GDPR Compliance Statement

Overview

Echo Ride is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines our approach to protecting your personal data and upholding your rights.

Data Controller

Echo Ride acts as the data controller for the personal information we collect through our educational services. We are responsible for determining how and why your data is processed.

Data Controller:
Echo Ride Financial Education
42 Charter Square
Sheffield, S1 4HS
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our primary bases are:

Consent

When you submit booking forms or subscribe to communications, you provide explicit consent for us to process your information for those specific purposes. You may withdraw consent at any time.

Contractual Necessity

Processing is necessary to fulfil our contractual obligations when you book and attend our educational sessions.

Legitimate Interests

We may process data where necessary for our legitimate business interests, such as improving services, preventing fraud, or ensuring network security, provided these interests don't override your rights.

Legal Obligation

We process certain data to comply with legal requirements, such as maintaining business records and responding to lawful requests from authorities.

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Access

You can request a copy of the personal data we hold about you. We will provide this within one month of your request.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed.

Right to Erasure

In certain circumstances, you can request that we delete your personal data. This right is not absolute and may be limited by legal retention requirements.

Right to Restrict Processing

You can ask us to limit how we use your data in specific situations, such as while we verify data accuracy or assess whether we have legitimate grounds to process it.

Right to Data Portability

You can request a copy of your data in a structured, commonly used format, or ask us to transfer it to another organisation where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling processes that produce legal effects or significantly affect you.

How to Exercise Your Rights

To exercise any of your GDPR rights, contact us at [email protected] with:

• Your full name and contact details
• A description of your request
• Proof of identity (if required for security purposes)

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of any delay.

Data Protection Principles

We adhere to the following data protection principles:

Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and transparently, informing you about how we use your information.

Purpose Limitation

We collect data for specific, explicit, and legitimate purposes, and do not process it in ways incompatible with those purposes.

Data Minimisation

We collect only the data necessary to fulfil the stated purposes.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date.

Storage Limitation

We retain data only as long as necessary for the purposes collected or as required by law.

Integrity and Confidentiality

We implement appropriate security measures to protect data against unauthorised access, loss, or damage.

Accountability

We take responsibility for demonstrating compliance with data protection principles.

Data Security Measures

We implement technical and organisational security measures including:

• Encryption of data in transit and at rest
• Access controls and authentication requirements
• Regular security assessments and updates
• Staff training on data protection
• Secure data backup procedures

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. If the breach poses a high risk, we will also notify affected individuals without undue delay.

International Data Transfers

We do not routinely transfer personal data outside the United Kingdom. If such transfers become necessary, we will ensure appropriate safeguards are in place as required by UK GDPR.

Third-Party Processing

When we engage third-party service providers to process data on our behalf, we ensure they:

• Process data only according to our instructions
• Implement appropriate security measures
• Comply with GDPR requirements
• Have signed data processing agreements

Children's Data

We provide services to children but collect personal data only from parents or legal guardians. When processing children's data, we apply enhanced privacy protections and obtain parental consent where required.

Complaints

If you're not satisfied with how we've handled your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through our website.

Contact Us

For questions about GDPR compliance or to exercise your rights, contact us at [email protected].