GDPR Compliance

Last updated: May 10, 2026

Our Commitment to GDPR

Although the UK has left the European Union, we continue to comply with the principles of the General Data Protection Regulation (GDPR) as incorporated into UK law through the UK GDPR and Data Protection Act 2018. We are committed to protecting your personal data and respecting your privacy rights.

Data Controller

For the purposes of data protection legislation, cloudy-arc is the data controller. We are responsible for deciding how we hold and use personal information about you.

Contact details:
Email: [email protected]
Address: 42 Meadowbank Street, Edinburgh EH8 7DY, United Kingdom

Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Consent: You have given clear consent for us to process your personal data for specific purposes (e.g., submitting a service request)
• Contract: Processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
• Legal obligation: Processing is necessary for us to comply with the law (not including contractual obligations)
• Legitimate interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests

Special Category Data

Given the nature of our services, we process special category data including health information and details about disabilities. We process this data under the following conditions:

• You have given explicit consent
• Processing is necessary for social protection purposes (benefits applications)
• Processing is necessary for establishing, exercising, or defending legal claims

Your GDPR Rights

Under the UK GDPR, you have the following rights:

Right to be Informed

You have the right to be informed about the collection and use of your personal data. This GDPR statement and our Privacy Policy fulfill this obligation.

Right of Access

You have the right to request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure

You have the right to request deletion or removal of personal data where there is no compelling reason for its continued processing. This right is not absolute and only applies in certain circumstances.

Right to Restrict Processing

You have the right to request restriction of processing of your personal data in specific circumstances, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to request transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to processing of your personal data where we are relying on legitimate interests (or those of a third party).

Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our services.

How to Exercise Your Rights

To exercise any of your rights, please contact us at [email protected]. We will respond to your request within one month, though this may be extended by two further months in complex cases.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

Data Security Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Pseudonymization and encryption of personal data
• Ongoing confidentiality, integrity, availability, and resilience of processing systems
• Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
• Regular testing and evaluation of the effectiveness of security measures

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.

International Data Transfers

We do not routinely transfer personal data outside the United Kingdom. If such transfers become necessary, we will ensure appropriate safeguards are in place as required by UK GDPR.

Data Protection Officer

We have not appointed a Data Protection Officer as we are not required to do so under UK GDPR. However, our data protection practices are overseen by our senior management team.

Complaints

If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

Changes to This Statement

We may update this GDPR compliance statement from time to time. Any changes will be posted on this page with an updated revision date.