GDPR Compliance

Your data protection rights

The General Data Protection Regulation (GDPR) and UK GDPR provide robust protections for your personal data. This page explains how peppy-tread complies with these regulations and outlines your rights as a data subject.

Our Commitment to Data Protection

We are committed to protecting your personal data and respecting your privacy. Our approach to data protection is built on transparency, accountability, and ensuring you maintain control over your information.

As a data controller, peppy-tread is responsible for deciding how and why your personal data is processed. We take this responsibility seriously and have implemented policies and procedures to ensure compliance with data protection law.

Principles We Follow

We process personal data in accordance with the following principles:

Lawfulness, Fairness, and Transparency

We only process data when we have a valid legal basis, we don't deceive you about how data is used, and we provide clear information about our processing activities.

Purpose Limitation

We collect data for specified, explicit purposes and don't use it for incompatible purposes without informing you and, where necessary, obtaining your consent.

Data Minimisation

We only collect the personal data we actually need for the stated purposes. We don't gather information "just in case" it might be useful.

Accuracy

We take reasonable steps to ensure personal data is accurate and up to date. You can request corrections at any time.

Storage Limitation

We don't keep personal data longer than necessary. We have retention schedules that govern how long different types of data are kept.

Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or damage.

Your Rights Under GDPR

The regulation gives you several important rights regarding your personal data:

Right to Be Informed

You have the right to know how we collect and use your personal data. This page and our Privacy Policy provide this information. We will always tell you what data we need and why when we collect it.

Right of Access

You can request a copy of the personal data we hold about you. This is sometimes called a Subject Access Request (SAR). We will respond within one month and provide the information free of charge in most cases.

Right to Rectification

If you believe any information we hold about you is inaccurate or incomplete, you can ask us to correct it. We will respond within one month.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including:

  • When the data is no longer necessary for its original purpose
  • When you withdraw consent (if consent was the legal basis)
  • When you object to processing and there are no overriding legitimate grounds
  • When data has been unlawfully processed

Note that we may need to retain some data for legal or regulatory reasons even if you request erasure.

Right to Restrict Processing

You can ask us to limit how we use your data in certain situations, such as while we verify accuracy following a rectification request, or while we consider your objection to processing.

Right to Data Portability

Where technically feasible, you can request that we provide your personal data in a structured, commonly used, machine-readable format so you can transfer it to another service provider.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop immediately.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making in our services.

Exercising Your Rights

To exercise any of these rights, please contact us:

  • Email: [email protected]
  • Post: Data Protection, peppy-tread, Suite 14, Wellington House, 36 Wellington Street, Leeds, LS1 2DE

We may need to verify your identity before processing your request. We aim to respond to all requests within one month, though complex requests may take longer (up to three months total), in which case we will inform you.

International Data Transfers

We primarily process data within the United Kingdom. If we need to transfer data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.

Data Breach Procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours. If the breach is likely to result in high risk to you, we will also notify you directly without undue delay.

Data Protection Officer

Given the nature and scale of our operations, we are not required to appoint a formal Data Protection Officer. However, responsibility for data protection compliance rests with our senior management team. For data protection queries, please contact us at [email protected].

Supervisory Authority

The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO). If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the ICO:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk

Updates to This Information

We may update this page periodically to reflect changes in our practices or legal requirements. The date at the top of this page indicates when it was last revised.