GDPR Compliance

Last Updated: May 26, 2026

Our Commitment to Data Protection

frosted-cities is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we comply with data protection principles and your rights under these regulations.

Data Controller

frosted-cities acts as the data controller for personal information collected through our website and educational programs.

Contact Details:
frosted-cities
45 Buchanan Street
Glasgow G1 3HL
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

Consent: When you provide explicit consent for specific processing activities, such as receiving marketing communications
Contract: When processing is necessary to fulfill our contractual obligations to provide educational programs
Legal Obligation: When we must process data to comply with legal requirements
Legitimate Interests: When processing is necessary for our legitimate business interests, such as improving our services, provided this does not override your rights

Data Protection Principles

We adhere to the following data protection principles:

Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only
Data Minimization: We collect only the data necessary for our purposes
Accuracy: We take reasonable steps to ensure data is accurate and up to date
Storage Limitation: We retain data only as long as necessary
Integrity and Confidentiality: We implement appropriate security measures to protect data
Accountability: We demonstrate compliance with all data protection principles

Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access

You have the right to request access to your personal data and receive information about how we process it.

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes it was collected.

Right to Restriction of Processing

You can request that we restrict processing of your personal data in specific situations.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

Right to Object

You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significant effects. We do not currently engage in automated decision-making.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

How to Exercise Your Rights

To exercise any of your rights under GDPR, please contact us at [email protected]. We will respond to your request within one month, though this may be extended by two further months in complex cases.

You will not normally have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply with your request if it is clearly unfounded, repetitive, or excessive.

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

Encryption of data in transit and at rest where appropriate
Regular security assessments and updates
Access controls limiting data access to authorized personnel only
Staff training on data protection obligations
Incident response procedures for data breaches

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also notify affected individuals without undue delay.

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.

Children's Data

Given that our programs serve children and teenagers, we take extra precautions when processing children's data. We obtain parental consent before collecting personal information from children under 13 and provide parents with control over their child's data.

Third-Party Processors

We work with carefully selected third-party service providers who process data on our behalf. All processors are bound by data processing agreements ensuring they handle data in compliance with GDPR requirements.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Typical retention periods include:

Student enrollment records: duration of program plus 2 years
Financial records: 7 years for tax purposes
Marketing consent records: until consent is withdrawn
Website analytics: 26 months

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: frosted-cities.com

Updates to This Policy

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Significant changes will be communicated to affected individuals.

Contact Us

For questions about our GDPR compliance or to exercise your data protection rights, please contact us at [email protected].