GDPR Compliance
Last updated: April 2026
Our Commitment to Data Protection
luster-whisper is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We recognise the importance of privacy and take our responsibilities as a data controller seriously.
This page provides specific information about our GDPR compliance practices and your rights under data protection legislation.
Data Controller Information
For the purposes of data protection law, luster-whisper acts as the data controller for personal information collected through our website and services.
Contact details:
luster-whisper
47 Kensington Gardens
London, W2 4DX
United Kingdom
Email: [email protected]
Your Data Protection Rights
Under GDPR, you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights.
Right of Access
You have the right to obtain confirmation that we are processing your personal data and to receive a copy of that data. This allows you to verify the lawfulness of processing and check the accuracy of your information.
How to exercise: Submit a subject access request to [email protected]. We will respond within one month, providing copies of the personal data we hold about you.
Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete data completed. This ensures the information we hold remains accurate and current.
How to exercise: Contact us with details of the information requiring correction. We will update our records promptly.
Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes it was collected or when you withdraw consent.
How to exercise: Submit an erasure request explaining why you believe your data should be deleted. We will assess your request against legal obligations and legitimate interests.
Limitations: We may need to retain certain information to comply with legal obligations such as tax and accounting requirements.
Right to Restriction of Processing
You can request that we limit how we use your personal data in specific situations, such as when you contest the accuracy of data or object to processing.
How to exercise: Explain which processing activities you wish to restrict and your reasons. We will apply appropriate restrictions while maintaining the data.
Right to Data Portability
You have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format, and to transmit this data to another controller.
How to exercise: Request a portable copy of your data. We will provide it in a format such as CSV or JSON where technically feasible.
Scope: This right applies to data processed by automated means based on consent or contract performance.
Right to Object
You can object to processing of your personal data when it is based on legitimate interests or for direct marketing purposes.
How to exercise: State your objection and the grounds relating to your particular situation. For direct marketing, we will cease processing immediately.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently employ automated decision-making or profiling.
Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to exercise: Contact us to withdraw consent for specific processing activities. We will cease processing unless we have another legal basis.
Lawful Bases for Processing
We process personal data only when we have a lawful basis under GDPR. The lawful bases we rely on include:
Consent
We process certain data based on your explicit, freely given consent, for example consent for analytics cookies or marketing communications. You can withdraw consent at any time.
Contract Performance
Processing is necessary to fulfil our contractual obligations when you engage our interior design and renovation services, including project delivery, communication, and payment processing.
Legal Obligation
We process data to comply with legal requirements such as tax laws, accounting standards, and health and safety regulations.
Legitimate Interests
We process data for legitimate business interests, balanced against your rights and freedoms. This includes:
- Responding to enquiries about our services
- Improving website functionality and user experience
- Maintaining business records and quality standards
- Protecting against fraud and security threats
- Defending legal claims
We conduct balancing tests to ensure processing does not override your interests or fundamental rights.
Data Protection Principles
Our data processing adheres to the core GDPR principles:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect and how we use it.
Purpose Limitation
We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
Data Minimisation
We collect only data that is adequate, relevant, and limited to what is necessary for the stated purposes.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or corrected without delay.
Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
Integrity and Confidentiality
We implement appropriate security measures to protect data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability
We are responsible for demonstrating compliance with these principles through documented policies, procedures, and records of processing activities.
Data Security Measures
We implement technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest where appropriate
- Access controls limiting who can view personal data
- Regular security assessments and penetration testing
- Staff training on data protection and security practices
- Incident response procedures for data breaches
- Secure disposal of data when no longer needed
- Contractual obligations for third-party processors
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
If the breach is likely to result in high risk to you, we will also communicate the breach to you without undue delay, providing information about the nature of the breach and measures we are taking to address it.
Third-Party Processing
When we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees of GDPR compliance. We enter into data processing agreements that:
- Define the subject matter, duration, nature, and purpose of processing
- Specify the types of personal data and categories of data subjects
- Outline the processor's obligations regarding data security and confidentiality
- Restrict processing to documented instructions from us
- Require notification of any data breaches
- Include provisions for assisting with data subject rights requests
International Transfers
Your personal data is primarily processed within the United Kingdom. If we transfer data to countries outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognising equivalent data protection standards
- Standard contractual clauses approved by regulatory authorities
- Binding corporate rules for intra-group transfers
We conduct transfer impact assessments to ensure protections remain effective.
Children's Data
Our services are not directed at children under 18. We do not knowingly collect or process personal data of children without appropriate parental consent. If we discover we have inadvertently collected such data, we will delete it promptly.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us:
Email: [email protected]
Post: 47 Kensington Gardens, London, W2 4DX, United Kingdom
Please include sufficient information to allow us to identify you and verify your identity. We may request additional information if necessary to confirm your identity and prevent unauthorised disclosure.
We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by two additional months, notifying you of the extension and the reasons for it.
We do not charge a fee for processing requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
Right to Lodge a Complaint
If you believe we have not handled your personal data properly or have concerns about our data protection practices, you have the right to lodge a complaint with a supervisory authority.
In the United Kingdom, the supervisory authority is:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: ico.org.uk
We would appreciate the opportunity to address your concerns directly, so please contact us before lodging a complaint with the ICO.
Updates to This Information
We review and update our GDPR compliance practices regularly. Material changes to this information will be reflected by updating the "Last updated" date at the top of this page.
We encourage you to review this page periodically to stay informed about how we protect your personal data.
Further Information
For comprehensive information about how we collect, use, and protect your personal data, please refer to our Privacy Policy.
If you have questions about our GDPR compliance or data protection practices, please contact us at [email protected].