Book a free discovery call

← Back to Legal

Privacy Policy

Last updated: April 2026

Nobody reads privacy policies. I know that, you know that, we all know that. But they matter, and this one is written to actually make sense rather than to make a lawyer feel better about themselves.

The short version: I collect only what I need, I keep it only as long as I have to, I don’t sell it to anyone, and I treat your information with the same care I’d want someone to treat mine. If you’re a client, a newsletter subscriber, or just someone who filled in the contact form, this policy covers you.

The slightly longer version is below. It’s been generated with the help of the ICO‘s own privacy notice tool, so it covers everything required under UK GDPR. I’ve also made sure it lines up with the Data Privacy Policy document I give to clients during onboarding, so there are no surprises wherever you encounter my policies.

If you want to know what I hold on you, want something changed or removed, or just have a question about any of this, drop me an email at privacy@carolynnicholson.co.uk and I’ll come back to you within a month – though usually much faster than that.

Privacy Policy

This privacy notice tells you what to expect us to do with your personal information.

Contact details

Telephone: 07884 075 762 Email: privacy@carolynnicholson.co.uk

What information we collect, use, and why

To provide services and goods, including delivery
  • Names and contact details
  • Addresses
  • Purchase or account history
  • Payment details (including card or bank information for transfers and direct debits)
  • Account information
  • Website user information (including user journeys and cookie tracking – please see our separate Cookie Policy)
  • Records of meetings and decisions
  • Information relating to compliments or complaints
For the operation of customer accounts and guarantees
  • Names and contact details
  • Addresses
  • Payment details (including card or bank information for transfers and direct debits)
  • Purchase history
  • Account information, including registration details
  • Marketing preferences
For service updates or marketing purposes
  • Names and contact details
  • Addresses
  • Marketing preferences
  • Location data
  • Purchase or viewing history
  • IP addresses
  • Website and app user journey information
  • Records of consent, where appropriate
For research or archiving purposes
  • Names and contact details
  • Addresses
  • Location data
  • Purchase or viewing history
  • IP addresses
  • Website and app user journey information
  • Personal information used for administration of research
  • Personal information used for the purpose of research
  • Records of consent, where appropriate
To comply with legal requirements
  • Name
  • Contact information
  • Financial transaction information
For dealing with queries, complaints or claims
  • Names and contact details
  • Address
  • Payment details
  • Account information
  • Purchase or service history
  • Customer or client accounts and records
  • Financial transaction information
  • Correspondence

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO‘s website. Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
  • Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
  • Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
  • Your right to erasure – You have the right to ask us to delete your personal information.
  • Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
  • Your right to object to processing – You have the right to object to the processing of your personal data.
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Providing services and goods

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  • Client Relationship Management: Understanding client business context and specific needs; maintaining accurate client records; providing personalised and efficient support; following up on ongoing projects and potential future collaborations.
  • Quality and Performance Improvement: Tracking service effectiveness; gathering feedback; analysing workflow efficiency; identifying opportunities for process optimisation.

Operation of customer accounts and guarantees

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Service updates or marketing purposes

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  • Direct Marketing Purposes: Sending relevant service updates; sharing targeted communications about new offerings; informing about improvements or expanded capabilities; providing industry-specific insights valuable to clients.
  • Business Development: Understanding client needs and preferences; tailoring services to specific market segments; developing more responsive and personalised service offerings.
  • Communication and Engagement: Maintaining professional relationships; sharing thought leadership content; providing value-added information relevant to client industries.
  • Performance Tracking: Analysing marketing effectiveness; understanding client engagement patterns; improving communication strategies; measuring service satisfaction.

Research or archiving purposes

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. Our legitimate interests are:
  • Academic and Scientific Research: Advancing knowledge in specific fields; conducting longitudinal studies; understanding professional trends and developments.
  • Historical Documentation: Preserving professional histories; creating comprehensive industry archives; maintaining institutional memory.
  • Statistical and Analytical Purposes: Tracking professional trends; developing benchmarking data; analysing industry demographics.
  • Professional Development: Understanding skill evolution; mapping career trajectories; identifying training and education needs.

Legal requirements

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Queries, complaints or claims

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Where we get personal information from

  • Directly from you
  • Suppliers and service providers

How long we keep information

  1. Active client data
    • During active service engagement: Full, current data
    • 1 year after service completion: Minimal essential records
    • 3 years after service: Archived, limited information
  1. Financial and contractual records
    • Invoices and contracts: 7 years (tax and legal compliance)
    • Payment records: 7 years
    • Tax-related documents: 7 years
  1. Communication records
    • Email communications: 2-3 years
    • Project correspondence: 3-5 years after project completion
    • Support ticket/inquiry records: 2 years
  1. Personal identifiable information (PII)
    • Active clients: Current, full information
    • Inactive clients: Anonymised or minimal data after 1 year
    • Consent-based marketing lists: Annual review and cleanup
  1. Research or training data
    • Anonymised data: Up to 5 years
    • Consent-based research data: As per research agreement

Who we share information with

Data processors Stripe: Technology, financial services, financial technology – online payment processing and payment infrastructure. Headquartered in the USA but a global company. This data processor does the following activities for us: The company provides payment processing software and APIs that allow me to accept online payments, manage subscriptions, and handle various financial transactions across different platforms and countries. MailerLite: Technology, email marketing services – email marketing platform and automation. Headquartered in Vilnius, Lithuania (European Union) and operating under EU GDPR, which is recognised as providing adequate protection for UK data transfers. This data processor does the following activities for us: MailerLite provides the platform through which we manage our mailing lists, send newsletters and automated email sequences, and analyse email engagement. Names and email addresses of subscribers are held within MailerLite in accordance with their data privacy policy and terms of service. Others we share personal information with
  • Organisations we need to share information with for safeguarding reasons
  • Financial or fraud investigation authorities
  • Relevant regulatory authorities
  • External auditors or inspectors
  • Organisations we’re legally obliged to share personal information with
  • Debt collection agencies
  • Suppliers and service providers
International data transfers (added April 2026) Some of our data processors operate outside the United Kingdom. Where this is the case, we only use processors based in countries or regions that provide an adequate level of data protection as recognised under UK GDPR, or where appropriate contractual safeguards are in place. Stripe is headquartered in the United States, which operates under the UK-US Data Bridge arrangement. MailerLite is based in the European Union, which is recognised as adequate under UK GDPR.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO. The ICO’s address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: 0303 123 1113 Website: ICO Complaints