GDPR Information
Last updated: July 14, 2026
Introduction
The UK General Data Protection Regulation (UK GDPR) gives individuals rights over their personal data. This page explains those rights and how hyper-willow complies with data protection requirements.
Data Controller
hyper-willow is the data controller for personal information collected through our website and consultation services. We determine how and why your personal data is processed.
For data protection enquiries, contact us at [email protected]
Legal Basis for Processing
We process personal data under the following legal bases:
Contractual Necessity
When you engage our consultation services, processing your personal data is necessary to fulfill our contractual obligations, including scheduling assessments, conducting evaluations, and delivering reports.
Legitimate Interests
We may process data based on legitimate interests, such as improving our services, preventing fraud, and maintaining business records. We balance these interests against your rights and freedoms.
Consent
For certain processing activities, such as marketing communications or analytics cookies, we obtain your explicit consent before processing your data.
Legal Obligations
We process data when necessary to comply with legal requirements, such as maintaining financial records or responding to lawful requests from authorities.
Your Rights Under UK GDPR
Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used electronic format unless you request otherwise.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you have the right to request correction. We will update records promptly upon receiving verified correction requests.
Right to Erasure
Also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes it was collected or when you withdraw consent.
Note that we may need to retain certain information to comply with legal obligations or for legitimate business purposes like defending legal claims.
Right to Restrict Processing
You may request that we restrict how we use your personal data in specific situations, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. All consultation assessments involve human professional judgment.
Exercising Your Rights
To exercise any of these rights, contact us at [email protected] with sufficient information to verify your identity and specify which right you wish to exercise.
We will respond to valid requests within one month, though complex requests may require up to three months. We will inform you if additional time is needed.
There is no fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Security measures include:
- Encryption of data in transit and at rest
- Access controls limiting who can view personal data
- Regular security assessments and updates
- Employee training on data protection requirements
- Secure backup procedures
Data Retention
We retain personal data only as long as necessary for the purposes it was collected or as required by law. Retention periods vary depending on data type and purpose:
- Consultation records: Six years from service completion for professional liability purposes
- Marketing consent records: Until consent is withdrawn
- Website analytics: 26 months from collection
- Financial records: As required by tax and accounting regulations
International Transfers
We primarily process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by relevant authorities.
Data Protection Impact Assessments
We conduct data protection impact assessments when introducing new processing activities that may pose high risks to individuals' rights and freedoms. These assessments help us identify and mitigate privacy risks.
Data Breach Notification
In the unlikely event of a data breach that poses risks to your rights and freedoms, we will notify you and the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by law.
Children's Privacy
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete it.
Complaints
If you believe we have not handled your personal data properly, please contact us first so we can address your concerns.
You also have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk
Updates to This Information
We may update this GDPR information to reflect changes in our practices or legal requirements. Material changes will be communicated through our website. The date at the top indicates when this page was last revised.
Further Information
For comprehensive information about our data practices, please also review our Privacy Policy.
For specific questions about GDPR compliance or data protection, contact us at [email protected]