GDPR Compliance

Last updated: 1 June 2026

Our Commitment

indigo-stream is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities as a data controller seriously and have implemented comprehensive measures to protect your personal data.

Data Controller Information

For the purposes of UK GDPR, the data controller is:

indigo-stream
47 Broadcast House
Clerkenwell Road
London EC1R 5AR
United Kingdom
Email: [email protected]

Your Rights Under UK GDPR

The UK GDPR provides you with the following rights regarding your personal data:

Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about how it is processed. We will provide this information free of charge within one month of your request.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected without undue delay. Where data is incomplete, you have the right to have it completed.

Right to Erasure (Article 17)

Also known as the "right to be forgotten", you may request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purpose it was collected, or when you withdraw consent.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or when processing is unlawful but you prefer restriction over erasure.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making for course admissions.

How to Exercise Your Rights

To exercise any of your rights under UK GDPR, please contact us at:

• Email: [email protected]
• Post: 47 Broadcast House, Clerkenwell Road, London EC1R 5AR

We will respond to your request within one month. In complex cases, we may extend this by two further months, but we will inform you of any extension within the first month.

Lawful Basis for Processing

We process personal data on the following lawful bases:

• Contract (Article 6(1)(b)): Processing necessary to perform our training services agreement with you
• Consent (Article 6(1)(a)): Where you have explicitly consented, such as for marketing communications
• Legitimate Interests (Article 6(1)(f)): For business purposes such as improving our services, provided this does not override your rights
• Legal Obligation (Article 6(1)(c)): Where we are required to process data by law

Data Protection Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data where appropriate
• Regular testing and evaluation of security measures
• Staff training on data protection responsibilities
• Access controls limiting data access to authorised personnel
• Regular backup procedures
• Incident response procedures for data breaches

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

International Data Transfers

We primarily process data within the United Kingdom. Where we transfer personal data to countries outside the UK, we ensure appropriate safeguards are in place, such as:

• Transfers to countries with adequate protection as determined by the UK government
• Standard contractual clauses approved by the ICO
• Binding corporate rules where applicable

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Our standard retention periods are:

• Course participant records: 6 years after completion
• Enquiry data (non-enrolled): 2 years from last contact
• Marketing consent records: Duration of consent plus 1 year
• Financial records: 7 years as required by law

Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk

We encourage you to contact us first so we can attempt to resolve any concerns directly.

Updates to This Notice

We may update this GDPR compliance notice periodically. Significant changes will be communicated through our website or, where appropriate, by direct communication.