GDPR Compliance Statement

Last updated: 8 May 2026

Our Commitment to GDPR

crystalbyte is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibility for protecting your personal data seriously and have implemented comprehensive measures to ensure compliance.

Data Controller Information

Data Controller: crystalbyte
Address: 27 Piccadilly Gardens, Manchester, M1 2AP, United Kingdom
Email: [email protected]

Your GDPR Rights Explained

Right to be Informed

You have the right to know how we collect, use, and protect your personal data. This information is provided in our Privacy Policy and is available in clear, plain language.

Right of Access

You can request a copy of all personal data we hold about you. We will provide this within one month of your request, free of charge in most cases.

How to request: Email [email protected] with "Subject Access Request" in the subject line. We may need to verify your identity before processing the request.

Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will update your information within one month and notify any third parties with whom we've shared the data.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: We may be required to retain certain data for legal or regulatory purposes, even after a deletion request.

Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances:

  • When you contest the accuracy of the data
  • When processing is unlawful but you don't want the data erased
  • When we no longer need the data but you need it for legal claims
  • When you've objected to processing pending verification

Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format. This applies to data processed based on consent or contract, and we will provide it within one month.

Right to Object

You can object to processing of your personal data when:

  • Processing is based on legitimate interests
  • Processing is for direct marketing purposes
  • Processing is for research or statistical purposes

We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

How We Protect Children's Data

As we work with children and teenagers, we take extra precautions:

  • We obtain verifiable parental consent before collecting data from children under 16
  • We clearly explain what data we collect and why in age-appropriate language
  • We apply enhanced security measures for children's personal data
  • We never share children's data for marketing purposes
  • We maintain strict safeguarding protocols aligned with UK regulations

Data Processing Activities

We maintain detailed records of all data processing activities, including:

  • Purpose of processing
  • Categories of data subjects and personal data
  • Recipients of personal data
  • Data retention periods
  • Security measures in place

Data Security Measures

We implement appropriate technical and organisational measures:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication protocols
  • Staff training on data protection and security
  • Incident response and breach notification procedures
  • Regular backups with secure storage

Data Breach Procedures

In the unlikely event of a personal data breach:

  • We will notify the ICO within 72 hours if the breach poses a risk to individuals' rights and freedoms
  • We will notify affected individuals without undue delay if the breach poses a high risk
  • We will document all breaches and our response measures
  • We will take immediate steps to contain and remediate the breach

Third-Party Processors

When we use third-party service providers who process personal data on our behalf:

  • We conduct due diligence to ensure they meet GDPR standards
  • We establish written contracts specifying their obligations
  • We ensure they implement appropriate security measures
  • We limit their processing to our explicit instructions
  • We regularly audit their compliance

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data internationally, we ensure:

  • The country has been deemed to provide adequate protection
  • Or we use standard contractual clauses approved by the ICO
  • Or we obtain your explicit consent for the transfer

Privacy by Design and Default

We embed data protection into everything we do:

  • We collect only the minimum data necessary for our purposes
  • We implement privacy-friendly default settings
  • We conduct privacy impact assessments for new projects
  • We regularly review and update our practices

Staff Training and Awareness

All staff members receive:

  • Regular GDPR and data protection training
  • Clear policies and procedures to follow
  • Ongoing updates about regulatory changes
  • Specific training on handling children's data

How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Send an email to [email protected] with your request
  2. Clearly state which right you wish to exercise
  3. Provide sufficient information for us to verify your identity
  4. We will respond within one month (or explain if we need more time)

We do not charge a fee for most requests. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive.

Questions and Complaints

If you have questions about our GDPR compliance or wish to make a complaint:

Contact us first:
Email: [email protected]
We aim to resolve concerns promptly and fairly.

Contact the supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
You have the right to lodge a complaint with the ICO at any time.

Updates to This Statement

We review this GDPR compliance statement regularly and update it as necessary to reflect changes in our practices or legal requirements. The date at the top of this page shows when it was last updated.