GDPR Compliance Statement

Last Updated: 10 May 2026

1. Our Commitment to Data Protection

crystal-api Limited is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognize that protecting your personal data is not just a legal obligation but a fundamental aspect of the trust you place in us as your financial advisor.

2. Data Controller

For the purposes of UK GDPR, the data controller is:

crystal-api Limited
14 Threadneedle Street
London EC2R 8AY
United Kingdom
Company Registration Number: 08475930
Email: [email protected]

3. What Personal Data We Collect

In order to provide comprehensive pension and retirement planning services, we may collect and process the following categories of personal data:

3.1 Identity Information

• Full name
• Date of birth
• National Insurance number
• Identification documents (passport, driving license)

3.2 Contact Information

• Postal address
• Email address
• Telephone number

3.3 Financial Information

• Employment details and income
• Pension scheme information
• Investment portfolio details
• Bank account information
• Tax status and history
• Assets and liabilities

3.4 Special Category Data

With your explicit consent, we may process special category data including:

• Health information (relevant to life expectancy projections)
• Information about dependents or family circumstances

4. Lawful Basis for Processing

We process your personal data under the following lawful bases:

4.1 Contractual Necessity

Processing is necessary to perform our contract with you to provide financial advisory services.

4.2 Legal Obligation

We must process certain data to comply with:

• Financial Conduct Authority (FCA) regulations
• Anti-money laundering legislation
• Tax reporting requirements
• Professional indemnity insurance requirements

4.3 Legitimate Interests

Processing is necessary for our legitimate business interests, such as:

• Improving our services
• Fraud prevention
• Network and information security

4.4 Consent

For marketing communications and processing special category data, we rely on your explicit consent, which you may withdraw at any time.

5. How We Protect Your Data

We implement robust technical and organizational measures to ensure data security:

5.1 Technical Measures

• End-to-end encryption for data transmission
• Encrypted storage of sensitive data
• Regular security updates and patches
• Firewall and intrusion detection systems
• Secure backup procedures

5.2 Organizational Measures

• Strict access controls (role-based permissions)
• Confidentiality agreements with all staff
• Regular data protection training
• Clear data handling procedures
• Regular security audits

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

6.1 Right of Access

You can request a copy of all personal data we hold about you. We will respond within one month and provide the information free of charge (unless the request is excessive or unfounded).

6.2 Right to Rectification

You can request that we correct any inaccurate or incomplete personal data.

6.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in certain circumstances. However, we may be required to retain some data to comply with legal obligations (e.g., FCA record-keeping requirements).

6.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain situations, such as when you contest the accuracy of the data.

6.5 Right to Data Portability

You can request that we provide your personal data in a structured, commonly used, machine-readable format.

6.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

6.7 Rights Related to Automated Decision Making

We do not use automated decision-making or profiling in our advisory process. All recommendations are made by qualified human advisors.

7. How to Exercise Your Rights

To exercise any of your rights, please contact us in writing:

• Email: [email protected] (Subject: Data Rights Request)
• Post: Data Protection Officer, crystal-api Limited, 14 Threadneedle Street, London EC2R 8AY

We will respond to your request within one month. If your request is complex, we may extend this by two additional months and will inform you of the extension and the reasons.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Active clients: Throughout our professional relationship
• Former clients: Minimum of 6 years after the end of our relationship (FCA requirement)
• Prospective clients: 2 years from last contact, unless you request earlier deletion
• Marketing data: Until you withdraw consent or 3 years of inactivity

9. International Data Transfers

We primarily store and process data within the United Kingdom. If we need to transfer data outside the UK, we ensure adequate safeguards are in place, such as:

• Adequacy decisions by the UK government
• Standard contractual clauses approved by the ICO
• Binding corporate rules

10. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office within 72 hours
• Inform affected individuals without undue delay
• Provide clear information about the breach and steps being taken
• Offer guidance on protecting yourself from potential consequences

11. Third-Party Data Processors

We only work with third-party service providers who demonstrate GDPR compliance. We have data processing agreements in place with all processors, including:

• Cloud storage providers
• IT support services
• Email service providers
• Document management systems

12. Children's Privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.

13. Updates to This Statement

We review this GDPR Compliance Statement regularly and update it as necessary to reflect changes in our practices or legal requirements. Material changes will be communicated to clients via email or through our website.

14. Questions and Complaints

If you have questions about our GDPR compliance or wish to make a complaint, please contact us:

Email: [email protected]

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: www.crystal-api.com