Privacy Policy

We collect personal data directly from you when you:

• visit our website;

• fill in a contact form or questionnaire;

• purchase a report or consultation;

• send us emails or messages;

• attend a video consultation;

• upload or send supporting documents.

We may also receive limited information from third-party service providers you use to interact with us, such as payment processors, website form providers, booking tools, analytics providers, hosting providers, or video conferencing platforms. If we obtain personal data from another source, UK data protection law still requires us to provide privacy information within the required timeframe.

4. How we use your information

We may use your personal data to:

• respond to enquiries;

• provide our report and consultation services;

• verify, prepare, personalise, and deliver your report;

• arrange and hold video consultations;

• process payments and maintain transaction records;

• communicate with you about your order or booking;

• improve our website, forms, and services;

• keep records, manage complaints, and protect our business;

• send marketing communications where we are allowed to do so.

5. Our lawful bases for using your information

Data protection law requires us to have a lawful basis for using personal data. Depending on the circumstances, we may rely on:

• contract — where use of your information is necessary to provide the report, consultation, booking, or other service you have asked us for;

• legitimate interests — for example, to run and improve our service, keep records, respond to non-service enquiries, prevent misuse, and manage our business, where those interests are not overridden by your rights;

• consent — where we specifically ask for it, such as certain marketing or certain cookie uses;

• legal obligation — where we must keep or disclose information to comply with the law.

Where cookies or similar technologies require consent under PECR, we will seek that consent before using them unless an exemption applies, such as where they are strictly necessary for the service you requested.

6. Sensitive information

Please only provide information that is reasonably necessary for us to deliver the service you have requested. If you choose to provide sensitive or special category data, we will only process it where we are permitted to do so under data protection law, including where you have given explicit consent or another valid condition applies. Special category data requires both a lawful basis under Article 6 and an additional condition under Article 9 of the UK GDPR.

If you provide information about another adult or a child, you should only share what is necessary and you should make sure you are entitled to provide it. We may ask for further information where needed before acting on a request made on behalf of someone else. The ICO’s subject access guidance also recognises that third parties may act on someone’s behalf, but authority may need to be evidenced.

7. Reports, AI assistance, and automated processing

We may use software tools, templates, or AI-assisted systems to help organise information, draft content, or support service delivery. However, we do not intend to make solely automated decisions about you that produce legal or similarly significant effects without the safeguards required by law. UK data protection law places specific restrictions on solely automated decisions of that kind.

8. Who we share your information with

We may share personal data, where necessary, with trusted service providers that help us operate our business, such as website hosts, form providers, payment processors, document generation providers, email providers, cloud storage providers, video conferencing providers, and professional advisers. We may also share information where required by law, to establish or defend legal claims, or to protect our rights and interests. Data sharing must have a lawful basis.

We require service providers acting for us to handle personal data appropriately and only for authorised purposes. Replace this section with the names of your actual providers if you want your policy to be more specific and transparent. The ICO recommends that privacy notices explain who information is shared with.

9. International transfers

Some of our service providers may store or process personal data outside the UK. If we transfer personal data internationally, we will take steps required by UK data protection law to protect it, such as relying on an adequacy decision or appropriate safeguards where needed. Privacy notices should explain international transfers and the basis relied on where applicable.

10. How long we keep your information

We will not keep personal data for longer than we need it. We will generally retain information for as long as necessary to provide the service, deal with follow-up queries or complaints, keep required business and tax records, and protect or defend legal claims. If we do not set a single fixed period, we use retention criteria such as the nature of the service, legal requirements, dispute risk, and whether you remain an active customer. The ICO says you should tell people either your retention period or the criteria used to decide it.

Suggested wording you may tailor:

• enquiry data: [e.g. 12 months]

• completed reports and supporting information: [e.g. 6 years]

• payment/transaction records: [e.g. 6 years plus current financial year]

• marketing suppression records: as long as needed to respect opt-out requests.

11. Marketing

If you subscribe to updates or otherwise consent to marketing, we may send you service news, offers, or related updates. You can unsubscribe or withdraw consent at any time using the unsubscribe link in the message or by contacting us. For many marketing emails or texts to individuals, PECR requires specific consent, subject to limited exceptions. If consent is withdrawn, it should be as easy to withdraw as it was to give.

12. Cookies and similar technologies

Our website may use cookies and similar technologies for essential website functions and, where you agree, for analytics or other optional purposes. We will tell you about the technologies we use and, where required, ask for consent before using non-essential cookies or similar technologies. PECR applies not only to cookies but also to technologies such as tracking pixels, scripts, tags, web storage, and fingerprinting techniques.

You can manage cookie preferences through our cookie banner or your browser settings, although disabling some technologies may affect how the site works.

13. Your rights

Depending on the circumstances, you may have the right to:

• be informed about how your information is used;

• access your personal data;

• have inaccurate data corrected;

• have data erased;

• restrict how data is used;

• object to certain processing;

• receive a copy of data in a portable format in some cases;

• withdraw consent where consent is the lawful basis;

• raise concerns about certain automated decision-making.

Organisations generally must respond to rights requests without undue delay and normally within one calendar month, although that can sometimes be extended for complex requests.

To exercise your rights, contact us at [insert email address]. We may need to verify your identity before responding.

14. Security

We use appropriate technical and organisational measures to reduce the risk of loss, misuse, or unauthorised access to personal data. However, no internet transmission or storage system can be guaranteed to be completely secure, so we cannot promise absolute security. This is a practical statement rather than a specific statutory phrase, but it aligns with the general UK GDPR requirement to process data securely.

15. Complaints

If you have a concern about how we use your personal data, please contact us first and we will try to resolve it. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. The ICO recommends first raising the matter with the organisation and then, if needed, complaining to the ICO.

ICO website: Information Commissioner’s Office
Complaint guidance: available on the ICO website. If you plan to mention timing, the ICO says people should normally raise complaints with it within three months of their last meaningful contact with the organisation.

16. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will update the “last updated” date and, where appropriate, take additional steps to bring the changes to your attention. The ICO says privacy information should be reviewed and updated, especially before starting new processing purposes