GDPR Compliance

Last Updated: June 18, 2026

Our Commitment to Data Protection

canopy-egret is committed to complying with the UK General Data Protection Regulation and all applicable data protection laws. We take the security and privacy of personal data seriously and have implemented comprehensive measures to ensure lawful, fair, and transparent processing.

Lawful Basis for Processing

We process personal data under the following lawful bases:

• Consent: When you submit contact forms or accept cookies
• Contract: When providing services to active clients
• Legal Obligation: When required to comply with UK regulations
• Legitimate Interests: For website analytics and service improvement

Data Subject Rights

Under UK GDPR, you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data under certain conditions
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a structured format
• Right to Object: Object to processing based on legitimate interests
• Rights Related to Automated Decision-Making: Challenge automated decisions

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at: [email protected]

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any delay.

Data Protection Measures

We implement the following technical and organizational measures:

• End-to-end encryption for data transmission
• Encryption at rest for stored data
• Multi-factor authentication for system access
• Regular security audits and penetration testing
• Employee training on data protection requirements
• Incident response procedures for data breaches

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and inform affected individuals without undue delay.

International Data Transfers

All personal data is processed and stored within the United Kingdom. We do not transfer data outside the UK except when required for emergency response coordination with client-specified international services, and only under appropriate safeguards.

Third-Party Processors

We work with carefully vetted third-party processors who assist with infrastructure and technical services. All processors are bound by data processing agreements that ensure GDPR compliance and appropriate security measures.

Children's Data

Our services are intended for professional organizations and are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children.

Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office if you believe we have not handled your data appropriately:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk

Contact Our Data Protection Officer

For questions regarding GDPR compliance or to exercise your rights, please contact our Data Protection Officer at: [email protected]