GDPR Compliance

Last Updated: May 27, 2026

Our Commitment to Data Protection

Photon Peak is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and protect your personal data.

Data Controller Information

Data Controller: Photon Peak
Address: 47 Wellington Street, Manchester, M1 3BD, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases as defined by Article 6 of the UK GDPR:

  • Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for specific purposes
  • Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract with you
  • Legal Obligation (Article 6(1)(c)): Where we must process your data to comply with legal requirements
  • Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate business interests

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15)

You can request a copy of the personal data we hold about you. We will provide this within one month of your request.

Right to Rectification (Article 16)

You can request that we correct any inaccurate or incomplete personal data.

Right to Erasure (Article 17)

You can request that we delete your personal data in certain circumstances, including where:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Right to Restriction of Processing (Article 18)

You can request that we restrict the processing of your personal data in certain situations.

Right to Data Portability (Article 20)

You can request to receive your personal data in a structured, commonly used, and machine-readable format.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of your rights under UK GDPR, please:

  • Email us at [email protected]
  • Clearly state which right you wish to exercise
  • Provide sufficient information to verify your identity

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of the reasons for the delay.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication procedures
  • Staff training on data protection
  • Secure backup and recovery procedures

Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document all data breaches and our response measures

Third-Party Data Processors

Where we use third-party service providers to process personal data on our behalf, we ensure that:

  • They process data only on our documented instructions
  • They are bound by confidentiality obligations
  • They implement appropriate security measures
  • Written contracts are in place as required by Article 28

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK government
  • Standard contractual clauses
  • Binding corporate rules

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Our retention periods are based on:

  • The nature of the data and purposes of processing
  • Legal and regulatory requirements
  • Contractual obligations
  • Legitimate business needs

When data is no longer needed, we securely delete or anonymize it.

Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

Complaints

If you have concerns about how we handle your personal data, please contact us first. If you remain unsatisfied, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Please review this page periodically for updates.

Contact Us

For questions about our GDPR compliance or to exercise your rights, please contact:

Email: [email protected]
Address: 47 Wellington Street, Manchester, M1 3BD, United Kingdom