Exercising your rights, made operational.
This page is the public companion to our Privacy notice. It documents the procedure we follow when someone exercises a UK GDPR right — what we verify, who handles it, what we deliver, and how long it takes. The one-click rights centre on the Privacy notice is the way to start.
Last updated: 10 June 2026
Who handles your request
YionStack is the controller for personal data about visitors, account holders and our own employees. For data your business processes about its end-users (your customers, your employees, your learners) the customer (the business admin) is the controller and YionStack is the processor under the Data Processing Agreement. If a request reaches us about business data we redirect it to the business and tell you we have done so.
How we handle a request
- 01 Receive
Request arrives via privacy@yionstack.co.uk or one of the rights-centre buttons. Logged with timestamp + originating channel.
- 02 Acknowledge — within 5 working days
Real human reply confirming we received it, the article(s) we are treating it under, and any identity-verification we need.
- 03 Verify identity
Proportionate to the sensitivity of the data — usually a sign-in challenge from the registered email. Heavier verification for special-category data.
- 04 Action — within 1 calendar month
Compile the response. Where the request requires complex assembly we may extend by up to two further months under Art. 12(3) — with notice to you.
- 05 Deliver
Access requests delivered as a structured export (JSON or CSV) over an authenticated channel. Erasures confirmed in writing once complete.
- 06 Log
Every request and outcome logged in the DSR register. Reviewed monthly to spot patterns (e.g. recurring data-quality issues).
Per-right detail
Each UK GDPR right has slightly different mechanics. Here's the article-by-article breakdown of how we handle it.
| Right | Who handles | SLA | What we need |
|---|---|---|---|
| Access (Art. 15) | YionStack as controller (visitors / accounts) · Customer as controller (business data) | 1 calendar month | Identity verification matching the data we hold |
| Rectification (Art. 16) | Same — split by who is the controller of that data | 1 calendar month | Description of what is incorrect + the correct value |
| Erasure (Art. 17) | Same — but limited by retention obligations (e.g. accounting records) | 1 calendar month | Identity verification + clear statement of which data |
| Restriction (Art. 18) | Same | 1 calendar month | Reason (one of the four permitted grounds in Art. 18(1)) |
| Portability (Art. 20) | Same — applies only to data we hold on lawful bases of consent or contract | 1 calendar month | Identity verification |
| Objection (Art. 21) | Same — strongest where processing is based on legitimate interests or for direct marketing | Without undue delay | No reason needed for direct marketing; reason needed for legitimate interests |
| Automated decision-making (Art. 22) | YionStack — relevant only where automated decisions have legal or similarly significant effects | 1 calendar month | Description of the decision in question |
| Withdraw consent (Art. 7(3)) | YionStack as controller (cookies / marketing) · Customer as controller (business-driven consent) | Immediate | None — withdrawal must be as easy as giving consent |
When we may refuse or charge
Most requests are free and we action them. UK GDPR Art. 12(5) allows us to charge a reasonable fee or refuse where requests are manifestly unfounded or excessive (for example repetitive). We use this sparingly and document our reasoning in writing.
Erasure (Art. 17) does not extend to data we are obliged to keep — e.g. invoices retained for 6 years under HMRC and Companies Act 2006 requirements. In those cases we restrict processing to the legal-obligation purpose and tell you we have.
privacy@yionstack.co.uk
Or use the one-click buttons in the rights centre on the Privacy notice.
Escalate to the ICO
You have the right to lodge a complaint with the Information Commissioner's Office under Article 77.
ico.org.uk/make-a-complaint