GDPR Compliance Statement

Last updated: 25 June 2026

orchard-lemur is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable UK data protection laws. This page explains how we comply with these regulations and your rights under them.

Data Controller

orchard-lemur acts as the data controller for the personal information collected through this website and our services.

Contact details:
Email: [email protected]
Address: 42 Kingsway, Holborn, London WC2B 6EX, United Kingdom

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under Article 6 of the GDPR:

• Consent (Article 6(1)(a)): When you submit enquiries or contact forms
• Legitimate interests (Article 6(1)(f)): For website analytics, security, and service improvement
• Legal obligation (Article 6(1)(c)): When required to comply with applicable laws
• Contract (Article 6(1)(b)): To provide services you have requested

Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

Right to Access (Article 15)

You have the right to obtain confirmation that we are processing your personal data and to request a copy of that data.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including when:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Right to Restriction of Processing (Article 18)

You can request that we limit how we process your personal data in specific circumstances, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You can object to processing of your personal data where we rely on legitimate interests as the legal basis for processing.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. We will respond to your request within one month, though this may be extended by two months for complex requests.

When submitting a request, please provide sufficient information to allow us to verify your identity and locate your data. We may request additional information if necessary.

Data Protection Principles

We process personal data in accordance with the following GDPR principles:

• Lawfulness, fairness, and transparency: We process data lawfully and inform you about how we use it
• Purpose limitation: We collect data for specific, explicit purposes and do not use it in incompatible ways
• Data minimisation: We collect only the data necessary for our stated purposes
• Accuracy: We take reasonable steps to ensure personal data is accurate and up to date
• Storage limitation: We retain data only as long as necessary
• Integrity and confidentiality: We implement appropriate security measures to protect your data
• Accountability: We demonstrate compliance with these principles

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Staff training on data protection
• Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law.

International Data Transfers

If we transfer your personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions recognising equivalent data protection standards
• Other legally recognised transfer mechanisms

Third-Party Data Processors

We may engage third-party service providers to process personal data on our behalf. When we do so, we ensure that:

• Data processing agreements are in place
• Processors comply with GDPR requirements
• Appropriate security measures are implemented
• Processors act only on our documented instructions

Children's Data

Our services are not directed to children under 18. We do not knowingly collect or process personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR.

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. The updated version will be indicated by a revised "Last updated" date.

Contact Information

For questions about our GDPR compliance or to exercise your rights, please contact us:

Email: [email protected]
Address: 42 Kingsway, Holborn, London WC2B 6EX, United Kingdom