GDPR Compliance Statement

Last updated: May 10, 2026

Our Commitment to Data Protection

whispering-route is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations as a data controller.

Data Controller Information

Data Controller: whispering-route
Address: 27 Thornton Square, Leeds, West Yorkshire, LS6 2BW, United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

1. Contract (Article 6(1)(b))

Processing is necessary for the performance of our service contract with you, including:

• Preparing benefit applications
• Submitting claims to government agencies
• Representing you in appeals
• Communicating about your case

2. Consent (Article 6(1)(a))

We obtain your explicit consent before:

• Contacting medical professionals on your behalf
• Sharing information beyond what's necessary for application processing
• Using non-essential cookies on our website

3. Legal Obligation (Article 6(1)(c))

We process data to comply with legal requirements, including:

• Record retention for financial and tax purposes
• Responding to court orders or regulatory requests
• Anti-money laundering checks

4. Legitimate Interests (Article 6(1)(f))

We may process data based on legitimate business interests that don't override your rights:

• Improving our services and website functionality
• Fraud prevention and security
• Internal administrative purposes

Special Category Data

Benefit applications often require processing special category (sensitive) personal data including:

• Health information
• Data concerning disability
• Information about social welfare benefits

We process this data under Article 9(2)(b) (employment and social security) and Article 9(2)(h) (health and social care) with appropriate safeguards in place.

Your Rights Under UK GDPR

1. Right of Access (Article 15)

You can request confirmation of whether we process your data and obtain a copy of that data. We respond to access requests within one month.

2. Right to Rectification (Article 16)

If your personal data is inaccurate or incomplete, you can request correction. We update records promptly.

3. Right to Erasure (Article 17)

You can request deletion of your data in certain circumstances:

• The data is no longer necessary for its original purpose
• You withdraw consent and no other legal basis applies
• You object to processing and no overriding legitimate grounds exist
• The data was unlawfully processed

Exception: We may retain data if required by law (e.g., financial records for 6 years).

4. Right to Restriction (Article 18)

You can request we limit processing while:

• Verifying accuracy of contested data
• Processing is unlawful but you don't want erasure
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification

5. Right to Data Portability (Article 20)

You can receive your data in a structured, commonly used format and transmit it to another controller where:

• Processing is based on consent or contract
• Processing is carried out by automated means

6. Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

7. Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of these rights, contact us:

• Email: [email protected] (preferred method)
• Post: 27 Thornton Square, Leeds, West Yorkshire, LS6 2BW, United Kingdom

Include your full name and enough information to identify you. We may request additional identification to verify your identity before responding.

Response Time: We respond within one month. If your request is complex, we may extend this by two months and will inform you.

Cost: Requests are free unless manifestly unfounded or excessive.

Data Security Measures

We implement appropriate technical and organizational measures:

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Regular security assessments
• Employee training on data protection
• Secure backup systems
• Incident response procedures

Data Breach Notification

If a data breach occurs that poses a risk to your rights and freedoms:

• We will notify the ICO within 72 hours of becoming aware
• We will notify you without undue delay if the breach poses a high risk
• Notification will describe the nature of the breach and measures taken

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data internationally, we ensure adequate protection through:

• UK adequacy decisions
• Standard contractual clauses approved by the ICO
• Other approved transfer mechanisms

Data Retention

We retain personal data only as long as necessary:

• Active cases: Duration of service provision plus 6 years
• Financial records: 6 years after the end of the financial year
• Marketing consent: Until withdrawn or 3 years of inactivity
• Website analytics: 26 months maximum

Third-Party Processors

We only work with processors who provide sufficient guarantees of GDPR compliance. All processors are bound by data processing agreements.

Children's Data

Our services are not directed at children under 18. Where we process data of minors (e.g., in family benefit applications), we ensure:

• Parental or guardian consent is obtained
• Extra safeguards are applied
• Data is minimized to what's necessary

Changes to This Statement

We review and update this statement annually or when processing activities change. Updates are posted with a new "last updated" date.

Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Phone: 0303 123 1113
Website: whispering-route.com

Contact Our Data Protection Team

For questions about data protection or to exercise your rights:

Email: [email protected]
Address: 27 Thornton Square, Leeds, West Yorkshire, LS6 2BW, United Kingdom