GDPR Compliance
How we comply with the General Data Protection Regulation
Our commitment
chromaticwave is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We process personal data lawfully, fairly, and transparently, respecting your rights at all times.
Data controller
chromaticwave is the data controller responsible for your personal data.
Contact details:
Email: [email protected]
Address: 27 Ashford Street, Bristol, BS3 2HY, United Kingdom
Lawful basis for processing
We process personal data under the following lawful bases:
- Contract: Processing necessary to fulfil our contract with you when you enrol in our programmes
- Legal obligation: Processing required to comply with legal requirements (e.g., financial record-keeping)
- Legitimate interests: Processing necessary for our legitimate business interests, provided these don't override your rights
- Consent: Processing based on your explicit consent (e.g., marketing emails), which you can withdraw at any time
Your GDPR rights
Under the GDPR, you have the following rights:
Right to be informed
You have the right to clear information about how we collect and use your data. This website and our communications provide that transparency.
Right of access
You can request a copy of the personal data we hold about you. We will provide this within one month of your request.
Right to rectification
If your data is inaccurate or incomplete, you have the right to have it corrected.
Right to erasure
Also known as the "right to be forgotten." You can request deletion of your personal data in certain circumstances.
Right to restrict processing
You can request that we limit how we use your data in certain situations.
Right to data portability
You can request your data in a structured, commonly used, machine-readable format and transfer it to another controller.
Right to object
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights related to automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
How to exercise your rights
To exercise any of your GDPR rights, contact us at [email protected]
We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this by two months and will inform you.
We will verify your identity before processing requests to protect your data security.
Children's data protection
We take extra care when processing children's personal data, in line with GDPR requirements:
- We obtain verifiable parental consent before collecting children's data
- We collect only the minimum data necessary (name and age)
- Children's data is used solely for programme delivery
- We never use children's data for marketing purposes
- Parents can access, correct, or delete their child's data at any time
Data security measures
We implement appropriate technical and organisational measures including:
- Secure data storage with encryption
- Access controls limiting data access to authorised personnel only
- Regular security assessments and updates
- Staff training on data protection responsibilities
- Secure data transmission protocols
- Regular backups with secure storage
Data breach procedures
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the ICO within 72 hours of becoming aware
- Notify affected individuals without undue delay if the breach poses a high risk
- Document the breach, its effects, and remedial action taken
- Take immediate steps to contain and remedy the breach
Data transfers
We process and store data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions
- Standard contractual clauses
- Binding corporate rules
Currently, we do not transfer personal data outside the UK.
Third-party processors
We work with carefully selected third-party processors who handle data on our behalf. All processors:
- Have appropriate data protection agreements in place
- Process data only on our instructions
- Implement appropriate security measures
- Comply with GDPR requirements
Retention periods
We retain personal data only as long as necessary:
- Programme participant data: duration of programme plus 12 months
- Enquiry data: 24 months or until resolved
- Financial records: 7 years (legal requirement)
- Marketing consent records: until consent is withdrawn plus 12 months
After retention periods expire, data is securely deleted or anonymised.
Accountability and governance
We maintain accountability for our data protection practices through:
- Regular data protection impact assessments
- Documentation of processing activities
- Staff training and awareness programmes
- Regular policy reviews and updates
- Audit trails for data access and changes
Complaints and supervisory authority
If you have concerns about how we handle your data, please contact us first at [email protected]
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
ICO helpline: 0303 123 1113
Website: ico.org.uk
Updates to this information
We review our GDPR compliance regularly and update this page as needed. Significant changes will be communicated to affected individuals.
Last reviewed: 8 May 2026