GDPR Compliance Statement

Last Updated: 20 May 2026

Our Commitment to Data Protection

Whispered Path is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take your privacy seriously and implement robust measures to protect your personal data.

Data Controller Information

Whispered Path acts as the data controller for personal information collected through our website and business operations.

Contact Details:
Email: [email protected]
Address: 47 Thornfield Lane, Altrincham, Greater Manchester, WA14 2QR, United Kingdom

What Personal Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: Name, title
  • Contact Data: Email address, property address
  • Technical Data: IP address, browser type, device information, website usage data
  • Project Data: Service requests, project requirements, consultation notes
  • Communication Data: Email correspondence, feedback, inquiries

Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so:

1. Consent

Where you have explicitly agreed to us processing your data for specific purposes, such as receiving marketing communications. You can withdraw consent at any time.

2. Contract Performance

Processing necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.

3. Legal Obligation

Processing required to comply with legal or regulatory requirements, such as tax and accounting obligations.

4. Legitimate Interests

Processing necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms. Examples include:

  • Improving our services and website functionality
  • Preventing fraud and ensuring security
  • Internal administrative purposes

Your GDPR Rights

Under UK GDPR, you have the following rights regarding your personal data:

1. Right to be Informed

You have the right to clear, transparent information about how we use your personal data and your rights. This is provided through our Privacy Policy and this GDPR statement.

2. Right of Access

You can request a copy of all personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one month of receiving your request.

3. Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request correction or completion.

4. Right to Erasure (Right to be Forgotten)

In certain circumstances, you can request deletion of your personal data. This applies when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

5. Right to Restrict Processing

You can request that we limit how we use your personal data in specific circumstances, such as when you contest the accuracy of the data.

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

7. Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

8. Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: [email protected]

Please include the following in your request:

  • Your full name
  • Email address associated with your data
  • Specific right you wish to exercise
  • Any relevant details to help us locate your data

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you if this is necessary.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls limiting who can access personal data
  • Staff training on data protection principles
  • Secure backup systems
  • Incident response procedures

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law:

  • Client project data: 6 years after project completion (for legal, warranty, and tax purposes)
  • Inquiry data (no contract): 2 years from last contact
  • Marketing consent data: Until consent is withdrawn or the individual requests deletion
  • Website analytics: 26 months

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document all data breaches and remedial actions taken

Third-Party Data Processors

When we engage third-party service providers who process personal data on our behalf, we ensure:

  • Written contracts are in place with appropriate data protection clauses
  • Processors only act on our documented instructions
  • Processors implement appropriate security measures
  • Processors assist with our GDPR compliance obligations

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK government
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules

Changes to This Statement

We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website.

Complaints and Supervisory Authority

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113

Questions and Contact

If you have any questions about our GDPR compliance or data protection practices, please contact us:

Email: [email protected]