GDPR Compliance
Our commitment to data protection under UK GDPR
Our Commitment to Data Protection
Smooth Mint operates in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities as a data controller seriously and have implemented policies, procedures, and technical measures to ensure compliance with data protection principles.
Data Protection Principles
We process personal data in accordance with the following fundamental principles:
Lawfulness, Fairness, and Transparency
We process your information lawfully, fairly, and in a transparent manner. We clearly explain what information we collect, why we collect it, and how we use it. We only process data where we have a valid legal basis to do so.
Purpose Limitation
We collect personal information for specific, explicit, and legitimate purposes. We do not use your data for purposes incompatible with those for which it was originally collected unless you consent.
Data Minimization
We only collect and process personal information that is adequate, relevant, and limited to what is necessary for our stated purposes. We do not request or retain excessive information.
Accuracy
We take reasonable steps to ensure personal information is accurate and kept up to date. We encourage you to inform us of any changes to your information so we can maintain accuracy.
Storage Limitation
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. We have established retention schedules and delete or anonymize data when no longer needed.
Integrity and Confidentiality
We process personal information securely using appropriate technical and organizational measures to protect against unauthorized access, loss, destruction, or damage.
Accountability
We are responsible for demonstrating compliance with these principles. We maintain documentation of our processing activities and regularly review our practices to ensure ongoing compliance.
Legal Basis for Processing
We rely on the following legal bases when processing your personal information:
Contractual Necessity
When you engage our consulting services, we process your information to perform our contractual obligations to you. This includes delivering the services you have purchased, communicating with you about your engagement, and processing payments.
Legitimate Interests
We process certain information based on our legitimate business interests, such as:
- Improving our services and website functionality
- Understanding how our website is used
- Preventing fraud and maintaining security
- Managing our business operations
We carefully balance our legitimate interests against your rights and freedoms. Where your interests override ours, we will not process data on this basis.
Consent
In some cases, we ask for your explicit consent to process personal information, particularly for marketing communications or non-essential cookies. You can withdraw consent at any time.
Legal Obligations
We process certain data to comply with legal and regulatory requirements, such as maintaining business records and responding to lawful requests from authorities.
Your Data Protection Rights
Under UK GDPR, you have comprehensive rights regarding your personal information:
Right of Access (Subject Access Request)
You can request confirmation of whether we process your personal data and obtain a copy of that data. We will provide this information free of charge within one month of your request.
When making a subject access request, you will receive:
- Confirmation that we hold your data
- A copy of your personal information
- Details about how we use your data
- Information about who we share it with
- How long we keep it
- Your other rights regarding the data
Right to Rectification
You can request correction of inaccurate or incomplete personal information. We will update our records promptly and, unless this proves impossible or involves disproportionate effort, inform any third parties with whom we shared the data.
Right to Erasure (Right to be Forgotten)
You can request deletion of your personal information in certain circumstances:
- The data is no longer necessary for the purpose collected
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required for legal compliance
This right is not absolute; we may need to retain certain information for legal or regulatory purposes.
Right to Restriction of Processing
You can request that we limit how we use your data in specific situations:
- While we verify accuracy of contested data
- When processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you require it for legal claims
- While we verify legitimate grounds following your objection
Right to Data Portability
Where processing is based on consent or contract performance and carried out by automated means, you can request your data in a structured, commonly used, and machine-readable format. You can also ask us to transmit this data directly to another controller where technically feasible.
Right to Object
You can object to processing based on our legitimate interests. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You can also object at any time to processing for direct marketing; in that case we will stop without exception.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significant effects. We do not currently engage in automated decision-making or profiling.
Exercising Your Rights
To exercise any of your data protection rights, please contact us at [email protected] with:
- Your full name and contact information
- Clear description of which right you wish to exercise
- Specific information or details you are requesting
- Proof of identity if requested for security purposes
We will respond to your request within one month. Where a request is complex, or you have made several requests, we may extend this period by up to two further months; if so, we will tell you within the first month that an extension is needed and why.
We do not charge fees for most requests. However, if your request is clearly unfounded or excessive, we may charge a reasonable fee or refuse the request.
Data Security Measures
We implement appropriate technical and organizational security measures to protect personal information:
Technical Measures
- Encryption of data in transit and at rest
- Secure server infrastructure with regular updates
- Access controls and authentication systems
- Regular security testing and vulnerability assessments
- Backup systems and disaster recovery procedures
Organizational Measures
- Staff training on data protection responsibilities
- Clear policies governing data handling
- Limited access to personal data on need-to-know basis
- Confidentiality agreements with employees and contractors
- Regular review and audit of data processing activities
Data Breach Notification
In the unlikely event of a personal data breach that poses risks to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach is likely to result in high risk to you, we will also inform you directly without undue delay, providing information about the nature of the breach and measures taken or proposed.
Third-Party Processing
When we engage third-party service providers who process personal data on our behalf, we ensure:
- Appropriate data processing agreements are in place
- Processors provide sufficient guarantees regarding security
- Processing is limited to our documented instructions
- Confidentiality commitments are established
- Sub-processing requires our prior authorization
International Data Transfers
If we transfer your data outside the United Kingdom, we ensure appropriate safeguards are in place:
- Transfers only to countries covered by UK adequacy regulations (including the European Economic Area)
- The ICO's International Data Transfer Agreement, or the UK Addendum to the EU standard contractual clauses
- Binding corporate rules where applicable
- Supplementary security measures where a transfer risk assessment identifies higher risk
Contact and Complaints
For questions about our GDPR compliance or to exercise your rights:
Email: [email protected]
Address: 32 Kingsway, Holborn, London WC2B 6EX, United Kingdom
Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office if you believe we have not complied with data protection law:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
Updates to Our Practices
We regularly review our data protection practices to ensure ongoing compliance with UK GDPR. This page will be updated to reflect any changes in how we process personal information or fulfill our obligations.