GDPR Compliance
Last updated: May 4, 2025
1. Introduction to GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA.
At DrinkLoyal, we are committed to ensuring the privacy and protection of your personal data in compliance with GDPR and other applicable data protection laws.
2. Data Controller
DrinkLoyal Ltd acts as the data controller for personal information collected through our website, mobile applications, and services. As a data controller, we determine the purposes and means of processing personal data.
Our contact details are:
DrinkLoyal Ltd
24 Market Square
Manchester, M1 1PZ
United Kingdom
Email: [email protected]
Phone: +44 (0) 1244 911028
3. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this GDPR compliance policy. If you have any questions about this policy or how we handle your personal information, please contact the DPO using the details below:
Data Protection Officer
DrinkLoyal Ltd
24 Market Square
Manchester, M1 1PZ
United Kingdom
Email: [email protected]
Phone: +44 (0) 1244 911028
4. Your GDPR Rights
Under the GDPR, you have several rights regarding your personal data. These include:
4.1 Right to Be Informed
You have the right to be informed about the collection and use of your personal data. We provide this information in our Privacy Policy.
4.2 Right of Access
You have the right to request a copy of the personal data we hold about you and information about how we process it.
4.3 Right to Rectification
You have the right to have inaccurate personal data rectified or completed if it is incomplete.
4.4 Right to Erasure (Right to be Forgotten)
You have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.
4.5 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances.
4.6 Right to Data Portability
You have the right to obtain and reuse your personal data for your own purposes across different services.
4.7 Right to Object
You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing.
4.8 Rights Related to Automated Decision Making and Profiling
You have rights related to automated decision making and profiling. However, DrinkLoyal does not currently make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on individuals.
5. How to Exercise Your Rights
You can exercise your rights by contacting our Data Protection Officer using the contact details provided above. We will respond to your request within one month of receiving it. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
If we decide not to take action on your request, we will inform you of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority.
We will not charge a fee to process your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
6. Data Security
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Regular testing, assessing, and evaluating of the effectiveness of technical and organizational measures for ensuring the security of the processing
7. Data Processing Records
In accordance with Article 30 of the GDPR, we maintain records of our data processing activities. These records include:
- Name and contact details of our organization
- Purposes of the processing
- Categories of individuals and personal data
- Categories of recipients of personal data
- Details of transfers to third countries and documentation of suitable safeguards
- Retention schedules
- Description of technical and organizational security measures
8. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of individuals. DPIAs help us to identify and minimize data protection risks.
9. Data Breach Procedures
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
10. International Data Transfers
When we transfer your personal data outside the European Economic Area (EEA), we ensure that a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- Transferring to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
- Using specific contracts approved by the European Commission which give personal data the same protection it has in Europe
- Using providers based in the US that are part of the EU-US Privacy Shield or similar frameworks
11. Complaints
If you wish to make a complaint about how we process your personal data, please contact our Data Protection Officer. You also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work, or the place where the alleged infringement of data protection laws took place.
For individuals in the UK, the supervisory authority is the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk
12. Changes to This GDPR Compliance Policy
We may update this GDPR Compliance Policy from time to time. Any changes will be posted on this page with an updated revision date. If we make significant changes, we may also notify you by other means such as sending an email.
The date at the top of this Policy indicates when it was last updated.