GDPR Compliance Statement

Last updated: May 20, 2026

Our Commitment to Data Protection

twilight-dusk is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations under these regulations.

Data Controller Information

For the purposes of data protection legislation, twilight-dusk is the data controller responsible for your personal information.

Registered Name: twilight-dusk
Address: 42 Deansgate Mews, Manchester M3 2FF, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so:

1. Consent

When you submit an enquiry form, subscribe to communications, or provide information for programme enrolment, you give us explicit consent to process your data for specified purposes. You may withdraw consent at any time.

2. Contract Performance

Processing is necessary to fulfill our contractual obligations when you enrol in our programmes, including delivering educational services and communicating about programme logistics.

3. Legal Obligation

We process certain data to comply with legal requirements, such as safeguarding obligations for children's services and financial record-keeping.

4. Legitimate Interests

We may process data based on legitimate interests, such as improving our services, preventing fraud, or ensuring network security, provided these interests do not override your fundamental rights.

Your Rights Under UK GDPR

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This is provided through our Privacy Policy and this GDPR statement.

Right of Access

You can request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one month, free of charge.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected. Contact us at [email protected] to request corrections.

Right to Erasure

Also known as "the right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: This right is not absolute and may not apply if we have legal obligations to retain certain information.

Right to Restrict Processing

You can request that we limit how we use your personal data if:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want data erased
  • We no longer need the data but you need it for legal claims
  • You have objected to processing and verification is pending

Right to Data Portability

You can request a copy of your personal data in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another organisation where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in automated decision-making or profiling.

How to Exercise Your Rights

To exercise any of your rights under UK GDPR, please contact us:

Email: [email protected]
Subject Line: "GDPR Rights Request"

Please include:

  • Your full name
  • The specific right you wish to exercise
  • Enough information for us to verify your identity
  • Any relevant details about your request

We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by two months and will inform you of the extension.

Data Security Measures

We implement appropriate technical and organisational measures to ensure data security:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls limiting data access to authorised personnel only
  • Staff training on data protection principles
  • Secure backup procedures
  • Incident response protocols

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also notify affected individuals without undue delay.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risks to individuals' rights and freedoms, particularly when introducing new technologies or processing methods.

Third-Party Processors

When we engage third-party service providers who process personal data on our behalf, we ensure they:

  • Provide sufficient guarantees of appropriate technical and organisational measures
  • Process data only on our documented instructions
  • Maintain confidentiality
  • Assist us in responding to data subject rights requests
  • Delete or return data upon termination of services

International Data Transfers

If we transfer your data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK government
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules
  • Certification schemes

Children's Data

Our programmes serve individuals under 18. We process children's data only with appropriate parental or guardian consent and implement additional safeguards to protect children's privacy and security.

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

  • Enquiry data: 2 years from last contact
  • Programme participant data: 7 years from programme completion
  • Financial records: 7 years as required by UK tax law
  • Marketing consent: Until consent is withdrawn or 3 years of inactivity

Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

We encourage you to contact us first so we can address your concerns directly.

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our data processing practices or legal requirements. Significant changes will be communicated through our website.

Contact Our Data Protection Team

For questions about our GDPR compliance or data protection practices:

Email: [email protected]
Address: 42 Deansgate Mews, Manchester M3 2FF, United Kingdom