The ChronoKings Data Protection Policy

Effective date: 14 March 2026
Version: 1.0

1. Policy Purpose

This Data Protection Policy explains how THE LUXURY EXCHANGE GROUP LTD, trading as The ChronoKings, governs the collection, handling, security, retention, and lawful use of personal data across its business operations.

This is an organizational governance policy and should be read alongside:
  1. The ChronoKings Privacy Policy.
  2. The ChronoKings Terms and Conditions.
  3. Internal information security, access control, and incident response procedures.

2. Organization Details

Legal entity: THE LUXURY EXCHANGE GROUP LTD (Company Number: 16650862)
Trading name: The ChronoKings
Registered office: Bartle House, Oxford Court, Manchester, United Kingdom, M2 3WQ
Contact email for data protection matters: admin@thechronokings.com

For UK GDPR purposes, the company acts as a data controller when deciding how and why personal data is used.

3. Scope

This policy applies to:
  1. All employees, contractors, consultants, and service providers processing personal data on behalf of the company.
  2. All personal data processed in relation to customers, prospective customers, suppliers, partners, and website visitors.
  3. All systems and records (digital and paper) used to process personal data.

4. Applicable Law and Standards

The company processes personal data in line with:
  1. UK GDPR.
  2. Data Protection Act 2018.
  3. Privacy and Electronic Communications Regulations (PECR), where relevant.
  4. Other applicable consumer, anti-fraud, AML, and sanctions obligations.

5. Data Protection Principles

The company applies the following core principles:
  1. Lawfulness, fairness, and transparency.
  2. Purpose limitation (use data only for clear, stated purposes).
  3. Data minimization (collect only what is necessary).
  4. Accuracy (keep data up to date).
  5. Storage limitation (retain only as long as necessary).
  6. Integrity and confidentiality (security by design and default).
  7. Accountability (evidence of compliance and governance decisions).

6. Lawful Bases for Processing

Personal data is processed only where a lawful basis applies, including:
  1. Contract performance or pre-contract steps.
  2. Legal obligation (for example, accounting, AML, sanctions, consumer law).
  3. Legitimate interests (for example, fraud prevention, service quality, business continuity).
  4. Consent (for specific marketing and non-essential cookies where required).
  5. Legal claims and dispute handling where relevant.

7. Special Category Data and Criminal Offence Data

  1. The company does not intentionally process special category data unless strictly necessary and legally permitted.
  2. Criminal offence or fraud-prevention-related data is processed only where lawful, proportionate, and necessary for compliance or legal claims.
  3. Additional safeguards are applied where higher-risk data is processed.

8. Individual Rights Management

The company supports individual rights under UK GDPR, including:
  1. Right of access.
  2. Right to rectification.
  3. Right to erasure (where applicable).
  4. Right to restriction of processing.
  5. Right to data portability (where applicable).
  6. Right to object (including direct marketing objections).
  7. Rights related to automated decision-making, where applicable.

Operational requirements:
  1. Rights requests are logged and tracked.
  2. Identity verification is completed before disclosure.
  3. Requests are answered without undue delay and within statutory time limits.

9. Data Security and Access Control

The company implements technical and organizational controls, including:
  1. Encryption in transit and secure hosting.
  2. Role-based access controls and least privilege.
  3. Strong authentication and password management.
  4. Logging and monitoring where appropriate.
  5. Regular patching and vulnerability management.
  6. Vendor risk controls for processors.

Access to personal data is granted only to personnel who need it for legitimate business tasks.

10. Data Retention and Deletion

  1. Personal data is retained according to defined retention schedules aligned to legal and operational requirements.
  2. Data is securely deleted or irreversibly anonymized when no longer required.
  3. Backups and archived records are managed to support legal, audit, and resilience requirements.
  4. Suppression records are retained as needed to honor marketing opt-outs.

11. International Transfers

Where personal data is transferred outside the UK, the company applies appropriate safeguards such as:
  1. UK adequacy regulations.
  2. UK International Data Transfer Agreement (IDTA) or UK Addendum.
  3. Contractual and technical controls proportionate to transfer risk.

12. Processors and Third Parties

  1. Processors are selected with due diligence and documented contracts.
  2. Contracts include data protection obligations, confidentiality, security requirements, and audit/cooperation clauses where appropriate.
  3. Processors may act only on documented instructions from the company.
  4. Data sharing with regulators, law enforcement, or courts is limited to what is legally required.

13. Privacy by Design and DPIAs

  1. New systems, tools, and processes are reviewed for privacy impact before launch.
  2. Data Protection Impact Assessments (DPIAs) are completed for higher-risk processing.
  3. Risks are documented and mitigated before go-live.
  4. Business owners remain accountable for implementing agreed controls.

14. Personal Data Breach Response

If a personal data breach is suspected or confirmed:
  1. It must be escalated internally without delay.
  2. The incident is assessed, contained, and investigated.
  3. Decisions and actions are documented in an incident log.
  4. ICO and affected individuals are notified where legally required.
  5. Corrective actions are implemented to reduce recurrence risk.

15. Training, Awareness, and Governance

  1. Staff handling personal data receive periodic data protection and security awareness training.
  2. This policy is reviewed at least annually or when legal/operational changes require updates.
  3. Governance records are maintained to evidence compliance decisions and risk controls.

16. Contact

Data protection queries and rights requests: admin@thechronokings.com
Website contact: Use the website contact form
Registered office: Bartle House, Oxford Court, Manchester, United Kingdom, M2 3WQ