GDPR Compliance Statement

Last updated: May 14, 2026

Our Commitment to GDPR

fuzzy-zephyr is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement explains how we meet our obligations and protect your rights.

Data Controller

fuzzy-zephyr is the data controller responsible for your personal information. Our contact details are:

Email: [email protected]
Address: 42 Western Road, Brighton, BN1 2EB, United Kingdom

Lawful Basis for Processing

We process personal data under the following lawful bases:

Contract (Article 6(1)(b))

Processing is necessary to fulfil our contractual obligations when you book our services, including:

• Processing bookings and payments
• Delivering educational programmes
• Providing pre-session and post-session materials
• Communicating about session details

Legitimate Interests (Article 6(1)(f))

We process data based on legitimate interests for:

• Improving our services and website functionality
• Analysing usage patterns to enhance user experience
• Maintaining records for business administration
• Fraud prevention and security

Consent (Article 6(1)(a))

We rely on your explicit consent for:

• Marketing communications about new programmes
• Testimonials and case studies
• Non-essential cookies

You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Your Rights Under GDPR

Right to Access (Article 15)

You have the right to request a copy of the personal information we hold about you. We will provide this within one month of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal information.

Right to Erasure (Article 17)

You can request deletion of your personal information in certain circumstances, such as when it is no longer necessary for the purpose it was collected.

Right to Restriction (Article 18)

You can request restriction of processing in specific situations, such as when you contest the accuracy of data.

Right to Data Portability (Article 20)

You can request transfer of your data in a structured, commonly used format.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling in our processing of your personal data.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] with details of your request. We will:

• Respond within one month (extendable by two months for complex requests)
• Verify your identity before processing requests
• Provide services free of charge unless requests are manifestly unfounded or excessive

Data Protection Principles

We adhere to the following data protection principles:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner.

Purpose Limitation

We collect data for specified, explicit, and legitimate purposes only.

Data Minimisation

We collect only data that is adequate, relevant, and limited to what is necessary.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date.

Storage Limitation

We retain data only as long as necessary for the purposes it was collected.

Integrity and Confidentiality

We implement appropriate security measures to protect against unauthorised or unlawful processing and accidental loss or damage.

Data Security Measures

We implement technical and organisational measures including:

• Encryption of data in transit and at rest
• Regular security assessments
• Access controls and authentication
• Staff training on data protection
• Regular backups and disaster recovery procedures

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours
• Inform affected individuals without undue delay if there is a high risk
• Document all breaches and our response

International Data Transfers

We do not transfer personal data outside the United Kingdom. If this changes, we will ensure appropriate safeguards are in place and inform you accordingly.

Third-Party Processing

Where we use third-party service providers who process personal data on our behalf, we ensure:

• Written contracts are in place
• Processors only act on our instructions
• Appropriate security measures are implemented
• Compliance with GDPR obligations

Children's Data

While our services are for children and teenagers, we collect personal data from parents or legal guardians. We ensure:

• Parental consent for data processing
• Age-appropriate privacy protections
• Limited collection of children's personal data

Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website.

Contact Us

For any questions about GDPR compliance or to exercise your rights, contact us at [email protected].