GDPR Information
Your data protection rights under UK GDPR and how we uphold them.
Last Updated: January 2024
Brave Haven Financial Education Ltd is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about how we comply with these regulations and explains your rights as a data subject.
Data Controller Information
For the purposes of data protection law, the data controller is:
Brave Haven Financial Education Ltd
Company Number: 07284156
42 Finsbury Square
London EC2A 1PX
United Kingdom
Email: [email protected]
Our Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner. We inform you about how your data is used.
- Purpose limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
- Data minimisation: We collect only the data necessary for the purposes we have stated.
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
- Storage limitation: We retain data only as long as necessary for the stated purposes or as required by law.
- Integrity and confidentiality: We implement appropriate security measures to protect personal data against unauthorised access, loss, or damage.
- Accountability: We maintain records demonstrating compliance with these principles.
Lawful Bases for Processing
Under UK GDPR, we must have a valid legal basis to process your personal data. We rely on the following bases:
Contractual Necessity
We process personal data when necessary to fulfil our contractual obligations to you. This includes:
- Providing financial education and consultation services
- Processing payments and maintaining financial records
- Communicating about appointments and service delivery
Legitimate Interests
We may process data when it serves our legitimate business interests, provided these do not override your rights. Examples include:
- Improving our services based on client feedback
- Protecting our business against fraud
- Maintaining internal records and business administration
Consent
For certain processing activities, we ask for your explicit consent. This applies to:
- Marketing communications and newsletters
- Non-essential cookies and website tracking
- Processing special category data (if applicable)
You may withdraw consent at any time by contacting us.
Legal Obligation
Some processing is required to comply with legal obligations, such as:
- Tax reporting requirements
- Responding to lawful requests from authorities
- Maintaining records as required by law
Your Data Subject Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one month of receiving your request. There is no fee for the first request, though we may charge a reasonable fee for excessive or repetitive requests.
Right to Rectification
If you believe the personal data we hold about you is inaccurate or incomplete, you have the right to request correction. We will respond to rectification requests within one month.
Right to Erasure
Also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances, including:
- When the data is no longer necessary for its original purpose
- When you withdraw consent (where consent was the basis for processing)
- When you object to processing and there are no overriding legitimate grounds
- When data has been unlawfully processed
Note that we may need to retain certain data for legal or legitimate business reasons.
Right to Restrict Processing
You may request that we limit how we use your data in certain situations, such as:
- While we verify the accuracy of data you have contested
- When processing is unlawful but you prefer restriction over erasure
- When we no longer need the data but you need it for legal claims
- While we consider an objection you have raised
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. This right applies when processing is based on consent or contract and carried out by automated means.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making in our services.
Exercising Your Rights
To exercise any of your data rights, please contact us at:
Email: [email protected]
Post: Data Protection, Brave Haven Financial Education Ltd, 42 Finsbury Square, London EC2A 1PX
When making a request, please provide:
- Your full name and contact details
- The specific right you wish to exercise
- Any information to help us identify the relevant data
- Proof of your identity (we may request this for verification)
We will respond to all legitimate requests within one month. If your request is complex or we receive multiple requests, we may extend this period by a further two months, in which case we will inform you within the initial month.
Data Security Measures
We implement robust technical and organisational measures to protect your data:
- Encryption of data in transit using TLS/SSL protocols
- Encryption of sensitive data at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments and updates
- Staff training on data protection and security
- Secure disposal of data when no longer needed
- Business continuity and disaster recovery planning
International Data Transfers
Your data is primarily stored and processed within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- Transfers to countries with an adequacy decision from the UK
- Use of Standard Contractual Clauses approved by the ICO
- Other appropriate safeguards as permitted by UK GDPR
Data Breach Procedures
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours
- Communicate the breach to affected individuals without undue delay when required
- Document all breaches and our response actions
Children's Data
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.
Updates to This Information
We may update this GDPR information periodically. Material changes will be communicated through our website or direct notification. The "Last Updated" date indicates the most recent revision.
Complaints
If you are dissatisfied with how we have handled your personal data or responded to a rights request, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
We encourage you to contact us first so we have the opportunity to address your concerns directly.
Related Policies
For additional information, please refer to our:
- Privacy Policy — Detailed information about data collection and use
- Cookies Policy — Information about cookies and tracking technologies
- Terms of Use — Terms governing use of our website and services