GDPR Compliance Statement

Last updated: May 11, 2026

Our Commitment to GDPR

azure-glen is fully committed to compliance with the General Data Protection Regulation (GDPR) and UK data protection legislation. We treat the protection of your personal data as a fundamental responsibility.

Data Controller Information

azure-glen acts as the data controller for personal information collected through our website and services.

Data Controller: azure-glen
Address: 47 Merchant Street, Bristol, BS1 3EE, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under GDPR Article 6:

• Consent (Article 6(1)(a)): When you have explicitly agreed to our processing of your data for specific purposes
• Contractual necessity (Article 6(1)(b)): When processing is necessary to fulfill our service agreement with you
• Legal obligation (Article 6(1)(c)): When we must process data to comply with UK law
• Legitimate interests (Article 6(1)(f)): When processing is necessary for our legitimate business interests, provided these do not override your fundamental rights

Special Categories of Personal Data

In providing benefits guidance services, we may process special categories of personal data including health information. We process this sensitive data only:

• With your explicit consent (Article 9(2)(a))
• When necessary for social protection purposes (Article 9(2)(b))
• When you have manifestly made the data public (Article 9(2)(e))
• For legal claims purposes (Article 9(2)(f))

Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Article 15)

You can request confirmation of whether we process your personal data and obtain a copy of that data. We will respond within one month of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data.

Right to Erasure (Article 17)

You can request deletion of your personal data in certain circumstances, including:

• The data is no longer necessary for its original purpose
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data in specific situations.

Right to Data Portability (Article 20)

You can request your data in a structured, commonly used format and have it transmitted to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects.

How to Exercise Your Rights

To exercise any of your GDPR rights, contact us at:

Email: [email protected]

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of the extension.

Data Protection Measures

We implement appropriate technical and organizational measures to ensure data security, including:

• Encryption of data in transit and at rest
• Access controls limiting who can view personal data
• Regular security assessments and updates
• Staff training on data protection obligations
• Secure backup and recovery procedures

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Active client files: Duration of service plus 7 years
• Financial records: 7 years from end of financial year
• Marketing communications: Until consent is withdrawn
• Website analytics: 26 months

International Data Transfers

We do not routinely transfer personal data outside the United Kingdom. If we do need to transfer data internationally, we ensure adequate safeguards are in place in accordance with GDPR Chapter V.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours
• Notify affected individuals without undue delay if the breach poses a high risk
• Document the breach and our response measures

Third-Party Processors

When we engage third-party service providers who process personal data on our behalf, we ensure:

• A written contract is in place specifying data protection obligations
• The processor provides sufficient guarantees of GDPR compliance
• Processing occurs only on our documented instructions

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal obligations. Significant changes will be communicated via email to active clients.

Contact Our Data Protection Team

For any questions regarding GDPR compliance or data protection:

Email: [email protected]
Address: 47 Merchant Street, Bristol, BS1 3EE, United Kingdom