GDPR Compliance

Last updated: April 27, 2026

Our Commitment to GDPR

caratorrid is committed to complying with the General Data Protection Regulation (GDPR) and protecting the personal data of individuals in the European Economic Area (EEA) and the United Kingdom.

Data Controller Information

caratorrid is the data controller responsible for your personal data. Our contact details are:

caratorrid
Unit 14, Riverside Studios
142 Mare Street
London E8 3RH
United Kingdom
Email: [email protected]

Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

1. Right to Access

You have the right to request confirmation of whether we process your personal data and to obtain a copy of the personal data we hold about you.

2. Right to Rectification

You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.

3. Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

4. Right to Restriction of Processing

You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

5. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

6. Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

8. Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the following information:

  • Your full name and contact details
  • Description of your request
  • Any relevant details to help us locate your information

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any such extension.

Legal Bases for Processing

We process your personal data based on the following legal grounds:

  • Contract: Processing is necessary for the performance of our rental agreements and service contracts
  • Consent: You have given clear consent for us to process your personal data for specific purposes
  • Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving our services
  • Legal Obligation: Processing is necessary to comply with legal requirements

Data Protection Principles

We adhere to the GDPR data protection principles, ensuring that personal data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept for no longer than necessary
  • Processed in a secure manner

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication
  • Staff training on data protection
  • Incident response procedures

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Customer data: Duration of the business relationship plus 7 years for legal and accounting purposes
  • Marketing data: Until you unsubscribe or request deletion
  • Website analytics: Up to 26 months

International Data Transfers

If we transfer your personal data outside the EEA or UK, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally approved transfer mechanisms

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

Third-Party Processors

We work with third-party service providers who process personal data on our behalf. We ensure that:

  • Written contracts are in place with all processors
  • Processors only process data according to our instructions
  • Appropriate security measures are implemented
  • Processors assist us in meeting our GDPR obligations

Children's Data

We do not knowingly collect or process personal data from children under 16 years of age without parental consent.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state or UK nation of your habitual residence, place of work, or place of alleged infringement.

For the UK, the relevant supervisory authority is:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. We will post any updates on this page with a revised date.

Contact Us

If you have questions about our GDPR compliance or wish to exercise your rights, please contact us at [email protected].