My data was affected by a confirmed…
My data was affected by a confirmed cybersecurity incident at Grace Media (Gibraltar) Limited, which operates Royale Lounge. The company's own final response confirmed that name, address, date of birth, transaction history, eKYC results, PEP and sanctions screening data, CCJ data and credit score information were all held in the affected environment.
Despite this, my compensation claim was rejected outright, with the company relying solely on the absence of confirmed exfiltration or financial loss — ignoring that UK GDPR (Article 82) allows compensation for distress and anxiety alone, without needing to prove financial harm or misuse.
I spoke to Alex in the Compliance team about this, who I found unhelpful — no meaningful engagement with the points raised, just a restatement of the company's position and a referral to eCOGRA.
No goodwill gesture, no proactive compensation, no meaningful acknowledgement of customer distress. I was simply told the matter was closed.
I've rejected their final response and this is now proceeding through the Small Claims Court. If your data has been exposed by this company, I'd urge you to read their final response carefully before accepting it — the wording downplays the scope of what was actually confirmed as affected.








