GDPR Compliance
Last updated: 9 April 2026
Our Commitment to Data Protection
Enchanted Fury operates in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise that data protection is not merely a legal obligation but a fundamental aspect of maintaining trust with our clients.
This document provides specific information about our GDPR compliance practices and explains your rights under this legislation in clear, accessible language.
Data Controller Details
For the purposes of UK GDPR, Enchanted Fury is the data controller responsible for your personal information. This means we determine how and why your data is processed.
If you need to contact us regarding data protection matters, please use the email address provided on our contact page, marking your message as relating to data protection.
Lawful Bases for Processing
UK GDPR requires that we have a valid legal basis for processing personal information. We rely on the following bases depending on the situation:
Performance of Contract
When you engage our services, we process your information to fulfil our contractual obligations. This includes scheduling appointments, delivering pet care services, maintaining service records, and handling payment arrangements. This processing is necessary to provide the services you've requested.
Legitimate Interests
We have legitimate business interests in maintaining efficient operations, improving our services, and ensuring continuity of care. Before relying on this basis, we balance our interests against your rights and ensure processing is proportionate and non-intrusive.
Legal Compliance
Some processing activities are required by UK law, including maintaining business records for tax purposes, complying with health and safety regulations applicable to animal care facilities, and responding to lawful requests from authorities.
Consent
For certain activities, particularly marketing communications, we seek your explicit consent. You can withdraw this consent at any time without affecting other aspects of your relationship with us.
Data Protection Principles
We adhere to the core principles established by UK GDPR in all our data processing activities:
Lawfulness, Fairness, and Transparency
We process information only for legitimate purposes, in ways you would reasonably expect, and with clear communication about our practices.
Purpose Limitation
Personal information is collected for specific, explicit purposes and not used in ways incompatible with those purposes without obtaining additional consent.
Data Minimisation
We collect only information that is adequate, relevant, and necessary for the purposes we've identified. We don't gather data "just in case" it might be useful later.
Accuracy
We take reasonable steps to ensure information is accurate and kept up to date. If you notice errors, please let us know so we can correct them promptly.
Storage Limitation
Information is retained only as long as necessary for its intended purpose or as required by law, after which it is securely deleted or anonymised.
Integrity and Confidentiality
We implement appropriate security measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Accountability
We maintain documentation of our processing activities and can demonstrate compliance with data protection principles upon request by relevant authorities.
Your Rights Under UK GDPR
UK GDPR provides individuals with significant rights regarding their personal information. Here's what these mean in practice:
Right to Be Informed
You have the right to clear information about how we use your data. This document, along with our Privacy Policy, fulfils this obligation by explaining our processing activities in plain language.
Right of Access
You can request a copy of all personal information we hold about you. This is commonly called a Subject Access Request (SAR). We'll provide this within one month, free of charge, in a commonly used electronic format unless you specify otherwise.
Right to Rectification
If information we hold is inaccurate or incomplete, you can request corrections. We'll update our records and, where applicable, notify any third parties with whom we've shared the information.
Right to Erasure
Sometimes called the "right to be forgotten," this allows you to request deletion of your information in specific circumstances, such as when it's no longer necessary for its original purpose, when you withdraw consent, or when processing is unlawful. This right is not absolute – we may need to retain certain information for legal compliance or to establish, exercise, or defend legal claims.
Right to Restrict Processing
You can ask us to limit how we use your information in certain situations, such as while we verify its accuracy or assess whether we have legitimate grounds to process it. Restriction means we can store the data but not actively use it.
Right to Data Portability
Where we process your information based on consent or contract, and the processing is automated, you can request that we provide your data in a structured, commonly used format so you can transfer it to another service provider.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. For marketing, we'll stop immediately upon your request. For processing based on legitimate interests, we'll cease unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. We do not currently employ such automated decision-making in our operations.
How to Exercise Your Rights
To exercise any of the rights described above, please contact us using the email address on our contact page. Include "Data Protection Request" in your subject line to ensure prompt routing to the appropriate team member.
We may need to verify your identity before processing your request to protect against unauthorised access to your information. We'll explain what identification we need when we respond to your initial contact.
We aim to respond to all requests within one month. For complex requests or multiple requests from the same individual, this may extend to three months, though we'll inform you within the first month if an extension is necessary and explain the reason.
These services are provided free of charge. However, if requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or refuse to act on the request.
Data Security Measures
UK GDPR requires appropriate technical and organisational measures to ensure data security. Our approach includes:
Technical Security
We use encryption for data transmission over the internet, maintain secure servers with regular security updates, implement access controls limiting who can view specific information, conduct regular backups with secure storage, and deploy firewalls and intrusion detection systems.
Organisational Security
Our staff receive training on data protection principles and practices; we maintain clear policies defining acceptable use of information systems; access to personal data is granted on a need-to-know basis; we conduct regular reviews of our security measures; and we have procedures for detecting, reporting, and investigating potential breaches.
Breach Notification
In the event of a data breach likely to result in risk to your rights and freedoms, we'll notify you without undue delay. We'll also report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware of them.
International Data Transfers
We store and process your information within the United Kingdom. If circumstances require transferring data outside the UK, we'll ensure appropriate safeguards are in place, such as standard contractual clauses approved by the ICO or transfers to countries recognised as providing adequate data protection.
We'll inform you if such transfers occur and explain the safeguards we've implemented to protect your information.
Third-Party Processing
When we engage third-party service providers who process personal data on our behalf, we ensure they meet UK GDPR standards. This includes conducting due diligence before engagement, establishing written contracts specifying their data protection obligations, limiting their use of data strictly to the services they provide for us, requiring them to implement appropriate security measures, and monitoring their compliance with data protection requirements.
Children's Data
While our services relate to pets rather than children, we may process information about minors when they accompany adults to appointments. We take extra care with such information and process it only as necessary for service delivery. We do not knowingly collect data directly from individuals under 16 without parental or guardian consent.
Changes to Our Practices
If we make significant changes to how we process personal data, we'll update this document and our Privacy Policy accordingly. We'll make reasonable efforts to notify clients of material changes that may affect their rights.
Supervisory Authority
The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection. If you have concerns about our data processing practices that you feel we haven't addressed satisfactorily, you have the right to lodge a complaint with the ICO.
The ICO can be contacted through their website at ico.org.uk, by telephone at 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
We'd appreciate the opportunity to address any concerns directly before you approach the ICO, but your right to contact them exists independently of any internal complaint process.
Questions and Further Information
If you have questions about this GDPR information or our data protection practices that aren't addressed here, please don't hesitate to contact us. We're committed to transparency and will gladly provide additional clarification or information about how we handle your personal data.