GDPR Compliance Statement

Last Updated: June 7, 2026

Our Commitment to Data Protection

violet-marsh is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This page provides detailed information about your rights and how we ensure compliance with applicable data protection laws.

Data Controller Information

violet-marsh acts as the data controller for personal information collected through this website and during the provision of our consulting services. Our contact details are:

violet-marsh
12 Albemarle Gardens
London SW19 4PN
United Kingdom
Email: [email protected]

Your Data Protection Rights

1. Right of Access

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with information about how it is being used. To request access, please submit a written request to the contact details above. We will respond within one month of receipt.

2. Right to Rectification

If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request correction or completion of that information. We will update our records promptly upon verification of the correction.

3. Right to Erasure (Right to be Forgotten)

You may request deletion of your personal data in the following circumstances:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent on which processing is based
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

Please note that this right is not absolute and we may be required to retain certain information for legal or regulatory purposes.

4. Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or when processing is unlawful but you do not want the data erased.

5. Right to Data Portability

Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible.

6. Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis for processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

7. Rights Related to Automated Decision-Making

We do not currently use automated decision-making or profiling that produces legal effects or similarly significant effects. Should this change, you will be informed and provided with appropriate safeguards.

How to Exercise Your Rights

To exercise any of the rights outlined above, please submit a request in writing to:

Email: [email protected]
Subject Line: "GDPR Data Subject Request"

Your request should include:

• Your full name and contact details
• A description of the right you wish to exercise
• Any relevant details that will help us locate your data
• Proof of identity (we may request additional verification to protect your information)

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will notify you of any such extension.

Lawful Bases for Processing

We process personal data only when we have a lawful basis to do so. The lawful bases we rely on include:

• Consent: You have given clear consent for us to process your data for a specific purpose
• Contract: Processing is necessary to fulfil a contract with you or to take steps at your request before entering a contract
• Legal Obligation: Processing is necessary to comply with the law
• Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit and at rest
• Regular security assessments and vulnerability testing
• Access controls and authentication procedures
• Staff training on data protection principles
• Incident response and breach notification procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the UK Information Commissioner's Office within 72 hours of becoming aware of the breach, where required by law.

Third-Party Processing

When we engage third-party service providers to process personal data on our behalf, we ensure they provide sufficient guarantees regarding data protection. We enter into data processing agreements that specify their obligations and ensure they process data only in accordance with our instructions.

International Data Transfers

If we transfer personal data outside the United Kingdom or European Economic Area, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions recognising equivalent data protection standards
• Binding Corporate Rules for intra-group transfers

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Our standard retention periods are:

• Contact inquiries: 3 years from last contact
• Client project data: 7 years from project completion
• Financial records: 7 years as required by tax regulations
• Marketing consent records: Until consent is withdrawn or 3 years of inactivity

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR or UK data protection law, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement periodically to reflect changes in our data processing activities or legal requirements. Material changes will be communicated through our website and, where appropriate, by direct notification.

Questions and Further Information

If you have questions about our GDPR compliance practices or data protection policies, please contact us using the details provided at the top of this page. We are committed to transparency and will address your inquiries promptly.