GDPR Compliance

Last updated: May 19, 2026

Our Commitment to GDPR

velvet-portal is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This page outlines how we comply with GDPR requirements and respect your data protection rights.

Data Controller

velvet-portal acts as the data controller for the personal information we collect through our website and services. Our contact details are:

velvet-portal
42 Kensington Gardens Square
London, W2 4BH
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process your personal data based on one or more of the following legal grounds:

Consent

When you provide explicit consent for us to process your personal data for specific purposes, such as:

  • Sending marketing communications
  • Using cookies and tracking technologies
  • Processing your project inquiry

You have the right to withdraw your consent at any time by contacting us.

Contractual Necessity

Processing is necessary to fulfill our contractual obligations or to take steps at your request before entering into a contract, such as:

  • Providing consultation services
  • Managing renovation projects
  • Processing payments and invoicing

Legal Obligation

Processing is required to comply with legal obligations, including:

  • Tax and accounting requirements
  • Building regulations and compliance documentation
  • Health and safety records

Legitimate Interests

Processing is necessary for our legitimate business interests, provided these do not override your rights and freedoms, such as:

  • Improving our website and services
  • Analyzing business performance
  • Protecting against fraud and security threats
  • Internal administration and record-keeping

Your Rights Under GDPR

Right to Access

You have the right to request copies of your personal data. We may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

Right to Rectification

You have the right to request correction of any information you believe is inaccurate or to complete information you believe is incomplete.

Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data under certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw your consent and there is no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Note: This right is not absolute and may be limited by legal retention requirements.

Right to Restriction of Processing

You have the right to request restriction of processing your personal data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification of legitimate grounds

Right to Data Portability

You have the right to request transfer of your personal data to another organization or directly to you in a structured, commonly used, and machine-readable format where technically feasible.

Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests or perform tasks in the public interest. This includes objecting to direct marketing at any time.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making.

How to Exercise Your Rights

To exercise any of your GDPR rights, please:

  • Email us at [email protected] with "GDPR Request" in the subject line
  • Clearly state which right you wish to exercise
  • Provide sufficient information to verify your identity
  • Specify the personal data your request relates to (if applicable)

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you of the extension and reasons for delay.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication procedures
  • Staff training on data protection
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery planning

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements:

  • Project inquiries: 12 months if no engagement; 7 years if service provided
  • Client contracts and records: 7 years after project completion
  • Financial records: 7 years for tax purposes
  • Marketing communications: Until consent is withdrawn
  • Website analytics: 26 months

International Data Transfers

We primarily process data within the United Kingdom and European Economic Area. If we transfer your data outside these regions, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions confirming adequate data protection
  • Binding Corporate Rules for intra-group transfers

Third-Party Processors

We engage carefully vetted third-party processors who assist us with:

  • Email hosting and communications
  • Website hosting and maintenance
  • Analytics and performance monitoring
  • Payment processing

All processors are bound by data processing agreements ensuring GDPR compliance and appropriate security measures.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document the breach, its effects, and remedial action taken

Children's Data

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements. In the UK, the relevant authority is:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

Updates to This Document

We may update this GDPR compliance information from time to time to reflect changes in our practices or legal requirements. We will post the updated version on this page with a revised date.

Contact Our Data Protection Officer

For questions specifically related to data protection and GDPR compliance, please contact:

Email: [email protected]
Subject: Data Protection Inquiry