GDPR Compliance Statement

Last updated: June 15, 2026

Our Commitment to Data Protection

cypress-drift is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations and protect your personal data rights.

Legal Basis for Processing

We process personal data under the following legal bases:

• Consent: When you provide explicit consent for specific processing activities
• Contract: When processing is necessary to fulfill service agreements with you
• Legitimate interests: When we have legitimate business interests that do not override your fundamental rights
• Legal obligation: When required to comply with UK law

Data Controller Information

cypress-drift acts as the data controller for personal information collected through this website and our services.

Data Controller:
cypress-drift
27 Park Row
Leeds LS1 5HD
United Kingdom
[email protected]

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right to Access

You may request confirmation of whether we process your personal data and obtain a copy of that data. We will respond to access requests within one month.

Right to Rectification

You may request correction of inaccurate or incomplete personal data. We will verify and update information promptly.

Right to Erasure

You may request deletion of your personal data under certain circumstances, including when data is no longer necessary for original purposes or when you withdraw consent.

Right to Restrict Processing

You may request restriction of processing when you contest data accuracy, processing is unlawful but you prefer restriction to erasure, or you need data retained for legal claims.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals.

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected] with your request. Please include:

• Clear description of the right you wish to exercise
• Sufficient information to verify your identity
• Specific details about data concerned (where applicable)

We will respond to requests within one month, extending to three months for complex requests with notification of delay.

Data Security Measures

We implement appropriate technical and organizational measures to protect personal data:

• Encryption of data in transit and at rest
• Access controls limiting personnel who can view personal data
• Regular security assessments and updates
• Staff training on data protection requirements
• Secure backup procedures

Data Breach Procedures

In the event of a data breach likely to result in risk to your rights and freedoms, we will notify affected individuals within 72 hours of becoming aware of the breach. Notifications will include:

• Nature of the breach
• Likely consequences
• Measures taken or proposed to address the breach
• Contact information for further inquiries

Third-Party Processing

Where we engage third-party processors to handle personal data on our behalf, we ensure:

• Formal data processing agreements are in place
• Processors provide sufficient guarantees of GDPR compliance
• Appropriate technical and organizational measures are implemented
• Regular audits of processor compliance

International Data Transfers

Personal data is primarily processed within the United Kingdom. Where transfers outside the UK are necessary, we ensure adequate protection through:

• Adequacy decisions by UK authorities
• Standard contractual clauses approved by UK authorities
• Other legally recognized transfer mechanisms

Data Retention

We retain personal data only as long as necessary for purposes outlined in our Privacy Policy or as required by law. Standard retention periods:

• Inquiry data without engagement: 2 years
• Client engagement records: 7 years following engagement completion
• Financial records: 7 years per UK tax requirements
• Marketing consent records: Until consent withdrawn plus 1 year

Children's Privacy

Our services are not directed at individuals under 18. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the information promptly.

Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: www.ico.org.uk

We encourage you to contact us first so we can address your concerns directly.

Updates to GDPR Compliance

We regularly review our data protection practices to ensure ongoing compliance with UK GDPR requirements. This statement is updated as necessary to reflect changes in our practices or legal requirements.