Glistain Scrub

GDPR Compliance

Last updated: April 2026

Our Commitment to Data Protection

Glistain Scrub operates in full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. We recognise that the personal information entrusted to us by clients deserves careful handling, robust protection, and transparent management.

This page outlines our approach to data protection compliance and explains how we uphold your rights under current legislation.

Data Controller Information

For the purposes of data protection legislation, Glistain Scrub acts as the data controller for personal information collected through our website and services. This means we determine how and why your data is processed.

Our contact details are:

Glistain Scrub
42 Marylebone High Street
London W1U 5HD
United Kingdom
Email: [email protected]

Lawful Bases for Processing

We process personal data only when we have a valid legal basis to do so. The specific basis depends on the purpose of processing:

Contractual Necessity

When you engage our styling services, processing your personal information becomes necessary to fulfil our contractual obligations. This includes maintaining appointment records, storing style preferences, and delivering the services you've purchased.

Legitimate Interests

We process certain data to pursue legitimate business interests, provided these don't override your fundamental rights and freedoms. Examples include analysing website usage to improve functionality, preventing fraudulent activity, and maintaining business records for operational continuity.

Legal Compliance

Some data processing is required to meet legal obligations, such as maintaining financial records for tax purposes, responding to lawful requests from authorities, or complying with accounting regulations.

Explicit Consent

For certain activities, particularly marketing communications, we rely on your explicit consent. You can withdraw this consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.

Your Data Protection Rights

UK GDPR grants individuals comprehensive rights over their personal data. We respect and facilitate the exercise of these rights:

Right of Access

You can request confirmation of whether we process your personal data and obtain a copy of that data. We provide this information free of charge, though we may charge a reasonable fee for additional copies or manifestly unfounded requests.

Right to Rectification

If personal information we hold is inaccurate or incomplete, you can request corrections. We'll update records promptly and notify relevant third parties where appropriate.

Right to Erasure

Under certain conditions, you can request deletion of your personal data. This applies when data is no longer necessary for its original purpose, consent is withdrawn, processing is unlawful, or legal obligations require erasure. Note that legal retention requirements may prevent immediate deletion in some cases.

Right to Restrict Processing

You can ask us to limit how we use your data whilst we verify its accuracy, assess the lawfulness of processing, or respond to an objection you've raised. During restriction, we store the data but don't actively process it without your consent except in specific circumstances.

Right to Data Portability

Where processing is based on consent or contract and conducted by automated means, you can request your data in a structured, commonly used, machine-readable format. You can also ask us to transmit this data directly to another controller where technically feasible.

Right to Object

You can object to processing based on legitimate interests or conducted for direct marketing purposes. For direct marketing, we'll cease processing immediately. For other objections, we'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We don't currently employ such automated decision-making in our operations.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected] with details of your request. We'll need to verify your identity before processing requests to protect against unauthorised access to your data.

We aim to respond within one month of receiving a valid request. If your request is particularly complex or we receive multiple requests from you, we may extend this period by two months, explaining the reasons for any delay.

Exercising your rights is generally free of charge. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive.

Data Protection Principles

Our data handling practices adhere to the core principles established by UK GDPR:

  • Lawfulness, Fairness, Transparency: We process data lawfully, fairly, and in a transparent manner, providing clear information about our practices
  • Purpose Limitation: Personal data is collected for specified, explicit, legitimate purposes and not further processed in ways incompatible with those purposes
  • Data Minimisation: We collect only data that is adequate, relevant, and limited to what's necessary for the intended purpose
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date, erasing or correcting inaccurate data promptly
  • Storage Limitation: Data is retained only as long as necessary for the purposes for which it was collected or as required by law
  • Integrity and Confidentiality: We implement appropriate security measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage
  • Accountability: We're responsible for demonstrating compliance with these principles through documentation, policies, and procedures

International Data Transfers

Our operations are based in the United Kingdom, and we primarily store and process data within the UK. In limited circumstances, data may be transferred to countries outside the UK for specific purposes, such as cloud storage or software services.

When international transfers occur, we ensure appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, or other legally recognised transfer mechanisms. We assess the data protection standards of recipient countries and implement supplementary measures where necessary.

Data Breach Procedures

Despite robust security measures, data breaches can occur. We maintain procedures to detect, report, and investigate suspected breaches promptly.

If a breach is likely to result in a high risk to your rights and freedoms, we'll notify you without undue delay, providing information about the nature of the breach, its likely consequences, and measures taken or proposed to address it.

Where required by law, we'll also report breaches to the Information Commissioner's Office within 72 hours of becoming aware of them.

Privacy by Design and Default

We implement privacy by design and default principles throughout our operations. This means considering data protection implications from the earliest stages of any project or system development.

We incorporate technical and organisational measures to ensure only personal data necessary for each specific purpose is processed. Default settings favour privacy, limiting data collection and retention to what's essential.

Staff Training and Awareness

All team members receive training on data protection principles, UK GDPR requirements, and our internal policies. This ensures consistent, compliant data handling across our organisation.

Access to personal data is restricted to staff members who require it for their role. We maintain clear policies on acceptable use, secure storage, and confidentiality obligations.

Right to Lodge a Complaint

Whilst we strive to address concerns directly, you have the right to lodge a complaint with the UK's supervisory authority for data protection matters:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113
Website: www.ico.org.uk

We encourage you to contact us first so we can attempt to resolve any issues before escalating to the ICO.

Updates to Compliance Measures

Data protection legislation and best practices evolve over time. We regularly review and update our compliance measures to reflect legal changes, regulatory guidance, and technological developments.

This page will be updated to reflect significant changes in our approach or the regulatory environment. Check the "last updated" date at the top to see when the most recent revisions were made.

Questions and Concerns

If you have questions about our GDPR compliance, wish to exercise your data protection rights, or have concerns about how we handle your information, please contact us at [email protected].

We're committed to addressing enquiries promptly and transparently, working with you to resolve any issues regarding your personal data.

Glistain Scrub

Professional fashion styling and wardrobe consultation services in the United Kingdom.

© 2026 Glistain Scrub. All rights reserved.
