GDPR Compliance

Last updated: 11 April 2026

Our Commitment to Data Protection

zen-spiral Interior Services Ltd is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities regarding your personal data seriously and have implemented appropriate policies and procedures to ensure compliance.

Data Controller Information

For the purposes of UK data protection legislation, the data controller is:

zen-spiral Interior Services Ltd
47 Greenwood Lane
Southwark, London SE1 4TN
United Kingdom
Email: [email protected]

What Personal Data We Collect

We collect and process the following categories of personal data:

Identity Data

Including your name, title, and other identifiers you provide when contacting us or engaging our services.

Contact Data

Including email address, postal address, and property location details relevant to your project.

Project Data

Including information about your requirements, preferences, property measurements, photographs, and design specifications.

Financial Data

Including payment information, billing address, and transaction records necessary to process payments and maintain financial records.

Technical Data

Including IP address, browser type, device information, and website usage data collected through cookies and similar technologies.

Communications Data

Including records of correspondence, enquiries, and any feedback you provide about our services.

Lawful Basis for Processing

We process your personal data under one or more of the following lawful bases:

Performance of a Contract

Where processing is necessary to deliver the repair or design services you have contracted us to provide, including project assessment, planning, execution, and post-completion support.

Legitimate Interests

Where processing is necessary for our legitimate business interests, such as:

  • Responding to enquiries and providing information about our services
  • Improving our services and website functionality
  • Maintaining business records and managing customer relationships
  • Protecting our business against fraud or other illegal activities

We carefully balance these interests against your rights and will not process your data if your interests override ours.

Legal Obligation

Where we are required to process your data to comply with legal or regulatory requirements, such as maintaining financial records for tax purposes or complying with building regulations.

Consent

Where you have explicitly consented to specific processing activities, such as receiving marketing communications or allowing use of non-essential cookies. You may withdraw consent at any time.

Your Rights Under GDPR

UK GDPR grants you several rights regarding your personal data:

Right of Access

You can request a copy of the personal data we hold about you, along with information about how we use it. We will provide this free of charge within one month of your request.

Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will make corrections promptly and notify any third parties with whom we've shared your data.

Right to Erasure

You can request deletion of your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other lawful basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note that we may be unable to delete certain data if we have a legal obligation to retain it.

Right to Restriction of Processing

You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

Where processing is based on consent or contract performance and is carried out by automated means, you can request to receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another organisation.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently use automated decision-making processes.

How to Exercise Your Rights

To exercise any of your rights under UK GDPR, please contact us:

Email: [email protected]
Subject line: Data Protection Request

In your request, please specify which right you wish to exercise and provide sufficient information to verify your identity. We may request additional identification to confirm your identity before processing your request.

We will respond to your request within one month. In complex cases, we may extend this by up to two months, in which case we will inform you of the extension and the reasons for it.

Data Security

We have implemented appropriate technical and organisational security measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls ensuring only authorised personnel can access personal data
  • Staff training on data protection requirements and security practices
  • Secure data backup and disaster recovery procedures
  • Contractual obligations on third-party processors to maintain security standards

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office within 72 hours as required by law.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including meeting legal, accounting, or reporting requirements.

Retention periods vary depending on the type of data:

  • Enquiries that don't proceed to projects: 2 years
  • Project files and documentation: 7 years from project completion
  • Financial and tax records: 7 years as required by HMRC
  • Website analytics data: 26 months
  • Marketing consent records: Until consent is withdrawn

When personal data is no longer required, we securely delete or anonymise it in accordance with our data retention policy.

International Data Transfers

We operate primarily within the United Kingdom. In limited circumstances, we may transfer personal data outside the UK when using certain technology service providers. Where such transfers occur, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions confirming the recipient country provides adequate data protection
  • Standard contractual clauses approved by the UK Information Commissioner's Office
  • Other mechanisms ensuring equivalent protection to UK GDPR

Third-Party Data Processors

We may share your personal data with third-party service providers who process data on our behalf. These processors are contractually bound to:

  • Process data only according to our documented instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist us in meeting our GDPR obligations
  • Delete or return data when services conclude

Children's Data

Our services are not directed at children under 18, and we do not knowingly collect or process personal data from children. If we become aware that we have collected data from a child, we will take immediate steps to delete it.

Changes to This Notice

We may update this GDPR information periodically to reflect changes in our practices or legal requirements. When we make significant changes, we will update the "Last updated" date and, where appropriate, notify you by email or through a notice on our website.

Complaints and Supervisory Authority

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: www.ico.org.uk

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first if you have any issues.

Contact Information

If you have questions about how we handle your personal data or wish to exercise your rights, please contact us:

Email: [email protected]
Address: zen-spiral Interior Services Ltd, 47 Greenwood Lane, Southwark, London SE1 4TN, United Kingdom