GDPR Compliance
Last Updated: 1 January 2026
Our Commitment to Data Protection
flux-battery is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise the importance of protecting your personal information and upholding your data protection rights.
This page provides specific information about our GDPR compliance measures and explains your rights under UK data protection legislation in detail.
Data Controller Information
For the purposes of UK GDPR, flux-battery is the data controller responsible for your personal information.
flux-battery
15 Deansgate Avenue
Manchester M3 2FF
United Kingdom
Email: [email protected]
As the data controller, we determine how and why your personal data is processed and are responsible for ensuring processing complies with data protection law.
Lawful Basis for Processing
UK GDPR requires us to have a lawful basis for processing your personal data. We rely on the following legal bases:
Consent (Article 6(1)(a))
For certain processing activities, we obtain your explicit consent. This includes marketing communications and non-essential cookies. You have the right to withdraw consent at any time by contacting us or using the unsubscribe mechanism provided in communications.
Contract Performance (Article 6(1)(b))
Processing is necessary to perform our contract with you when you engage our financial management services. We cannot deliver the services you've requested without processing your personal and financial information.
Legal Obligation (Article 6(1)(c))
As a regulated financial services firm, we're subject to legal obligations requiring us to process certain information. This includes anti-money laundering checks, identity verification, regulatory reporting, and record-keeping requirements imposed by the Financial Conduct Authority and other regulatory bodies.
Legitimate Interests (Article 6(1)(f))
We have legitimate business interests in processing certain data, such as maintaining client records, improving our services, preventing fraud, and operating our website effectively. We've conducted legitimate interest assessments to ensure our interests don't override your fundamental rights and freedoms.
Special Category Data
In some cases, we may process special category data (such as health information relevant to insurance recommendations). For this processing, we rely on Article 9(2)(a) (explicit consent) or Article 9(2)(f) (legal claims), depending on the circumstances.
Your Rights Under UK GDPR
UK GDPR grants you specific rights regarding your personal data. Below is detailed information about each right and how to exercise it.
Right of Access (Article 15)
You have the right to obtain confirmation that we're processing your personal data and to receive a copy of that data along with supplementary information about the processing.
Responses to subject access requests are typically provided free of charge. We'll respond within one month, though this may be extended by two months for complex or multiple requests. We'll inform you of any extension within the initial month.
To make a subject access request, email [email protected] with sufficient information to identify you and locate your data.
Right to Rectification (Article 16)
If you believe any personal data we hold is inaccurate, you can request correction. We'll amend inaccurate data without undue delay and inform any third parties to whom we've disclosed the information.
You can also request completion of incomplete personal data by providing a supplementary statement.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," this allows you to request deletion of your personal data in specific circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing based on legitimate interests and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is necessary to comply with a legal obligation
This right is not absolute. We may refuse erasure if processing is necessary for compliance with legal obligations, establishment or defence of legal claims, or other specified reasons.
Right to Restriction of Processing (Article 18)
You can request that we restrict processing of your personal data in certain situations:
- You contest the accuracy of the data (restriction applies while we verify accuracy)
- Processing is unlawful but you oppose erasure and request restriction instead
- We no longer need the data but you require it for legal claims
- You've objected to processing pending verification of whether our legitimate grounds override yours
When processing is restricted, we can store the data but not use it without your consent, except for legal claims, protecting another person's rights, or important public interests.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you can request that we provide your personal data in a structured, commonly used, machine-readable format.
You can request that we transmit this data directly to another controller where technically feasible. This right applies only to data you've provided to us, not data generated by our analysis or advice.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for the performance of a task in the public interest. We'll stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
You have an absolute right to object to processing for direct marketing purposes. If you object, we'll stop processing your data for marketing immediately.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making of this nature.
Our financial advice always involves human review and professional judgement. While we may use software tools to assist analysis, final recommendations are made by qualified advisors.
Data Protection Principles
We adhere to the data protection principles set out in Article 5 of UK GDPR:
Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about our processing activities through this policy and other communications.
Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
Data Minimisation
We collect only data that is adequate, relevant, and limited to what's necessary for the purposes for which it's processed.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.
Storage Limitation
We retain personal data only as long as necessary for the purposes for which it was collected or to comply with legal obligations. Our retention periods are detailed in our Privacy Policy.
Integrity and Confidentiality
We process personal data securely using appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability
We're responsible for demonstrating compliance with these principles. We maintain documentation of our processing activities, conduct data protection impact assessments where appropriate, and implement policies to ensure ongoing compliance.
International Data Transfers
Your personal data is primarily processed and stored within the United Kingdom. If we transfer data to countries outside the UK or European Economic Area, we ensure appropriate safeguards are in place.
Safeguards may include:
- Standard contractual clauses approved by the UK authorities
- Adequacy decisions recognising that the destination country provides adequate protection
- Binding corporate rules for transfers within multinational organisations
You can request information about the safeguards in place for any specific transfer by contacting us.
Data Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Regular security assessments and vulnerability testing
- Access controls ensuring only authorised personnel can access personal data
- Secure backup and disaster recovery procedures
- Staff training on data protection and security
- Confidentiality agreements with employees and contractors
- Physical security measures for premises and document storage
- Incident response procedures for data breaches
Data Breach Notification
If we experience a personal data breach that's likely to result in a risk to your rights and freedoms, we'll notify you without undue delay in accordance with Article 34 of UK GDPR.
We'll notify the Information Commissioner's Office within 72 hours of becoming aware of a breach that meets the threshold for reporting under Article 33.
Breach notifications to affected individuals will include:
- Description of the nature of the breach
- Name and contact details of our data protection contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its possible adverse effects
Data Protection by Design and Default
We implement data protection by design and by default in accordance with Article 25 of UK GDPR. This means we integrate data protection considerations into our processing activities and business practices from the outset.
Examples include minimising data collection, pseudonymising data where possible, ensuring transparency, enabling individuals to monitor processing, and creating ongoing security features.
Third-Party Processors
When we engage third-party service providers who process personal data on our behalf, we ensure they comply with UK GDPR through:
- Written contracts specifying processing instructions and obligations
- Confidentiality commitments
- Appropriate security measures
- Restrictions on sub-processing without authorisation
- Assistance with subject access requests and other rights
- Deletion or return of data at the end of services
- Cooperation with supervisory authorities
Lodging a Complaint
If you believe we've processed your personal data in violation of UK GDPR or you're dissatisfied with how we've handled a request, you have the right to lodge a complaint with the Information Commissioner's Office.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
We encourage you to contact us first so we have an opportunity to address your concerns directly. Many issues can be resolved quickly through direct communication.
Updates to This Page
We review our GDPR compliance procedures regularly and update this page as necessary to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website with an updated revision date.
Contact Us
If you have questions about our GDPR compliance, wish to exercise your rights, or need further information about our data protection practices, please contact:
flux-battery
Data Protection Contact
15 Deansgate Avenue
Manchester M3 2FF
United Kingdom
Email: [email protected]
We'll respond to all enquiries and requests within the timeframes required by UK GDPR.