GDPR Compliance

Last updated: May 14, 2026

Our Commitment to GDPR

grimrock-path is committed to complying with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We take the protection of your personal data seriously and have implemented appropriate measures to ensure compliance.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: When you register for our programmes or subscribe to communications, you provide explicit consent for us to process your information.
  • Contract Performance: Processing is necessary to fulfil our obligations when you enrol in our programmes.
  • Legitimate Interests: We may process data for legitimate business interests, such as improving our services, provided these interests do not override your rights.
  • Legal Obligation: We may process data to comply with legal requirements.

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used electronic format.

Right to Rectification

If you believe any information we hold about you is inaccurate or incomplete, you have the right to request correction.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transfer it to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes at any time.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling in our services. All decisions regarding programme enrolment and delivery involve human review.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: [email protected]
Address: 27 Cathedral Road, Cardiff, CF11 9HA, United Kingdom

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any such extension.

Data Protection Officer

For questions about data protection or to exercise your rights, you can contact our data protection representative at [email protected].

Children's Data

When processing data about children (individuals under 18), we:

  • Obtain consent from parents or guardians
  • Collect only the minimum necessary information
  • Use data solely for delivering educational services
  • Implement enhanced security measures
  • Allow parents to access, modify, or delete their child's data

Data Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit and at rest
  • Regular security assessments
  • Access controls limiting data access to authorized personnel
  • Staff training on data protection practices
  • Incident response procedures

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Inform affected individuals without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach and steps taken

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office.

Data Retention

We retain personal data only as long as necessary:

  • Programme registration data: 3 years after programme completion
  • Email correspondence: 2 years from last contact
  • Website analytics: 26 months
  • Legal or regulatory requirements may necessitate longer retention

Third-Party Processors

We may engage third-party service providers to process data on our behalf. All processors are carefully selected and required to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Comply with GDPR requirements

Complaint to Supervisory Authority

If you believe we have not handled your data properly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Updates to This Notice

We may update this GDPR compliance notice to reflect changes in our practices or legal requirements. Material changes will be communicated through our website and, where appropriate, via email.

Contact Information

For any questions about GDPR compliance or data protection:

Email: [email protected]
Address: 27 Cathedral Road, Cardiff, CF11 9HA, United Kingdom


© 2026 grimrock-path. All rights reserved.