GDPR Compliance

Last updated: 15 January 2024

crisp-pursuit Ltd is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about how we comply with these regulations and how you can exercise your rights.

Our Commitment to Data Protection

Data protection is central to how we operate. We handle sensitive financial information as part of our educational services, and we take that responsibility seriously. Our approach is guided by the following principles:

  • Lawfulness, fairness, and transparency: We process data only when we have a valid legal basis and are clear about what we do with it
  • Purpose limitation: We collect data only for specified, explicit purposes and don't use it for incompatible activities
  • Data minimisation: We only collect the data we actually need
  • Accuracy: We take reasonable steps to keep data accurate and up to date
  • Storage limitation: We don't keep data longer than necessary
  • Integrity and confidentiality: We protect data against unauthorised access, loss, or damage
  • Accountability: We can demonstrate compliance with these principles

Data Controller Information

crisp-pursuit Ltd acts as the data controller for personal data collected through our website and services. This means we determine the purposes and means of processing your data.

Data Controller: crisp-pursuit Ltd

Company Number: SC478921

Address: 147 West George Street, Glasgow, G2 2JJ

Data Protection Contact: [email protected]

Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for each processing activity. Here's how we justify the data processing we undertake:

Contractual Necessity

When you engage our services, we process your data to fulfil our agreement with you. This includes:

  • Managing your booking and delivering the service
  • Communicating about your sessions
  • Processing payments
  • Providing follow-up materials and support

Legitimate Interests

We process some data based on our legitimate business interests, balanced against your rights. Examples include:

  • Analysing website usage to improve our services
  • Protecting against fraud
  • Marketing our services to existing clients (with easy opt-out)
  • Maintaining records for business administration

Consent

For certain activities, we rely on your explicit consent:

  • Sending marketing communications to prospective clients
  • Using non-essential cookies
  • Sharing testimonials or case studies (anonymised or attributed)

Legal Obligation

We may process data to comply with legal requirements, such as:

  • Maintaining financial records for tax purposes
  • Responding to lawful requests from authorities
  • Meeting anti-money laundering requirements where applicable

Your Rights Under UK GDPR

UK GDPR grants you specific rights regarding your personal data. Here's what you can do and how to exercise these rights:

Right to Access

You can request a copy of all personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide the information within one month of verifying your identity.

Right to Rectification

If any data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Simply let us know what needs updating.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your data in certain circumstances, such as when the data is no longer necessary or you withdraw consent.

Right to Restrict Processing

You can ask us to limit how we use your data while issues are resolved—for example, if you've contested its accuracy or objected to processing.

Right to Data Portability

Where technically feasible, you can request your data in a structured, commonly used format to transfer to another organisation.

Right to Object

You can object to processing based on legitimate interests or for direct marketing. We will stop processing unless we have compelling legitimate grounds.

Rights Related to Automated Decisions

We do not make decisions based solely on automated processing that have legal or significant effects on you.

Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time. This won't affect the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To make a request regarding any of your data rights, please contact us:

  • Email: [email protected]
  • Post: Data Protection, crisp-pursuit Ltd, 147 West George Street, Glasgow, G2 2JJ

When you contact us, please provide:

  • Your full name and any previous names used with us
  • Your email address (the one you used when engaging with us)
  • A description of the data or rights request you're making

We may need to verify your identity before processing your request. This protects your data from being disclosed to someone pretending to be you.

We aim to respond to all requests within one month. If your request is complex or we receive many requests, we may extend this by up to two additional months, but we'll inform you within the first month if this is necessary.

Data Processors and Third Parties

We use carefully selected third-party services to help operate our business. Where these services process personal data on our behalf, we have appropriate data processing agreements in place.

Categories of processors we use include:

  • Payment processing: Secure card payment handling
  • Email services: Sending communications and managing mailing lists
  • Website hosting: Storing and serving our website
  • Analytics: Understanding website usage patterns
  • Cloud storage: Secure document storage

We only share the minimum data necessary, and all processors are contractually required to handle data in accordance with UK GDPR.

International Data Transfers

Some of our service providers operate outside the United Kingdom. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Transfers to countries with UK adequacy decisions
  • Standard Contractual Clauses approved by the UK ICO
  • Binding Corporate Rules where applicable

You can request details of the safeguards used for any specific transfer by contacting us.

Data Breach Procedures

In the unlikely event of a personal data breach, we have procedures in place to:

  • Detect and contain the breach quickly
  • Assess the risk to individuals' rights and freedoms
  • Notify the Information Commissioner's Office within 72 hours where required
  • Inform affected individuals without undue delay if there's a high risk to their rights
  • Document the breach and our response

Data Protection Impact Assessments

For processing activities that may present high risks to individuals, we conduct Data Protection Impact Assessments (DPIAs). This helps us identify and minimise data protection risks in new projects or changes to existing processes.

Staff Training and Awareness

All our team members receive training on data protection principles and our policies. This training is refreshed regularly and supplemented when regulations or our practices change.

Complaints

If you're unhappy with how we've handled your data, we'd like the opportunity to address your concerns. Please contact us at [email protected].

You also have the right to complain to the supervisory authority:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113

Updates to This Information

We keep our data protection practices under regular review. This page will be updated to reflect any changes in our approach or in the regulatory environment. The "last updated" date at the top indicates when these details were last reviewed.