GDPR Compliance Statement

Last Updated: May 14, 2026

Our Commitment

nightpulse-arc is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognize the importance of protecting personal data and have implemented comprehensive policies and procedures to ensure lawful, fair, and transparent processing of all personal information.

Legal Basis for Processing

We process personal data under the following legal bases:

• Consent: When you or your child enrolls in our programs, you provide explicit consent for us to process personal information necessary for service delivery.
• Contract: Processing is necessary for fulfilling our contractual obligations to deliver educational services.
• Legitimate Interests: We may process data for legitimate business interests, such as improving our programs, provided this does not override your rights and freedoms.
• Legal Obligation: We process certain data to comply with legal requirements, including safeguarding and financial record-keeping.

Data Subject Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data along with supplementary information.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data.

Right to Erasure (Article 17)

You can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, subject to legal retention requirements.

Right to Restriction (Article 18)

You can request that we restrict processing of your personal data in certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing. We do not currently employ automated decision-making processes.

Exercising Your Rights

To exercise any of these rights, please contact us:

• Email: [email protected]
• Mail: nightpulse-arc, 42 Botanic Avenue, Belfast BT7 1JQ, United Kingdom

We will respond to requests within one month. In complex cases, this may be extended by two additional months, and we will inform you of any such extension.

Data Protection Officer

For questions specifically related to data protection, you can contact our designated Data Protection Officer at [email protected].

Data Processing Activities

We maintain records of all data processing activities, including:

• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients to whom data has been disclosed
• Data retention periods
• Technical and organizational security measures

Data Breach Procedures

In the event of a data breach that poses a risk to individuals' rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay if the breach poses a high risk
• Document all breaches and our response actions

International Data Transfers

We primarily process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the ICO
• Transfers to countries with adequacy decisions
• Binding corporate rules where applicable

Children's Data

Given our work with minors, we take extra care with children's data:

• We obtain verifiable parental consent before processing children's personal data
• We provide age-appropriate privacy information
• We limit collection to data strictly necessary for educational purposes
• We implement enhanced security measures for children's data

Third-Party Processors

We only engage third-party processors who provide sufficient guarantees of GDPR compliance. All processors are bound by written contracts that specify data protection obligations.

Privacy by Design and Default

We implement data protection principles from the initial design of our systems and processes:

• Data minimization: We collect only necessary data
• Purpose limitation: Data is used only for specified purposes
• Storage limitation: Data is retained only as long as necessary
• Integrity and confidentiality: Appropriate security measures protect data

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that pose high risks to individuals' rights and freedoms, particularly when implementing new technologies or programs.

Training and Awareness

All staff members receive regular training on GDPR requirements and data protection best practices to ensure consistent compliance across our organization.

Complaints

If you have concerns about our data processing practices, please contact us first. If you remain dissatisfied, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Website: ico.org.uk

Policy Updates

We review this GDPR compliance statement annually and update it as necessary to reflect changes in legislation or our data processing activities. Material changes will be communicated to affected individuals.

Further Information

For additional details on how we process your personal data, please refer to our Privacy Policy.