GDPR Compliance

Your data protection rights under UK law.

Last updated: January 2024

Our Commitment to Data Protection

Crystal Fury Limited takes data protection seriously. As a financial services provider, we handle sensitive personal and financial information, and we understand the trust you place in us when sharing this data. This page outlines our approach to data protection under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who We Are

Crystal Fury Limited is the data controller for personal information collected through our website and during the provision of our retirement planning services. Our contact details are:

  • Company: Crystal Fury Limited
  • Address: 47 Bartholomew Lane, London, EC2N 2AB
  • Email: [email protected]
  • ICO Registration: ZA274891

The Data We Process

In the course of our business, we process various categories of personal data:

Identity and Contact Data

Names, addresses, email addresses, and dates of birth necessary to identify you and communicate with you about our services.

Financial Data

Information about your pensions, investments, income, assets, and liabilities required to provide retirement planning advice.

Employment Data

Details of your current and past employment relevant to understanding your pension entitlements and planning needs.

Health Data

Where relevant to your retirement planning, we may process information about health conditions. This is special category data requiring explicit consent.

Technical Data

Information collected when you visit our website, including IP addresses, browser information, and browsing behaviour.

Lawful Bases for Processing

We rely on several lawful bases for processing your personal data:

Contractual Necessity

Much of our processing is necessary to provide the services you have engaged us to perform. Without processing your financial and personal information, we cannot conduct pension reviews or develop retirement strategies.

Legal Obligation

As a firm regulated by the Financial Conduct Authority, we have legal obligations to maintain records, prevent financial crime, and comply with various regulatory requirements. Processing for these purposes is lawful under UK GDPR Article 6(1)(c).

Legitimate Interests

We process some data based on our legitimate interests, such as improving our services, training staff, and managing our business relationship with you. We conduct balancing tests to ensure our interests do not override your rights and freedoms.

Consent

For special category data (particularly health information) and certain marketing communications, we rely on your explicit consent. You may withdraw this consent at any time.

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access

You can request a copy of the personal data we hold about you. We will provide this within one month of your request, free of charge in most cases.

Right to Rectification

If you believe the data we hold is inaccurate or incomplete, you can ask us to correct or complete it. We will respond within one month.

Right to Erasure

In certain circumstances, you can ask us to delete your personal data. This right is not absolute—we may need to retain data for legal or regulatory reasons.

Right to Restrict Processing

You can ask us to limit how we use your data in certain circumstances, for example while we verify the accuracy of data you have disputed.

Right to Data Portability

Where we process your data based on consent or contract, you can request your data in a structured, commonly used, machine-readable format.

Right to Object

You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.

How to Exercise Your Rights

To exercise any of these rights, please contact us by email at [email protected] or by post at the address above. Please provide:

  • Your full name and contact details
  • A clear description of what you are requesting
  • Any information that helps us locate your data

We may need to verify your identity before acting on your request. We will respond within one month, though this may be extended by a further two months for complex requests.

Data Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest
  • Strict access controls based on the principle of least privilege
  • Regular security assessments and penetration testing
  • Staff training on data protection and information security
  • Incident response procedures for data breaches
  • Secure disposal of physical documents and electronic media

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Our retention periods are determined by:

  • Legal and regulatory requirements
  • The nature of our ongoing relationship with you
  • Potential future needs (for example, you may return for further advice)
  • Industry best practice

As a financial services firm, we are required to retain certain records for extended periods. Client files are typically retained indefinitely to support potential future advice, though this is subject to periodic review.

International Data Transfers

We primarily process data within the United Kingdom. Where data is transferred internationally (for example, if you are resident overseas), we ensure appropriate safeguards are in place, such as:

  • Transfers to countries deemed adequate by the UK government
  • Standard contractual clauses approved by the UK government
  • Binding corporate rules where applicable

Third-Party Processors

We work with carefully selected third parties who may process your data on our behalf. These include:

  • IT service providers
  • Cloud storage providers
  • Professional advisors

All processors are bound by data processing agreements that require them to implement appropriate security measures and process data only on our instructions.

Data Breach Procedures

In the event of a personal data breach, we have procedures in place to:

  • Contain and assess the breach
  • Notify the Information Commissioner's Office within 72 hours where required
  • Notify affected individuals where the breach poses a high risk to their rights and freedoms
  • Document the breach and our response

Complaints

If you have concerns about how we handle your personal data, please contact us first. We take all complaints seriously and will investigate promptly.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:

  • Website: ico.org.uk
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Changes to This Information

We may update this GDPR information from time to time to reflect changes in our practices or legal requirements. Significant changes will be communicated to you directly or via our website.

Further Information

For more detailed information about how we collect and use your data, please refer to our Privacy Policy and Cookies Policy.