GDPR Compliance
Your data protection rights under UK GDPR and how we uphold them.
Last updated: 1 March 2026
Our Commitment to Data Protection
cold-wood Ltd takes data protection seriously. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides specific information about how we meet our obligations under this legislation.
Data Controller Information
cold-wood Ltd acts as the data controller for personal information collected through our website and in connection with our services.
Data Controller: cold-wood Ltd
Address: 47 Marchmont Street, London WC1N 1AP
Email: [email protected]
Company Number: 09847256
Lawful Bases for Processing
Under UK GDPR, we must have a valid lawful basis to process your personal data. The bases we rely on include:
Contractual Necessity
When you book a service with us, we process your data to fulfil that contract. This includes your contact details, appointment information, and any details necessary to provide the specific service you've requested.
Legitimate Interests
We process certain data based on our legitimate business interests, provided these interests do not override your fundamental rights. Examples include:
- Maintaining records of client interactions to improve our services
- Analysing website traffic to understand user behaviour
- Protecting our business from fraud
Consent
For some processing activities, we rely on your explicit consent. This includes:
- Sending you marketing communications
- Storing non-essential cookies on your device
- Using photographs you provide for before/after comparisons (where relevant)
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Legal Obligation
We may process data to comply with legal requirements, such as maintaining financial records for tax purposes.
Your Rights Under UK GDPR
UK GDPR grants you specific rights regarding your personal data. We are committed to facilitating these rights:
Right of Access
You can request a copy of the personal data we hold about you. We will provide this free of charge within one month of your request. In exceptional circumstances, where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request.
Right to Rectification
If you believe any data we hold about you is inaccurate or incomplete, you can request that we correct it. We will respond within one month.
Right to Erasure
You can request that we delete your personal data in certain circumstances, including:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the basis for processing)
- You object to processing based on legitimate interests, and we have no overriding grounds
- The data has been unlawfully processed
Note that we may need to retain certain data for legal or legitimate business reasons.
Right to Restrict Processing
You can ask us to restrict processing of your data while we verify its accuracy, while we consider your objection to processing, or where processing is unlawful but you prefer restriction over erasure.
Right to Data Portability
Where technically feasible, you can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
Right to Object
You can object to processing based on legitimate interests. We must stop unless we can demonstrate compelling legitimate grounds that override your interests. You can always object to direct marketing, and we must stop immediately.
Rights Related to Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. Our styling services involve human judgement throughout.
How to Exercise Your Rights
To exercise any of your rights, please contact us at [email protected]. Please provide sufficient information to verify your identity. We will respond to valid requests within one month, though this may be extended by two months for complex requests, in which case we will inform you.
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected. Specific retention periods are outlined in our Privacy Policy. When data is no longer needed, we securely delete or anonymise it.
International Data Transfers
We primarily store and process data within the United Kingdom. Should we need to transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.
Data Security Measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments
- Staff training on data protection
Data Breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours. If the breach is likely to result in a high risk to you, we will also notify you directly.
Complaints
If you are unhappy with how we handle your data, please contact us first so we can try to resolve the matter. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Updates to This Information
We review our data protection practices regularly. This page will be updated if our practices change significantly.