GDPR Compliance
Last updated: April 14, 2026
Our Commitment to Data Protection
Shadow Praxis is fully committed to compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. As a financial services firm, we recognize that protecting your personal data is not just a legal obligation but a fundamental aspect of the trust you place in us.
This page provides specific information about your GDPR rights and how we fulfill our responsibilities as a data controller.
Data Controller Information
Data Controller: Shadow Praxis
Registered Address: 42 Colmore Row, Birmingham B3 2BS, United Kingdom
Contact Email: [email protected]
We are registered with the Information Commissioner's Office as a data controller and comply with all applicable data protection regulations governing financial services.
Lawful Basis for Processing
We process your personal data only when we have a lawful basis to do so. The specific legal grounds we rely on include:
Performance of a Contract
When you engage our financial planning services, we enter into a contractual relationship. Processing your personal and financial information is necessary to fulfill our obligations under this contract and deliver the services you've requested.
Legal Compliance
Financial services are subject to extensive regulation. We must process certain personal data to comply with legal obligations including:
- Anti-money laundering and counter-terrorism financing regulations
- Financial conduct and suitability requirements
- Tax reporting obligations
- Record-keeping requirements for client files
- Regulatory reporting to financial authorities
Legitimate Interests
We process some data based on legitimate business interests, provided these interests don't override your rights and freedoms. Examples include:
- Maintaining accurate client records for service continuity
- Analyzing service usage to improve our offerings
- Detecting and preventing fraud
- Network and information security
Consent
For certain processing activities, particularly marketing communications, we rely on your explicit consent. You can withdraw this consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Your Data Protection Rights
Under UK GDPR, you have the following rights concerning your personal data:
Right of Access
You have the right to obtain confirmation that we process your personal data and to receive a copy of that data along with supplementary information about how we use it. We will provide this information free of charge, typically within one month of your request.
Right to Rectification
If personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. We encourage you to keep your information up to date and will promptly make corrections when you notify us of errors.
Right to Erasure
Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances. However, this right is not absolute. We may need to retain information to comply with legal obligations, particularly the regulatory requirement to maintain client records for specified periods.
Right to Restrict Processing
You can request that we limit how we use your data in specific situations, such as when you contest the accuracy of the data or object to our processing. When processing is restricted, we can store the data but not actively use it without your consent, except for legal claims or to protect others' rights.
Right to Data Portability
Where processing is based on consent or contract performance and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format. You can also request that we transfer this data directly to another controller where technically feasible.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. For marketing, we will stop processing immediately upon receiving your objection. For other objections, we will assess whether we have compelling legitimate grounds that override your rights.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently employ automated decision-making of this nature, but if we did, we would inform you and provide options for human review.
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us in writing:
Email: [email protected]
Post: Shadow Praxis, 42 Colmore Row, Birmingham B3 2BS, United Kingdom
When making a request, please provide sufficient information to allow us to identify you and verify your identity. This protects your data from unauthorized access. We may need to ask for additional identification documents in some cases.
We will respond to your request within one month, though this may be extended by up to two additional months for complex or numerous requests. We will inform you of any extension within the first month and explain the reasons for the delay.
Data Protection Principles
We adhere to the core data protection principles established by UK GDPR:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. We are clear about what data we collect and how we use it.
Purpose Limitation
We collect data for specific, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
Data Minimization
We collect only the personal data that is adequate, relevant, and necessary for the purposes for which we process it.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is corrected or deleted promptly.
Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected, subject to legal retention requirements.
Integrity and Confidentiality
We process data securely, implementing appropriate technical and organizational measures to protect against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Accountability
We take responsibility for our compliance and can demonstrate adherence to these principles through our policies, procedures, and practices.
Data Security Measures
Protecting your data is a top priority. Our security measures include:
- End-to-end encryption for sensitive financial data
- Secure, password-protected systems with multi-factor authentication
- Regular security audits and vulnerability assessments
- Staff training on data protection and information security
- Strict access controls limiting who can view client data
- Secure data backup and disaster recovery procedures
- Confidentiality agreements with all staff and third-party processors
Data Breach Procedures
If, despite our security measures, a data breach occurs that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach
- Inform affected individuals without undue delay if the breach poses a high risk
- Provide clear information about the nature of the breach and steps we're taking to address it
- Offer guidance on measures you can take to protect yourself
International Data Transfers
We primarily store and process data within the United Kingdom. If we need to transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- Transfers to countries with adequacy decisions recognizing equivalent data protection
- Use of standard contractual clauses approved by the UK authorities
- Implementation of additional technical and organizational measures where necessary
We will inform you if your data will be transferred internationally and explain the safeguards in place.
Third-Party Processing
Some personal data processing is carried out by third-party service providers acting as data processors on our behalf. These include:
- Investment platform providers
- Pension administrators
- IT service providers and cloud hosting services
- Professional indemnity insurers
All processors are carefully selected and bound by written contracts that require them to:
- Process data only on our documented instructions
- Implement appropriate security measures
- Maintain confidentiality
- Assist with data subject rights requests
- Delete or return data when processing is complete
Retention Periods
We retain personal data for different periods depending on the type of information and legal requirements:
- Client files and financial advice records: minimum of 6 years after the relationship ends, as required by financial regulations
- Anti-money laundering documentation: 5 years from the end of the business relationship
- Tax-related information: as required by HMRC regulations
- Website analytics data: typically 2 years
- Marketing consent records: until consent is withdrawn plus a reasonable period to process the withdrawal
Once retention periods expire, we securely delete or anonymize data unless there is a legal requirement to retain it longer.
Complaints and Concerns
If you have concerns about how we handle your personal data, please contact us first so we can address them:
Email: [email protected]
Address: Shadow Praxis, 42 Colmore Row, Birmingham B3 2BS, United Kingdom
You also have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office
Website: ico.org.uk
Helpline: 0303 123 1113
We take all complaints seriously and will investigate thoroughly, providing you with a response and, where appropriate, taking corrective action.
Updates to This Information
We review and update our GDPR compliance information regularly to reflect changes in legislation, regulatory guidance, or our data processing practices. Material changes will be communicated to existing clients via email. The date at the top of this page shows when it was last updated.