GDPR Compliance Statement

Last updated: 20 May 2026

Our Commitment to GDPR

Elegant Roam Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented appropriate measures to protect your personal information.

Data Controller

For the purposes of UK GDPR, Elegant Roam Ltd is the data controller. Our contact details:

Elegant Roam Ltd
42 Woodland Way
Stroud, Gloucestershire GL5 2RN
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

• Contract: Processing is necessary to fulfill our contract with you when you book our services
• Legitimate Interest: To operate our business, improve our services, and maintain customer relationships
• Consent: When you explicitly agree to receive marketing communications or provide optional information
• Legal Obligation: To comply with legal requirements such as tax and health & safety obligations
• Vital Interests: To protect your health and safety during wilderness activities

Your GDPR Rights

Under UK GDPR, you have the following rights:

Right to Access

You can request a copy of all personal data we hold about you. We will provide this within one month of your request, free of charge.

Right to Rectification

You can ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data. This right is not absolute and may be limited by legal obligations to retain certain information.

Right to Restrict Processing

You can ask us to restrict how we use your data in certain circumstances, such as while we verify the accuracy of data.

Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format and have it transferred to another organization.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision Making

We do not use automated decision making or profiling that produces legal or similarly significant effects.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with your request. We will respond within one month. If your request is complex or we receive multiple requests, we may extend this period by two months and will inform you of any delay.

We may need to verify your identity before processing your request to ensure data security.

Data Protection Measures

We implement appropriate technical and organizational measures including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments
• Staff training on data protection
• Secure data backup procedures
• Incident response procedures

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach poses a high risk to you, we will also notify you directly without undue delay.

Third-Party Processing

When we engage third-party processors, we ensure they provide sufficient guarantees to implement appropriate technical and organizational measures. We have data processing agreements in place with all processors.

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the ICO
• Transfers to countries with adequacy decisions
• Other approved transfer mechanisms

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

• Booking and participant records: 7 years (legal and insurance requirements)
• Financial records: 7 years (tax obligations)
• Marketing consent: Until withdrawn or inactive for 3 years
• Website analytics: 26 months maximum

Children's Data

Our services are primarily for adults. When minors participate in our programmes, we require parental consent and collect only necessary information for their safety and program participation.

Complaints

If you believe we have not handled your data correctly or have concerns about our compliance, you can contact us directly to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. The current version is always available on our website with the last updated date clearly displayed.

Questions

If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected]