GDPR Compliance Statement

Last updated: 20 May 2026

pulse-firmware is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This document explains our approach to data protection and your rights under these laws.

Our Commitment to Data Protection

We recognize that protecting personal data is not just a legal obligation but a fundamental responsibility, especially given that we work with children and young people. Our data protection practices are built on the following principles:

• Lawfulness, Fairness, and Transparency: We process data legally, fairly, and in a transparent manner
• Purpose Limitation: We collect data for specific, explicit purposes and do not use it for unrelated purposes
• Data Minimization: We only collect data that is necessary for our services
• Accuracy: We take reasonable steps to ensure data is accurate and up-to-date
• Storage Limitation: We retain data only as long as necessary
• Integrity and Confidentiality: We protect data with appropriate security measures
• Accountability: We can demonstrate compliance with all these principles

Data Controller Information

For the purposes of UK GDPR, the data controller is:

pulse-firmware
142 Hagley Road
Edgbaston
Birmingham B16 9NX
United Kingdom

Email: [email protected]

Your Rights Under UK GDPR

Right to Be Informed

You have the right to know how we collect and use your personal data. This information is provided through our Privacy Policy and this GDPR statement.

Right of Access (Subject Access Request)

You can request a copy of all personal data we hold about you. We will provide this information:

• Free of charge (for the first request)
• Within one month of receiving your request
• In a clear, structured format
• Including details about how we use your data and who we share it with

Right to Rectification

If your personal data is inaccurate or incomplete, you can request that we correct or complete it. We will respond within one month and notify any third parties with whom we've shared the data.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Please note: We may need to retain certain information for legal or safeguarding purposes, including:

• Financial records (7 years for tax purposes)
• Safeguarding records (6 years after last contact or until the child reaches age 25, whichever is longer)
• Records subject to legal disputes or investigations

Right to Restrict Processing

You can ask us to restrict how we use your data in certain situations:

• You contest the accuracy of the data (restriction applies while we verify accuracy)
• Processing is unlawful but you don't want the data erased
• We no longer need the data but you need it for legal claims
• You've objected to processing (restriction applies while we verify legitimate grounds)

Right to Data Portability

Where technically feasible, you can request your personal data in a structured, commonly used, machine-readable format. You can also ask us to transfer this data directly to another organization.

This right applies when:

• Processing is based on consent or contract
• Processing is carried out by automated means

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

How to Exercise Your Rights

To exercise any of your rights under UK GDPR, please contact us:

Email: [email protected]
Subject Line: GDPR Request - [specify right, e.g., "Subject Access Request"]

Please include:

• Your full name
• Contact details
• Details of your request
• Proof of identity (we may request additional verification to protect your data)

We will respond within one month. In complex cases, we may extend this by two additional months and will notify you of any delay.

Special Category Data

We do not routinely collect special category data (such as health information, ethnicity, or religious beliefs). If we need to collect such data for safeguarding or specific educational requirements:

• We will explain why it's necessary
• We will obtain explicit consent
• We will apply additional security protections
• We will retain it only as long as absolutely necessary

Children's Data

As we provide services to children and young people, we take extra care with their data:

• We obtain parental consent for children under 13 before collecting personal information
• We use age-appropriate language when explaining data practices to young people
• We minimize data collection to only what is necessary for service delivery
• We apply enhanced security measures for children's data
• All staff are trained on safeguarding and data protection

Data Breach Procedures

In the unlikely event of a data breach:

• We will assess the risk to affected individuals within 72 hours
• If there is a high risk to your rights and freedoms, we will notify you directly
• We will report breaches to the ICO where required
• We will take immediate action to contain and remedy the breach
• We will review our security measures to prevent future incidents

Third-Party Data Processors

We work with carefully selected third-party processors who help us deliver our services. All processors:

• Are bound by written contracts that comply with UK GDPR
• Can only process data according to our instructions
• Must implement appropriate security measures
• Must assist us in responding to data subject requests
• Must notify us of any breaches

Current categories of processors include:

• Email service providers
• Payment processors
• Website hosting providers
• Cloud storage services

International Data Transfers

We primarily store and process data within the United Kingdom. If we need to transfer data outside the UK:

• We will ensure the destination provides adequate data protection
• We will use appropriate safeguards (such as Standard Contractual Clauses)
• We will inform you of such transfers where relevant

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any new processing activities that may pose high risks to individuals' rights and freedoms. This helps us identify and minimize data protection risks.

Staff Training and Awareness

All staff members receive regular training on:

• UK GDPR principles and requirements
• Data security best practices
• Safeguarding obligations
• Recognizing and reporting data breaches
• Responding to data subject requests

Record Keeping

We maintain detailed records of our processing activities as required by UK GDPR, including:

• Purposes of processing
• Categories of data subjects and personal data
• Recipients of personal data
• Retention periods
• Security measures

Complaints and Supervisory Authority

If you're not satisfied with how we've handled your personal data or responded to your request, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: pulse-firmware.com
Report a Concern: pulse-firmware.com/make-a-complaint/

We encourage you to contact us first so we can address your concerns directly.

Updates to This Statement

We review this GDPR compliance statement annually and update it when our practices change or new legal requirements emerge. Significant changes will be communicated through our website and, where appropriate, directly to affected individuals.

Questions About GDPR Compliance

If you have questions about our GDPR compliance, your rights, or our data protection practices, please contact us at [email protected]. We're committed to transparency and will respond to all enquiries within one working day.