Understanding your data protection rights under UK GDPR
Last updated: January 2026
ember-studio is committed to ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides information about how we fulfil our obligations under these regulations.
For the purposes of data protection law, ember-studio is the data controller for personal information processed through this website and in the course of providing our services.
Contact:
ember-studio
47 Victoria Street
London, SW1H 0EU
Email: [email protected]
Under the UK GDPR, you have the following rights regarding your personal data:
You have the right to obtain confirmation that we are processing your personal data and to request a copy of that data. We will respond to access requests within one month.
You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.
You have the right to erasure, also known as the "right to be forgotten": you may request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.
You have the right to request that we restrict the processing of your personal data in certain situations, such as when you contest the accuracy of the data.
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
You have the right to object to processing based on legitimate interests, and to processing for direct marketing purposes.
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making of this nature.
To exercise any of these rights, please contact us using the details above. We may need to verify your identity before processing your request. We aim to respond to all legitimate requests within one month, though this may be extended by two further months for complex requests.
We process personal data under the following lawful bases:
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our standard retention periods are:
Where we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the ICO or transfers to countries with adequacy decisions.
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by processing. These measures include access controls, encryption, and regular security assessments.
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in high risk, we will also notify affected individuals directly.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe that your data protection rights have been infringed:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
We may update this GDPR information page periodically. Significant changes will be communicated through our website or, where appropriate, by direct notification.