GDPR Compliance

Our Commitment to Data Protection

lunar-spot is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides specific information about our GDPR compliance and your rights as a data subject.

Data Controller Information

Data Controller: lunar-spot
Registered Address: 42 Deansgate Avenue, Manchester, M3 2FF, United Kingdom
Contact Email: [email protected]

What Personal Data We Collect

We collect and process the following categories of personal data:

Identity Data

• Parent/guardian full name
• Child's name and age

Contact Data

• Email address
• Postal address

Financial Data

• Payment card information (processed securely by third-party payment providers)
• Billing address
• Transaction history

Technical Data

• IP address
• Browser type and version
• Device information
• Cookie data

Usage Data

• Website navigation patterns
• Pages viewed
• Time spent on pages

Program Data

• Program enrollment information
• Attendance records
• Progress assessments (with consent)

Legal Basis for Processing

We process your personal data under the following legal bases as defined by UK GDPR:

Purpose	Legal Basis
Program enrollment and service delivery	Contract performance (Article 6(1)(b))
Payment processing	Contract performance (Article 6(1)(b))
Marketing communications	Consent (Article 6(1)(a))
Website improvement and analytics	Legitimate interests (Article 6(1)(f))
Legal compliance (e.g., tax records)	Legal obligation (Article 6(1)(c))
Fraud prevention	Legitimate interests (Article 6(1)(f))

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This GDPR page and our Privacy Policy fulfill this obligation.

2. Right of Access (Subject Access Request)

You can request a copy of all personal data we hold about you. To make a subject access request:

• Email [email protected] with the subject line "Subject Access Request"
• Provide proof of identity (to protect your data from unauthorized access)
• We will respond within one month, free of charge

3. Right to Rectification

If your personal data is inaccurate or incomplete, you can request that we correct or complete it. We will make corrections within one month.

4. Right to Erasure (Right to Be Forgotten)

You can request deletion of your personal data in the following circumstances:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data was processed unlawfully
• Legal obligations require erasure

Note: We may not be able to delete data if we have a legal obligation to retain it (e.g., tax records).

5. Right to Restrict Processing

You can request that we limit how we use your data in certain situations, such as when you contest the accuracy of the data or object to processing.

6. Right to Data Portability

You can request a copy of your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON). This right applies when:

• Processing is based on consent or contract performance
• Processing is carried out by automated means

7. Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

8. Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. All enrollment decisions and assessments involve human review.

How to Exercise Your Rights

To exercise any of your GDPR rights:

1. Send an email to [email protected] with your request
2. Clearly state which right you wish to exercise
3. Provide sufficient information to identify you (we may request proof of identity)
4. We will respond within one month (extendable to two months for complex requests)

All requests are free of charge unless they are manifestly unfounded, excessive, or repetitive.

Data Retention Periods

We retain personal data only as long as necessary:

• Program enrollment data: 7 years after program completion (for legal and tax purposes)
• Marketing consent data: Until consent is withdrawn or 3 years of inactivity
• Financial records: 7 years (legal requirement)
• Website analytics: 26 months
• Correspondence: 3 years after last contact

Data Security Measures

We implement appropriate technical and organizational measures to protect your data:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security audits and vulnerability assessments
• Access controls: staff access data only on a need-to-know basis
• Secure password policies and multi-factor authentication
• Regular staff training on data protection
• Secure backup and disaster recovery procedures
• Confidentiality agreements with all staff and contractors

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms:

• We will notify the Information Commissioner's Office (ICO) within 72 hours
• We will notify affected individuals without undue delay if there is a high risk
• We will provide clear information about the breach and steps being taken

Third-Party Data Processors

We work with carefully selected third-party processors who handle data on our behalf. All processors:

• Are contractually bound to GDPR standards
• Process data only on our instructions
• Implement appropriate security measures
• Assist us in meeting our GDPR obligations

Current categories of processors include:

• Payment processing providers
• Email service providers
• Website hosting services
• Analytics providers

International Data Transfers

If we transfer your data outside the UK, we ensure adequate protection through:

• Transfers to countries with adequacy decisions
• Standard Contractual Clauses (SCCs) approved by UK authorities
• Other appropriate safeguards recognized under UK GDPR

Children's Data

We collect limited data about children (name and age) with explicit parental consent. We:

• Verify parental consent before processing children's data
• Collect only data necessary for program delivery
• Do not use children's data for marketing purposes
• Apply heightened security measures to children's data
• Allow parents to access, rectify, or delete their child's data at any time

Complaints and Supervisory Authority

If you believe we have not handled your data in accordance with UK GDPR, you can:

1. Contact us directly at [email protected] to resolve the issue
2. Lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: www.lunar-spot.com
Helpline: 0303 123 1113

Updates to This Page

We may update this GDPR information to reflect changes in regulations or our practices. Significant changes will be communicated via email or prominent website notice.

Contact Our Data Protection Team

For any questions or concerns about GDPR compliance or data protection:

Email: [email protected]
Subject Line: GDPR Inquiry
Address: 42 Deansgate Avenue, Manchester, M3 2FF, United Kingdom