GDPR Compliance

Introduction

chrome-spark is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations and protect your data rights.

Data Controller

chrome-spark acts as the data controller for personal information collected through our website and services.

Controller name: chrome-spark
Address: 127 Wellington Street, Leeds, LS1 4JE, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so:

Consent

We obtain your explicit consent before:

• Sending marketing communications
• Using non-essential cookies
• Processing children's personal information

You can withdraw consent at any time by contacting us or using the unsubscribe link in our emails.

Contract Performance

We process your data to fulfil our contractual obligations when you book our services, including:

• Scheduling and delivering educational programmes
• Processing payments
• Communicating about service delivery

Legitimate Interests

We process data for legitimate business interests, such as:

• Improving our services and website functionality
• Fraud prevention and security
• Internal administration

We always balance these interests against your rights and freedoms.

Legal Obligations

We process data when required to comply with legal obligations, including:

• Tax and accounting regulations
• Safeguarding requirements when working with children
• Responding to lawful requests from authorities

Your GDPR Rights

Right of Access

You can request a copy of the personal data we hold about you. We will provide this within one month, free of charge.

Right to Rectification

If your personal data is inaccurate or incomplete, you can request correction. We will update our records promptly.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there's no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: We may need to retain certain information to comply with legal obligations (e.g., financial records for tax purposes).

Right to Restrict Processing

You can request limitation on how we process your data in certain circumstances, such as when:

• You contest the accuracy of the data
• Processing is unlawful but you don't want erasure
• You need the data for legal claims

Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format. We will provide this or transfer it directly to another controller where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Exercising Your Rights

To exercise any of your GDPR rights, please contact us:

• Email: [email protected]
• Subject line: "GDPR Rights Request"
• Include: Your full name, contact details, and specific request

We will:

• Verify your identity to protect your data
• Respond within one month (extendable by two months for complex requests)
• Provide reasons if we cannot fulfil your request
• Not charge a fee unless the request is manifestly unfounded or excessive

Children's Data Protection

We take special care when processing children's personal data:

• We obtain parental consent before collecting children's information
• We collect only the minimum data necessary for educational purposes
• Parents can access, correct, or delete their child's data at any time
• We never use children's data for marketing or share it unnecessarily
• All staff working with children undergo background checks and data protection training

Data Security Measures

We implement appropriate technical and organisational measures to ensure data security:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security audits and updates
• Staff training on data protection
• Secure backup procedures
• Incident response plans

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the ICO within 72 hours of becoming aware of the breach
• Inform affected individuals without undue delay if there's a high risk
• Provide clear information about the breach and steps being taken
• Document the breach and our response

International Data Transfers

We primarily store and process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the UK authorities
• Adequacy decisions recognising equivalent data protection
• Binding corporate rules for transfers within organisations

Third-Party Processors

We engage third-party processors (e.g., payment providers, email services) who are contractually bound to:

• Process data only on our instructions
• Maintain appropriate security measures
• Assist with fulfilling data subject rights
• Delete or return data upon contract termination

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any processing likely to result in high risk to individuals' rights and freedoms, particularly when introducing new technologies or programmes.

Record Keeping

We maintain comprehensive records of our processing activities, including:

• Purposes of processing
• Categories of data subjects and personal data
• Recipients of personal data
• Data retention periods
• Security measures

Complaints

If you're unhappy with how we handle your data, please contact us first at [email protected] so we can address your concerns.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: chrome-spark.com

Updates to This Policy

We review and update our GDPR compliance procedures regularly. Any significant changes will be communicated through our website and, where appropriate, via email to registered users.

This page was last updated: 20 May 2026