Stellar Transaction

GDPR Compliance

Last Updated: 17 April 2026

Our Commitment to Data Protection

Stellar Transaction Ltd is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take our responsibilities as a data controller seriously and have implemented measures to ensure your personal data is processed lawfully, fairly, and transparently.

Data Controller Information

Data Controller: Stellar Transaction Ltd
Registered Address: 42 Kingsway, London, WC2B 6EX, United Kingdom
Company Number: 09142763
Contact Email: [email protected]

Principles of Data Processing

We adhere to the following data protection principles when processing your personal information:

  • Lawfulness, fairness, and transparency: We process data legally and openly, providing clear information about our practices
  • Purpose limitation: We collect data for specified, explicit purposes and do not use it in ways incompatible with those purposes
  • Data minimisation: We collect only what is necessary for the stated purposes
  • Accuracy: We take reasonable steps to ensure personal data is accurate and up to date
  • Storage limitation: We retain data only as long as necessary for the purposes collected
  • Integrity and confidentiality: We implement appropriate security measures to protect against unauthorised access and data breaches
  • Accountability: We demonstrate compliance through documentation, policies, and procedures

Your Data Protection Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your personal data. This document, along with our Privacy Policy, explains our data processing activities.

Right of Access

You can request a copy of the personal data we hold about you. Subject access requests are free and we will respond within one month. To make a request, email us at [email protected] with proof of identity.

Right to Rectification

If you believe the personal information we hold is inaccurate or incomplete, you can request corrections. We will update records promptly and notify relevant third parties where appropriate.

Right to Erasure

Under this right, also known as the "right to be forgotten", you may request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Legal obligations require deletion

This right is not absolute. We may need to retain certain data to comply with legal obligations or establish legal claims.

Right to Restrict Processing

You can request that we limit how we use your data in certain situations, such as when you contest accuracy or object to processing. During restriction, we will store the data but not actively process it without your consent.

Right to Data Portability

Where processing is based on consent or contract performance and carried out by automated means, you can receive your personal data in a structured, commonly used format and transmit it to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. We do not currently engage in automated decision making of this nature.

How to Exercise Your Rights

To exercise any of the rights described above, contact us by email at [email protected] or by post at our registered address. Please include:

  • Your full name and contact details
  • A clear description of your request
  • Proof of identity (to protect against fraudulent requests)
  • Any relevant reference numbers or details to help locate your data

We will respond within one month, though this may be extended by two additional months for complex requests. We will inform you of any extension within the initial month.

Lawful Basis for Processing

We rely on the following lawful bases when processing personal data:

Consent

Where you have freely given specific, informed agreement to processing for particular purposes, such as receiving marketing communications. You may withdraw consent at any time.

Contract Performance

Processing necessary to fulfil our contractual obligations when delivering consulting services, including communication, project management, and invoicing.

Legal Obligation

Processing required to comply with legal or regulatory requirements, such as tax reporting, record keeping, and professional indemnity obligations.

Legitimate Interests

Processing necessary for our legitimate business interests, provided these do not override your fundamental rights. Examples include:

  • Improving our website and services
  • Understanding client needs and preferences
  • Detecting and preventing fraud
  • Managing business operations efficiently
  • Pursuing legal claims or defending against them

We conduct legitimate interest assessments to ensure processing is proportionate and respects your privacy.

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data both in transit and at rest
  • Regular security testing and vulnerability assessments
  • Access controls limiting who can view or process data
  • Staff training on data protection responsibilities
  • Secure disposal procedures for data no longer needed
  • Incident response and breach notification procedures
  • Regular backups with secure storage
  • Vendor due diligence and contractual safeguards

Data Breach Procedures

In the unlikely event of a data breach that poses risks to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware
  • Inform affected individuals without undue delay if the breach is likely to result in high risk
  • Document the breach, its effects, and remedial actions taken
  • Take steps to mitigate harm and prevent recurrence

International Transfers

Personal data is primarily processed within the United Kingdom. Where we transfer data internationally, we ensure adequate protection through:

  • Standard contractual clauses approved by the European Commission or UK authorities
  • Transfers to countries deemed to have adequate data protection by UK authorities
  • Other approved transfer mechanisms compliant with UK GDPR

Data Protection Impact Assessments

For processing activities likely to result in high risk to individuals, we conduct data protection impact assessments (DPIAs) to identify and minimise risks. This includes systematic evaluation of processing necessity, proportionality, and mitigation measures.

Children's Data

We do not knowingly process personal data of individuals under 16 years of age. Our services are directed at businesses and adult professionals. If we become aware of inadvertent collection of children's data, we will delete it promptly.

Retention and Deletion

We retain personal data only as long as necessary for the purposes collected or to meet legal obligations. Our retention schedule includes:

  • Client project data: Seven years after project completion
  • Financial records: Seven years as required by law
  • Marketing data: Until consent is withdrawn or after two years of inactivity
  • Website analytics: 26 months for identifiable data; indefinitely for aggregated data

When data is no longer needed, it is securely deleted or anonymised to prevent identification.

Third-Party Processors

We engage carefully selected third-party service providers to support our operations. All processors are bound by data processing agreements ensuring GDPR compliance, including:

  • Processing only on documented instructions
  • Maintaining confidentiality and security
  • Assisting with subject access requests and other rights
  • Deleting or returning data upon termination
  • Making available information to demonstrate compliance

Complaints and Supervisory Authority

If you believe we have not handled your personal data appropriately, please contact us first so we can address your concerns. You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

Updates to This Statement

We review this GDPR compliance statement regularly to ensure it remains accurate and current. Material changes will be communicated through our website. Continued use of our services following updates constitutes acceptance of the revised terms.

Contact Us

For questions about GDPR compliance or to exercise your rights, contact us:

Email: [email protected]
Post: Stellar Transaction Ltd, 42 Kingsway, London, WC2B 6EX, United Kingdom

© 2026 Stellar Transaction. All rights reserved.