GDPR Compliance

Last updated: April 11, 2026

Our Commitment to Data Protection

fancy-drift is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides specific information about your rights and how we comply with these regulations.

Data Controller Information

For the purposes of UK GDPR, fancy-drift is the data controller responsible for your personal information.

Contact details:
Email: [email protected]
Address: 47 Clifton Street, Bristol BS8 4PB, United Kingdom

Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so. The specific lawful bases we rely on are:

Contract Performance

When you engage our financial guidance services, we process your data to fulfill our contractual obligations. This includes analyzing your financial situation, providing recommendations, and maintaining records of our work together.

Legitimate Interests

We process certain data based on legitimate interests, such as:

  • Operating and improving our business services
  • Maintaining website security and preventing fraud
  • Understanding how visitors use our website to enhance user experience
  • Maintaining business records for accountability and quality assurance

We carefully balance these interests against your rights and only process data when the impact on you is minimal and expected.

Consent

For certain processing activities, particularly regarding cookies and analytics, we obtain your explicit consent. You can withdraw this consent at any time through our cookie preferences or by contacting us directly.

Legal Obligation

We process and retain certain data to comply with legal requirements, such as tax regulations and financial record-keeping obligations applicable to our business.

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right of Access

You can request confirmation of whether we process your personal data and obtain a copy of that data. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month of your request.

Right to Rectification

If your personal information is inaccurate or incomplete, you have the right to have it corrected. We will update our records and notify any third parties to whom we have disclosed the data, where applicable.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

This right is not absolute. We may need to retain certain information to comply with legal obligations or for the establishment, exercise, or defense of legal claims.

Right to Restrict Processing

You can request that we limit how we use your personal data in specific situations:

  • You contest the accuracy of the data while we verify it
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing while we verify legitimate grounds

Right to Data Portability

Where technically feasible, you can request that we provide your personal data in a structured, commonly used, machine-readable format. This allows you to transfer your data to another service provider if desired.

This right applies when processing is based on consent or contract and is carried out by automated means.

Right to Object

You can object to processing of your personal data where we rely on legitimate interests as the lawful basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

You have an absolute right to object to processing for direct marketing purposes. We do not engage in mass marketing, but if you receive any marketing communication from us, you can opt out immediately.

Rights Related to Automated Decision-Making

We do not make decisions about you based solely on automated processing, including profiling, that would produce legal effects or similarly significantly affect you.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us at [email protected] with the following information:

  • Your full name and contact information
  • A description of the right you wish to exercise
  • Any relevant details to help us locate your information
  • Proof of identity if requested (to prevent unauthorized disclosure)

We will respond to your request within one month. In complex cases, this may be extended by up to two additional months, and we will inform you of any delay.

Data Protection Principles

We adhere to the core data protection principles established by UK GDPR:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. This page and our Privacy Policy clearly explain our data practices.

Purpose Limitation

We collect personal data for specific, explicit, and legitimate purposes. We do not process it further in ways incompatible with those purposes.

Data Minimization

We collect only data that is adequate, relevant, and limited to what is necessary for our stated purposes. We do not request information we do not need.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or corrected without delay.

Storage Limitation

We retain personal data only as long as necessary for the purposes it was collected or as required by law. Our retention periods are documented and regularly reviewed.

Integrity and Confidentiality

We implement appropriate security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Accountability

We are responsible for demonstrating compliance with these principles. We maintain records of our processing activities and regularly review our practices.

Data Security Measures

We implement technical and organizational measures to ensure appropriate security of personal data:

  • Encryption of data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments and vulnerability testing
  • Staff training on data protection and security
  • Incident response procedures for potential data breaches
  • Secure disposal of data when no longer needed

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay. We will also report the breach to the Information Commissioner's Office within 72 hours of becoming aware of it, as required by law.

Third-Party Processors

When we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees of compliance with UK GDPR. We maintain written contracts with all processors that specify:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Security measures and confidentiality requirements

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions recognizing equivalent data protection standards
  • Standard contractual clauses approved by authorities
  • Binding corporate rules for transfers within corporate groups

Children's Data

Our services are not intended for individuals under 18 years of age. We do not knowingly collect or process personal data of children. If we discover we have inadvertently collected such data, we will delete it promptly.

Updates to This Notice

We may update this GDPR notice periodically to reflect changes in our practices or legal requirements. Significant updates will be communicated through our website, and we will update the "Last updated" date accordingly.

Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data appropriately:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk

While you have the right to contact the ICO, we encourage you to reach out to us first so we can address your concerns directly.

Questions and Contact

If you have questions about how we comply with UK GDPR or wish to exercise your data protection rights, please contact us:

Email: [email protected]
Address: 47 Clifton Street, Bristol BS8 4PB, United Kingdom