Vast Cavern

GDPR Compliance Statement

How we comply with UK General Data Protection Regulation

Our Commitment to Data Protection

Vast Cavern is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines how we fulfill our obligations as a data controller.

Data Controller Information

Data Controller: Vast Cavern
Address: 42 Threadneedle Street, London, EC2R 8AY, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our processing activities rely on the following legal bases:

Consent

For certain processing activities, we obtain your explicit consent. You have the right to withdraw consent at any time by contacting us.

Contract Performance

We process personal data to fulfill our contractual obligations when you engage our financial education services.

Legal Obligation

We process data to comply with legal and regulatory requirements, including:

  • Tax and accounting obligations
  • Financial services regulations
  • Data retention requirements

Legitimate Interests

We process data for legitimate business interests, including:

  • Improving our services
  • Internal administrative purposes
  • Fraud prevention and security
  • Direct marketing (where we have a pre-existing relationship)

We always balance these interests against your rights and freedoms.

Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This is provided in our Privacy Policy.

Right of Access

You can request access to your personal data and receive a copy of the information we hold about you. We will respond to valid requests within one month.

Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.

Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent was the basis for processing)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: We may be required to retain certain information for legal or regulatory purposes.

Right to Restrict Processing

You can request that we limit the processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You can request to receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

  • Email: [email protected]
  • Post: 42 Threadneedle Street, London, EC2R 8AY, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any delay.

Data Protection Principles

We adhere to the UK GDPR data protection principles, ensuring that personal data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept for no longer than necessary
  • Processed securely with appropriate safeguards

Data Security Measures

We implement appropriate technical and organisational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Staff training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document all data breaches, including facts, effects, and remedial actions taken

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK government
  • Standard contractual clauses
  • Binding corporate rules

Third-Party Processors

We only engage third-party processors who provide sufficient guarantees of GDPR compliance. We maintain written contracts with all processors that define:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • Obligations and rights of the controller

Data Protection Impact Assessments

For processing activities that pose high risks to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) before commencing processing.

Record Keeping

We maintain records of our processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International data transfers
  • Retention periods
  • Security measures

Contact and Complaints

If you have questions about our GDPR compliance or wish to make a complaint:

Contact us:
Email: [email protected]
Address: 42 Threadneedle Street, London, EC2R 8AY, United Kingdom

Supervisory Authority:
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: vast-cavern.com
Helpline: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Updates to This Statement

We review and update this GDPR compliance statement regularly to reflect changes in our practices or legal requirements. The current version is always available on our website.

© 2026 Vast Cavern. All rights reserved.