GDPR Compliance

Last Updated: May 29, 2026

Our Commitment to GDPR

glow-marsh is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and your rights as a data subject.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: When you submit a journey planning request or sign up for communications
  • Contract Performance: To provide route planning and travel services you request
  • Legitimate Interest: To improve our services and communicate relevant information
  • Legal Obligation: To comply with applicable laws and regulations

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.

Right to Rectification

If you believe any information we hold about you is incorrect or incomplete, you have the right to request correction or completion of your data.

Right to Erasure (Right to be Forgotten)

You can request that we delete your personal data under certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Right to Restriction of Processing

You can request that we limit how we use your data while we investigate concerns you have raised.

Right to Data Portability

You have the right to receive your personal data in a portable format and transmit it to another data controller.

Right to Object

You can object to processing of your personal data where we rely on legitimate interest as the legal basis, or where we use your data for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with GDPR requirements.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]
Address: 348 Harbour View Street, Victoria, BC V8V 2R5, Canada

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you of the extension.

Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer:

Email: [email protected]

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Journey planning inquiries: Retained for up to 2 years after last contact
  • Active service contracts: Retained for duration of service plus 7 years for legal compliance
  • Marketing communications: Retained until you unsubscribe or request deletion
  • Website analytics: Anonymized after 26 months

International Data Transfers

Your data is primarily stored and processed in Canada. If we transfer data outside the European Economic Area, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally compliant transfer mechanisms

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments
  • Access controls and authentication
  • Staff training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also notify affected individuals without undue delay.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Children's Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children without parental consent.

Updates to This Policy

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through our website or direct notification.