Skip to main content

Data Subject Rights Request

UK GDPR & EU GDPR (Regulation 2016/679) — Articles 15 to 22

Version 1.0 | Last updated: 11 May 2026

SummitBridge Horizon Ltd | Companies House 16419201 | ICO ZC112810

If you are an individual whose personal data we process — including visitors, customers, candidates assessed via HumanBaseIQ, prospects, and contacts — you have statutory rights under the UK GDPR, the Data Protection Act 2018, and the EU GDPR (Regulation 2016/679). This page explains those rights and how to exercise them.

Your rights at a glance

  • Right of access (Art. 15): obtain confirmation that we process your data and receive a copy of it (commonly known as a SAR — Subject Access Request).
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion where applicable (“right to be forgotten”).
  • Right to restriction (Art. 18): require us to stop processing while accuracy or lawfulness is contested.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object (Art. 21): object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making (Art. 22): request human review of any solely automated decision with significant effect.
  • Right to withdraw consent at any time where processing relies on Article 6(1)(a) consent.

How to submit a request

You may submit a request through any of the following channels:

  • Email (preferred): [email protected]
  • Postal mail: Data Protection Officer, SummitBridge Horizon Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
  • Customer portal: registered customers may use the in-app erasure and export tools available under Account > Privacy.

To help us locate your data quickly and prevent disclosure to the wrong person, please include in your request:

  • Full name and any aliases you have used with us;
  • Email address(es) and phone number(s) used with our services;
  • The specific right you wish to exercise (access, erasure, etc.);
  • Sufficient information to verify your identity (we may request a copy of an ID document; we will delete it immediately after verification).

Our response timeline

We will respond within one calendar month from receipt of a valid, verified request (UK GDPR Art. 12(3); EU GDPR Art. 12(3)). For complex or numerous requests we may extend this period by up to two further months, in which case we will notify you within the first month with reasons.

For erasure requests under Art. 17 affecting active production systems, we typically complete deletion within 72 hours of identity verification and notify you upon completion.

Cost

Requests are processed free of charge. A reasonable fee may be charged only where a request is manifestly unfounded or excessive (UK GDPR Art. 12(5); EU GDPR Art. 12(5)) — for example, repeated identical requests within a short period.

If you are in the European Union

As SummitBridge Horizon Ltd is established in the United Kingdom (a third country under EU GDPR), we have appointed an EU representative under Article 27 GDPR to receive requests from EU data subjects and supervisory authorities. The appointment is in its final selection phase; until completed, EU data subjects may contact us directly via the channels above or via /legal/eu-representative.

Right to lodge a complaint

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
  • European Union: Find your national supervisory authority via the European Data Protection Board — edpb.europa.eu
  • Germany: the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the competent Land authority.

Data we typically hold

For customers and prospects: name, email, phone, company, billing data, support tickets, license keys, order history. For candidates assessed via HumanBaseIQ: CV/résumé, interview transcripts, aggregated scores (no biometric templates — see our AI Transparency Report). For visitors: server logs (max 90 days), cookie identifiers (see the Cookie Policy).