GDPR Compliance
Your data protection rights under UK GDPR
Overview
The General Data Protection Regulation, as incorporated into UK law, gives you specific rights regarding your personal information. Brightmend Gear is committed to upholding these rights and maintaining transparent data practices.
This page explains your GDPR rights in practical terms and describes how we've structured our operations to respect them.
Data Controller Information
Brightmend Gear acts as the data controller for personal information collected through our business operations. This means we determine how and why your data is processed.
Our contact details:
Brightmend Gear
42 Ashfield Road
Bristol, BS6 5NR
United Kingdom
Email: [email protected]
Lawful Basis for Processing
We process personal information only when we have a lawful basis to do so. The specific basis depends on the context:
Contractual Necessity
When you place an order, we need certain information to fulfill our contract with you. This includes your name, delivery address, and contact details. Processing this data is necessary to complete the transaction you've initiated.
Legitimate Interests
We have legitimate business interests in understanding how our website performs, preventing fraud, and improving our services. We process certain data on this basis, ensuring our interests don't override your rights and freedoms.
Legal Obligation
UK law requires us to retain financial records for tax purposes. We process and store relevant data to comply with these obligations.
Consent
Where we process data based on your consent, such as for marketing communications you've requested, you may withdraw that consent at any time.
Your Rights Under GDPR
Right to Be Informed
You have the right to clear information about how we collect and use your personal data. Our Privacy Policy provides this transparency, and we're available to answer specific questions about our practices.
Right of Access
You can request a copy of the personal information we hold about you. This is commonly called a subject access request. We'll provide this information within one month at no charge, unless your request is manifestly unfounded or excessive.
Right to Rectification
If information we hold about you is inaccurate or incomplete, you have the right to have it corrected. We'll update our records promptly upon notification and inform any third parties who received the incorrect information.
Right to Erasure
Sometimes called the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances. We'll comply unless we have a legitimate reason to retain the information, such as legal obligations requiring us to keep financial records.
Right to Restrict Processing
You may request that we limit how we use your personal information in specific situations, such as while we verify data accuracy after you've challenged it, or when processing is unlawful but you prefer restriction rather than deletion.
Right to Data Portability
For data you've provided to us that we process automatically based on consent or contract, you can request a copy in a structured, commonly used format. This allows you to move your data between service providers.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. When you object, we'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision Making
We do not use automated systems to make decisions that significantly affect you. All customer service decisions involve human review and judgment.
How to Exercise Your Rights
To exercise any GDPR rights, contact us at [email protected] with your request. Please include sufficient detail to help us locate your information and verify your identity.
We may request additional information to confirm your identity before processing requests, particularly for access or deletion requests. This security measure protects your information from unauthorized disclosure.
We'll respond to valid requests within one month. If your request is particularly complex or we've received multiple requests from you, we may extend this period by two months, but we'll inform you of any delay and explain the reason.
Data Protection Principles
We adhere to the core principles established by GDPR in all our data processing activities:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. We're open about our practices and provide clear information about how we use personal information.
Purpose Limitation
We collect personal information for specific, explicit, and legitimate purposes. We don't use your data for purposes incompatible with those we've disclosed.
Data Minimization
We collect only the information necessary for our stated purposes. We don't request excessive data or information unrelated to the services we provide.
Accuracy
We take reasonable steps to ensure personal information is accurate and kept current. We encourage you to inform us if your details change or if you notice inaccuracies.
Storage Limitation
We retain personal information only as long as necessary for the purposes we collected it, or as required by law. We have defined retention periods for different categories of data.
Integrity and Confidentiality
We implement appropriate security measures to protect personal information from unauthorized access, accidental loss, destruction, or damage. Access to data is restricted to team members who need it for their work.
Accountability
We're responsible for demonstrating compliance with these principles. We maintain documentation of our processing activities and regularly review our practices.
Data Retention
Different types of information are retained for different periods based on legal requirements and business needs:
Order and financial records are kept for seven years to comply with UK tax law.
Customer correspondence is typically retained for three years unless it relates to an ongoing issue.
Technical logs and analytics data are anonymized or deleted after 24 months.
When retention periods expire, we securely delete or anonymize the relevant data.
Data Security
We implement technical and organizational measures appropriate to the risks involved in our processing activities. These measures include encryption of data in transit, secure storage systems, access controls, and regular security reviews.
Our team receives training on data protection principles and their responsibilities. We maintain policies and procedures designed to prevent unauthorized access, loss, or misuse of personal information.
In the unlikely event of a data breach that poses risks to your rights and freedoms, we'll notify you and the relevant supervisory authority as required by law.
International Data Transfers
We store and process data within the United Kingdom. We do not routinely transfer personal information outside the UK. If circumstances require international transfer, we'll implement appropriate safeguards such as standard contractual clauses approved for such transfers.
Third-Party Processors
Some of our service providers process personal data on our behalf. These processors include payment services, shipping carriers, and email systems. We have contracts with these providers requiring them to protect your data and process it only according to our instructions.
We select processors carefully and assess their data protection capabilities before engaging their services.
Children's Data
Our services are not directed at children under 16, and we do not knowingly collect or process data belonging to individuals in this age group. If we discover we've inadvertently obtained such information, we'll delete it promptly.
Updates to Our Practices
We may update our data protection practices as our business evolves or regulations change. Material changes will be communicated through our website, and we'll seek additional consent where required by law.
Complaints and Concerns
If you have concerns about how we handle your personal information, please contact us first so we can address the issue. We take data protection seriously and will investigate any complaints thoroughly.
You also have the right to lodge a complaint with the Information Commissioner's Office, the UK supervisory authority for data protection:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Further Information
For detailed information about our data practices, please refer to our Privacy Policy. For specific questions about GDPR compliance or your data protection rights, contact us at [email protected].