GDPR Compliance

Last updated: 25 May 2026

Our Commitment to Data Protection

gentle-traverse is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented appropriate measures to ensure your personal information is handled lawfully and securely.

Data Controller

For the purposes of data protection legislation, gentle-traverse is the data controller. We determine how and why your personal data is processed.

Contact details:
Email: [email protected]
Address: 27 Cathedral Road, Cardiff, CF11 9HA, United Kingdom

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to be informed about the collection and use of your personal data. We provide this information through our Privacy Policy and this GDPR page.

2. Right of Access

You can request access to the personal data we hold about you. This is commonly known as a "subject access request." We'll provide a copy of your data free of charge within one month of your request.

3. Right to Rectification

If the personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We'll update your information within one month of your request.

4. Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, or you withdraw consent.

5. Right to Restrict Processing

You have the right to request restriction of processing of your personal data in specific situations, such as when you contest the accuracy of the data or object to processing.

6. Right to Data Portability

You can request that we transfer your personal data to another organisation or provide it to you in a structured, commonly used, machine-readable format.

7. Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis for processing.

8. Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our processing of your personal data.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] with the subject line "GDPR Request."

Please include:

  • Your full name
  • The email address associated with your enquiry or registration
  • Details of your specific request
  • Proof of identity (if required for verification)

We'll respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by up to two months, and we'll inform you of the extension.

Lawful Basis for Processing

We process personal data under the following lawful bases:

Consent

When you complete our enquiry forms or register for programmes, you provide explicit consent for us to process your personal data. You can withdraw consent at any time by contacting us.

Contract Performance

Processing is necessary to fulfil our contractual obligations when you register for and participate in our educational programmes.

Legitimate Interests

We may process data based on legitimate interests, such as improving our services, provided this doesn't override your rights and freedoms.

Data Protection Principles

We adhere to the following data protection principles. Personal data must be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept only for as long as necessary
  • Processed securely with appropriate technical and organisational measures

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Staff training on data protection
  • Secure disposal of data when no longer needed

Data Breach Procedures

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours and inform affected individuals without undue delay.

International Data Transfers

We primarily process data within the United Kingdom. If we need to transfer data internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

Children's Data

We collect and process information about children and teenagers as part of our educational services. We only collect data provided by parents or guardians and use it solely for programme delivery and communication purposes. We apply enhanced protections to children's data.

Updates to Our GDPR Compliance

We regularly review our data protection practices to ensure continued compliance. This page will be updated to reflect any changes in our approach or legal requirements.

Complaints and Concerns

If you have concerns about how we handle your personal data, please contact us first at [email protected]. We'll investigate and respond to your concerns.

If you're not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.gentle-traverse.com