GDPR Compliance Statement

Last Updated: January 2026

Our Commitment to GDPR Compliance

deep-train is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals within the European Economic Area and the United Kingdom. This statement outlines our approach to GDPR compliance and your rights under this regulation.

Data Controller Information

For the purposes of GDPR, the data controller is:

deep-train Ltd
42 Kingsway House
Bristol BS1 4QP
United Kingdom
Email: [email protected]

Types of Personal Data We Process

We process the following categories of personal data:

• Identity Data: Name, job title, organisation name
• Contact Data: Email address, postal address
• Technical Data: IP address, browser type, device information
• Usage Data: Information about how you use our website and services
• Training Data: Programme attendance, certifications, assessment results
• Communications Data: Correspondence and enquiries you send to us

Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so under GDPR Article 6:

• Consent: You have given clear consent for us to process your personal data for a specific purpose
• Contract: Processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
• Legal Obligation: Processing is necessary for us to comply with the law
• Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and interests

Your Rights Under GDPR

You have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This information is provided through our Privacy Policy and this GDPR statement.

2. Right of Access

You can request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will provide this information free of charge within one month of receiving your request.

3. Right to Rectification

You have the right to have inaccurate personal data corrected or completed if it is incomplete. We will action valid requests within one month.

4. Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to the processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

5. Right to Restrict Processing

You can request that we limit the way we use your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

7. Right to Object

You have the right to object to processing based on legitimate interests or the performance of a task in the public interest. You also have an absolute right to object to processing for direct marketing purposes.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. We do not currently engage in automated decision-making.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. Include the following information in your request:

• Your full name and contact details
• Specific details of your request
• Proof of identity (if required to verify your identity)

We will respond to valid requests within one month. In complex cases, we may extend this period by up to two months, in which case we will inform you of the extension and the reasons for it.

Data Protection Principles

We adhere to the following GDPR data protection principles:

• Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
• Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only
• Data Minimisation: We collect only the data that is adequate, relevant, and necessary
• Accuracy: We keep data accurate and up to date
• Storage Limitation: We retain data only as long as necessary
• Integrity and Confidentiality: We process data securely using appropriate technical and organisational measures
• Accountability: We take responsibility for compliance and can demonstrate it

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data
• Regular security assessments and audits
• Access controls and authentication procedures
• Staff training on data protection and security
• Incident response procedures

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

International Data Transfers

When we transfer personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions confirming adequate protection in the destination country
• Binding corporate rules

Third-Party Processors

We use carefully selected third-party processors for certain services. All processors are required to:

• Process data only on our documented instructions
• Implement appropriate security measures
• Maintain confidentiality
• Assist us in meeting GDPR obligations
• Delete or return data upon termination of services

Consent Management

Where we rely on consent as the legal basis for processing, we ensure that:

• Consent is freely given, specific, informed, and unambiguous
• Consent requests are clearly distinguishable from other matters
• You can withdraw consent at any time as easily as you gave it
• We maintain records of consent

Children's Data

Our services are not directed at children under 18. We do not knowingly collect or process personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through our website with an updated "Last Updated" date.

Contact Us

For questions about GDPR compliance or to exercise your rights, contact us at:

Email: [email protected]
Post: deep-train Ltd, 42 Kingsway House, Bristol BS1 4QP, United Kingdom