Quick Summary: You have the right to access, correct, delete, restrict, or move your personal data. You can also object to certain processing and withdraw consent. Most requests are handled free of charge within one month.

Your Rights Under UK GDPR

1. Right of Access (Subject Access Request)

What it means: You have the right to obtain confirmation that we process your personal data and receive a copy of that data.

What you'll receive:

• A copy of all personal data we hold about you
• Information about how we use that data
• Information about who we share it with
• How long we keep it
• The source of the data (if not obtained directly from you)
• Details of any automated decision-making

Cost: Free in most cases. We may charge a reasonable fee if your request is clearly unfounded, excessive, or repetitive.

Timeframe: We will respond within one month. This may be extended by two further months for complex or numerous requests.

2. Right to Rectification

What it means: You have the right to have inaccurate personal data corrected or incomplete data completed.

Examples:

• Correcting a misspelled name or address
• Updating outdated contact information
• Adding missing prescription details
• Fixing incorrect order information

Process: We will correct the data immediately upon verification and notify you of the changes. If we shared the incorrect data with others, we will inform them of the correction where possible.

Timeframe: Usually within 5 working days for simple corrections; within one month for complex requests.

3. Right to Erasure ("Right to be Forgotten")

What it means: You have the right to request deletion of your personal data in certain circumstances.

When this applies:

• The data is no longer necessary for the purpose we collected it
• You withdraw consent and there's no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed
• The data must be erased to comply with a legal obligation

When we may refuse:

• We need the data to comply with legal obligations (e.g., tax records, warranty claims)
• The data is needed for the establishment, exercise, or defense of legal claims
• There is a legal requirement to retain the data (e.g., 6 years for accounting records)

What we will do: Delete all personal data where possible, or anonymize data we must retain for legal reasons.

4. Right to Restriction of Processing

What it means: You can request that we limit how we use your data in certain situations.

When this applies:

• You contest the accuracy of the data (restriction applies while we verify accuracy)
• Processing is unlawful but you don't want the data erased
• We no longer need the data but you need it for legal claims
• You have objected to processing (restriction applies while we verify grounds)

Effect: We will store the data but not use it for other purposes without your consent, except for legal claims or protecting rights of others.

5. Right to Data Portability

What it means: You can request to receive your personal data in a structured, commonly used, machine-readable format and transfer it to another organization.

When this applies:

• The processing is based on your consent or contract performance
• The processing is carried out by automated means

What you'll receive: Your data in JSON or CSV format, including:

• Account details
• Order history
• Prescription data
• Communication preferences

Note: This right doesn't apply to data processed for public interest or official authority tasks.

6. Right to Object

What it means: You have the right to object to certain types of processing.

Processing you can object to:

• Processing based on legitimate interests
• Direct marketing (including profiling for direct marketing)
• Processing for scientific/historical research or statistical purposes

Effect: We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for legal claims.

Marketing opt-out: You can object to marketing at any time, and we will stop immediately with no questions asked.

7. Rights Related to Automated Decision-Making and Profiling

What it means: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Our practice: While we use automated systems to check prescription safety parameters, all final decisions about children's orders are made by a registered human Dispensing Optician. You are never subject to purely automated decision-making with significant effects.

If this changes: We will inform you and obtain explicit consent where required by law.

8. Right to Withdraw Consent

What it means: Where we process your data based on consent, you can withdraw that consent at any time.

Effect: We will stop processing that data for that purpose, but this won't affect the lawfulness of processing before withdrawal.

Examples:

• Unsubscribing from marketing emails
• Withdrawing consent for optional data processing
• Opting out of non-essential cookies

How to Submit a Data Request

Step 1: Decide What You Want

Be clear about which right(s) you want to exercise:

• Access my data (Subject Access Request)
• Correct inaccurate data (Rectification)
• Delete my data (Erasure)
• Restrict how you use my data (Restriction)
• Receive my data in portable format (Data Portability)
• Object to processing (Objection)
• Withdraw consent

Step 2: Choose Your Method

Step 3: Provide Required Information

To process your request, we need:

Identity Verification

To protect your privacy and prevent unauthorized disclosure, we must verify your identity before processing your request.

Standard Verification

We will verify your identity using information we already hold, such as:

• Matching your email address and name to our records
• Confirming recent order details
• Verifying your postal address

Enhanced Verification (When Required)

For particularly sensitive requests or if we cannot verify using standard methods, we may request:

• A copy of a valid photo ID (passport or driving license)
• A recent utility bill or bank statement (for address verification)
• Answers to security questions based on your account

Document handling: We will delete verification documents within 30 days of resolving your request and will never use them for any other purpose.

Third-Party Requests

If someone is making a request on your behalf (e.g., solicitor, family member), we require:

• Written authorization from you (signed letter or email from your registered email)
• Proof of the representative's identity
• Proof of their authority to act on your behalf

Parent/Guardian requests: For children's data, we require proof of parental responsibility (birth certificate or court order).

Response Timeframes

Request Type	Standard Response Time	Complex Cases
Subject Access Request	Within 1 month	Up to 3 months (we'll explain why)
Rectification (simple)	Within 5 working days	Within 1 month
Erasure	Within 1 month	Up to 2 months (legal review needed)
Restriction	Within 1 month	Up to 3 months
Data Portability	Within 1 month	Up to 3 months
Objection (marketing)	Immediately	N/A
Objection (other)	Within 1 month	Up to 3 months

Communication: We will always acknowledge your request within 2 working days and keep you updated on progress, especially if we need to extend the response time.

