GDPR Compliance
Last updated: June 3, 2026
Our Commitment to Data Protection
lavender-petal.com is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take your privacy seriously and have implemented appropriate measures to ensure that your personal data is processed lawfully, fairly, and transparently.
Data Controller Information
For the purposes of data protection legislation, lavender-petal.com is the data controller responsible for your personal information.
Contact details:
[email protected]
47 Thornbury Gardens, Bristol, BS7 8QR, United Kingdom
Your Rights Under GDPR
Under UK GDPR, you have the following rights regarding your personal data:
1. Right to Be Informed
You have the right to be informed about the collection and use of your personal data. We provide this information through our Privacy Policy and this GDPR statement.
2. Right of Access
You have the right to request access to the personal data we hold about you. This is commonly known as a "subject access request." We will provide you with a copy of your personal data free of charge within one month of your request.
3. Right to Rectification
If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will respond to your request within one month.
4. Right to Erasure
Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Please note that we may need to retain certain information for legal or administrative purposes.
5. Right to Restrict Processing
You have the right to request restriction of processing of your personal data in certain situations:
- When you contest the accuracy of the data
- When processing is unlawful but you prefer restriction to erasure
- When we no longer need the data but you need it for legal claims
- When you have objected to processing and are awaiting verification of legitimate grounds
6. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller where technically feasible. This right applies when processing is based on consent or contract and is carried out by automated means.
7. Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. When you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
8. Rights Related to Automated Decision Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making of this nature.
How to Exercise Your Rights
To exercise any of your rights under GDPR, please contact us at [email protected]. When making a request, please provide sufficient information to allow us to verify your identity and locate your data.
We will respond to your request within one month. In complex cases, this period may be extended by up to two additional months, and we will inform you of any such extension.
There is no fee for exercising your rights unless your request is clearly unfounded or excessive, in which case we may charge a reasonable fee or refuse to comply with the request.
Lawful Basis for Processing
We only process your personal data when we have a lawful basis to do so. The lawful bases we rely on include:
- Consent: You have given clear consent for us to process your personal data for a specific purpose
- Contract: Processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
- Legal obligation: Processing is necessary for us to comply with the law
- Legitimate interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided your interests and fundamental rights do not override those interests
Data Security Measures
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Regular security assessments and audits
- Access controls and authentication procedures
- Staff training on data protection
- Incident response and breach notification procedures
- Regular backups and disaster recovery plans
Data Breach Notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by law.
International Data Transfers
When we transfer personal data outside the United Kingdom, we ensure that appropriate safeguards are in place, such as:
- Standard contractual clauses approved by the UK authorities
- Adequacy decisions recognizing that the destination country ensures an adequate level of protection
- Binding corporate rules for transfers within a corporate group
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. When determining retention periods, we consider:
- The nature and sensitivity of the data
- The purposes for which we process the data
- Legal and regulatory requirements
- Whether we can achieve those purposes through other means
Children's Data
Our services are not directed to children under 18, and we do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete it promptly.
Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
Website: ico.org.uk
Helpline: 0303 123 1113
We encourage you to contact us first so we can address your concerns directly.
Updates to This Statement
We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. We will post any updates on this page with a revised "Last updated" date.
Contact Us
If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact us: