GDPR Information

Understanding your data protection rights under the General Data Protection Regulation

Our Commitment to GDPR Compliance

The General Data Protection Regulation (GDPR) establishes comprehensive rules for how organizations collect, use, and protect personal data. Although the United Kingdom has left the European Union, we maintain full compliance with GDPR principles through the UK GDPR framework.

We are committed to protecting your personal data and respecting your privacy rights. This page explains how we comply with GDPR requirements and what rights you have regarding your information.

Data Controller Information

For the purposes of data protection law, lunar-myth is the data controller responsible for your personal information.

Contact details:
Email: [email protected]
Address: 47 Clerkenwell Road, London EC1M 5RS, United Kingdom

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The legal bases we rely on include:

Consent

When you submit information through our contact form or sign up for communications, you provide explicit consent for us to process that data. You may withdraw consent at any time by contacting us.

Contract Performance

When we enter into a service agreement with your organization, we process personal data necessary to fulfill contractual obligations, including project delivery and client communication.

Legitimate Interests

We process certain data based on legitimate business interests, such as improving our services, maintaining security, and conducting business operations. We ensure these interests do not override your fundamental rights and freedoms.

Legal Obligation

In some cases, we process data to comply with legal requirements, such as tax obligations or responding to lawful requests from authorities.

Your Rights Under GDPR

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This information is provided in our privacy policy and this GDPR statement.

Right of Access

You can request confirmation of whether we process your personal data and obtain a copy of that data. We will provide this information free of charge within one month of your request.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request correction. We will update the information and notify any third parties with whom we have shared it, where appropriate.

Right to Erasure

Also known as the right to be forgotten, you can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required to comply with a legal obligation

This right is not absolute. We may retain data when legally required, such as for tax purposes or contract fulfillment.

Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you do not want the data erased
  • We no longer need the data but you need it for legal claims
  • You have objected to processing and are awaiting verification of legitimate grounds

Right to Data Portability

When processing is based on consent or contract performance and carried out by automated means, you can request your personal data in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significant effects. We do not currently employ automated decision making processes.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with your request. Please include:

  • Your full name and contact information
  • Details of the specific right you wish to exercise
  • Any relevant information to help us locate your data

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any such extension.

We may request additional information to verify your identity before responding to rights requests. This protects your personal data from unauthorized access.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Staff training on data protection principles
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two hours of becoming aware of the breach.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, providing information about the nature of the breach and measures taken or proposed to address it.

International Data Transfers

Your personal data is stored and processed within the United Kingdom. If we need to transfer data outside the UK, we will ensure appropriate safeguards are in place, such as:

  • Adequacy decisions recognizing equivalent data protection standards
  • Standard contractual clauses approved by regulatory authorities
  • Binding corporate rules for transfers within multinational organizations

Third-Party Processors

When we engage third-party service providers to process personal data on our behalf, we ensure they:

  • Provide sufficient guarantees of appropriate technical and organizational measures
  • Process data only on our documented instructions
  • Maintain confidentiality of personal data
  • Implement appropriate security measures
  • Assist us in responding to data subject rights requests

Right to Lodge a Complaint

If you believe we have not handled your personal data properly or have violated your rights under GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: ico.org.uk

We encourage you to contact us first so we can address your concerns directly before escalating to the supervisory authority.

Updates to This Statement

We may update this GDPR information statement from time to time to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website. The date of the last update appears at the top of our privacy policy.