Nexora Spark

GDPR Compliance

Your data protection rights under UK GDPR

Our Commitment to Data Protection

Nexora Spark is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal information and respecting your privacy rights.

This page outlines how we meet our obligations under data protection law and explains your rights in detail.

Data Controller Information

For the purposes of UK GDPR, Nexora Spark is the data controller responsible for your personal information.

Contact Details:
Nexora Spark
15 Kingsway
London WC2B 6UN
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so. The specific legal grounds we rely on include:

Consent

We process certain data based on your explicit consent, such as sending marketing communications or using non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing conducted before withdrawal.

Contract

When you engage our services, processing is necessary to perform our contractual obligations to you, including delivering consultations, developing financial strategies, and providing ongoing support.

Legal Obligation

We process data to comply with legal requirements, such as maintaining records for regulatory purposes or responding to lawful requests from authorities.

Legitimate Interests

We may process data based on our legitimate business interests, provided these don't override your fundamental rights and freedoms. Examples include improving our services, preventing fraud, and ensuring network security. We conduct regular assessments to balance our interests against your rights.

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal information. We respect these rights and have established processes to honour them efficiently.

Right to Be Informed

You have the right to clear information about how we collect and use your personal data. We provide this through our Privacy Policy and this GDPR page, using plain language wherever possible.

Right of Access

You can request a copy of the personal information we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month, though we may extend this by two additional months for complex requests.

To submit an access request, email us at [email protected] with "Subject Access Request" in the subject line. We may ask for identification to verify your identity before releasing information.

Right to Rectification

If you believe any personal information we hold is inaccurate or incomplete, you can request correction. We will assess your request and make amendments where appropriate, notifying you of the outcome within one month.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in specific circumstances:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent was the lawful basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required to comply with a legal obligation

This right is not absolute. We may refuse erasure if we have legal obligations to retain the data, such as financial record-keeping requirements.

Right to Restriction of Processing

You can request that we limit how we use your data in certain situations:

  • You contest the accuracy of the data (restriction applies while we verify accuracy)
  • Processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you require it for legal claims
  • You've objected to processing (restriction applies while we assess whether our legitimate grounds override yours)

When processing is restricted, we can still store the data but not use it without your consent, except for legal claims or protecting others' rights.

Right to Data Portability

Where we process your data based on consent or contract performance, and processing is carried out by automated means, you can request to receive your data in a structured, commonly used, machine-readable format. You may also request direct transmission to another controller where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

For direct marketing, your right is absolute—we will stop processing immediately upon receiving your objection.

For processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.

Rights Related to Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts. Should this change, we will update this page and seek appropriate consent where required.

How to Exercise Your Rights

To exercise any of your data protection rights, contact us by email at [email protected]. Please include:

  • Your full name and contact information
  • A clear description of which right you wish to exercise
  • Any relevant details to help us locate your information
  • Proof of identity (if requested, to prevent unauthorised disclosure)

We will respond within one month of receiving your request. For complex requests, we may extend this period by two months and will notify you of the extension and reasons.

Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive, particularly if repetitive, we may charge a reasonable administrative fee or refuse the request.

Data Security Measures

We implement robust technical and organisational security measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit and at rest
  • Regular security audits and penetration testing
  • Access controls limiting data access to authorised personnel only
  • Secure backup systems with tested recovery procedures
  • Staff training on data protection responsibilities
  • Confidentiality agreements with all employees and contractors
  • Incident response procedures for data breaches

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing:

  • A description of the nature of the breach
  • The likely consequences
  • Measures taken or proposed to address the breach and mitigate harm
  • Contact details for further information

Data Protection by Design and Default

We integrate data protection considerations into our business processes and service development from the outset. This includes:

  • Minimising data collection to what is necessary
  • Implementing privacy-enhancing technologies
  • Conducting Data Protection Impact Assessments for high-risk processing
  • Reviewing and updating security measures regularly
  • Training staff on privacy principles and practices

Third-Party Processors

When we engage third-party service providers to process personal data on our behalf, we ensure they meet strict data protection standards through:

  • Due diligence assessments before engagement
  • Written contracts specifying data protection obligations
  • Requirements to implement appropriate security measures
  • Restrictions on sub-processing without our authorisation
  • Obligations to assist with our compliance responsibilities
  • Regular audits of processor compliance

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by regulatory authorities
  • Adequacy decisions recognising equivalent data protection standards
  • Binding corporate rules for transfers within multinational organisations

We will inform you of any international transfers and the safeguards applied.

Record Keeping and Accountability

We maintain comprehensive records of our processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Recipients of personal data
  • Data retention periods
  • Security measures implemented

These records demonstrate our accountability and compliance with UK GDPR requirements.

Children's Data

Our services are not directed at children under 18 years of age. We do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected such information, we will delete it promptly and, where appropriate, notify the child's parent or guardian.

Updates to This Information

We review and update our GDPR compliance practices regularly. Any changes to this page will be reflected with a revised "last updated" date. Significant changes will be communicated to active clients via email.

Questions and Concerns

If you have questions about our GDPR compliance or concerns about how we handle your personal data, please contact us:

Email: [email protected]
Address: 15 Kingsway, London WC2B 6UN, United Kingdom

Right to Lodge a Complaint

While we strive to address all concerns internally, you have the right to lodge a complaint with the UK supervisory authority if you believe we have not complied with data protection law:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Helpline: 0303 123 1113
Website: nexora-spark.com
Online reporting: nexora-spark.com/make-a-complaint

© 2026 Nexora Spark. All rights reserved.
