GDPR (UK) - Data Protection

Introduction to UK GDPR

The UK General Data Protection Regulation (UK GDPR) alongside the Data Protection Act 2018 governs how organizations in the United Kingdom collect, use, and protect personal data. At MirthLane, we are fully committed to complying with these regulations and protecting your privacy rights.

This page explains your rights under UK GDPR, how we comply with data protection law, and how you can exercise your rights.

Data Protection Principles

We process all personal data in accordance with the following UK GDPR principles:

1. Lawfulness, Fairness, and Transparency

We process your data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect, why we collect it, and how we use it.

2. Purpose Limitation

We collect personal data only for specific, explicit, and legitimate purposes. We do not use your data for purposes beyond what we have communicated to you.

3. Data Minimization

We collect only the minimum amount of personal data necessary to achieve our stated purposes. We do not collect excessive or irrelevant information.

4. Accuracy

We take reasonable steps to ensure the personal data we hold is accurate and up-to-date. You have the right to request correction of inaccurate data.

5. Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. We have clear data retention policies and securely delete data when no longer needed.

6. Integrity and Confidentiality

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, or damage.

7. Accountability

We take responsibility for our data processing activities and can demonstrate our compliance with UK GDPR requirements.

Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to be informed about the collection and use of your personal data. We provide this information through our Privacy Policy and communications with you.

2. Right of Access (Subject Access Request)

You have the right to obtain:

Confirmation that we are processing your personal data
Access to a copy of your personal data
Information about how we process your data

We will provide this information free of charge within one month of your request.

3. Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed. We will respond to rectification requests within one month.

4. Right to Erasure ("Right to Be Forgotten")

You have the right to request deletion of your personal data in certain circumstances:

The data is no longer necessary for the purposes it was collected
You withdraw consent (where processing was based on consent)
You object to processing and there are no overriding legitimate grounds
The data was unlawfully processed
Legal obligations require erasure

Note: This right is not absolute. We may have legal obligations to retain certain data (e.g., age verification records).

5. Right to Restrict Processing

You have the right to request that we restrict processing of your personal data in certain situations:

You contest the accuracy of the data
Processing is unlawful but you don't want data deleted
We no longer need the data but you need it for legal claims
You have objected to processing pending verification of our legitimate grounds

6. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another controller where technically feasible.

This right applies when:

Processing is based on consent or contract performance
Processing is carried out by automated means

7. Right to Object

You have the right to object to processing of your personal data in certain circumstances:

Processing based on legitimate interests: You can object at any time. We must stop processing unless we demonstrate compelling legitimate grounds.
Direct marketing: You have an absolute right to object to processing for direct marketing purposes.
Research purposes: You can object unless processing is necessary for public interest tasks.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.

Currently, we do not engage in automated decision-making or profiling. If this changes, we will update our policies and inform you accordingly.

How to Exercise Your Rights

To exercise any of your UK GDPR rights, you can:

Submit a Request

Email: privacy@mirthlane.games

Phone: +44 20 1234 5678

Post: Data Protection Officer, MirthLane Limited, 123 Entertainment Street, London, EC1A 1BB, United Kingdom

What to Include in Your Request

When submitting a request, please provide:

Your full name and contact details
Description of your request and which right(s) you wish to exercise
Any relevant details to help us locate your data
Proof of identity (we may request this to protect your data security)

Our Response Timeline

We will respond to your request:

Within one month as standard
Extended to three months for complex requests (we will notify you if an extension is needed)
Free of charge unless requests are manifestly unfounded or excessive

Data Retention

We retain personal data in accordance with UK GDPR requirements:

Retention Periods

Age Verification Records: Retained as required by law (minimum legal requirement)
User Account Data: Retained while account is active, plus 12 months after closure
Usage and Analytics Data: Typically retained for 12-24 months
Support Communications: Retained for 3 years for customer service quality and dispute resolution
Legal and Compliance Data: Retained for applicable legal limitation periods (typically 6-7 years)

Secure Deletion

When retention periods expire, we:

Securely delete or permanently anonymize personal data
Use industry-standard data destruction methods
Ensure data cannot be recovered or reconstructed
Extend deletion to all backup systems within reasonable timeframes

Data Security Measures

We implement comprehensive security measures to protect your data:

Technical Measures

Encryption: SSL/TLS encryption for data in transit; encryption at rest for sensitive data
Access Controls: Multi-factor authentication and role-based access restrictions
Firewall Protection: Network security and intrusion detection systems
Regular Updates: Security patches and software updates applied promptly
Monitoring: Continuous security monitoring and threat detection

Organizational Measures

Staff Training: All personnel trained on data protection principles and security practices
Access Limitation: Personal data accessible only to authorized personnel on a need-to-know basis
Confidentiality Agreements: All staff and contractors bound by confidentiality obligations
Security Policies: Comprehensive information security policies and procedures
Regular Audits: Periodic security assessments and compliance reviews

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms:

We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
We will notify affected individuals without undue delay if the breach poses a high risk
Notifications will include nature of breach, likely consequences, and measures taken
We maintain detailed breach response procedures to minimize impact

International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. If we transfer data internationally, we ensure:

Adequacy Decisions: Transfers only to countries deemed adequate by UK authorities
Standard Contractual Clauses: Use of UK GDPR-approved contractual protections
Additional Safeguards: Supplementary measures where necessary to ensure data protection
Documentation: Clear records of all international transfers and safeguards

Third-Party Processors

When we use third-party service providers who process personal data on our behalf:

We conduct due diligence to ensure they can meet UK GDPR requirements
We execute written data processing agreements specifying their obligations
We ensure they implement appropriate security measures
We monitor their compliance with data protection requirements
We maintain records of all processing activities

Complaints and Regulatory Authority

If you have concerns about how we handle your personal data, please contact us first. We are committed to resolving any issues promptly and fairly.

Contact Our Data Protection Officer

Email: privacy@mirthlane.games
Phone: +44 20 1234 5678

Right to Lodge a Complaint

You have the right to lodge a complaint with the UK's data protection supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline: 0303 123 1113
Website: www.ico.org.uk
Report Online: ico.org.uk/make-a-complaint

Policy Updates

We may update our data protection practices to reflect changes in UK GDPR requirements or our operations. When we make significant changes:

We will update the "Last Updated" date on this page
We will notify you through prominent website notices
We may send direct notifications for material changes
We will maintain previous versions for your reference

Further Information

For more detailed information about our data practices, please see:

Privacy Policy - Comprehensive overview of our privacy practices
Cookies Policy - Information about cookies and tracking technologies
Terms of Use - Terms governing use of our platform

Last Updated: December 8, 2025