What is UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is the United Kingdom's data protection framework following Brexit, based on the EU GDPR but adapted for UK law. It works alongside the Data Protection Act 2018 to regulate how organizations collect, use, and protect personal data.

At CrownSpinScout, we are fully committed to compliance with UK GDPR and ensuring your personal data is handled lawfully, fairly, and transparently.

πŸ›‘οΈ Our GDPR Commitment

We process personal data in accordance with UK GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Data Controller Information

Under UK GDPR, we are classified as a Data Controller for the personal information we collect and process through this website.

Data Controller: CrownSpinScout

Website: crownspinscout.co.uk

Contact Email: info@crownspinscout.co.uk

Data Protection Email: privacy@crownspinscout.co.uk

Phone: +44 20 7123 4567

Address: London, United Kingdom

Lawful Basis for Processing Personal Data

We only process your personal data when we have a valid lawful basis under UK GDPR. We rely on the following legal grounds:

1. Consent (Article 6(1)(a))

When you explicitly agree to our processing of your personal data for specific purposes, such as:

  • Subscribing to our newsletter or marketing communications
  • Accepting cookies for analytics and advertising purposes
  • Participating in surveys, polls, or promotional campaigns

Your right: You can withdraw consent at any time by unsubscribing, adjusting cookie settings, or contacting us.

2. Legitimate Interests (Article 6(1)(f))

When processing is necessary for our legitimate business interests that do not override your rights and freedoms:

  • Analyzing website traffic and user behavior to improve our services
  • Detecting and preventing fraud, spam, or security threats
  • Managing affiliate partnerships and tracking referrals
  • Sending service-related communications about site updates

Balancing test: We regularly assess whether our interests are proportionate and respect your privacy rights.

3. Legal Obligation (Article 6(1)(c))

When we must process data to comply with UK legal requirements:

  • Age verification to ensure compliance with UK gambling regulations
  • Responding to lawful requests from authorities or courts
  • Maintaining records as required by tax and accounting laws
  • Complying with UK Gambling Commission regulations

4. Contract Performance (Article 6(1)(b))

When processing is necessary to fulfill our obligations or provide services you've requested:

  • Responding to your inquiries and support requests
  • Delivering content, reviews, and information services
  • Managing your account or preferences (if applicable)

Your Data Protection Rights Under UK GDPR

UK GDPR grants you comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights.

πŸ” Right of Access (Article 15)

Request a copy of the personal data we hold about you, including details about processing activities.

✏️ Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

πŸ—‘οΈ Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten") in certain circumstances.

⏸️ Right to Restrict Processing (Article 18)

Request that we limit how we process your data while you contest accuracy or object to processing.

📤 Right to Data Portability (Article 20)

Receive your personal data in a structured, commonly used, machine-readable format.

⛔ Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

🤖 Rights Related to Automated Decision-Making (Article 22)

Request human intervention if decisions are made solely by automated processing.

↩️ Right to Withdraw Consent

Withdraw previously given consent at any time without affecting prior processing.

How to Exercise Your Rights

To exercise any of these rights, please contact us using the following methods:

Response time: We will respond to your request within 30 days (1 month) as required by UK GDPR. In complex cases, we may extend this by an additional 2 months and will inform you accordingly.

Free of charge: We do not charge fees for exercising your rights, unless requests are manifestly unfounded or excessive.

Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or resolve disputes.

Specific Retention Periods:

| Data Type | Retention Period | Reason |
|---|---|---|
| Newsletter Subscriptions | Until unsubscribe or deletion request | Ongoing consent |
| Contact Form Inquiries | 2 years from last communication | Customer service & follow-up |
| Website Analytics (Google Analytics) | 26 months (anonymized after) | Service improvement & insights |
| Cookie Consent Records | 12-24 months | Compliance evidence |
| Age Verification Records | Session duration only | Legal compliance (no storage) |
| Affiliate Tracking Data | 6 years | Financial & tax obligations |
| Legal/Compliance Records | 6-7 years (as required by law) | UK legal obligations |

Secure Deletion: When retention periods expire, we securely delete or anonymize personal data using industry-standard methods to prevent recovery or unauthorized access.

