twilight-spring

GDPR Compliance Statement

Last Updated: April 17, 2026

Our Commitment to Data Protection

twilight-spring is committed to protecting your personal data and respecting your privacy rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines how we comply with these regulations and the measures we take to safeguard your information.

We recognize that you trust us with sensitive financial information, and we take that responsibility seriously. Our data protection practices are designed to give you control over your personal data while enabling us to provide excellent service.

Data Controller Information

twilight-spring acts as the data controller for personal information collected through our website and services. This means we determine how and why your personal data is processed.

Data Controller: twilight-spring
Address: 42 Cheapside, London EC2V 6AA, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so. Depending on the context, we rely on the following legal grounds:

Consent

In certain situations, we process your data based on your explicit consent. This includes newsletter subscriptions and optional marketing communications. You can withdraw consent at any time without affecting the lawfulness of processing that occurred before withdrawal.

Contractual Performance

When you engage our services, we process data necessary to fulfill our contractual obligations. This includes analyzing your financial situation, developing strategies, and providing ongoing support as agreed.

Legal Obligations

Financial services are subject to various legal and regulatory requirements. We process data when necessary to comply with these obligations, such as record-keeping requirements and anti-money laundering regulations.

Legitimate Interests

We may process data based on legitimate business interests, provided these don't override your fundamental rights. This includes improving our services, website functionality, and internal business operations. We always balance our interests against your rights before processing data on this basis.

Your GDPR Rights

UK GDPR grants you several important rights regarding your personal data. We respect these rights and have established procedures to facilitate their exercise.

Right of Access

You can request confirmation of whether we process your personal data and, if so, access to that data. We'll provide a copy of your information along with details about how we use it. The first copy is provided free of charge; reasonable fees may apply for additional copies.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request correction. We'll update your information promptly and notify any third parties to whom we've disclosed it.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of your personal data under certain circumstances, including when it's no longer necessary for the purposes collected, you withdraw consent, or you object to processing. This right isn't absolute; we may need to retain certain information to comply with legal obligations.

Right to Restriction of Processing

You can request that we limit how we process your data in specific situations, such as when you contest data accuracy or object to processing. When processing is restricted, we can store the data but not use it without your consent.

Right to Data Portability

Where processing is based on consent or contract performance and carried out by automated means, you can request your data in a structured, commonly used format. We'll provide this in a machine-readable format that can be transmitted to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we'll stop processing your data for that purpose immediately. For other objections, we'll cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. We don't currently use automated decision-making for financial advice, but if this changes, we'll provide specific information and safeguards.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected] with the subject line "Data Rights Request." Please include:

  • Your full name and contact information
  • Clear description of which right you're exercising
  • Specific details about the data or processing in question
  • Any relevant dates or reference numbers

We'll verify your identity before processing requests to protect your information from unauthorized access. This may involve requesting additional identification documents.

We aim to respond within one month of receiving a valid request. Complex requests may require up to three months; we'll inform you if an extension is necessary and explain the reasons for the delay.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Our security measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls based on the principle of least privilege
  • Secure authentication mechanisms including multi-factor authentication
  • Regular staff training on data protection and security practices
  • Incident response procedures for potential data breaches
  • Regular backup procedures with secure storage
  • Vendor security assessments for third-party processors

Data Breach Procedures

Despite our security measures, breaches can occur. We have established procedures to detect, report, and investigate potential breaches promptly.

If a breach occurs that poses a risk to your rights and freedoms, we'll notify you without undue delay. This notification will include the nature of the breach, likely consequences, and measures we're taking to address it.

We'll also report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware, as required by UK GDPR.

Data Retention

We don't retain personal data longer than necessary for the purposes collected or as required by law. Retention periods are determined based on:

  • Legal and regulatory requirements for financial services
  • The nature of our relationship with you
  • Whether ongoing services are being provided
  • Legitimate business needs for the information

Financial service records are typically retained for seven years following service completion, as required by UK financial regulations. After this period, data is securely deleted or anonymized.

Third-Party Processors

Some of our service providers process personal data on our behalf. We carefully select processors that demonstrate appropriate data protection standards and enter into written agreements requiring them to:

  • Process data only on our documented instructions
  • Ensure confidentiality of processing personnel
  • Implement appropriate security measures
  • Assist with responding to data subject rights requests
  • Delete or return data when processing services end
  • Make available information demonstrating compliance

We remain responsible for ensuring processors comply with data protection obligations.

International Transfers

We primarily store and process data within the United Kingdom. When transfers outside the UK are necessary, we ensure adequate safeguards are in place through approved transfer mechanisms such as:

  • Standard contractual clauses approved by the UK authorities
  • Adequacy decisions recognizing equivalent data protection standards
  • Binding corporate rules for intra-group transfers

We conduct transfer impact assessments to verify that data transferred internationally receives adequate protection.

Privacy by Design and Default

We implement privacy by design and default principles, meaning data protection is considered at the earliest stages of designing systems, services, and processes. This includes:

  • Minimizing data collection to what's genuinely necessary
  • Implementing strong privacy settings by default
  • Pseudonymization and anonymization where appropriate
  • Transparency in how data is used
  • Enabling user control over their data

Data Protection Impact Assessments

When implementing new technologies or processing activities that may pose high risks to data subjects, we conduct Data Protection Impact Assessments (DPIAs). These assessments identify risks and demonstrate how we mitigate them.

Accountability and Governance

We maintain comprehensive documentation demonstrating compliance with data protection principles, including:

  • Records of processing activities
  • Data protection policies and procedures
  • Training records for staff
  • Vendor due diligence documentation
  • Data breach logs and responses
  • Regular compliance reviews

Updates to This Statement

We review and update this GDPR compliance statement regularly to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website and, where appropriate, via email.

Questions and Concerns

If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected]. We welcome feedback and take all concerns seriously.

Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we've mishandled your personal data:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

While you can contact the ICO directly, we hope you'll reach out to us first so we can address your concerns.
