GDPR Compliance

Last updated: May 10, 2026

Our Commitment to GDPR

bright-patcher is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations and protect your rights.

Data Controller Information

For the purposes of UK GDPR, bright-patcher is the data controller responsible for your personal data.

Contact Details:
bright-patcher
47 Ashford Lane
Bristol, BS3 4QT
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under Article 6 of the UK GDPR:

1. Performance of a Contract (Article 6(1)(b))

When you engage our services, we process your personal data to fulfill our contractual obligations to you, including:

  • Providing benefit assessment and application support
  • Communicating about your case
  • Preparing documentation and submissions

2. Consent (Article 6(1)(a))

We obtain your explicit consent before:

  • Sending marketing communications
  • Using non-essential cookies
  • Sharing information with third parties beyond what's necessary for service delivery

3. Legal Obligation (Article 6(1)(c))

We process certain data to comply with legal requirements, such as:

  • Maintaining financial records for tax purposes
  • Retaining case files as required by professional regulations
  • Responding to lawful requests from authorities

4. Legitimate Interests (Article 6(1)(f))

We process data for legitimate business interests where this doesn't override your rights:

  • Website analytics to improve user experience
  • Fraud prevention and security
  • Internal administration

Special Category Data

Given the nature of our services, we often process special category data (sensitive personal data) including:

  • Health information
  • Information about disabilities
  • Financial circumstances

We process this data under Article 9(2)(h) – provision of health or social care – and with your explicit consent. We implement enhanced security measures for this data.

Your Rights Under GDPR

Right to Access (Article 15)

You have the right to obtain confirmation that we are processing your data and to access that data. We will provide a copy free of charge within one month of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. We will update our records promptly.

Right to Erasure (Article 17)

You can request deletion of your personal data in certain circumstances, such as:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds

Note: We may be required to retain certain data for legal or regulatory reasons.

Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data in specific situations, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You can request a copy of your data in a commonly used, machine-readable format to transfer to another service provider.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: [email protected]
  • Write to: 47 Ashford Lane, Bristol, BS3 4QT, United Kingdom

We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this by two months and will inform you.

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security audits and assessments
  • Staff training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours
  • Notify affected individuals without undue delay
  • Document the breach and our response
  • Take steps to mitigate the impact

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms.

International Data Transfers

We primarily store and process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions
  • Standard contractual clauses
  • Binding corporate rules

Data Retention

We retain personal data only for as long as necessary:

  • Active client data: Duration of service plus 7 years
  • Inquiry data (no service engagement): 2 years
  • Marketing consent data: Until consent is withdrawn
  • Website analytics: 26 months

Children's Data

We do not knowingly process data of children under 18 without parental consent. If you are under 18, please ensure a parent or guardian reviews this information and provides consent if you use our services.

Supervisory Authority

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

Updates to This Policy

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or prominent website notice.

Contact Our Data Protection Team

For any questions about our GDPR compliance or to exercise your rights:

Email: [email protected]
Address: 47 Ashford Lane, Bristol, BS3 4QT, United Kingdom

© 2026 bright-patcher. All rights reserved.