Data Security & Technical Safeguards

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage (UK GDPR Article 32).

Technical Measures:

  • Encryption: SSL/TLS encryption for data transmission across our website
  • Secure Hosting: Protected servers with encrypted storage and regular backups
  • Access Controls: Role-based access with strong authentication requirements
  • Firewall Protection: Network security measures to prevent unauthorized access
  • Regular Security Updates: Timely patches and updates to prevent vulnerabilities

Organizational Measures:

  • Staff Training: Regular data protection and security awareness training
  • Data Minimization: Collecting only necessary personal data
  • Privacy by Design: Integrating data protection into all processes
  • Vendor Due Diligence: Ensuring third-party processors meet GDPR standards
  • Incident Response Plan: Procedures for detecting and responding to data breaches

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
  • We will inform affected individuals without undue delay if there is a high risk to their rights
  • Notifications will include the nature of the breach, likely consequences, and measures taken

International Data Transfers

Your personal data is primarily processed and stored within the United Kingdom and European Economic Area (EEA).

Transfers Outside UK/EEA:

If we transfer personal data to countries outside the UK/EEA, we ensure appropriate safeguards are in place as required by UK GDPR (Chapter V):

  • Adequacy Decisions: Transfers to countries recognized by the UK as providing adequate data protection (e.g., EU member states under the EU-UK adequacy decision)
  • Standard Contractual Clauses (SCCs): Approved by the UK ICO for transfers to non-adequate countries
  • Binding Corporate Rules: For multinational service providers with approved internal policies
  • Specific Safeguards: Additional measures (e.g., encryption) where required

Third-Party Processors: We ensure all service providers handling your data on our behalf comply with UK GDPR through contractual agreements (Data Processing Agreements).

Automated Decision-Making & Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you (UK GDPR Article 22).

Limited Automated Processing:

We use automated tools for the following limited purposes only:

  • Analytics: Automated aggregation of anonymized website usage data
  • Spam Prevention: Automated filtering of contact form submissions
  • Cookie Management: Automated application of your cookie preferences

None of these activities involve decisions that legally or significantly affect individuals.

Children's Data Protection

Our website is intended solely for individuals 18 years of age and older. We do not knowingly collect or process personal data from children under 18.

  • Age Verification: We require age confirmation before accessing our site
  • No Child Data: We do not target or collect data from minors
  • Immediate Deletion: If we discover we've collected data from a minor, we delete it immediately
  • Parental Rights: Parents/guardians can contact us to request deletion of any child's data

If you believe we have inadvertently collected information from someone under 18, please contact us immediately at privacy@crownspinscout.co.uk.

Data Protection Officer (DPO)

While not legally required to appoint a DPO under UK GDPR (as we are not a public authority and our processing activities do not meet the threshold), we have designated a Data Protection Team responsible for overseeing GDPR compliance.

Contact Our Data Protection Team:

Email: privacy@crownspinscout.co.uk

Phone: +44 20 7123 4567

Purpose: Data protection inquiries, rights requests, compliance questions

Supervisory Authority & Complaints

You have the right to lodge a complaint with the UK's data protection supervisory authority if you believe we have not complied with UK GDPR.

Information Commissioner's Office (ICO)

Website: https://ico.org.uk/

Helpline: 0303 123 1113

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Online Complaints: https://ico.org.uk/make-a-complaint/

We Encourage Direct Contact First: While you have the right to complain directly to the ICO, we encourage you to contact us first so we can address your concerns promptly and effectively.

Updates to GDPR Compliance Practices

We regularly review and update our GDPR compliance practices to ensure ongoing adherence to UK data protection laws and best practices.

When We Update:

  • Changes in UK GDPR legislation or guidance from the ICO
  • Implementation of new technologies or processing activities
  • Periodic compliance audits and assessments
  • Feedback from data subjects or supervisory authorities

This page was last updated on 9 December 2025. Material changes will be communicated via our website and Privacy Policy.

Questions About Your Data Rights?

Our Data Protection Team is here to help you exercise your UK GDPR rights and answer any compliance questions.
