GDPR Compliance

Last updated: 2 June 2026

Our Commitment to GDPR

maple-kudu is committed to full compliance with the General Data Protection Regulation (GDPR). This page outlines how we meet our obligations under GDPR and protect your personal data rights.

Data Controller

For the purposes of GDPR, maple-kudu is the data controller responsible for your personal data. Our contact details are:

maple-kudu
45 Woodland Street
Bristol, BS1 4QD
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under GDPR Article 6:

  • Consent (Article 6(1)(a)): When you have given explicit consent for specific processing activities
  • Contract (Article 6(1)(b)): When processing is necessary to perform our contractual obligations
  • Legal obligation (Article 6(1)(c)): When processing is required by law
  • Legitimate interests (Article 6(1)(f)): When processing is necessary for our legitimate business interests, balanced against your rights

Your Rights Under GDPR

As a data subject, you have the following rights:

1. Right to be Informed

You have the right to clear, transparent information about how we use your personal data. This is provided through our Privacy Policy and this GDPR statement.

2. Right of Access

You can request access to your personal data and receive a copy of the information we hold about you. We will respond to access requests within one month.

3. Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.

4. Right to Erasure

Also known as the 'right to be forgotten', you can request deletion of your personal data when there is no compelling reason for continued processing.

5. Right to Restrict Processing

You can request that we limit how we use your personal data in certain circumstances, such as when you contest its accuracy.

6. Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format for transfer to another service provider.

7. Right to Object

You can object to processing based on legitimate interests or direct marketing. We will stop processing unless we have compelling legitimate grounds.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not engage in automated decision-making or profiling.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the following information:

  • Your name and contact details
  • The right you wish to exercise
  • Details of your request
  • Proof of identity (if required)

We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by two months, and we will inform you of any such extension.

Data Protection Principles

We process all personal data in accordance with GDPR's six data protection principles:

  • Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner
  • Purpose limitation: We collect data for specified, explicit, and legitimate purposes only
  • Data minimisation: We collect only data that is adequate, relevant, and limited to what is necessary
  • Accuracy: We take reasonable steps to ensure personal data is accurate and up to date
  • Storage limitation: We keep data only as long as necessary for the purposes it was collected
  • Integrity and confidentiality: We process data securely with appropriate technical and organisational measures

Data Security Measures

We implement appropriate technical and organisational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Staff training on data protection
  • Incident response procedures

International Data Transfers

We primarily process data within the UK and European Economic Area (EEA). If we transfer data outside these regions, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Enquiry data: Up to 3 years after last contact
  • Client project data: 7 years after project completion (for legal and tax purposes)
  • Marketing communications: Until you unsubscribe or request deletion
  • Website analytics: Up to 26 months

Third-Party Processors

When we engage third-party service providers to process personal data on our behalf, we ensure they comply with GDPR through:

  • Data processing agreements
  • Regular audits and assessments
  • Contractual obligations regarding data security

Children's Data

Our services are not directed at children under 16, and we do not knowingly process data of children without appropriate parental consent.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. We will post updates on this page with a revised date.

Contact Us

For any questions about our GDPR compliance or to exercise your rights, please contact:

Email: [email protected]
Address: 45 Woodland Street, Bristol, BS1 4QD, United Kingdom