GDPR Compliance

Last updated: April 9, 2026

Our Commitment to Data Protection

Mindora Journey Limited is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we comply with these regulations and what rights you have regarding your personal information.

Data Controller Information

Mindora Journey Limited is the data controller responsible for your personal information:

Company Name: Mindora Journey Limited
Registered Address: 42 Thomas Street, Manchester M4 1NA, United Kingdom
Company Number: 09847562
Contact Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our processing activities rely on the following legal grounds:

Contractual Necessity

We process your data to fulfill our contractual obligations when you engage our photography services. This includes managing bookings, delivering services, processing payments, and providing ongoing client support.

Legitimate Interests

We process data based on legitimate business interests, including:

  • Maintaining client records for service quality and continuity
  • Improving our services based on client feedback and usage patterns
  • Protecting our business against fraud or legal claims
  • Operating and securing our website and IT infrastructure
  • Communicating about services similar to those you've previously used

We carefully balance these interests against your rights and do not process data in ways you would not reasonably expect.

Consent

Where required, we obtain explicit consent before processing your data, particularly for:

  • Using your images for marketing or portfolio purposes
  • Sending promotional communications about new services or offers
  • Setting non-essential cookies on our website

You can withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.

Legal Obligations

We process certain data to comply with legal requirements, such as maintaining financial records for tax purposes and responding to lawful requests from authorities.

Your GDPR Rights

Under GDPR, you have specific rights regarding your personal data:

Right of Access

You can request access to the personal data we hold about you. We will provide a copy of this information, along with details about how we use it, within one month of your request.

Right to Rectification

If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. We will make corrections within one month and notify any third parties with whom we've shared the data.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required to comply with a legal obligation

This right is not absolute. We may need to retain certain information to comply with legal obligations or establish legal claims.

Right to Restriction of Processing

You can request that we restrict how we use your personal data in specific situations:

  • You contest the accuracy of the data while we verify it
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you require it for legal claims
  • You've objected to processing while we verify our legitimate grounds

Right to Data Portability

You can request a copy of your personal data in a structured, commonly used, machine-readable format. This right applies to data you've provided to us based on consent or contract, and where processing is automated.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests or we need the data for legal claims.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. All decisions regarding our services involve human judgment.

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected] with your request. Please include:

  • Your full name and contact information
  • Description of the specific right you wish to exercise
  • Any relevant details to help us locate your information
  • Proof of identity if requested for security purposes

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of any delay.

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls limiting data access to authorized personnel only
  • Staff training on data protection principles and practices
  • Secure backup and disaster recovery procedures
  • Confidentiality agreements with all staff and contractors
  • Regular software updates and security patches

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware
  • Inform affected individuals without undue delay if the risk is high
  • Provide clear information about the nature of the breach and steps being taken
  • Offer guidance on measures you can take to protect yourself

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Client project files and photographs: 7 years after project completion
  • Financial and accounting records: 6 years as required by law
  • Marketing consent records: Until consent is withdrawn
  • Website analytics: Anonymized after 26 months
  • Correspondence: 3 years after final communication

After these periods, we securely delete or anonymize information in accordance with data protection principles.

Third-Party Processors

We work with carefully selected third-party service providers who process personal data on our behalf:

  • Payment processors for transaction handling
  • Cloud storage providers for data backup
  • Email service providers for communications
  • Website hosting providers for online presence

All processors are bound by data processing agreements ensuring GDPR compliance. We ensure they implement appropriate security measures and process data only according to our instructions.

International Data Transfers

We primarily store and process data within the United Kingdom. If we transfer data to countries outside the UK, we ensure adequate protection through:

  • Adequacy decisions recognizing equivalent protection standards
  • Standard contractual clauses approved by UK authorities
  • Other appropriate safeguards as required by law

Children's Data

We do not knowingly process data of children under 16 without parental consent. When photographing minors, we obtain appropriate consent from parents or legal guardians and handle such data with particular care.

Changes to Our Practices

We regularly review our data protection practices to ensure ongoing compliance. Any significant changes will be communicated through our website and, where appropriate, directly to affected individuals.

Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first so we can address the issue. If you remain unsatisfied, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk

Contact for Data Protection Queries

For any questions regarding our GDPR compliance or data protection practices, contact us:

Email: [email protected]
Post: Mindora Journey Limited, 42 Thomas Street, Manchester M4 1NA, United Kingdom

We aim to respond to all enquiries within 5 business days.