GDPR Compliance

Data Protection Commitment

Mysterious Vale operates in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting the personal data of our clients, website visitors, and business contacts.

Data Controller Information

Data Controller: Mysterious Vale
Address: 47 Woodland Rise, Glastonbury, Somerset BA6 9LT, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis under Article 6 of UK GDPR:

1. Consent

Where you have explicitly agreed to us processing your data for specific purposes, such as receiving marketing communications. You may withdraw consent at any time.

2. Contract

Processing necessary to perform a contract with you or to take steps prior to entering a contract, such as providing ecological consulting services you've requested.

3. Legal Obligation

Processing required to comply with legal obligations, including environmental regulations, planning requirements, and financial record-keeping.

4. Legitimate Interests

Processing necessary for our legitimate business interests, provided these do not override your rights and freedoms. Examples include:

• Maintaining client relationships and project documentation
• Improving our services based on feedback and project outcomes
• Website security and fraud prevention
• Internal administration and business development

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right of Access (Article 15)

You can request copies of your personal data. We will provide this free of charge within one month of your request.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Also known as the 'right to be forgotten,' you can request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the purpose collected
• You withdraw consent and there's no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

This right may be limited where we have legal obligations to retain data, such as completed project records required by professional standards.

Right to Restriction (Article 18)

You can request we limit processing of your personal data in specific situations:

• While we verify data accuracy following your challenge
• When processing is unlawful but you prefer restriction over deletion
• When we no longer need the data but you require it for legal claims
• While we verify our legitimate grounds following your objection

Right to Data Portability (Article 20)

Where technically feasible, you can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects concerning you.

Exercising Your Rights

To exercise any of these rights, contact us:

• Email: [email protected] (preferred method)
• Post: 47 Woodland Rise, Glastonbury, Somerset BA6 9LT, United Kingdom

Please include sufficient information to identify yourself and specify which right you wish to exercise. We will respond within one month, though this may be extended by two additional months for complex requests.

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security:

• Encryption of data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication requirements
• Staff training on data protection obligations
• Secure backup and disaster recovery procedures
• Vendor due diligence for third-party processors

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office within 72 hours of becoming aware
• Inform affected individuals without undue delay if the breach poses a high risk
• Document the breach, its effects, and remedial actions taken

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

• Transfers to countries with adequacy decisions
• Standard contractual clauses approved by the ICO
• Other lawful transfer mechanisms under UK GDPR

Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If we become aware we've collected such data, we will delete it promptly.

Data Protection Officer

Given the nature and scale of our processing activities, we have not appointed a dedicated Data Protection Officer. However, data protection responsibilities are overseen by senior management. Direct data protection inquiries to [email protected]

Supervisory Authority

You have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Website: ico.org.uk
Helpline: 0303 123 1113

Policy Updates

We review this GDPR compliance statement regularly to ensure it remains current with our practices and legal requirements. Material changes will be communicated through our website.

Last Review Date: May 22, 2026