Advertising Content

GDPR Compliance Statement

Last Updated: June 18, 2026

Our Commitment to Data Protection

phantasia-warden is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines how we meet our obligations as a data controller and protect the rights of individuals whose data we process.

Data Controller Information

Business Name: phantasia-warden
Address: 142 Riverside Industrial Estate, Meadow Lane, Nottingham, NG2 3HQ, United Kingdom
Contact: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases established by UK GDPR:

Contract Performance (Article 6(1)(b))

Processing customer information necessary to fulfill rental service agreements, including:

  • Processing booking requests and confirmations
  • Arranging equipment delivery and collection
  • Managing rental periods and returns
  • Processing payments and refunds
  • Providing technical support during rental periods

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal requirements:

  • Maintaining financial records for tax purposes (7 years)
  • Accounting and VAT compliance
  • Responding to lawful requests from authorities

Legitimate Interests (Article 6(1)(f))

Processing necessary for legitimate business interests:

  • Fraud prevention and security measures
  • Website functionality and user experience improvements
  • Business analytics and operational efficiency
  • Maintaining equipment inventory and logistics

We conduct regular legitimate interest assessments to ensure processing is proportionate and respects individual rights.

Consent (Article 6(1)(a))

Explicit consent for optional activities:

  • Marketing communications and promotional emails
  • Non-essential cookies and analytics tracking
  • Customer feedback surveys

Consent can be withdrawn at any time without affecting the lawfulness of processing based on consent before withdrawal.

Individual Rights Under UK GDPR

Right of Access (Article 15)

You may request confirmation of what personal data we process and obtain a copy. We respond to access requests within one month, free of charge for the first request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. We update records promptly and notify relevant third parties if necessary.

Right to Erasure (Article 17)

You may request deletion of your personal data when:

  • Data is no longer necessary for its original purpose
  • You withdraw consent and no other lawful basis applies
  • You object to processing based on legitimate interests
  • Data was processed unlawfully

This right is subject to legal retention requirements (e.g., accounting records).

Right to Restriction (Article 18)

You can request we limit processing while:

  • Verifying accuracy of contested data
  • Assessing legitimate grounds for objection
  • Processing is unlawful but you prefer restriction over erasure

Right to Data Portability (Article 20)

For data processed based on consent or contract, you can receive your data in structured, machine-readable format and request direct transfer to another controller where technically feasible.

Right to Object (Article 21)

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds overriding your interests.

Rights Related to Automated Decision-Making (Article 22)

We do not employ automated decision-making or profiling that produces legal or similarly significant effects. All booking decisions involve human review.

Exercising Your Rights

To exercise any GDPR rights, contact us at [email protected] with:

  • Clear identification of which right you're exercising
  • Sufficient information to verify your identity
  • Specific details about your request

We respond within one month, extendable to three months for complex requests. We will explain any delays and provide reasons if we decline a request.

Data Security Measures

We implement appropriate technical and organizational measures as required by Article 32:

Technical Measures

  • Encryption of data in transit using TLS 1.3
  • Encrypted storage of sensitive customer information
  • Regular security patching and updates
  • Secure authentication and access controls
  • Automated backup systems with encryption

Organizational Measures

  • Staff training on data protection principles
  • Access controls limiting data exposure to authorized personnel
  • Data protection impact assessments for new processing activities
  • Vendor due diligence and data processing agreements
  • Incident response procedures for data breaches

Data Breach Notification

In accordance with Article 33 and 34, we maintain procedures to:

  • Detect and investigate potential data breaches
  • Notify the ICO within 72 hours of becoming aware of qualifying breaches
  • Inform affected individuals without undue delay when breach poses high risk
  • Document all breaches regardless of notification requirement

Third-Party Data Processors

We engage third-party processors for:

  • Payment processing (Stripe, PayPal)
  • Email services
  • Website hosting and infrastructure
  • Delivery logistics coordination

All processors are selected based on GDPR compliance and are bound by data processing agreements meeting Article 28 requirements.

International Data Transfers

Data is primarily stored within the United Kingdom. When transfers outside the UK are necessary, we ensure appropriate safeguards through:

  • Adequacy decisions for countries with equivalent protection
  • Standard Contractual Clauses approved by regulatory authorities
  • Additional security measures where required

Data Retention

We retain personal data only as long as necessary for defined purposes:

  • Rental transaction records: 7 years (tax and accounting obligations)
  • Customer communication: 3 years from last interaction
  • Marketing consent: Until withdrawal
  • Website analytics: Maximum 26 months

Retention schedules are reviewed annually and data is securely deleted after retention periods expire.

Children's Data

Our services target adults aged 18 and over. We do not knowingly process data of individuals under 18 without parental consent. If we discover such processing, we delete the data immediately.

Privacy by Design and Default

We implement privacy considerations at the design stage of new processing activities:

  • Data minimization - collecting only necessary information
  • Purpose limitation - processing only for specified purposes
  • Storage limitation - deleting data after retention periods
  • Default privacy settings - opt-in for non-essential processing

Supervisory Authority

Our lead supervisory authority is the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

You have the right to lodge a complaint with the ICO if you believe we've violated data protection laws.

Policy Updates

This GDPR compliance statement is reviewed and updated regularly to reflect:

  • Changes in data processing activities
  • Updates to data protection legislation
  • Guidance from regulatory authorities
  • Organizational changes affecting data processing

Material changes are communicated through website notices and direct contact where appropriate.

Contact for Data Protection Matters

For questions, concerns, or requests related to GDPR compliance and data protection:

Email: [email protected]
Subject Line: Data Protection Inquiry
Address: 142 Riverside Industrial Estate, Meadow Lane, Nottingham, NG2 3HQ, United Kingdom