GDPR Compliance

Last updated: May 22, 2026

Our Commitment to GDPR

glimmer-bush Consulting Ltd is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we fulfill our obligations under these regulations and how you can exercise your rights.

Data Controller Information

Data Controller: glimmer-bush Consulting Ltd
Registered Address: 42 Rivington Street, London EC2A 3BN, United Kingdom
Contact: [email protected]

What Personal Data We Process

We process the following categories of personal data:

  • Identity Data: Name, job title, company name
  • Contact Data: Email address, postal address
  • Technical Data: IP address, browser type, device information, usage data
  • Professional Data: Service inquiries, consultation details, project information
  • Marketing Data: Communication preferences

Lawful Basis for Processing

We process your personal data under the following lawful bases:

Consent

For marketing communications and non-essential cookies, we rely on your explicit consent. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism in our communications.

Contractual Necessity

When you engage our services, processing is necessary to fulfill our contractual obligations and provide the services you've requested.

Legitimate Interests

We process data based on legitimate interests for:

  • Website functionality and security
  • Business administration and internal operations
  • Improving our services and customer experience
  • Fraud prevention and security measures

Legal Obligations

We process data when required to comply with legal obligations, including tax, accounting, and regulatory requirements.

Your Rights Under UK GDPR

Right of Access

You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one month of receipt.

Right to Rectification

You can request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal data when:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation

Right to Restriction of Processing

You can request that we restrict processing of your personal data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification of our legitimate grounds

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you can request that we provide your data in a structured, commonly used, machine-readable format or transfer it to another controller.

Right to Object

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing (including profiling)
  • Processing for research or statistical purposes

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

Email: [email protected]
Post: Data Protection Officer, glimmer-bush Consulting Ltd, 42 Rivington Street, London EC2A 3BN, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this by up to two months and will inform you of any such extension.

You will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive, or we may refuse to comply with your request in these circumstances.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Staff training on data protection principles
  • Incident response and data breach procedures
  • Regular backups and disaster recovery planning

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Client data: For the duration of our business relationship plus 7 years for legal and accounting purposes
  • Inquiry data: Up to 2 years if no engagement results
  • Marketing data: Until consent is withdrawn or 3 years of inactivity
  • Website analytics: Up to 26 months

International Data Transfers

While we primarily process data within the United Kingdom, some third-party service providers may process data outside the UK. When we transfer data internationally, we ensure:

  • The receiving country has an adequacy decision from the UK government, or
  • Appropriate safeguards are in place, such as Standard Contractual Clauses, or
  • A specific exception applies under UK GDPR

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach is likely to result in high risk
  • Document all data breaches and the measures taken in response

Third-Party Data Processors

We work with carefully selected third-party service providers who process data on our behalf. These processors are bound by data processing agreements that require them to:

  • Process data only on our documented instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist with our GDPR compliance obligations
  • Delete or return data upon termination of services

Updates to Our GDPR Practices

We regularly review and update our data protection practices to ensure ongoing compliance with UK GDPR. Material changes will be communicated through our website and, where appropriate, directly to affected individuals.

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: glimmer-bush.com

We encourage you to contact us first so we can address your concerns directly.

Contact Our Data Protection Officer

For any questions about our GDPR compliance or to exercise your data protection rights:

Email: [email protected]
Subject line: "GDPR Inquiry" or "Data Subject Request"