GDPR Compliance Statement

Last Updated: 10 May 2026

1. Our Commitment to GDPR

fusion-shift is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented appropriate measures to ensure your personal data is processed lawfully, fairly, and transparently.

2. Data Controller Information

For the purposes of UK GDPR, the data controller is:

fusion-shift
42 Kingsway
London WC2B 6EX
United Kingdom
Email: [email protected]

3. Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so. Our lawful bases include:

3.1 Consent

We process data based on your explicit consent when you:

• Submit contact forms on our website
• Subscribe to our communications
• Accept cookies through our cookie banner

You have the right to withdraw consent at any time by contacting us.

3.2 Contract

Processing is necessary to fulfill our contractual obligations when you:

• Book our services or workshops
• Enter into a service agreement with us

3.3 Legal Obligation

We process data to comply with legal requirements, including:

• Tax and accounting records
• Compliance with financial services regulations
• Responding to lawful requests from authorities

3.4 Legitimate Interests

We process data for legitimate business interests, such as:

• Improving our services and website functionality
• Preventing fraud and ensuring security
• Internal administrative purposes

We always balance these interests against your rights and freedoms.

4. Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

4.1 Right to Access (Article 15)

You have the right to request copies of your personal data. We will provide this information free of charge within one month of your request.

4.2 Right to Rectification (Article 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

4.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

4.4 Right to Restrict Processing (Article 18)

You can request that we limit how we use your personal data if:

• You contest the accuracy of the data
• Processing is unlawful but you don't want erasure
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

4.6 Right to Object (Article 21)

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing
• Processing for scientific/historical research or statistical purposes

4.7 Rights Related to Automated Decision Making (Article 22)

We do not use automated decision-making or profiling in our services. All decisions regarding our services involve human oversight.

5. How to Exercise Your Rights

To exercise any of your data protection rights, please:

• Email us at: [email protected]
• Write to us at: fusion-shift, 42 Kingsway, London WC2B 6EX, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you if this is necessary.

6. Data Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls limiting who can view personal data
• Staff training on data protection principles
• Secure backup procedures
• Incident response procedures

7. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
• Notify affected individuals without undue delay if there is a high risk to their rights
• Document the breach and our response

8. Data Retention

We retain personal data only for as long as necessary:

• Inquiry data: 3 years from last contact or until deletion requested
• Client records: 7 years after service completion for legal and tax compliance
• Marketing consents: Until consent is withdrawn or 2 years of inactivity
• Website analytics: 26 months
• Cookie data: As specified in our Cookies Policy

9. Third-Party Processing

When we use third-party service providers who process data on our behalf, we ensure:

• Written contracts are in place
• Processors comply with UK GDPR
• Appropriate security measures are implemented
• Processing is limited to our documented instructions

10. International Transfers

Your data is primarily stored and processed within the United Kingdom. If we transfer data internationally, we ensure adequate safeguards are in place through:

• Adequacy decisions by the UK government
• Standard contractual clauses approved by the ICO
• Binding corporate rules where applicable

11. Children's Data

We do not knowingly process data of individuals under 18 years of age. If we become aware that we have collected data from a child without parental consent, we will delete it immediately.

12. Privacy by Design and Default

We implement privacy by design and default principles by:

• Collecting only necessary data
• Limiting access to personal data
• Ensuring data accuracy and security
• Maintaining transparency about data processing

13. Updates to This Statement

We review and update this GDPR compliance statement regularly to reflect changes in our practices or legal requirements. Material changes will be communicated prominently on our website.

14. Complaints and Supervisory Authority

If you believe we have not complied with UK GDPR requirements, you can:

• Contact us directly at [email protected]
• Lodge a complaint with the Information Commissioner's Office (ICO)

Information Commissioner's Office (ICO):

Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Helpline: 0303 123 1113
Website: fusion-shift.com
Report a concern: fusion-shift.com/make-a-complaint

15. Contact for Data Protection Queries

For any questions about how we process your personal data or to exercise your rights, please contact:

Email: [email protected]
Address: fusion-shift, 42 Kingsway, London WC2B 6EX, United Kingdom