Mystic Claim

GDPR Compliance

Last updated: 17 April 2026

Our Commitment to Data Protection

Mystic Claim Limited is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities regarding the protection of personal data seriously and have implemented comprehensive policies and procedures to ensure compliance.

This page provides specific information about how we fulfil our obligations under GDPR and how you can exercise your data protection rights.

Data Controller Information

For the purposes of UK GDPR, the data controller is:

Mystic Claim Limited
Company Registration Number: 11234789
Registered Address: 42 Threadneedle Street, London EC2R 8AY, United Kingdom
Email: [email protected]

We do not currently have a designated Data Protection Officer as we are not required to appoint one under GDPR. However, data protection queries should be directed to the email address above.

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. The legal grounds we rely on include:

Contract Performance

Processing is necessary to fulfil our contractual obligations when we provide consulting services to you or your organisation. This includes:

  • Managing client relationships and delivering agreed services
  • Communicating about active projects
  • Processing payments and maintaining financial records

Legitimate Interests

We process data where necessary for our legitimate business interests, provided these do not override your fundamental rights. Examples include:

  • Responding to enquiries from prospective clients
  • Conducting business development and marketing activities
  • Improving our services and website functionality
  • Protecting against fraud and ensuring network security
  • Managing our business operations efficiently

Legal Compliance

Processing is necessary to comply with legal obligations, including:

  • Tax and accounting requirements
  • Professional indemnity insurance obligations
  • Regulatory reporting requirements
  • Legal proceedings and dispute resolution

Consent

Where we rely on consent, we will:

  • Obtain clear and explicit consent before processing
  • Provide easy ways to withdraw consent at any time
  • Keep records of when and how consent was given

Your Rights Under GDPR

UK GDPR grants you specific rights regarding your personal data. We respect these rights and have procedures in place to facilitate their exercise.

Right of Access

You have the right to obtain confirmation about whether we process your personal data and to receive a copy of that data. We will provide this information free of charge within one month of your request.

Right to Rectification

If you believe information we hold about you is inaccurate or incomplete, you can request that we correct or complete it. We will respond within one month and make corrections where appropriate.

Right to Erasure

Under this right, also known as the "right to be forgotten", you can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

This right is not absolute – we may need to retain certain information to comply with legal obligations or to establish, exercise, or defend legal claims.

Right to Restriction of Processing

You can request that we limit how we use your data in specific situations:

  • You contest the accuracy of the data while we verify it
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing while we verify our legitimate grounds

Right to Data Portability

Where technically feasible, you can request to receive personal data you provided to us in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision Making

We do not currently use automated decision-making or profiling that produces legal or similarly significant effects. If this changes, we will update this notice and ensure appropriate safeguards are in place.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us using the following methods:

  • Email: [email protected]
  • Post: Data Protection Enquiries, Mystic Claim Limited, 42 Threadneedle Street, London EC2R 8AY

What We Need From You

To process your request efficiently and securely, please provide:

  • Your full name and contact details
  • Details of your specific request and which right you are exercising
  • Any relevant dates or reference numbers
  • Proof of identity (we may request this to prevent unauthorised disclosure)

Our Response Timeline

We aim to respond to all requests within one month. If your request is complex or we receive multiple requests, we may extend this period by up to two additional months. We will inform you of any extension within the first month, explaining the reasons for the delay.

Charges

We do not charge fees for exercising your rights unless:

  • Your request is clearly unfounded or excessive
  • You request multiple copies of the same information

Where a charge applies, we will inform you before proceeding with your request.

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

Technical Safeguards

  • Encryption of personal data both in transit and at rest
  • Regular security testing and vulnerability assessments
  • Secure authentication and access controls
  • Firewall protection and intrusion detection systems
  • Regular backup procedures with secure off-site storage

Organisational Safeguards

  • Data protection training for all staff handling personal information
  • Clear policies and procedures for data handling
  • Regular audits of data processing activities
  • Confidentiality agreements with employees and contractors
  • Incident response and breach notification procedures

Data Breach Procedures

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:

  • Notify the Information Commissioner's Office within seventy-two hours of becoming aware of the breach
  • Document the breach, including facts, effects, and remedial action taken
  • Inform affected individuals without undue delay if the breach poses a high risk to them
  • Take immediate steps to mitigate the breach and prevent recurrence

Third-Party Processors

Where we engage third-party service providers to process personal data on our behalf, we ensure:

  • Written contracts are in place detailing processing obligations
  • Processors provide sufficient guarantees of appropriate security measures
  • Processors only process data according to our documented instructions
  • Appropriate due diligence is conducted before engagement
  • Regular reviews of processor compliance are carried out

International Transfers

Personal data is primarily stored and processed within the United Kingdom. Any transfers to countries outside the UK or European Economic Area are protected by appropriate safeguards, including:

  • Standard Contractual Clauses approved by the UK authorities
  • Transfers to countries recognised as providing adequate protection
  • Binding Corporate Rules for intra-group transfers

Data Protection Impact Assessments

Where our processing activities are likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs). These assessments help us identify and minimise data protection risks in our operations.

Complaints and Concerns

If you have concerns about how we handle your personal data, please contact us first so we can address the issue. You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: www.mystic-claim.com

Updates to This Notice

We regularly review our GDPR compliance procedures and may update this notice to reflect changes in our practices or legal requirements. Please check this page periodically for updates. Material changes will be communicated through appropriate channels.

Additional Information

For comprehensive details about how we collect, use, and protect your personal data, please also review our Privacy Policy and Cookies Policy.


© 2026 Mystic Claim. All rights reserved.