GDPR Compliance

Our Commitment to Data Protection

Quasar Meadow is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we comply with these regulations and what rights you have regarding your personal information.

Data Controller Information

Quasar Meadow acts as the data controller for the personal information we collect and process. Our contact details are:

Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so. Our processing activities rely on the following legal grounds:

Consent

For certain activities, such as sending marketing communications or using non-essential cookies, we rely on your explicit consent. You can withdraw this consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Contractual Necessity

When you engage our services, we process your data to fulfill our contractual obligations and deliver the financial planning services you've requested.

Legitimate Interests

We may process data where it serves our legitimate business interests, such as improving our services, preventing fraud, or ensuring website security, provided this doesn't override your fundamental rights and freedoms.

Legal Obligation

In some cases, we process data to comply with legal requirements, such as record-keeping obligations for financial services or responding to lawful requests from authorities.

Your GDPR Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we collect and use your personal data. This information is provided through our privacy policy and this GDPR compliance page.

Right of Access

You can request a copy of the personal data we hold about you, free of charge. This is known as a Subject Access Request (SAR). We will respond within one month of receiving your request.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected. Please contact us if you notice any errors in the information we hold.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there's no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

This right is not absolute, and we may need to retain certain information for legal or regulatory reasons.

Right to Restrict Processing

You can request that we limit how we use your data in certain situations, such as when you're contesting the accuracy of the data or questioning the lawfulness of processing.

Right to Data Portability

Where we process your data based on consent or contract, and the processing is automated, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another controller where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon receiving an objection to marketing, we will stop processing your data for that purpose immediately.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently use automated decision-making processes that fall under this provision.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the following information:

• Your full name and contact details
• A clear description of your request
• Any relevant details to help us locate your information
• Proof of identity (to prevent unauthorized access to your data)

We will respond to your request within one month. In complex cases, this may be extended by up to two additional months, and we will inform you if this extension is necessary.

Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data during transmission and storage
• Regular security assessments and penetration testing
• Access controls limiting who can view personal data
• Staff training on data protection principles and practices
• Incident response procedures for data breaches
• Regular backups with secure storage

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• Inform affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
• Document the breach, including facts, effects, and remedial actions taken

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements:

• Client Records: Retained for seven years after the relationship ends, as required by financial services regulations
• Inquiry Data: Retained for one year if no service relationship develops
• Marketing Data: Retained until you unsubscribe or request deletion
• Website Analytics: Anonymized and retained for analytical purposes

Third-Party Processing

When we engage third-party service providers who process personal data on our behalf (data processors), we ensure:

• Written contracts are in place specifying their obligations
• They provide sufficient guarantees of appropriate security measures
• They process data only on our documented instructions
• They assist us in responding to requests to exercise data subject rights
• They notify us immediately of any data breaches

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data to countries outside the UK, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the ICO
• Adequacy decisions recognizing equivalent data protection standards
• Binding corporate rules for intra-group transfers

Children's Data

Our services are not directed at children under 18, and we do not knowingly process data relating to children. If we discover we have inadvertently collected such data, we will delete it promptly.

Privacy by Design and Default

We incorporate data protection principles into our operations from the outset:

• Collecting only data that is necessary for specific purposes
• Implementing privacy-enhancing technologies
• Setting default privacy settings at the highest level
• Conducting Data Protection Impact Assessments for high-risk processing

Updates to This Policy

We may update this GDPR compliance information periodically to reflect changes in regulations or our practices. Significant changes will be communicated to active clients via email.

Complaints and Supervisory Authority

If you're not satisfied with how we handle your personal data or your requests regarding data rights, you have the right to lodge a complaint with the UK supervisory authority:

However, we encourage you to contact us first so we can attempt to resolve your concern directly.

Questions About GDPR Compliance

If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected]. We're committed to transparency and will be happy to provide additional information.