GDPR (UK) Compliance

Last Updated: 1 December 2025

1. Our Commitment to UK GDPR

DazzleAtrium is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page provides transparency about our data processing activities and your rights as a data subject in the United Kingdom.

2. Data Controller Information

Data Controller: DazzleAtrium
Registered Address: 14 Shotover Street, Queenstown 9300, New Zealand
Contact Email: dpo@dazzleatrium.games
Phone: +44 3-442 6400

3. Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so under UK GDPR Article 6. Our lawful bases include:

3.1 Consent (Article 6(1)(a))

Where you have given clear, affirmative consent for us to process your personal data for specific purposes. You may withdraw consent at any time by contacting us.

3.2 Contract (Article 6(1)(b))

Where processing is necessary to fulfil our contractual obligations to you or to take steps at your request before entering into a contract.

3.3 Legal Obligation (Article 6(1)(c))

Where we must process your data to comply with legal requirements, such as age verification or regulatory compliance.

3.4 Legitimate Interests (Article 6(1)(f))

Where processing is necessary for our legitimate business interests, provided these don't override your fundamental rights and freedoms. Our legitimate interests include:

• Maintaining and improving our platform
• Preventing fraud and ensuring security
• Understanding how users interact with our services
• Providing customer support

4. Your Rights Under UK GDPR

As a data subject in the UK, you have the following rights:

4.1 Right to Be Informed (Articles 13-14)

You have the right to clear information about how we collect and use your data. This information is provided in our Privacy Policy and this GDPR Compliance page.

4.2 Right of Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this free of charge within one month of your request.

4.3 Right to Rectification (Article 16)

You can request correction of any inaccurate or incomplete personal data we hold about you.

4.4 Right to Erasure ("Right to be Forgotten") (Article 17)

You can request deletion of your personal data in certain circumstances, including:

• When the data is no longer necessary for the purpose it was collected
• When you withdraw consent (where consent was the lawful basis)
• When you object to processing based on legitimate interests
• When the data has been unlawfully processed
• When deletion is required by legal obligation

4.5 Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data in certain circumstances, such as when you contest the accuracy of data or object to processing.

4.6 Right to Data Portability (Article 20)

You can request to receive your personal data in a structured, commonly used, machine-readable format, and have the right to transmit this data to another controller.

4.7 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

4.8 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in such automated decision-making.

5. Exercising Your Rights

To exercise any of your rights, please contact us:

• Email: dpo@dazzleatrium.games
• Phone: +44 3-442 6400
• Post: Data Protection Officer, DazzleAtrium, 14 Shotover Street, Queenstown 9300, New Zealand

We will respond to your request within one month. In complex cases, we may extend this by up to two months and will inform you if this is necessary.

6. Data Protection Principles

We adhere to the UK GDPR's six data protection principles (Article 5):

1. Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
2. Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only
3. Data Minimisation: We collect only data that is adequate, relevant, and necessary
4. Accuracy: We ensure personal data is accurate and kept up to date
5. Storage Limitation: We keep data only as long as necessary
6. Integrity and Confidentiality: We process data securely with appropriate technical and organisational measures

7. Data Security Measures

We implement appropriate technical and organisational measures to ensure data security (Article 32):

• Encryption of data in transit using TLS/SSL
• Encryption of data at rest
• Regular security assessments and penetration testing
• Access controls and multi-factor authentication
• Staff training on data protection and security
• Incident response and breach notification procedures

8. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours if the breach poses a risk to individuals' rights and freedoms
• Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
• Document all data breaches, including facts, effects, and remedial action taken

9. International Data Transfers

When we transfer your data outside the UK, we ensure appropriate safeguards are in place:

• Transfers to countries with adequacy decisions from the UK government
• International Data Transfer Agreements (IDTAs) or Addendums to Standard Contractual Clauses
• Binding Corporate Rules (where applicable)

10. Data Protection Impact Assessments

Where processing operations are likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35.

11. Third-Party Processors

We work with third-party processors who handle data on our behalf. We ensure:

• Written contracts are in place with all processors
• Processors provide sufficient guarantees of appropriate security measures
• Processors process data only on our documented instructions
• Regular audits of processor compliance

12. Children's Data

DazzleAtrium is exclusively for users aged 18 and over. We do not knowingly process data of anyone under 18. If we become aware of such processing, we will delete the data immediately.

13. Record of Processing Activities

We maintain records of our processing activities as required by Article 30, including:

• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients
• International transfers
• Retention periods
• Security measures

14. Supervisory Authority

Our lead supervisory authority is the Information Commissioner's Office (ICO):

• Website: www.ico.org.uk
• Helpline: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You have the right to lodge a complaint with the ICO if you believe we have not complied with UK GDPR.

15. Updates to This Page

We may update this GDPR Compliance page to reflect changes in our practices or legal requirements. Material changes will be communicated via our website and, where appropriate, directly to you.

16. Contact Information

For any questions about our GDPR compliance or to exercise your rights:

• Data Protection Officer: dpo@dazzleatrium.games
• General Enquiries: privacy@dazzleatrium.games
• Phone: +44 3-442 6400