Astra Shadow

GDPR Compliance

Last updated: 17 April 2026

Our Commitment to Data Protection

Astra Shadow is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides specific information about how we fulfill our obligations under these regulations and how you can exercise your data protection rights.

Data Controller Information

For the purposes of UK data protection legislation, the data controller is:

Astra Shadow
42 Whiteladies Road
Clifton, Bristol BS8 2NH
United Kingdom
Email: [email protected]

Lawful Bases for Processing

We process personal data under the following lawful bases as defined by UK GDPR:

Consent

We may process your data based on your explicit consent, particularly for:

  • Sending marketing communications about our services
  • Using non-essential cookies on our website
  • Sharing information with third parties at your request

You have the right to withdraw consent at any time by contacting us or using the unsubscribe mechanism in our communications.

Contractual Necessity

We process certain data to fulfill our contractual obligations when providing financial guidance services, including:

  • Scheduling and conducting consultations
  • Maintaining client records
  • Processing payments
  • Delivering the services you have requested

Legitimate Interests

We may process data based on legitimate business interests, such as:

  • Improving our services and website functionality
  • Preventing fraud and ensuring security
  • Internal business administration
  • Responding to inquiries from prospective clients

We have carefully balanced these interests against your rights and freedoms and implement appropriate safeguards.

Legal Obligation

In some cases, we must process personal data to comply with legal requirements, such as:

  • Maintaining financial records as required by law
  • Responding to lawful requests from authorities
  • Meeting regulatory obligations

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This GDPR page and our Privacy Policy provide this information.

Right of Access

You can request a copy of the personal data we hold about you, free of charge. This is commonly known as a "subject access request." We will provide this information within one month of your request.

Right to Rectification

If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will make the corrections within one month and notify any third parties with whom we have shared the data.

Right to Erasure

Also known as "the right to be forgotten," you can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Note that this right is not absolute. We may need to retain certain information to comply with legal obligations or for the establishment, exercise, or defense of legal claims.

Right to Restrict Processing

You can ask us to restrict how we use your personal data in certain situations, such as:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want the data erased
  • We no longer need the data but you need it for a legal claim
  • You have objected to processing pending verification of legitimate grounds

Right to Data Portability

Where technically feasible, you can request to receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights.

Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our services. All guidance is provided through human interaction and professional judgment.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

  • Email: [email protected]
  • Post: Astra Shadow, 42 Whiteladies Road, Clifton, Bristol BS8 2NH, United Kingdom

When making a request, please include:

  • Your full name and contact information
  • A clear description of which right you wish to exercise
  • Any relevant details that will help us locate your information
  • Proof of identity (to protect against unauthorized access)

We will respond to your request within one month. In complex cases, we may extend this by up to two months and will inform you of any delay.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and encryption of personal data where appropriate
  • Ensuring ongoing confidentiality, integrity, and availability of processing systems
  • Ability to restore access to personal data in a timely manner in the event of an incident
  • Regular testing and evaluation of the effectiveness of security measures
  • Staff training on data protection principles and practices
  • Secure destruction of data that is no longer required

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Take immediate steps to contain and remedy the breach
  • Document all breaches, including the facts, effects, and remedial action taken

Data Protection Impact Assessments

Where processing is likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks. This includes systematic evaluation of:

  • The necessity and proportionality of processing operations
  • Risks to individuals
  • Measures to address those risks

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK Government
  • Standard contractual clauses approved by the UK authorities
  • Binding corporate rules where applicable

Children's Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children without appropriate parental consent. If we become aware that we have collected data from a child without proper consent, we will delete it promptly.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Client consultation records: Seven years after the end of our professional relationship
  • Financial records: Seven years to comply with financial regulations
  • Marketing consent records: Until consent is withdrawn or deemed no longer relevant
  • Website analytics: Up to two years

When determining retention periods, we consider the amount, nature, and sensitivity of data, the purposes for which we process it, and applicable legal requirements.

Third-Party Processors

We use carefully selected third-party service providers to help us deliver our services. These processors are contractually obligated to:

  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Assist with fulfilling data subject rights requests
  • Delete or return data upon termination of services
  • Demonstrate compliance with GDPR obligations

Complaints and Supervisory Authority

If you are unhappy with how we have handled your personal data, please contact us first so we can attempt to resolve the issue. If you remain dissatisfied, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.astra-shadow.com
Email: [email protected]

Updates to This Information

We may update this GDPR information periodically to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates when the most recent changes were made. We encourage you to review this page regularly to stay informed about how we protect your data.

Contact Us

If you have questions about our GDPR compliance or data protection practices, please contact us:

Email: [email protected]
Post: Astra Shadow, 42 Whiteladies Road, Clifton, Bristol BS8 2NH, United Kingdom


Office Hours:
Monday - Friday: 9:00 - 17:30
Saturday: 10:00 - 14:00

© 2026 Astra Shadow. All rights reserved.