include standard contractual clauses approved by the European Commission, adequacy decisions, or other legally recognised transfer mechanisms.

Third-Party Processors

We work with carefully selected third-party service providers who process personal data on our behalf. These processors are contractually required to:

  • Process data only according to our documented instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist us in responding to data subject requests
  • Notify us of any data breaches
  • Delete or return personal data at the end of the service relationship

Children's Data

Our services are not directed at children under sixteen. We do not knowingly process personal data of children. If we become aware that we have collected data from a child without appropriate parental consent, we will delete it immediately.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not handled your personal data in accordance with GDPR.

In the United Kingdom, the relevant supervisory authority is:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: www.ico.org.uk
Telephone: 0303 123 1113

Updates to GDPR Compliance

We regularly review our data protection practices to ensure ongoing compliance with GDPR and evolving legal requirements. Any significant changes will be reflected on this page and in our Privacy Policy.

Questions About GDPR Compliance

If you have questions about our GDPR compliance practices or wish to exercise your rights, please contact us at [email protected].

We are committed to addressing your concerns and ensuring your personal data is handled with the highest standards of care and compliance.