Our Commitment to GDPR
icy-synthesis is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines how we fulfill our obligations as a data controller and protect your personal information.
Data Controller Information
Data Controller: icy-synthesis
Registered Address: 47 Threadneedle Street, London EC2R 8AU, United Kingdom
Contact Email: [email protected]
Lawful Basis for Processing
We process personal data only when we have a lawful basis under Article 6 of the GDPR:
Consent
When you provide explicit consent for specific processing activities, such as receiving marketing communications or participating in research studies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Contract Performance
When processing is necessary to fulfill our service agreement with you, including scheduling consultations, delivering educational services, and managing client relationships.
Legal Obligation
When we must process data to comply with legal requirements, such as tax regulations, anti-money laundering obligations, or court orders.
Legitimate Interests
When processing serves our legitimate business interests while respecting your fundamental rights. This includes fraud prevention, network security, and direct marketing to existing clients. We conduct balancing assessments to ensure your rights are not overridden.
Your Rights Under GDPR
You have comprehensive rights regarding your personal data:
Right to Access (Article 15)
You can request confirmation of whether we process your data and obtain a copy of that data. We provide the first copy free of charge within one month of your request.
Right to Rectification (Article 16)
You can request correction of inaccurate personal data and completion of incomplete data. We will notify third parties who received your data of any corrections unless this is impossible or disproportionately difficult.
Right to Erasure (Article 17)
You can request deletion of your personal data when:
- Data is no longer necessary for the original purpose
- You withdraw consent and no other legal basis exists
- You object to processing and no overriding legitimate grounds exist
- Data was unlawfully processed
- Erasure is required to comply with legal obligations
This right does not apply when processing is necessary for legal compliance, public health purposes, or establishment of legal claims.
Right to Restriction of Processing (Article 18)
You can request that we limit processing of your data when:
- You contest the accuracy of data during verification
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of our legitimate grounds
Right to Data Portability (Article 20)
You can receive personal data you provided to us in a structured, commonly used, machine-readable format and transmit it to another controller when processing is based on consent or contract and carried out by automated means.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or we need the data for legal claims.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in automated decision-making with such effects.
Exercising Your Rights
To exercise any of these rights, submit a request to [email protected]. Please include:
- Your full name and contact information
- Description of the right you wish to exercise
- Any relevant details to help us locate your data
- Proof of identity (if necessary to prevent fraudulent requests)
We will respond within one month of receiving your request. This period may be extended by two additional months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it.
Data Protection Measures
We implement technical and organizational measures to ensure data security appropriate to the risk, including:
Technical Measures
- Encryption of data in transit using TLS protocols
- Encryption of data at rest for sensitive information
- Regular security updates and patch management
- Firewall protection and intrusion detection systems
- Secure backup procedures with encrypted storage
Organizational Measures
- Employee training on data protection principles
- Access controls based on role requirements
- Confidentiality agreements with staff and contractors
- Regular privacy impact assessments
- Incident response procedures for data breaches
Data Breach Notification
In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
Data Processing Records
We maintain comprehensive records of processing activities as required by Article 30 of the GDPR, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International data transfers and safeguards
- Retention periods
- Security measures
Third-Party Processors
When we engage third-party processors, we ensure compliance through:
- Written contracts specifying processing instructions
- Confidentiality commitments
- Security measure requirements
- Assistance with data subject rights
- Data deletion or return upon contract termination
International Transfers
When transferring personal data outside the UK, we ensure adequate protection through:
- UK adequacy decisions recognizing equivalent protection
- Standard contractual clauses approved by regulatory authorities
- Binding corporate rules for intra-group transfers
- Appropriate safeguards verified through compliance assessments
Children's Data
Our services are not directed to children under 18. We do not knowingly process children's data without parental consent when required under Article 8 of the GDPR.
Supervisory Authority
You have the right to lodge a complaint with the UK Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: icy-synthesis.com
Updates to This Statement
We review this GDPR compliance statement annually and update it to reflect changes in our processing activities or regulatory requirements. Significant changes will be communicated through our website and, for existing clients, via email.
Last reviewed: May 10, 2026