GDPR Compliance
Last updated: 9 April 2026
Our Commitment to Data Protection
Optic Venture Limited is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides specific information about your GDPR rights and how we comply with data protection requirements.
Data Controller Information
Optic Venture Limited acts as the data controller for personal information collected through our website and business operations.
Data Controller: Optic Venture Limited
Registered Office: 42 Broadwick Street, London W1F 7AF, United Kingdom
Company Number: 11847629
Contact: [email protected]
Lawful Basis for Processing
We only process personal data when we have a lawful basis to do so under GDPR. Our lawful bases include:
Consent
We may ask for your explicit consent to process personal data for specific purposes, such as sending marketing communications. You can withdraw consent at any time by contacting us.
Contract
Processing is necessary to perform a contract with you or to take steps at your request before entering into a contract. This applies when we deliver training services you have purchased.
Legal Obligation
We must process certain personal data to comply with legal requirements, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.
Legitimate Interests
We process data when necessary for our legitimate business interests, provided these interests don't override your rights. Examples include:
- Responding to enquiries about our services
- Improving our training programmes based on feedback
- Maintaining business records and correspondence
- Ensuring network and information security
- Managing client relationships
Your GDPR Rights
Under GDPR, you have comprehensive rights regarding your personal data. We respect these rights and have procedures in place to facilitate your requests.
Right to Be Informed
You have the right to clear information about how we collect and use your personal data. We provide this through our Privacy Policy and this GDPR page.
Right of Access
You can request access to the personal data we hold about you. This is commonly known as a "subject access request." We will provide:
- Confirmation of whether we process your personal data
- A copy of your personal data
- Information about how we use your data
- Details of who we share your data with
- How long we retain your data
- Information about your other rights
We will respond within one month of receiving your request. There is no charge for this service unless your request is manifestly unfounded or excessive.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it. We will make corrections within one month and notify any third parties with whom we've shared the data.
Right to Erasure
This right, also known as the "right to be forgotten," allows you to request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent on which processing is based
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
This right is not absolute. We may need to retain certain data to comply with legal obligations or for the establishment, exercise, or defence of legal claims.
Right to Restrict Processing
You can ask us to restrict how we use your personal data in specific situations:
- When you contest the accuracy of the data
- When processing is unlawful but you don't want the data erased
- When we no longer need the data but you need it for legal claims
- When you've objected to processing pending verification of legitimate grounds
When processing is restricted, we can still store the data but not use it without your consent, except for legal claims or to protect others' rights.
Right to Data Portability
You can request a copy of your personal data in a structured, commonly used, and machine-readable format. This right applies when:
- Processing is based on consent or contract
- Processing is carried out by automated means
You can request that we transmit this data directly to another organisation where technically feasible.
Right to Object
You have the right to object to processing of your personal data in certain circumstances:
- Processing based on legitimate interests
- Processing for direct marketing purposes
- Processing for research or statistical purposes
For direct marketing, we will stop processing immediately upon receiving your objection. For other objections, we will stop unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have rights regarding automated decision-making and profiling that produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making that would trigger these rights, but if this changes, we will inform you and provide appropriate safeguards.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us:
Email: [email protected]
Post: Data Protection Officer, Optic Venture Limited, 42 Broadwick Street, London W1F 7AF
When making a request, please provide:
- Your full name and contact details
- Details of your specific request
- Proof of identity (to prevent unauthorised disclosure)
- Any relevant reference numbers or dates
We will respond to valid requests within one month. In complex cases, we may extend this by two months and will explain the reasons for any delay.
Data Protection Principles
We adhere to the GDPR's data protection principles, ensuring that personal data is:
- Processed lawfully, fairly, and transparently: We are open about how we use data and ensure legal grounds exist for processing
- Collected for specified, explicit, and legitimate purposes: We clearly define why we collect data and don't use it for incompatible purposes
- Adequate, relevant, and limited: We only collect data necessary for our stated purposes
- Accurate and kept up to date: We take steps to ensure data accuracy and correct errors promptly
- Kept no longer than necessary: We have retention policies and securely delete data when no longer needed
- Processed securely: We implement appropriate security measures to protect against unauthorised access, loss, or damage
Data Security Measures
We implement technical and organisational measures to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage. These measures include:
- Encryption of sensitive data
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Staff training on data protection obligations
- Incident response procedures
- Regular backups and disaster recovery planning
- Secure disposal of data that is no longer required
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk
- Provide information about the nature of the breach, likely consequences, and measures taken
- Document all breaches, even those not requiring notification
Third-Party Processing
When we engage third parties to process personal data on our behalf, we:
- Only use processors who provide sufficient guarantees of GDPR compliance
- Establish written contracts specifying the subject matter, duration, nature, and purpose of processing
- Require processors to implement appropriate security measures
- Ensure processors only act on our documented instructions
- Require processors to assist us in fulfilling our GDPR obligations
- Ensure processors delete or return data when processing is complete
International Data Transfers
We primarily process data within the United Kingdom. If we transfer personal data to countries outside the UK, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions recognising the destination country's data protection standards
- Standard contractual clauses approved by regulatory authorities
- Binding corporate rules for transfers within corporate groups
- Codes of conduct or certification mechanisms
Children's Data
Our services are not directed at children under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete it.
Complaints and Regulatory Contact
If you're not satisfied with how we've handled your personal data or responded to your rights request, you can complain to the Information Commissioner's Office (ICO), the UK's independent data protection regulator:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: optic-venture.com
We encourage you to contact us first so we can address your concerns, but you have the right to complain directly to the ICO at any time.
Updates to This Information
We may update this GDPR information to reflect changes in our practices or legal requirements. Material changes will be communicated through our website with an updated revision date.
Further Information
For more details about how we handle personal data, please see our Privacy Policy. If you have questions about GDPR compliance or data protection, contact us at [email protected].