
GDPR Compliance Statement

Last updated: 10 May 2026

1. Our Commitment to Data Protection

crisp-node is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This page explains how we comply with data protection legislation and your rights as a data subject.

2. Data Controller Information

For the purposes of UK GDPR, crisp-node is the data controller responsible for your personal data.

Contact Details:
crisp-node
42 Threadneedle Street
London EC2R 8AY
United Kingdom
Email: [email protected]

3. Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The lawful bases we rely on include:

3.1 Consent

When you provide explicit consent for us to process your personal data for a specific purpose, such as marketing communications. You may withdraw consent at any time.

3.2 Contract Performance

Processing necessary to fulfill our contractual obligations to you when you engage our consultancy services.

3.3 Legal Obligation

Processing required to comply with legal or regulatory obligations, such as financial record-keeping requirements.

3.4 Legitimate Interests

Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and maintaining the security of our systems, provided these interests do not override your fundamental rights and freedoms.

4. Your Rights Under UK GDPR

As a data subject, you have the following rights:

4.1 Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This is provided through our Privacy Policy and this GDPR statement.

4.2 Right of Access

You can request a copy of the personal data we hold about you. We will provide this free of charge within one month of your request.

4.3 Right to Rectification

You can request that we correct any inaccurate or incomplete personal data we hold about you.

4.4 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purpose for which it was collected, or when you withdraw consent.

4.5 Right to Restrict Processing

You can request that we limit how we use your personal data in certain circumstances, such as while we verify the accuracy of data you have disputed.

4.6 Right to Data Portability

You can request that we transfer your personal data to another organization, or provide it to you in a structured, commonly used, machine-readable format.

4.7 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

4.8 Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making processes.

5. How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

  • Email: [email protected]
  • Post: 42 Threadneedle Street, London EC2R 8AY, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this by a further two months and will inform you if this is necessary.

We may need to verify your identity before processing your request to protect your personal data from unauthorized access.

6. Data Protection Principles

We adhere to the following data protection principles as required by UK GDPR:

  • Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner
  • Purpose limitation: We collect data for specified, explicit, and legitimate purposes only
  • Data minimization: We collect only data that is adequate, relevant, and limited to what is necessary
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date
  • Storage limitation: We retain personal data only for as long as necessary
  • Integrity and confidentiality: We implement appropriate security measures to protect personal data
  • Accountability: We take responsibility for compliance and can demonstrate our compliance

7. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication procedures
  • Staff training on data protection and information security
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery planning

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where required.

9. Third-Party Processing

When we engage third-party service providers to process personal data on our behalf, we:

  • Ensure they provide sufficient guarantees of compliance with UK GDPR
  • Establish data processing agreements that set out their obligations
  • Ensure they process data only on our documented instructions
  • Monitor their compliance with data protection requirements

10. International Data Transfers

If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the ICO
  • Transfers to countries with adequacy decisions
  • Other mechanisms approved under UK data protection law

11. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in high risk to individuals' rights and freedoms, ensuring that risks are identified and mitigated appropriately.

12. Record Keeping

We maintain records of our processing activities as required by UK GDPR, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients of personal data
  • International transfers and safeguards
  • Retention schedules
  • Security measures

13. Staff Training and Awareness

All staff members who handle personal data receive regular training on data protection principles, UK GDPR requirements, and our internal data protection policies and procedures.

14. Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first so we can attempt to resolve the issue.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

15. Updates to This Statement

We review and update this GDPR compliance statement regularly to ensure it remains accurate and reflects current practices. The date of the last update is shown at the top of this page.

16. Contact Us

If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact us:

Email: [email protected]
Address: 42 Threadneedle Street, London EC2R 8AY, United Kingdom
