GDPR Information

Our Commitment to Data Protection

freshen-glow Limited is fully committed to complying with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We recognize the importance of protecting your personal information and respecting your privacy rights.

This page explains how we meet our GDPR obligations and provides information about your rights under data protection legislation.

Data Controller

For the purposes of data protection legislation, freshen-glow Limited is the data controller responsible for your personal information.

Our contact details are:
freshen-glow Limited
42 Kensington High Street
London, W8 4PF
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so. The specific legal basis depends on the type of processing:

Contractual Necessity

When you engage our retirement planning services, we process your personal and financial information because it is necessary to perform the contract between us. Without this information, we cannot provide the advice and services you have requested.

Legal Compliance

As a regulated financial services provider, we must process certain personal information to comply with legal obligations. These include requirements under financial services regulations, anti-money laundering legislation, and tax laws. This processing is mandatory and not based on your consent.

Legitimate Interests

We sometimes process personal information based on our legitimate business interests, provided this does not override your fundamental rights. Examples include analysing website usage to improve our services, maintaining records for potential legal claims, and conducting internal business administration.

Consent

For certain processing activities, we rely on your explicit consent. This includes sending marketing communications and processing special categories of personal data beyond what is necessary for providing our services. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Types of Personal Data We Process

Depending on your interaction with us, we may process different categories of personal information:

Identity Information

Names, titles, dates of birth, identification documents, and National Insurance numbers.

Contact Information

Postal addresses, email addresses, and communication preferences.

Financial Information

Details of pension arrangements, income levels, assets, liabilities, bank account information, and transaction history.

Employment Information

Current and previous employment details, salary information, and workplace pension arrangements.

Technical Information

IP addresses, browser types, device information, and website usage patterns collected through cookies and similar technologies.

Special Category Data

In some circumstances, we may process health information relevant to retirement planning decisions. We only process such sensitive data with your explicit consent or when necessary for regulatory compliance.

Your Rights Under GDPR

GDPR grants you specific rights regarding your personal information. We respect these rights and have procedures in place to facilitate their exercise.

Right to Be Informed

You have the right to clear, transparent information about how we collect and use your personal data. This right is fulfilled through our Privacy Policy and this GDPR information page.

Right of Access

You can request access to the personal information we hold about you. This is commonly known as a "subject access request." We will provide you with a copy of your personal data along with supplementary information about how we use it.

Right to Rectification

If you believe personal information we hold is inaccurate or incomplete, you have the right to request correction. We will assess your request and make appropriate amendments where justified.

Right to Erasure

Sometimes called the "right to be forgotten," this allows you to request deletion of your personal data in specific circumstances. However, this right is not absolute. We may need to retain certain information to comply with legal obligations or for legitimate business purposes such as defending legal claims.

Right to Restrict Processing

You can ask us to restrict how we use your personal information in certain situations, such as when you contest the accuracy of data or object to processing. During any restriction period, we may store your data but not actively use it.

Right to Data Portability

Where we process your information based on consent or contract performance, and the processing is automated, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another organization where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will stop such processing immediately. For objections based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not use fully automated decision-making processes in our retirement planning services. All significant recommendations involve human analysis and judgment.

How to Exercise Your Rights

To exercise any of your data protection rights, please submit your request in writing to [email protected] or by post to our office address.

Please include sufficient information to help us identify you and understand your request. We may need to verify your identity before fulfilling certain requests to protect your personal information from unauthorized access.

We aim to respond to all requests within one month of receipt. In complex cases, this period may be extended by up to two additional months. If we extend the response period, we will inform you of the extension and the reasons for the delay.

There is generally no charge for exercising your rights. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, particularly repeated requests for the same information.

Data Security Measures

We implement robust technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Technical Safeguards

Our security measures include encryption of data in transit and at rest, secure authentication and access controls, regular security testing and vulnerability assessments, firewalls and intrusion detection systems, and secure backup and disaster recovery procedures.

Organizational Safeguards

We maintain comprehensive data protection policies and procedures, provide regular staff training on data protection responsibilities, limit access to personal data on a need-to-know basis, use confidentiality agreements with staff and third parties, and conduct regular reviews of our data protection practices.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including satisfying legal, regulatory, tax, accounting, or reporting requirements.

For client relationships, we typically retain records for a minimum of six years after the relationship ends, in accordance with financial services regulations. Some information may be retained for longer periods where necessary to defend potential legal claims or comply with specific regulatory requirements.

When determining retention periods, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, whether we can achieve those purposes through other means, and applicable legal requirements.

Once personal information is no longer required, we securely delete or anonymize it in accordance with our data retention and destruction procedures.

International Data Transfers

We primarily process and store your personal data within the United Kingdom. If we need to transfer personal information to countries outside the UK, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements.

These safeguards may include transferring data to countries that have been deemed to provide adequate data protection, using standard contractual clauses approved by the UK authorities, or relying on other legally recognized transfer mechanisms.

Third-Party Processing

Where we engage third-party service providers who process personal data on our behalf, we ensure they meet GDPR standards. We have written contracts in place that require these processors to protect your data, process it only according to our instructions, and implement appropriate security measures.

We regularly assess our third-party processors to ensure ongoing compliance with data protection requirements.

Data Breach Procedures

Despite our security measures, no system is completely immune to breaches. We have procedures in place to detect, report, and investigate data breaches.

If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

Privacy by Design

We incorporate data protection considerations into all new projects, systems, and processes from the outset. This "privacy by design" approach ensures that data protection is built into our operations rather than added as an afterthought.

Data Protection Impact Assessments

When implementing new processing activities that are likely to result in high risks to your rights and freedoms, we conduct Data Protection Impact Assessments. These assessments help us identify and minimize data protection risks.

Children's Data

Our services are not directed at children, and we do not knowingly process personal data of individuals under 18 years of age. If we become aware that we have inadvertently collected information from someone under 18, we will delete it promptly.

Updates to Our Practices

We regularly review and update our data protection practices to ensure continued compliance with GDPR and best practices. Significant changes will be communicated through updates to our Privacy Policy and this GDPR information page.

Questions and Complaints

If you have questions about our GDPR compliance or concerns about how we handle your personal data, please contact us at [email protected]. We take all concerns seriously and will investigate and respond promptly.

Supervisory Authority

While we hope to resolve any concerns directly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

Further Information

For more detailed information about how we process your personal data, please refer to our Privacy Policy. For information about cookies and similar technologies, see our Cookies Policy.