Brightara Hub

GDPR Compliance

Last updated: 9 April 2026

Our Commitment to Data Protection

Brightara Hub is committed to complying with the UK General Data Protection Regulation and the Data Protection Act 2018. We recognize the importance of protecting personal information and take our responsibilities as a data controller seriously.

This page provides specific information about how we meet GDPR requirements and how you can exercise your rights under this legislation.

Data Controller Information

For the purposes of UK GDPR, Brightara Hub acts as the data controller for personal information processed through our services.

Data Controller: Brightara Hub
Registered Address: 15 Broad Street, Oxford OX1 3AS, United Kingdom
Contact Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis under GDPR. The specific basis depends on the nature of the processing.

Contractual Necessity

When you engage our consultation services, we process information necessary to deliver those services. This includes your interests, preferences, availability, and contact details. Processing this information is essential to fulfill our contractual obligations to you.

Legitimate Interests

We have legitimate interests in processing certain data to improve our services, understand client needs, maintain our partner network, and operate our business effectively. We balance these interests against your rights and only process data when our interests do not override your fundamental rights and freedoms.

Consent

Where we require consent, we obtain it clearly and explicitly. This includes sharing your information with third-party hobby organizations, sending marketing communications, using testimonials in our materials, and placing non-essential cookies on your device. You may withdraw consent at any time without affecting other aspects of our relationship.

Legal Obligations

We process certain data to comply with legal requirements, including maintaining financial records for tax purposes and responding to lawful requests from authorities.

Your Rights Under GDPR

UK GDPR grants you specific rights regarding your personal information. We are committed to facilitating the exercise of these rights.

Right to Access

You have the right to request confirmation of whether we process your personal data and to receive a copy of that data. We will provide this information in a commonly used electronic format unless you request otherwise. This is commonly known as a Subject Access Request.

To make an access request, email us at [email protected] with "Subject Access Request" in the subject line. We will respond within one month of receiving your request.

Right to Rectification

If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. This ensures our recommendations and communications remain relevant to your actual circumstances.

Simply contact us with the corrected information, and we will update our records promptly.

Right to Erasure

Also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances. These include when the data is no longer necessary for its original purpose, when you withdraw consent, when you object to processing based on legitimate interests, or when data has been processed unlawfully.

This right is not absolute. We may retain information where we have legal obligations to do so, such as financial records required for tax compliance.

Right to Restrict Processing

You may request that we limit how we use your data in specific situations, such as when you contest the accuracy of data while we verify it, when processing is unlawful but you prefer restriction over deletion, when we no longer need the data but you require it for legal claims, or when you have objected to processing while we verify whether our legitimate grounds override yours.

Right to Data Portability

For information you have provided to us where processing is based on consent or contract and carried out by automated means, you have the right to receive that data in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop such processing immediately. For objections based on your particular situation, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects. Our recommendations are made through personal consultation and human judgment.

How to Exercise Your Rights

To exercise any of these rights, contact us via email at [email protected] or write to us at our registered address. Please include sufficient information to identify you and specify which right you wish to exercise.

We will respond to requests within one month. In complex cases or if we receive multiple requests, we may extend this period by two additional months, but we will inform you of any delay and the reasons for it.

We do not charge fees for most requests. However, if requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or refuse the request.

Data Protection Principles

We adhere to the data protection principles set out in GDPR, ensuring that personal data is processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; adequate, relevant, and limited to what is necessary; accurate and kept up to date; kept in a form that permits identification for no longer than necessary; and processed securely using appropriate technical and organizational measures.

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes pseudonymization and encryption where appropriate, ensuring ongoing confidentiality and integrity of processing systems, regular testing and evaluation of security effectiveness, and processes for restoring availability following incidents.

We limit access to personal data to employees and consultants who need it to perform their duties. All staff receive training on data protection principles and obligations.

Data Breaches

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay. Where the breach poses a high risk, we will communicate this directly to you unless it would involve disproportionate effort, in which case we will make a public communication.

We will also notify the Information Commissioner's Office within 72 hours of becoming aware of a breach where it is likely to result in a risk to individuals' rights and freedoms.

Third-Party Processing

Where we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees of GDPR compliance. We use written contracts that specify the subject matter, duration, nature, and purpose of processing, along with the obligations and rights of both parties.

Processors we engage are contractually obligated to process data only on our instructions, ensure confidentiality of data, implement appropriate security measures, not engage sub-processors without our authorization, assist us in responding to data subject requests, and delete or return data when services conclude.

International Transfers

We primarily store and process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place. This may include adequacy decisions, standard contractual clauses, or binding corporate rules as appropriate.

We will not transfer your data to countries or international organizations without ensuring adequate protection as required by UK GDPR.

Children's Data

Our services are directed at adults. We do not knowingly process data of children under 18 without parental consent. If we become aware that we have inadvertently collected data from a child without appropriate consent, we will delete it promptly.

Record Keeping

We maintain records of our processing activities as required by GDPR. These records include the purposes of processing, categories of data subjects and personal data, categories of recipients, retention periods, and security measures in place.

Privacy by Design and Default

We implement data protection principles at the design phase of any project involving personal data processing. We use privacy-enhancing technologies where appropriate and default to processing the minimum data necessary for each specific purpose.

Consent Management

When we rely on consent as our lawful basis for processing, we ensure that consent is freely given, specific, informed, and unambiguous. We obtain clear affirmative action indicating consent and maintain records of when and how consent was obtained.

You may withdraw consent at any time as easily as it was given. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

Marketing Communications

We only send marketing communications to individuals who have consented or where we have a legitimate interest and have determined that interest is not overridden by your rights. Every marketing email includes a clear unsubscribe option. We honor opt-out requests immediately.

Complaints and Supervisory Authority

If you believe we have not complied with GDPR or your data protection rights, please contact us first so we can address your concerns. We take complaints seriously and investigate them thoroughly.

You also have the right to lodge a complaint with the Information Commissioner's Office, the UK's supervisory authority for data protection.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Updates to GDPR Compliance

Data protection law evolves, and we regularly review our practices to ensure ongoing compliance. We update this information as necessary to reflect changes in law, regulatory guidance, or our processing activities.

Questions and Contact

If you have questions about our GDPR compliance, how we process your data, or how to exercise your rights, please contact us at [email protected]. We are committed to transparency and will address your queries promptly.


© 2026 Brightara Hub. All rights reserved.