GDPR Compliance

Last updated: June 19, 2026

Our Commitment to Data Protection

ironclad-spell is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area and the United Kingdom. This page outlines our approach to GDPR compliance and explains your rights as a data subject.

Data Controller Information

For the purposes of GDPR, ironclad-spell acts as the data controller for personal information collected through our website and business operations.

Contact details:
ironclad-spell
45 Rivington Street, Shoreditch
London EC2A 3QB
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our processing activities rely on the following legal grounds:

  • Consent: When you voluntarily provide information through our contact forms or subscribe to communications
  • Contract: When processing is necessary to fulfill our service agreements with you
  • Legitimate Interests: When we have a legitimate business interest that does not override your fundamental rights and freedoms
  • Legal Obligation: When we must process data to comply with legal requirements

Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to know how your personal data is being collected, used, and stored. We provide transparent information through our Privacy Policy and this GDPR Compliance page.

2. Right of Access

You can request confirmation of whether we are processing your personal data and obtain a copy of that data. We will respond to such requests within one month.

3. Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it.

4. Right to Erasure (Right to be Forgotten)

Under certain circumstances, you can request deletion of your personal data. This right applies when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

5. Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

7. Right to Object

You can object to processing of your personal data when we rely on legitimate interests as the legal basis. You have an absolute right to object to processing for direct marketing purposes.

8. Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] with your request. We will respond within one month, though this may be extended by two additional months for complex requests. We will always inform you of any extension and the reasons for it.

You will not be charged a fee to exercise your rights unless your request is clearly unfounded, repetitive, or excessive.

Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Staff training on data protection and security
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also report qualifying breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Retention periods vary depending on the type of data and the purpose of processing.

International Data Transfers

If we transfer your personal data outside the European Economic Area, we ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries with adequacy decisions
  • Other legally recognized transfer mechanisms

Third-Party Processing

When we engage third-party processors to handle personal data on our behalf, we ensure they provide sufficient guarantees regarding data protection. We maintain written contracts with all processors that set out their data protection obligations.

Right to Lodge a Complaint

If you believe we have not complied with GDPR requirements, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk

Updates to This Statement

We may update this GDPR Compliance statement from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated through our website.

Contact Us

If you have questions about our GDPR compliance or wish to exercise your data protection rights, please contact us at [email protected].