GDPR Compliance Statement

Last Updated: May 14, 2026

Our Commitment to GDPR

froststrike-hold is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations under these regulations.

Data Controller Information

froststrike-hold is the data controller responsible for your personal data. Our contact details are:

froststrike-hold
42 Woodhouse Lane
Leeds, West Yorkshire LS2 9HT
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under UK GDPR. The lawful bases we rely on include:

1. Consent

We obtain your explicit consent before processing personal data for specific purposes, such as marketing communications. You have the right to withdraw consent at any time.

2. Contract

We process personal data when necessary to fulfill our contractual obligations to provide educational services to enrolled students.

3. Legal Obligation

We process personal data when required to comply with legal obligations, such as safeguarding requirements for organizations working with children.

4. Legitimate Interests

We may process personal data based on our legitimate interests in operating and improving our services, provided these interests do not override your fundamental rights and freedoms.

Data Protection Principles

We adhere to the following data protection principles:

• Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner
• Purpose limitation: We collect data for specified, explicit, and legitimate purposes only
• Data minimization: We collect only the data necessary for our purposes
• Accuracy: We keep personal data accurate and up to date
• Storage limitation: We retain data only as long as necessary
• Integrity and confidentiality: We implement appropriate security measures to protect data
• Accountability: We take responsibility for compliance and can demonstrate it

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data, provided through our Privacy Policy and this GDPR statement.

Right of Access

You have the right to request access to your personal data. We will provide a copy of your data in a commonly used electronic format within one month of your request.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.

Right to Erasure

Also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another organization.

Right to Object

You have the right to object to processing based on legitimate interests, direct marketing, or processing for research purposes.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling in our services.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the subject line "GDPR Rights Request." Please include:

• Your full name and contact information
• A clear description of your request
• Proof of identity (to prevent unauthorized disclosure)

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any such extension.

Children's Data

As an organization providing services to children and teenagers, we take extra care to protect their personal data. We:

• Obtain verifiable parental or guardian consent before collecting children's data
• Collect only the minimum data necessary for service delivery
• Implement enhanced security measures for children's data
• Provide clear information to parents about data collection and use
• Enable parents to access, correct, or delete their child's data
• Ensure all staff working with children have appropriate DBS clearance

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and penetration testing
• Access controls limiting data access to authorized personnel only
• Staff training on data protection and security
• Incident response procedures for data breaches

Data Breach Notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay if the breach poses a high risk
• Document all data breaches and our response measures

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the UK authorities
• Transfers to countries with adequate data protection laws
• Other legally recognized transfer mechanisms

Third-Party Processors

We work with third-party service providers who process personal data on our behalf. We ensure that:

• All processors are GDPR-compliant
• Data processing agreements are in place
• Processors implement appropriate security measures
• We maintain oversight of processor activities

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law. Our retention periods include:

• Enrollment records: Retained for 7 years after programme completion for safeguarding and legal compliance
• Marketing consents: Retained until consent is withdrawn
• Email correspondence: Retained for 3 years for operational purposes
• Website analytics: Anonymized after 26 months

Complaints

If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR Compliance Statement from time to time to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website and via email to registered users.

Contact Information

For questions about GDPR compliance or to exercise your data protection rights, please contact us at:

Email: [email protected]
Subject Line: GDPR Inquiry