GDPR Compliance

Our commitment to protecting your data rights under UK GDPR

Our Commitment to Data Protection

dreamshade-pond Limited is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise that when you share personal information with us, you are placing your trust in our ability to handle that data responsibly and securely.

This page outlines our approach to GDPR compliance and explains the specific measures we have implemented to protect your data rights.

Data Controller Information

For the purposes of UK GDPR, dreamshade-pond Limited is the data controller responsible for your personal information. This means we determine how and why your data is processed.

Data Controller: dreamshade-pond Limited
ICO Registration Number: ZB847392
Registered Address: 47 Threadneedle Street, London, EC2R 8AU, United Kingdom
Data Protection Contact: [email protected]

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so under UK GDPR. The specific lawful basis depends on the purpose for which we are processing your information:

Contract Performance

When you engage our pension planning services, we process your data to fulfil our contractual obligations to you. This includes conducting pension reviews, preparing recommendations, implementing strategies, and providing ongoing advice. Without this information, we would be unable to deliver the services you have requested.

Legal Obligations

As an FCA-authorised financial services firm, we are subject to extensive regulatory requirements. We must process certain personal data to comply with anti-money laundering regulations, conduct suitability assessments, maintain adequate records, and respond to regulatory requests. These legal obligations require us to collect, retain, and in some cases share your information.

Legitimate Interests

We process some data based on our legitimate business interests, provided these interests are not overridden by your rights and freedoms. Examples include maintaining the security of our IT systems, preventing fraud, defending legal claims, and improving our services based on aggregated analysis.

Consent

Where required, we obtain your explicit consent before processing your data. This applies to activities such as sending marketing communications or using non-essential cookies on our website. You have the right to withdraw your consent at any time, and we make it easy to do so.

Your Data Protection Rights

UK GDPR grants you comprehensive rights over your personal information. We are committed to facilitating the exercise of these rights:

Right to Be Informed

You have the right to clear information about how we collect and use your personal data. We provide this through our privacy policy, this GDPR page, and in our direct communications with you.

Right of Access

You can request access to the personal data we hold about you at any time. We will provide a copy of your data in a commonly used electronic format, along with information about how we are processing it. We respond to subject access requests within one month and do not charge a fee unless the request is manifestly unfounded or excessive.

Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We encourage you to inform us promptly of any changes to your personal information so we can keep our records up to date.

Right to Erasure

Also known as the "right to be forgotten", you may request deletion of your personal data in certain circumstances. However, this right is not absolute—we may be legally required to retain certain information for regulatory purposes or to establish, exercise, or defend legal claims. Where we cannot delete your data, we will explain our reasons.

Right to Restrict Processing

In certain situations, you can request that we limit how we use your data. For example, if you contest the accuracy of your data, you may ask us to restrict processing while we verify its accuracy. During this restriction period, we will store your data but not actively process it.

Right to Data Portability

Where we process your data based on consent or contract performance, and the processing is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format. You may also request that we transmit your data directly to another organisation where technically feasible.

Right to Object

You have the right to object to processing carried out on the basis of legitimate interests. When you object, we must stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes—we will always honour such objections immediately.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We confirm that we do not use automated decision-making or profiling in our pension advisory services. All advice and recommendations are made by qualified human advisers who consider your individual circumstances.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us at [email protected] or write to us at the address provided above. Please include sufficient information to allow us to verify your identity and locate your data.

We will respond to your request within one month, though this may be extended by up to two months for complex requests. We will inform you if an extension is necessary and explain the reasons for the delay.

We do not charge a fee for most requests. However, if your request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse to act on the request.

Data Security Measures

We have implemented comprehensive technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

Technical Security

  • End-to-end encryption for data transmitted over the internet
  • Encrypted storage for all electronic personal data
  • Regular security updates and patches to all systems
  • Firewalls and intrusion detection systems
  • Secure backup systems with off-site storage
  • Multi-factor authentication for access to systems containing personal data

Organisational Security

  • Strict access controls limiting data access to authorised personnel only
  • Regular data protection training for all staff
  • Confidentiality agreements with all employees and contractors
  • Clear data retention and deletion policies
  • Incident response procedures for data breaches
  • Regular reviews and audits of data processing activities

Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. Our notification will describe the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects.

International Data Transfers

We primarily store and process your personal data within the United Kingdom. In some circumstances, we may transfer data to countries outside the UK for specific purposes, such as cloud storage or IT support services.

When we transfer data internationally, we ensure appropriate safeguards are in place to protect your information. These safeguards may include adequacy decisions by the UK government, standard contractual clauses approved by the ICO, or certification schemes recognised under UK GDPR.

If you would like more information about our international data transfers and the safeguards we have implemented, please contact us at [email protected].

Data Protection by Design and Default

We embed data protection into our business processes from the outset. When implementing new systems, services, or processing activities, we conduct Data Protection Impact Assessments (DPIAs) where necessary to identify and mitigate privacy risks.

Our systems are configured to collect only the personal data necessary for the specified purpose, and we implement privacy-enhancing technologies wherever feasible. We ensure that, by default, only personal data necessary for each specific purpose is processed.

Third-Party Processors

We work with carefully selected third-party service providers who process personal data on our behalf. These data processors are contractually bound to process your data only in accordance with our instructions and to implement appropriate security measures.

We conduct due diligence on all processors before engagement and monitor their compliance on an ongoing basis. Our contracts with processors include all mandatory clauses required by UK GDPR to ensure your data is protected to the same standards we apply internally.

Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal and regulatory requirements. Our retention schedule is based on:

  • The nature of our relationship with you
  • The type of data collected
  • Regulatory requirements (particularly FCA record-keeping obligations)
  • Limitation periods for potential legal claims

When data is no longer required, we securely delete or anonymise it in accordance with our data retention policy. For specific retention periods applicable to different types of data, please see our Privacy Policy or contact us for more information.

Children's Data

Our services are not directed at children under the age of 16, and we do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it as soon as possible.

Updates to Our GDPR Practices

We regularly review our data protection practices to ensure ongoing compliance with UK GDPR and to incorporate best practices as they emerge. When we make significant changes to how we process personal data, we will update this page and, where appropriate, notify affected individuals directly.

Complaints and Concerns

If you have concerns about how we handle your personal data or believe we have not complied with UK GDPR, please contact us first so we can address your concerns:

Email: [email protected]

We take all complaints seriously and will investigate thoroughly, providing you with a response within a reasonable timeframe.

If you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: dreamshade-pond.com

Questions About GDPR

If you have questions about our GDPR compliance, your data protection rights, or how we process your personal information, please do not hesitate to contact us at [email protected]. We are committed to transparency and will be happy to provide additional information about our data protection practices.