GDPR Compliance
Last updated: 9th April 2026
Our Commitment to Data Protection
Sunlit Plex Limited is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our data protection responsibilities seriously and have implemented appropriate measures to ensure your personal information is processed lawfully, fairly, and transparently.
Data Controller Information
Sunlit Plex Limited is the data controller responsible for your personal information. Our details are:
Sunlit Plex Limited
42 Bloomsbury Way
London WC1A 2SE
United Kingdom
Email: [email protected]
Company Number: 09876543
Your GDPR Rights Explained
Under UK GDPR, you have specific rights regarding how we handle your personal data. Here's what each right means in practice:
1. Right to Be Informed
You have the right to clear, transparent information about how we collect and use your personal data. We provide this through our Privacy Policy and this GDPR page.
What this means for you: You'll always know what data we collect, why we collect it, and how we use it.
2. Right of Access
You can request a copy of the personal information we hold about you. This is often called a Subject Access Request (SAR).
What this means for you: You can see exactly what information we have about you, including your reading preferences, consultation notes, and communication history.
How to exercise this right: Email us at [email protected] with "Subject Access Request" in the subject line. We'll respond within one month, providing your data in a clear, accessible format.
3. Right to Rectification
If your personal information is inaccurate or incomplete, you can ask us to correct it.
What this means for you: If your email address changes, your reading preferences evolve, or we've recorded something incorrectly, you can request an update.
How to exercise this right: Simply contact us with the correct information, and we'll update our records promptly.
4. Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal information in certain circumstances.
When this applies:
- The data is no longer necessary for the purpose for which we collected it
- You withdraw consent and we have no other legal basis for processing
- You object to processing and we have no overriding legitimate grounds
- The data has been unlawfully processed
- We must delete data to comply with legal obligations
Exceptions: We may need to retain certain information for legal compliance, such as financial records for tax purposes.
5. Right to Restrict Processing
You can ask us to limit how we use your information whilst we resolve specific issues.
When this applies:
- You're challenging the accuracy of your data
- Processing is unlawful but you don't want erasure
- We no longer need the data, but you need it for legal claims
- You've objected to processing whilst we verify our legitimate grounds
6. Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format and transfer it to another service provider.
What this means for you: If you decide to use another reading service, you can request your reading history and preferences from us in a portable format.
What we provide: Your data in JSON or CSV format, typically including contact details, reading preferences, book lists, and consultation notes.
7. Right to Object
You can object to certain types of processing, particularly for direct marketing or processing based on legitimate interests.
Marketing: You can opt out of marketing communications at any time. Every marketing email includes an unsubscribe link.
Other processing: If we're processing your data based on legitimate interests, you can object. We'll stop unless we can demonstrate compelling legitimate grounds that override your interests.
8. Rights Related to Automated Decision-Making
You have rights regarding decisions made solely by automated means without human involvement.
Our practice: We don't make automated decisions that significantly affect you. All book recommendations and service decisions involve human expertise from our team.
How to Exercise Your Rights
To exercise any of your GDPR rights:
- Email us at [email protected] with your request
- Include enough information for us to identify you (name and email address associated with our services)
- Specify which right you wish to exercise and provide any relevant details
We'll respond within one month. In complex cases, we may extend this by two additional months, and we'll explain why if needed.
No fee required: Exercising your rights is free unless your request is clearly unfounded or excessive.
Identity Verification
To protect your information, we may need to verify your identity before fulfilling certain requests. We'll ask for additional information only when necessary and proportionate.
Our Lawful Bases for Processing
We process your personal data under the following lawful bases:
Contract Performance
When you engage our services, we need to process your information to deliver what you've requested. This includes:
- Providing personalised book recommendations
- Delivering curated collections
- Organising reading group participation
- Processing payments
Legitimate Interests
We process certain data for legitimate business purposes, provided your rights don't override these interests:
- Improving our services based on client feedback and preferences
- Maintaining records of our business relationships
- Preventing fraud and ensuring security
- Understanding how our website is used
Consent
For certain activities, we ask for your explicit consent:
- Sending marketing communications
- Using non-essential cookies
- Sharing client testimonials
You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal Obligation
Sometimes we must process data to comply with legal requirements, such as:
- Maintaining financial records for tax purposes
- Responding to lawful requests from authorities
- Complying with employment and business regulations
Data Protection Principles
We adhere to the UK GDPR's core principles in all our data processing activities:
Lawfulness, Fairness, and Transparency
We process data lawfully, treat you fairly, and are transparent about our practices.
Purpose Limitation
We collect data for specific, explicit purposes and don't use it for incompatible purposes without informing you.
Data Minimisation
We collect only the data necessary for our stated purposes. We don't gather excessive information.
Accuracy
We take reasonable steps to ensure data accuracy and update or delete inaccurate information promptly.
Storage Limitation
We retain data only as long as necessary and have clear retention schedules.
Integrity and Confidentiality
We implement appropriate security measures to protect against unauthorised or unlawful processing and accidental loss or damage.
Accountability
We take responsibility for our data processing and can demonstrate compliance with these principles.
Data Security Measures
We've implemented technical and organisational measures to protect your data:
- Encryption of data during transmission and storage
- Regular security assessments and penetration testing
- Access controls limiting data access to authorised personnel
- Staff training on data protection and security
- Secure backup procedures
- Incident response procedures for potential breaches
- Contracts with processors requiring appropriate security measures
Data Breach Procedures
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours
- Inform affected individuals without undue delay if there's a high risk to their rights
- Document the breach, its effects, and remedial action taken
- Implement measures to prevent recurrence
International Data Transfers
Your data is primarily processed within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognising equivalent protection
- Standard contractual clauses approved by authorities
- Binding corporate rules where applicable
Children's Data
We do not knowingly process personal data of children under 16 without appropriate consent. If you're a parent or guardian and believe we've collected information about a child, please contact us immediately.
Making a Complaint
If you're concerned about how we handle your data, please contact us first so we can address your concerns.
If you remain dissatisfied, you can lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk
Updates to This Information
We may update this page to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website or direct notification.
Contact Us
For questions about GDPR compliance or to exercise your rights:
Email: [email protected]
Post: Sunlit Plex Limited, 42 Bloomsbury Way, London WC1A 2SE, United Kingdom