GDPR Compliance

Overview

mooncrest-peak is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we fulfill our obligations as a data controller.

Data controller information

Data Controller: mooncrest-peak
Address: 45 Merrion Street, Leeds LS2 8JQ, United Kingdom
Email: [email protected]

Lawful basis for processing

We process personal data only when we have a lawful basis under Article 6 of the UK GDPR:

Consent (Article 6(1)(a))

When you submit enquiry forms or opt in to receive communications, we rely on your freely given, specific, informed consent. You may withdraw consent at any time by contacting us.

Contract performance (Article 6(1)(b))

Processing is necessary to provide the educational services you've requested or to take steps before entering into a contract.

Legitimate interests (Article 6(1)(f))

We process data for legitimate business interests such as:

• Website analytics to improve user experience
• Fraud prevention and security
• Internal administrative purposes

We balance these interests against your rights and freedoms, ensuring we never override your fundamental rights.

Legal obligation (Article 6(1)(c))

We process data when required by UK law, such as financial record-keeping requirements.

Data subject rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right of access (Article 15)

You have the right to obtain confirmation that we process your data and to receive a copy. We will respond within one month of your request.

Right to rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. We will update records promptly upon verification.

Right to erasure (Article 17)

You may request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent and no other legal basis exists
• You object to processing and no overriding legitimate grounds exist
• The data has been unlawfully processed

This right is not absolute. We may retain data when required by law or for legitimate interests that override your request.

Right to restriction of processing (Article 18)

You can request we limit how we use your data when:

• You contest the accuracy of the data
• Processing is unlawful but you prefer restriction to erasure
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of our legitimate grounds

Right to data portability (Article 20)

Where processing is based on consent or contract performance and carried out by automated means, you can receive your data in a structured, commonly used, machine-readable format.

Right to object (Article 21)

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights related to automated decision-making (Article 22)

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

How to exercise your rights

To exercise any data subject rights, contact us at [email protected] with:

• Your full name and contact details
• Specific right you wish to exercise
• Details of the data or processing concerned
• Proof of identity (if required for verification)

We will respond within one month. This may be extended by two months for complex requests, with notification.

Data protection principles

We adhere to the data protection principles outlined in Article 5 of UK GDPR:

• Lawfulness, fairness, transparency: We process data lawfully, fairly, and transparently
• Purpose limitation: We collect data for specified, explicit, legitimate purposes
• Data minimisation: We collect only data adequate, relevant, and necessary
• Accuracy: We keep data accurate and up to date
• Storage limitation: We retain data no longer than necessary
• Integrity and confidentiality: We implement appropriate security measures
• Accountability: We demonstrate compliance with all principles

Data security measures

We implement technical and organizational measures appropriate to the risk, including:

• Encryption of data in transit and at rest
• Access controls and authentication requirements
• Regular security assessments and updates
• Staff training on data protection obligations
• Secure backup and recovery procedures
• Incident response procedures

Data breach notification

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office within 72 hours of becoming aware
• Notify affected individuals without undue delay if the breach poses high risk
• Document the breach, its effects, and remedial actions taken

International data transfers

We primarily process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place as required by Chapter V of UK GDPR, such as:

• Adequacy decisions by the UK government
• Standard contractual clauses approved by the ICO
• Binding corporate rules

Children's data

When processing data about children (individuals under 18), we take extra care to:

• Obtain parental or guardian consent where required
• Use age-appropriate language in privacy notices
• Minimize data collection to what is strictly necessary
• Implement enhanced security measures

Data retention periods

We retain personal data only as long as necessary:

• Enquiries: 2 years from last contact
• Client records: 6 years after last session (legal requirement)
• Financial records: 6 years (HMRC requirement)
• Website analytics: Anonymized data retained indefinitely

Third-party processors

We engage third-party processors for specific functions. All processors:

• Are contractually bound to GDPR compliance
• Process data only on our documented instructions
• Implement appropriate security measures
• Assist with data subject rights requests
• Delete or return data upon contract termination

Regular compliance reviews

We regularly review our data processing activities to ensure ongoing compliance, including:

• Annual data protection impact assessments
• Quarterly staff training updates
• Regular security audits
• Policy and procedure reviews

Contact and complaints

For GDPR-related questions or concerns, contact us at [email protected].

If you believe we have not complied with UK GDPR, you have the right to lodge a complaint with:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Last updated: May 14, 2026