GDPR Compliance Statement

Last updated: 14 May 2026

Our Commitment to GDPR

quiet-gleam is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities seriously and have implemented comprehensive measures to protect your personal data.

Data Controller Information

For the purposes of UK GDPR, quiet-gleam is the data controller responsible for your personal information.

Contact details:
Email: [email protected]
Address: 27 Beaumont Street, Oxford, OX1 2NP, United Kingdom

Lawful Basis for Processing

We process personal data under the following lawful bases as defined by UK GDPR:

Contract (Article 6(1)(b))

Processing is necessary to perform our contract with you when you enrol in our financial education programmes. This includes:

• Managing programme bookings and attendance
• Delivering educational services
• Processing payments
• Providing customer support

Legitimate Interests (Article 6(1)(f))

We process data based on our legitimate business interests, ensuring these don't override your rights:

• Operating and improving our educational services
• Maintaining records for safeguarding purposes
• Responding to enquiries and communications
• Fraud prevention and security

Consent (Article 6(1)(a))

Where we send marketing communications, we do so based on your freely given, specific consent. You can withdraw consent at any time.

Legal Obligation (Article 6(1)(c))

We process certain data to comply with legal requirements, including:

• Tax and accounting obligations
• Safeguarding requirements for working with children
• Responding to lawful requests from authorities

Your Rights Under UK GDPR

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. We will update our records promptly.

Right to Erasure (Article 17)

You may request deletion of your personal data where:

• It's no longer necessary for the purposes collected
• You withdraw consent (where processing is based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: This right is not absolute. We may need to retain certain data to comply with legal obligations or for safeguarding purposes.

Right to Restrict Processing (Article 18)

You can request we limit how we use your data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

How to Exercise Your Rights

To exercise any of your GDPR rights, contact us at [email protected]. Please include:

• Your full name and contact details
• Details of your request
• Proof of identity (if required for security purposes)

We will respond to requests within one month. In complex cases, this may be extended by two additional months, and we will inform you of any extension.

Data Protection Measures

Technical Measures

• Encryption of data in transit and at rest
• Secure authentication and access controls
• Regular security testing and vulnerability assessments
• Secure backup and disaster recovery procedures

Organisational Measures

• Staff training on data protection principles
• Clear data processing procedures and policies
• Data protection impact assessments for high-risk processing
• Vendor management and third-party agreements

Data Retention

We retain personal data only as long as necessary for the purposes collected or as required by law:

• Programme enrolment records: 7 years (safeguarding requirements)
• Financial records: 7 years (tax and accounting obligations)
• Marketing consent: Until consent is withdrawn or contact becomes inactive
• Website analytics: 26 months

Data Breaches

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office within 72 hours
• Inform affected individuals without undue delay
• Take immediate steps to contain and remediate the breach
• Document the breach and our response

Third-Party Processing

When we engage third-party service providers to process personal data on our behalf, we ensure:

• Written contracts are in place with data processing terms
• Processors provide sufficient guarantees of compliance
• Only necessary data is shared
• Regular monitoring and auditing of processor activities

International Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Adequacy decisions by the UK government
• Standard contractual clauses approved by the ICO
• Binding corporate rules

Children's Data

While our services are for children and teenagers, we collect personal information from parents and guardians. We do not process personal data directly from children under 16 without verified parental consent, in accordance with UK GDPR requirements.

Updates to This Statement

We review and update this GDPR compliance statement regularly to ensure ongoing compliance with data protection law. Material changes will be communicated via our website.

Complaints and Concerns

If you have concerns about how we handle your personal data, please contact us first at [email protected]. We take all complaints seriously and will investigate promptly.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Further Information

For more details about how we collect, use, and protect your personal data, please refer to our Privacy Policy.