GDPR Compliance

Last updated: 21 May 2026

Our Commitment to Data Protection

shiny-sprocket is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This page outlines our approach to data protection and your rights under these regulations.

Data Controller

For the purposes of GDPR, shiny-sprocket is the data controller responsible for your personal data. Our contact details are:

shiny-sprocket
47 Thornbury Lane
Bristol BS7 8NQ
United Kingdom
Email: [email protected]

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: When you have given explicit consent for us to process your data for specific purposes (e.g., marketing communications)
  • Contractual Necessity: When processing is necessary for the performance of a contract with you
  • Legal Obligation: When we must process your data to comply with legal requirements
  • Legitimate Interests: When processing is necessary for our legitimate business interests, provided these do not override your rights

Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

1. Right to Access

You have the right to request access to the personal data we hold about you. We will provide you with a copy of your data in a commonly used electronic format.

2. Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

3. Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data when:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

4. Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain circumstances.

5. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller.

6. Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis for processing.

7. Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time.

8. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: [email protected]
  • Post: Data Protection Officer, shiny-sprocket, 47 Thornbury Lane, Bristol BS7 8NQ, United Kingdom

We will respond to your request within one month of receipt. In complex cases, this may be extended by up to two additional months, and we will inform you of any such extension.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication procedures
  • Staff training on data protection
  • Secure data storage and backup systems
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay, and in any case within 72 hours of becoming aware of the breach.

International Data Transfers

We primarily store and process your data within the United Kingdom and European Economic Area. If we need to transfer your data outside these regions, we will ensure appropriate safeguards are in place in accordance with GDPR requirements.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Client project records: 7 years (in line with UK tax and business record requirements)
  • Marketing consent records: Until consent is withdrawn
  • Website analytics: 26 months
  • Email communications: Duration of business relationship plus 2 years

Third-Party Processors

We work with carefully selected third-party service providers who process data on our behalf. All processors are bound by data processing agreements that comply with GDPR requirements.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Phone: 0303 123 1113
Website: ico.org.uk

Updates to This Policy

We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date.

Contact Us

If you have any questions about GDPR compliance or how we handle your personal data, please contact our Data Protection Officer:

Email: [email protected]