lunar-dock

GDPR Information

Last updated: April 2026

Our Commitment to GDPR Compliance

lunar-dock is committed to protecting your personal data in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. This page provides specific information about our GDPR compliance and your rights under this legislation.

For comprehensive details about our data practices, please also review our Privacy Policy.

Data Controller Information

Data Controller: lunar-dock
Address: 15 Eastcheap, London EC3M 1BU, United Kingdom
Email: [email protected]

As the data controller, we determine how and why personal data is processed. We're responsible for ensuring this processing complies with data protection law.

Legal Basis for Processing

We process personal data under several legal bases as defined by GDPR:

Contractual Necessity

Processing is necessary to provide financial services you've requested or to take steps before entering into a service agreement. This covers most client service activities including financial planning, investment management, and advisory services.

Legal Obligation

We must process certain data to comply with legal requirements, including FCA regulations, anti-money laundering laws, tax legislation, and record-keeping obligations applicable to financial services.

Legitimate Interests

We process data where necessary for legitimate business interests, provided these don't override your fundamental rights and freedoms. Examples include:

  • Maintaining client relationship records
  • Internal business administration and quality assurance
  • Fraud prevention and security measures
  • Improving our services
  • Defending legal claims

We carefully balance these interests against your privacy rights and conduct assessments where appropriate.

Consent

In certain situations, we ask for explicit consent before processing data, such as sharing information with third-party advisors beyond what's necessary for service delivery, or using information for purposes not covered by other legal bases.

When we rely on consent, you can withdraw it at any time by contacting us. Withdrawal doesn't affect the lawfulness of processing before withdrawal.

Your GDPR Rights Explained

GDPR grants you specific rights regarding personal data. Here's what each means in practice:

Right of Access

You can request confirmation of whether we process your personal data and obtain a copy of that data. We'll provide this information in a clear, accessible format within one month of receiving a valid request.

The first copy is provided free of charge. For additional copies or manifestly unfounded or excessive requests, we may charge a reasonable administrative fee.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you can request correction. We'll rectify errors promptly and notify any third parties to whom we've disclosed the data where appropriate.

You can also supplement incomplete data with additional information relevant to the processing purposes.

Right to Erasure

Under this right, also known as the "right to be forgotten," you can request deletion of personal data in specific circumstances:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required for legal compliance

This right has limitations. We may refuse erasure when retention is necessary for legal compliance, establishing or defending legal claims, or fulfilling regulatory obligations. Financial services regulations typically require us to maintain client records for at least seven years.

Right to Restriction of Processing

You can request that we limit how we use your data in certain situations:

  • You contest data accuracy during verification
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you require it for legal claims
  • You've objected to processing pending verification of our legitimate grounds

When processing is restricted, we store the data but don't otherwise process it without your consent, except for legal claims or protecting others' rights.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you can request that we provide your personal data in a structured, commonly used, machine-readable format. Where technically feasible, we can transmit this directly to another controller.

This right applies to data you've provided to us, not data generated through our analysis or observations.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

When you object to processing based on legitimate interests, we'll cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for establishing, exercising, or defending legal claims.

For direct marketing, we'll stop processing immediately upon objection.

Rights Related to Automated Decision-Making

You have rights regarding decisions made solely through automated processing that produce legal effects or similarly significantly affect you.

We don't typically make significant decisions about clients through fully automated means. Our advisory process involves human judgment and expertise. If this changes, we'll inform you and ensure appropriate safeguards.

How to Exercise Your Rights

To exercise any GDPR rights, contact us at [email protected] or write to our postal address. Please include sufficient detail to identify yourself and specify which right you're exercising.

We may need to verify your identity before responding to requests, particularly for access requests or requests to delete or modify data. This protects your information from unauthorized disclosure or alteration.

We'll respond to valid requests within one month. In complex cases or when handling multiple requests, we may extend this by two additional months. We'll inform you of any extension within the first month, explaining the reasons for delay.

Data Protection Principles

We adhere to GDPR's core data protection principles, ensuring personal data is:

Processed Lawfully, Fairly, and Transparently

We have valid legal grounds for processing and explain our practices clearly through this notice and other communications.

Collected for Specified, Explicit, and Legitimate Purposes

We identify clear purposes for data collection and don't use information in ways incompatible with those purposes without informing you.

Adequate, Relevant, and Limited

We collect only information necessary for identified purposes. We don't gather excessive data "just in case" it might be useful later.

Accurate and Kept Up to Date

We take reasonable steps to ensure data accuracy and update information when you inform us of changes. Inaccurate data is corrected or deleted promptly.

Retained Only as Long as Necessary

We maintain personal data only while needed for specified purposes or to meet legal obligations. We have retention policies determining appropriate periods for different data categories.

Processed Securely

We implement appropriate technical and organizational measures to protect against unauthorized or unlawful processing and accidental loss, destruction, or damage.

International Data Transfers

We primarily process data within the United Kingdom. When transfers outside the UK are necessary, we ensure adequate protection through:

  • Transfers to countries deemed to provide adequate protection by UK authorities
  • Standard contractual clauses approved for international transfers
  • Other appropriate safeguards recognized under UK data protection law

You can request details of safeguards applied to specific international transfers by contacting us.

Data Breach Notification

Despite robust security measures, data breaches can occur. We have procedures to detect, report, and investigate breaches.

If a breach is likely to result in high risk to your rights and freedoms, we'll notify you without undue delay, providing information about the breach's nature, likely consequences, and measures taken or proposed to address it.

We'll also notify the Information Commissioner's Office of breaches as required by regulation.

Privacy by Design and Default

We integrate privacy considerations into our business processes and systems from the outset. This includes:

  • Conducting privacy impact assessments for new processing activities
  • Implementing data minimization in our procedures
  • Building security measures into systems and processes
  • Training staff on data protection requirements
  • Regular review and updating of data protection practices

By default, we process only personal data necessary for each specific purpose and retain it only as long as needed.

Children's Data

We don't offer services directly to children under 16 or knowingly collect their personal data for marketing purposes. When financial planning involves children as family members or dependants, we process only information necessary for the service and with appropriate parental or guardian consent where required.

Third-Party Data Processors

We engage third-party service providers who process personal data on our behalf. These processors are selected carefully and bound by contracts requiring them to:

  • Process data only according to our documented instructions
  • Maintain appropriate security measures
  • Assist with data subject rights requests
  • Delete or return data upon termination of services
  • Demonstrate compliance with data protection obligations

We maintain records of processing activities and can provide information about our processors upon request.

Questions and Complaints

If you have questions about our GDPR compliance or wish to raise concerns about data handling, please contact us at [email protected]. We take all queries seriously and respond promptly.

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

We appreciate the opportunity to address concerns directly before escalation to the regulator, but you have the unconditional right to contact the ICO at any time.

Updates to This Information

We may update this GDPR information periodically to reflect changes in our practices or legal requirements. Updated versions will be posted on our website with revision dates. Significant changes affecting client data will be communicated directly.


© 2026 lunar-dock. All rights reserved.

Financial services are subject to regulation by the Financial Conduct Authority.