GDPR Compliance Statement

Last Updated: May 10, 2026

Our Commitment to Data Protection

misty-breeze is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we fulfill our obligations under these regulations.

Data Controller Information

For the purposes of UK data protection legislation, the data controller is:

misty-breeze
45 Hanover Street
Edinburgh, EH2 2PJ
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases as defined by UK GDPR Article 6:

  • Consent (Article 6(1)(a)): For marketing communications and optional services
  • Contract (Article 6(1)(b)): To fulfill our contractual obligations when you engage our services
  • Legal Obligation (Article 6(1)(c)): To comply with UK financial regulations and tax requirements
  • Legitimate Interests (Article 6(1)(f)): For business operations, fraud prevention, and service improvement

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

1. Right to be Informed

You have the right to clear, transparent information about how we use your personal data. This information is provided in our Privacy Policy and this GDPR statement.

2. Right of Access (Subject Access Request)

You have the right to obtain:

  • Confirmation that we are processing your personal data
  • A copy of your personal data
  • Information about how we use your data

We will respond to access requests within one month. If your request is complex, we may extend this by two additional months.

3. Right to Rectification

You have the right to have inaccurate personal data corrected. We will respond to rectification requests within one month.

4. Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: We may be required to retain certain financial records for seven years under UK law, even if you request erasure.

5. Right to Restrict Processing

You have the right to request restriction of processing in specific circumstances, such as when you contest the accuracy of your data or object to processing.

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

7. Right to Object

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing
  • Processing for scientific or historical research purposes

8. Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our services. All financial advice is provided by qualified professionals.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

Please provide:

  • Your full name
  • Email address associated with your account or consultation
  • Clear description of your request
  • Proof of identity (if required for verification)

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Regular security assessments
  • Access controls and authentication procedures
  • Staff training on data protection
  • Secure backup systems
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document all data breaches, including facts, effects, and remedial action taken

Data Processing Agreements

We ensure that all third-party service providers who process personal data on our behalf:

  • Have appropriate data processing agreements in place
  • Provide sufficient guarantees of GDPR compliance
  • Process data only on our documented instructions
  • Implement appropriate security measures

International Data Transfers

If we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK authorities
  • Adequacy decisions by the UK government
  • Binding corporate rules

Data Retention

We retain personal data only for as long as necessary:

  • Client consultation records: 7 years (UK financial regulations)
  • Marketing communications data: Until consent is withdrawn
  • Website analytics: 26 months
  • Contact form inquiries: 2 years or until purpose fulfilled

Children's Data

We do not knowingly collect or process personal data from individuals under 18 years of age. Our services are directed at adults only.

Complaints

If you believe we have not complied with UK GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: misty-breeze.com
Online reporting: misty-breeze.com/make-a-complaint

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated to affected individuals.

Contact Information

For questions about GDPR compliance or to exercise your data protection rights:

Email: [email protected]
Address: 45 Hanover Street, Edinburgh, EH2 2PJ, United Kingdom