GDPR Compliance

Your data protection rights under UK GDPR

Our Commitment to Data Protection

calm-funds Limited operates in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to transparency in how we collect, use, and protect your personal data.

This page provides specific information about your rights under GDPR and how we fulfill our obligations as a data controller.

Data Controller Details

Controller Name: calm-funds Limited
Registration Number: 09847265
Registered Address: 42 Riverside Business Park, Harcourt Way, Bristol BS2 0AW, United Kingdom
Contact Email: [email protected]

We do not have a designated Data Protection Officer as we are not required to appoint one under GDPR. However, data protection matters are handled directly by senior management and you may contact us at the above email for any data protection inquiries.

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. For different processing activities, we rely on:

Consent

When you explicitly agree to us processing your data for specific purposes, such as receiving marketing communications. You can withdraw consent at any time by contacting us.

Contract Performance

When processing is necessary to deliver services you've requested or to take steps before entering into a contract. This includes conducting assessments and providing consultations.

Legal Obligation

When we must process data to comply with legal requirements, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

Legitimate Interests

When processing is necessary for legitimate business purposes, provided your rights and freedoms are not overridden. This includes business administration, improving services, and preventing fraud. We conduct assessments to ensure our interests are balanced against your rights.

Your Rights Under GDPR

UK GDPR grants you specific rights regarding your personal data:

Right to be Informed

You have the right to clear information about how we use your personal data. This is provided through our Privacy Policy and this GDPR page.

Right of Access

You can request confirmation of whether we process your personal data and receive a copy of that data. This is commonly known as a Subject Access Request (SAR). We will respond within one month, providing your data in a commonly used electronic format where possible.

Right to Rectification

If your personal data is inaccurate or incomplete, you can request that we correct or complete it. We will do so within one month and notify any third parties with whom we've shared the data if appropriate.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose we collected it
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

This right is not absolute. We may need to retain information for legal compliance, establishing or defending legal claims, or other specific reasons permitted under GDPR.

Right to Restrict Processing

You can request that we limit how we use your data in certain situations, such as when you contest accuracy or object to processing. During restriction, we may store the data but not use it further without your consent or for specific legal purposes.

Right to Data Portability

When we process your data based on consent or contract, and processing is automated, you can receive your data in a structured, commonly used, machine-readable format. You can also request that we transmit this data directly to another controller where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we must stop immediately. For other processing, we will stop unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. If this changes, we will update this policy and obtain your explicit consent where required.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected] with:

  • Your name and contact information
  • Details of which right you wish to exercise
  • Any relevant details to help us locate your information
  • Proof of identity (if needed to verify your request)

We will respond within one month. In complex cases, we may extend this by two additional months and will explain the reasons for any delay.

There is no fee for making a request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.

Data Protection Principles

We adhere to the data protection principles set out in UK GDPR, ensuring that personal data is:

  • Processed lawfully, fairly, and transparently: We are open about how we use your data and have legal grounds for processing
  • Collected for specified, explicit, and legitimate purposes: We collect data only for identified purposes and don't use it in ways incompatible with those purposes
  • Adequate, relevant, and limited: We collect only what we need for stated purposes
  • Accurate and kept up to date: We take reasonable steps to ensure accuracy and correct or delete inaccurate data
  • Kept for no longer than necessary: We retain data only as long as needed for specified purposes or legal requirements
  • Processed securely: We implement appropriate security measures to protect against unauthorized or unlawful processing and accidental loss or damage

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place:

  • Transfers to countries with adequacy decisions from the UK government
  • Standard contractual clauses approved by the UK authorities
  • Other legally approved transfer mechanisms

You can request information about the safeguards we use for specific transfers by contacting us.

Data Breach Procedures

We have procedures in place to detect, report, and investigate data breaches. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware
  • Inform affected individuals without undue delay if the risk is high
  • Document the breach and our response
  • Take steps to mitigate harm and prevent recurrence

Children's Privacy

Our services are directed at adult homeowners. We do not knowingly collect personal data from children under 16. If we become aware that we've collected such data without appropriate consent, we will delete it promptly.

Supervisory Authority

The Information Commissioner's Office (ICO) is the UK supervisory authority for data protection. If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the ICO:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Phone: 0303 123 1113
Website: ico.org.uk

We encourage you to contact us first so we can address your concerns directly, but you have the right to contact the ICO at any time.

Policy Updates

We review this GDPR compliance information regularly and update it as needed to reflect changes in our practices or legal requirements. Significant changes will be communicated to active clients via email.

Last updated: 15 April 2026