GDPR Compliance

petal-puffin is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides information about how we process personal data and your rights under these regulations.

Data Controller

petal-puffin acts as the data controller for personal information collected through this website and in the course of our business activities. This means we determine the purposes and means of processing personal data.

Categories of Personal Data

We process the following categories of personal data:

• Identity data: names, job titles
• Contact data: email addresses, business addresses
• Technical data: IP addresses, browser information, device identifiers
• Usage data: information about how you use our website
• Communication data: correspondence and enquiry content

Lawful Basis for Processing

We rely on one or more of the following lawful bases for processing your personal data:

• Consent: Where you have provided clear consent for us to process your personal data for specific purposes
• Contract: Where processing is necessary for a contract we have with you or to take steps at your request before entering a contract
• Legal obligation: Where we need to comply with a legal requirement
• Legitimate interests: Where processing is necessary for our legitimate interests and does not unduly affect your rights

Your Data Protection Rights

Under the UK GDPR, you have the following rights:

Right of Access

You have the right to request a copy of the personal data we hold about you. This is commonly known as a subject access request.

Right to Rectification

You have the right to request correction of personal data if it is inaccurate or incomplete.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.

Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain circumstances.

Right to Data Portability

You have the right to request transfer of your personal data to another organisation or directly to you in a structured, commonly used format.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Exercising Your Rights

To exercise any of these rights, please contact us using the details provided below. We will respond to your request within one month. There is no fee for making a request, although we may charge a reasonable fee if your request is unfounded, excessive, or repetitive.

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit and at rest
• Access controls and authentication requirements
• Regular security assessments and updates
• Staff training on data protection
• Incident response procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in high risk, we will also notify affected individuals without undue delay.

International Data Transfers

Where we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Information Commissioner's Office.

Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

Contact Information

For data protection enquiries or to exercise your rights, please contact us at [email protected] or write to our office address.

Last updated: June 2026