GDPR Compliance

Last updated: April 2026

tronic-flash Ltd is committed to protecting your personal data and respecting your privacy rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides detailed information about our data protection practices.

Our Role Under GDPR

tronic-flash Ltd acts as the data controller for personal information we collect and process. This means we determine why and how your data is processed and are responsible for ensuring compliance with data protection requirements.

Contact details for the data controller:
tronic-flash Ltd
Suite 412, Meridian House
47 Wellington Street
Manchester, M2 6EQ
Email: [email protected]

Lawful Basis for Processing

We only process personal data when we have a valid legal basis. The bases we rely on include:

Contract

Processing necessary to perform a contract with you or take steps at your request before entering into a contract. This includes processing to provide our psychology and coaching services.

Legal Obligation

Processing necessary to comply with legal requirements we are subject to, including professional regulations, safeguarding duties, and tax obligations.

Legitimate Interests

Processing necessary for our legitimate interests or those of third parties, where your interests and fundamental rights do not override those interests. Examples include improving our services and maintaining security.

Consent

Where you have given clear consent for us to process your personal data for specific purposes. You have the right to withdraw consent at any time.

Vital Interests

In rare circumstances, processing necessary to protect someone's life.

Special Category Data

Health information and other sensitive data requires additional protections. We process such data based on:

  • Explicit consent
  • Provision of health or social care treatment
  • Establishment, exercise, or defence of legal claims

Your Rights Under GDPR

The UK GDPR provides you with specific rights regarding your personal data:

Right to Be Informed

You have the right to clear, transparent information about how we use your data. This is provided through our Privacy Policy and this GDPR page.

Right of Access

You can request a copy of the personal data we hold about you. This is known as a Subject Access Request. We will respond within one month of receiving your request.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected. We will respond to rectification requests within one month.

Right to Erasure

Also known as the "right to be forgotten", you can request deletion of your personal data in certain circumstances. This right is not absolute and may be limited by legal or professional obligations to retain records.

Right to Restrict Processing

You can ask us to limit how we use your data while issues are resolved, for example if you are contesting accuracy or objecting to processing.

Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format for transfer to another service provider, where processing is based on consent or contract and carried out by automated means.

Right to Object

You can object to processing based on legitimate interests. We must stop unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision Making

You have rights regarding decisions made solely by automated means that significantly affect you. We do not currently use automated decision-making of this kind.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within one month, though this may be extended by two months for complex requests.

There is no fee for most requests. However, we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls limiting data access to authorised personnel
  • Regular security assessments and updates
  • Staff training on data protection
  • Secure disposal of records when no longer needed
  • Business continuity and backup procedures

Data Breach Procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

International Data Transfers

We primarily process data within the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:

  • Transfers to countries with adequacy decisions
  • Standard contractual clauses approved by the ICO
  • Binding corporate rules for transfers within corporate groups

Data Retention

We retain personal data only as long as necessary for the purposes collected. Clinical records are retained according to professional guidelines, typically for at least seven years from the end of treatment, or longer where required for legal or professional reasons.

Children's Data

We may provide services to young people with appropriate parental or guardian consent. We take particular care to protect children's data and ensure processing is fair and in their best interests.

Complaints

If you are concerned about how we handle your personal data, please contact us first so we can address your concerns. You also have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

Updates

We review our data protection practices regularly and may update this page. The date at the top indicates when it was last revised.