mist-elk

GDPR Compliance

Last Updated: June 19, 2026

Our Commitment to GDPR

mist-elk is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR). This page explains how we fulfill our obligations under GDPR and describes your rights as a data subject.

Data Controller Information

For the purposes of GDPR, mist-elk acts as the data controller for personal information collected through our website and services.

Data Controller: mist-elk
Address: 127 Bath Street, Glasgow G2 2SZ, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under GDPR Article 6. Our lawful bases include:

Consent (Article 6(1)(a))

When you provide explicit consent for us to process your personal data for specific purposes, such as marketing communications or optional data collection. You may withdraw your consent at any time.

Contractual Necessity (Article 6(1)(b))

Processing necessary to perform a contract with you or to take steps at your request before entering into a contract. This applies when you request our financial management services.

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations, such as tax laws, financial regulations, or court orders.

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, provided these interests do not override your fundamental rights and freedoms. This includes:

  • Improving our services and website functionality
  • Preventing fraud and ensuring security
  • Internal administrative purposes
  • Direct marketing to existing clients (with opt-out option)

Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

Right to Access (Article 15)

You have the right to obtain confirmation that we are processing your personal data and to access that data. We will provide a copy of your personal data in a commonly used electronic format.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you may request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Note that this right is not absolute and may be limited by legal obligations to retain certain data.

Right to Restriction of Processing (Article 18)

You may request that we restrict processing of your personal data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you do not want the data erased
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification of legitimate grounds

Right to Data Portability (Article 20)

You have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit that data to another controller where technically feasible.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making that produces such effects.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the subject line "GDPR Request" and specify which right you wish to exercise.

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of the extension and reasons for the delay.

We will verify your identity before processing your request to protect your personal data from unauthorized access.

Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Regular testing and evaluation of security measures
  • Staff training on data protection principles
  • Data protection impact assessments for high-risk processing

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. Where required by law, we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

International Data Transfers

We primarily store and process data within the United Kingdom and European Economic Area (EEA). If we transfer personal data outside the UK/EEA, we will ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions recognizing equivalent data protection standards
  • Binding corporate rules or certification mechanisms

Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect or process personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Specific retention periods are detailed in our Privacy Policy.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. In the United Kingdom, the relevant authority is:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Updates to This Policy

We may update this GDPR Compliance page to reflect changes in our data processing practices or legal obligations. We will notify you of significant changes and update the "Last Updated" date at the top of this page.

Contact Us

If you have questions about our GDPR compliance or wish to exercise your rights, please contact us at [email protected].
