GDPR Compliance
Our commitment to data protection under UK GDPR
Data Controller Information
Twilight Fall acts as the data controller for personal information processed through our business activities. We determine how and why your data is processed and are responsible for complying with data protection requirements.
Data Controller: Twilight Fall Design Studio
Address: 47 Ecclesall Road, Sheffield, S11 8PR, United Kingdom
Email: [email protected]
Your Rights Under UK GDPR
The UK General Data Protection Regulation provides comprehensive rights regarding your personal data. We're committed to facilitating these rights and responding to requests promptly.
Right to Be Informed
You have the right to clear information about how we collect and use your personal data. Our Privacy Policy and this GDPR page provide transparent details about our data processing activities.
We explain what data we collect, why we collect it, how long we keep it, and who we share it with. This information is provided at the time of collection or before we process your data.
Right of Access
You can request a copy of the personal data we hold about you. This is commonly known as a "subject access request."
When you submit an access request, we'll provide:
- Confirmation that we're processing your data
- Access to your personal data
- Information about processing purposes, data categories, and recipients
- Retention periods or criteria used to determine them
- Details of your other rights
We respond to access requests within one month at no charge, unless requests are manifestly unfounded or excessive.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you can request correction. We'll amend records promptly and notify any third parties with whom we've shared the data where appropriate.
This applies to factual information. We may need to verify the accuracy of new information you provide.
Right to Erasure
Under this right, also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required for compliance with a legal obligation
This right is not absolute. We may need to retain certain information to comply with legal obligations, particularly financial records required for tax purposes.
Right to Restrict Processing
In certain situations, you can request that we limit how we use your data whilst retaining it:
- You contest the accuracy of the data, pending verification
- Processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you require it for legal claims
- You've objected to processing, pending verification of our legitimate grounds
When processing is restricted, we'll only process the data with your consent or for legal claims, public interest, or protecting others' rights.
Right to Data Portability
Where technically feasible, you can request that we transfer your data to another organisation or provide it in a structured, commonly used, machine-readable format.
This applies when processing is based on consent or contract and is carried out by automated means. It covers data you've provided to us.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
For legitimate interests, we'll cease processing unless we demonstrate compelling legitimate grounds that override your interests, or we need the data for legal claims.
For direct marketing, we'll stop processing immediately upon receiving your objection.
Rights Related to Automated Decision-Making
You have rights regarding automated decision-making and profiling. However, we don't currently use automated decision-making processes that produce legal or similarly significant effects.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected] with:
- Your full name and contact details
- Details of your request
- Any relevant reference numbers or account information
We may need to verify your identity before processing requests to protect against unauthorised disclosure. We'll respond within one month, though complex requests may take up to three months with advance notification.
Lawful Basis for Processing
We only process personal data when we have a lawful basis:
Consent
Where you've explicitly agreed to processing for specific purposes, such as receiving marketing communications. You can withdraw consent at any time.
Contract
Processing necessary to fulfil our contractual obligations when you engage our design and renovation services.
Legal Obligation
Processing required to comply with legal requirements, such as maintaining financial records for tax authorities.
Legitimate Interests
Processing necessary for our legitimate business interests, provided these don't override your fundamental rights. Examples include:
- Managing client relationships and providing customer service
- Improving our services and website
- Fraud prevention and security
- Network and information security
We conduct assessments to ensure legitimate interests don't adversely impact your rights and freedoms.
Data Protection Principles
We adhere to the UK GDPR principles, ensuring that personal data is:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what's necessary
- Accurate and kept up to date
- Retained only as long as necessary
- Processed securely with appropriate safeguards
We're accountable for demonstrating compliance with these principles.
Data Security Measures
We implement technical and organisational measures appropriate to the risks presented by our processing activities:
- Encryption of data in transit and at rest where appropriate
- Access controls limiting who can view personal data
- Regular security assessments and updates
- Staff training on data protection responsibilities
- Secure disposal of data no longer required
- Incident response procedures for potential breaches
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours of becoming aware of it.
If the breach presents a high risk to you, we'll also notify you directly without undue delay, providing information about the nature of the breach and measures being taken.
International Data Transfers
We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses approved by the ICO.
Children's Data
Our services target adults and we don't knowingly process data of individuals under sixteen without parental consent. If you believe we've inadvertently collected such data, contact us immediately for deletion.
Updates to GDPR Compliance
We review our data protection practices regularly to ensure ongoing compliance. Significant changes to how we process personal data will be communicated through our Privacy Policy and this page.
Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office if you believe we've breached data protection law:
Information Commissioner's Office
Website: ico.org.uk
Helpline: 0303 123 1113
We encourage you to contact us first so we can address your concerns directly.
Contact for Data Protection Queries
For questions about our GDPR compliance, to exercise your rights, or to raise data protection concerns:
Email: [email protected]
Address: Twilight Fall Design Studio, 47 Ecclesall Road, Sheffield, S11 8PR, United Kingdom