GDPR Compliance

UK General Data Protection Regulation

Our Commitment to GDPR Compliance

VUNA Exchange Ltd (Company No. 16840719), incorporated in England and Wales, is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a B2B platform operating in the United Kingdom and processing personal data of UK residents, we recognize our obligations as both a data controller and data processor.

This document outlines our GDPR compliance framework, your rights as a data subject, and our mechanisms for ensuring data protection by design and by default.

1. GDPR Principles We Uphold

1.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and transparently. Our legal bases for processing include:

  • Contractual Necessity: Processing required to provide Services under our Terms of Service
  • Legitimate Interests: Platform operations, fraud prevention, security
  • Legal Obligations: Compliance with UK and international regulations
  • Consent: Marketing communications and optional features (where required)

1.2 Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes. We clearly communicate processing purposes at collection time.

1.3 Data Minimization

We collect only data that is adequate, relevant, and limited to what is necessary for our stated purposes. Unnecessary data fields are not requested or stored.

1.4 Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Users can update their information through account settings. Inaccurate data is corrected or deleted without delay.

1.5 Storage Limitation

Personal data is retained only for as long as necessary for the purposes for which it is processed. We maintain documented retention schedules and automated deletion procedures.

1.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure security, including protection against unauthorized processing, accidental loss, destruction, or damage.

1.7 Accountability

We maintain comprehensive records of processing activities, conduct Data Protection Impact Assessments (DPIAs), and can demonstrate compliance with all GDPR principles.

2. Your Rights as a Data Subject

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your data and receive a copy of your personal data in a commonly used format. Response time: Within 1 month of request.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data. Updates are processed without undue delay.

Right to Erasure / Right to be Forgotten (Article 17)

You can request deletion of your personal data when: (a) it is no longer necessary for the original purpose, (b) consent is withdrawn, (c) you object to the processing, (d) it has been unlawfully processed, or (e) erasure is required by a legal obligation. Exceptions apply for legal claims and compliance obligations.

Right to Restriction of Processing (Article 18)

You can request limitation of processing when the accuracy of the data is contested, the processing is unlawful, the data is no longer needed by us but is required by you for legal claims, or an objection is pending verification.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. This applies to data processed by automated means on the basis of consent or contract.

Right to Object (Article 21)

You can object to processing based on legitimate interests, direct marketing (including profiling), or processing for scientific/historical research purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our matching algorithms include human oversight for significant decisions.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not complied with GDPR. ICO contact: ico.org.uk

3. Technical and Organizational Measures

3.1 Security Measures

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
  • Authentication: Multi-factor authentication available; bcrypt password hashing
  • Access Controls: Role-based access control (RBAC); principle of least privilege
  • Network Security: Firewall protection; intrusion detection systems; DDoS mitigation
  • Monitoring: 24/7 security monitoring; automated threat detection; incident response procedures
  • Backups: Encrypted daily backups; geographically distributed storage; tested recovery procedures

3.2 Organizational Measures

  • Data Protection Officer: Designated DPO overseeing GDPR compliance
  • Staff Training: Mandatory GDPR training for all employees handling personal data
  • Policies and Procedures: Documented data protection policies; incident response plans
  • Vendor Management: GDPR-compliant data processing agreements with all subprocessors
  • Privacy by Design: Data protection integrated into system design and development
  • Regular Audits: Internal and external security audits; penetration testing

4. Data Processing Records

In accordance with Article 30 UK GDPR, we maintain comprehensive records of processing activities including:

  • Controller and processor contact details
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International data transfers and safeguards
  • Retention periods
  • Technical and organizational security measures

5. Data Breach Notification

We have implemented procedures to detect, report, and investigate personal data breaches:

5.1 ICO Notification

If a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach.

5.2 Individual Notification

If a breach is likely to result in a high risk to individuals, we will notify affected individuals without undue delay, providing:

  • Nature of the breach
  • Contact point for more information
  • Likely consequences
  • Measures taken to mitigate adverse effects

5.3 Documentation

All breaches are documented, including facts, effects, and remedial action taken, regardless of notification requirements.

6. International Data Transfers

When transferring personal data outside the UK, we ensure adequate safeguards:

  • Adequacy Decisions: Transfers to countries recognized as providing adequate protection
  • Standard Contractual Clauses: EU/UK-approved model clauses for other jurisdictions
  • Binding Corporate Rules: Internal policies for intra-group transfers
  • Derogations: Explicit consent or necessary for contract performance

7. Data Protection Impact Assessments

We conduct DPIAs for processing operations likely to result in high risk to individuals' rights and freedoms, particularly:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas at large scale
  • Use of new technologies or innovative applications

8. Third-Party Processors

We ensure all third-party processors:

  • Provide sufficient guarantees of GDPR compliance
  • Execute written data processing agreements (Article 28)
  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Assist with data subject rights requests
  • Assist with breach notifications and DPIAs

9. Exercising Your Rights

To exercise any GDPR rights:

  • Email our DPO at: dpo@vunaexchange.com
  • Use the data subject request form in your account settings
  • Write to: Data Protection Officer, VUNA Exchange Ltd, [Address]

We will respond to requests within one month. Complex requests may require up to three months; we will notify you if an extension is needed.

Requests are generally free. Manifestly unfounded or excessive requests may incur a reasonable fee or be refused.

10. Contact Information

Data Protection Officer

VUNA Exchange Ltd

Email: dpo@vunaexchange.com

Privacy: privacy@vunaexchange.com

UK Supervisory Authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113
