Privacy Rights

If you are located in the European Economic Area or the United Kingdom, you have the right to:

• Access the personal data we hold about you.
• Rectify data that is inaccurate or incomplete.
• Erase your data (“right to be forgotten”), subject to legal exceptions.
• Restrict processing in certain circumstances.
• Object to processing based on our legitimate interests.
• Portability of data you have provided, in a structured, machine-readable format.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with your local data-protection authority (in the UK, the Information Commissioner’s Office at ico.org.uk).

If you are a California resident, you have the right to:

• Know what categories of personal information we have collected, the sources, the purposes for collection, and the categories of third parties (if any) with whom we have shared it in the past 12 months.
• Delete personal information we hold about you, subject to legal exceptions.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising, so there is no opt-out mechanism to surface.
• Limit the use of sensitive personal information. We do not collect sensitive personal information as defined by CPRA.
• Non-discrimination: we will not deny you service, charge a different price, or provide a different level of quality because you exercised your rights.

Residents of states with comprehensive privacy laws similar to CCPA (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others) generally have rights of access, deletion, correction, portability, and opt-out of certain processing. We honour these requests under the same process described below.

Submit your request via our contact form. Include:

• the right you wish to exercise (e.g., access, deletion);
• enough information for us to identify the data you are asking about (for example, the email address you used to contact us, the approximate date of contact, the IP-address range if known);
• your jurisdiction (so we apply the correct law).

To protect your privacy, we may need to verify your identity before fulfilling a request. For most requests, matching the email address used in a prior contact submission is sufficient. For broader requests we may ask for additional information to confirm you are the data subject. We will not use verification information for any other purpose.

We will acknowledge your request promptly and respond substantively within 30 days under GDPR / UK GDPR and within 45 days under CCPA / CPRA. We may extend the period by an additional 45 days where reasonably necessary, in which case we will notify you of the extension and the reason.

You may designate an authorised agent to submit a request on your behalf. We may ask the agent to provide proof of authorisation and may also contact you directly to confirm. Authorised-agent requests can be submitted via the same contact form.

If you are unsatisfied with our response to a privacy request, you may submit an appeal through the contact form within 60 days. We will review the appeal and respond in writing. Residents of jurisdictions with statutory appeal rights (including several US states and the EEA / UK) retain the right to lodge a complaint with their data-protection authority.

We do not charge a fee for honouring privacy requests, unless the request is manifestly unfounded or excessive (for example, repetitive). In those rare cases we may charge a reasonable administrative fee or decline to act, and we will explain our reasoning.