Fees and Charges

Free Requests

The vast majority of requests are handled completely free of charge, including:

• Your first Subject Access Request
• All rectification requests
• All erasure requests
• All objection requests
• Reasonable follow-up or clarification requests

When We May Charge a Fee

We may charge a reasonable fee (based on administrative costs) if:

• Your request is clearly unfounded (e.g., made to cause distress rather than exercise rights)
• Your request is excessive (e.g., requesting the same information multiple times without valid reason)
• You request multiple copies of the same information
• Your request is unusually complex or requires extensive resources to fulfill

Notice: If we intend to charge a fee, we will inform you of the amount and justification before proceeding. You can then decide whether to continue with the request.

When We May Refuse

We may refuse to act on a request if it is:

• Manifestly unfounded (e.g., intended to harass or disrupt)
• Manifestly excessive (e.g., identical requests submitted repeatedly)

If we refuse a request, we will explain why and inform you of your right to complain to the ICO and seek judicial remedy.

Special Considerations

Children's Data

Children have the same data protection rights as adults. For requests concerning a child's personal data:

• If a child is able to understand their rights and the request, we will normally respond directly to the child
• A parent/guardian may exercise the child's rights on their behalf if the child authorises this, or if it is evident that doing so is in the child's best interests
• We assess each request based on the child's maturity and understanding, not solely on age

Proof of parental responsibility required when making requests on behalf of a child: Birth certificate, court order showing parental responsibility, or other official documentation.

Deceased Persons

Requests for data about deceased persons are not covered by UK GDPR. However, we may consider requests from:

• Executors of the estate (with proof)
• Next of kin (in certain circumstances)

Contact us to discuss on a case-by-case basis.

Third-Party Information

If your data includes information about other people (e.g., someone else mentioned in correspondence), we will:

• Redact that person's information before sharing with you
• Only share it if the other person consents or it's reasonable to do so

This protects the privacy rights of others while respecting your right to access your own data.

What Happens After You Submit a Request?

1. Acknowledgment (Within 2 Working Days)

We will send you an acknowledgment confirming:

• We have received your request
• Reference number for tracking
• Expected response date
• Any additional information we need from you

2. Verification (If Required)

If we need to verify your identity, we will contact you with specific instructions. The clock stops on your request until verification is complete.

3. Processing

We will:

• Search all relevant systems and records
• Compile the requested information
• Redact any third-party information (if applicable)
• Prepare a clear and understandable response

4. Response

For Subject Access Requests, we will provide:

• A document summarizing the data we hold
• Copies of the actual data (in accessible format)
• Explanation of how we use it and who we share it with
• Details of retention periods
• Information about your rights

Delivery method: Secure email (encrypted if sensitive), secure portal, or registered post depending on your preference and the sensitivity of the data.

5. Follow-Up

If you have questions about our response or believe we missed something, contact us. We're happy to clarify or supplement our response if needed.

If You're Not Satisfied

Internal Complaint

If you're unhappy with how we handled your request:

1. Contact us at support@relensify.co.uk with your concerns
2. We will review your complaint and respond within 10 working days
3. If still unresolved, we will escalate to senior management

Information Commissioner's Office (ICO)

You have the right to complain to the UK's data protection regulator:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Website: ico.org.uk
Helpline: 0303 123 1113
Live Chat: Available on their website

Legal Action

You also have the right to seek judicial remedy through the courts if you believe we have violated your data protection rights.

Data We Hold About You

To help you understand what data you might want to request access to, here's an overview of the types of personal data we typically hold:

Account & Contact Data

• Name, email address, phone number
• Billing and delivery addresses
• Account creation date and login history

Order & Transaction Data

• Order history and order details
• Payment information (last 4 digits of card only)
• Delivery tracking information
• Returns and refund records

Prescription & Child Data

• Child's name and date of birth
• Prescription details (SPH, CYL, AXIS, ADD, PD)
• Optician review notes and approval decisions
• Any special requirements or notes

Communication Data

• Email correspondence with our support team
• Phone call notes (we don't record calls)
• Marketing preferences and consent records

Technical Data

• IP address and browser type (if logged for security)
• Cookie data (see our Cookie Policy)
• Website usage data (if analytics enabled - currently not used)

Legal & Compliance Data

• Dispensing Optician approval records
• Audit logs for compliance purposes
• Records of any complaints or disputes

Frequently Asked Questions

How long does a Subject Access Request take?

We aim to respond within one month. For complex requests, this may extend to three months, but we'll let you know if this is the case and explain why.

Can I request all my data in a specific format?

For data portability requests, we can provide data in JSON or CSV format. For standard Subject Access Requests, we provide data in PDF and readable text formats. If you have specific accessibility needs, please let us know.

What if I only want certain types of data deleted?

You can request deletion of specific data types. However, some data must be retained for legal compliance (e.g., order records for tax purposes). We'll explain what can and cannot be deleted.

Can I withdraw consent for data processing after placing an order?

You can withdraw consent for marketing and optional processing. However, data necessary for contract performance (processing your order) or legal compliance must be retained until those purposes no longer apply.

How do I know if you've really deleted my data?

When we delete your data, we send you a confirmation listing what was deleted, what was anonymized, and what was retained (with legal justification). You can request verification by submitting a follow-up Subject Access Request.

Will deleting my data affect warranty or returns?

If you delete your account data before the warranty period expires or before potential returns are resolved, we must retain order and product information for these purposes. We'll anonymize your personal identifiers but keep essential transaction records.

Can I get my child's prescription data to use elsewhere?

Yes, you can request a data portability export that includes prescription details in a machine-readable format. However, prescription data should always be verified by your child's optometrist, as we only store the information you provided to us.

Contact Us

For all data protection requests and enquiries:

Email: support@relensify.co.uk

For general enquiries: Visit our Contact page

Related Information

• Privacy Notice for Parents - How we use your data
• Cookie Policy - How we use cookies
• Terms & Conditions - Legal terms of service
• Compliance Information - Regulatory compliance details