GDPR Compliance Statement

Last Updated: May 20, 2026

Our Commitment to GDPR

amber spree is committed to compliance with the General Data Protection Regulation (GDPR) and UK data protection laws. We take the privacy and security of your personal information seriously and have implemented appropriate measures to ensure lawful, fair, and transparent processing of personal data.

Data Controller Information

For the purposes of GDPR, the data controller is:

amber spree
47 Riverside Gardens
Portsmouth, Hampshire PO1 2EJ
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

Consent

Where you have given clear consent for us to process your personal data for specific purposes, such as marketing communications.

Contract

Where processing is necessary for the performance of a contract with you, such as providing veterinary services you've requested.

Legal Obligation

Where we must process your data to comply with legal obligations, including veterinary record-keeping requirements and tax regulations.

Legitimate Interests

Where processing is necessary for our legitimate interests, such as improving our services, preventing fraud, and ensuring network security, provided these interests do not override your fundamental rights.

Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

Right of Access

You have the right to request copies of your personal data. We may charge a reasonable fee if your request is manifestly unfounded or excessive.

Right to Rectification

You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected. This right is not absolute and may not apply where we have legal obligations to retain data.

Right to Restrict Processing

You have the right to request restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis for processing.

Rights Related to Automated Decision Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

How to Exercise Your Rights

To exercise any of your rights, please contact us at [email protected]. We will respond to your request within one month, though this may be extended by two additional months where necessary, taking into account the complexity and number of requests.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data.

Data Protection Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication procedures
• Staff training on data protection practices
• Incident response and breach notification procedures

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, accounting, or reporting requirements. Specific retention periods include:

• Medical records: 7 years from last appointment
• Financial records: 6 years for tax purposes
• Marketing consent: Until consent is withdrawn
• Website analytics: 26 months

International Data Transfers

We primarily store and process your data within the United Kingdom and European Economic Area. If we transfer data outside these regions, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: www.ico.org.uk

Updates to This Statement

We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. We encourage you to review this page periodically.

Contact Us

For any questions about our GDPR compliance or to exercise your rights, please contact us at [email protected].