Data Protection Policy

DATA PROTECTION POLICY

Coaching South West

Version 1.1 | November 2025

1. INTRODUCTION & PURPOSE

Coaching South West is committed to protecting your privacy and ensuring you have a positive experience on our website and when using our training services. This Data Protection Policy explains how we collect, use, store, and protect your personal data in accordance with UK Data Protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to all learners, website visitors, and anyone who interacts with Coaching South West. It describes:
• What personal data we collect
• Why we collect it
• How we use it
• How long we keep it
• Your rights regarding your data
• How we protect it

2. WHO WE ARE (DATA CONTROLLER)

Coaching South West is the Data Controller responsible for your personal data.

Controller Details:
Name: Zoe McFarlane
Business: Coaching South West
Email: zoe@coachingsouthwest.com
Website: www.coachingsouthwest.com

If you have any questions about how we handle your data, please contact us using the details above.

3. WHAT PERSONAL DATA DO WE COLLECT?

For Course Booking & Attendance:

We collect the following:

  • Full name (required)
  • Email address (required)
  • Payment information (processed by Eventbrite)
  • Course title and date

For Course Delivery:

During the live training session, we collect:

  • Audio recording of your voice during the session (if you speak)
  • Your attendance record (name, date, course attended, duration)
  • Optional: Information about accessibility needs (at your discretion)

For Feedback & Certification:

After your training, we collect:

  • Your name and email (for certificate delivery)
  • Feedback text you provide about your learning experience
  • Your consent choice regarding use of feedback for marketing

4. LEGAL BASIS FOR PROCESSING YOUR DATA

Contract:

We process your name and email because they are necessary to deliver the training course and send you your attendance certificate. This is essential to fulfil our contract with you.

Legitimate Interest:

We record sessions for quality assurance and to investigate complaints. We have a legitimate interest in ensuring high-quality training delivery and protecting ourselves and learners in case of disputes. We balance this against your privacy rights by: (a) informing you clearly that recording is taking place, (b) limiting storage to 30 days, and (c) only using recordings for quality assurance and complaint investigation.

Consent:

We only use your feedback for marketing purposes if you have explicitly consented to this on the feedback form. You can choose to: (1) allow your feedback and name to be used for testimonials, (2) allow your feedback to be used anonymously, or (3) decline consent for marketing use. The choice is yours.

5. HOW WE USE YOUR DATA

  • To deliver your training course via Microsoft Teams
  • To send you your attendance certificate by email
  • To record sessions for quality assurance purposes (improving our training delivery)
  • To record sessions to investigate complaints if they arise
  • To collect feedback to help us improve our courses
  • To use your feedback for marketing purposes (only if you have consented)
  • To comply with CPD accreditation requirements

6. HOW LONG DO WE KEEP YOUR DATA?

Type of Data Retention Period
Email address (for certificate delivery) 1 year from course completion, then deleted
Attendance records (name, date, course, duration) 7 years (for CPD accreditation and compliance purposes)
Session recordings 30 days (deleted automatically via Teams). If a complaint is active, kept until complaint is resolved + 30 days
Feedback responses (named) 1 year. After 1 year, names and identifying information are removed (anonymized)
Feedback responses (anonymized themes) Kept indefinitely for quality improvement and trend analysis
Payment information (via Eventbrite) Held by Eventbrite per their data retention policy

7. WHO CAN ACCESS YOUR DATA?

Internal Access:

Your personal data is only accessed by Zoe McFarlane (Director/sole employee of Coaching South West). We do not share your data internally with anyone else as we are a sole-trader operation.

External Sharing – We DO NOT share your data with third parties for marketing purposes:

Your contact details will NOT be sold, rented, or shared with external marketing companies or other organizations.

External Sharing – Limited Scenarios:

In the following specific circumstances, data may be shared:

  • Complaint investigation: If a formal complaint is upheld and escalated, relevant recordings may be shared with the appropriate professional body (CPD Standards Office, British Psychological Society, Association for Coaching) to support the investigation. Only data relevant to the complaint will be shared.
  • Legal requirement: If required by law (e.g., court order), we may be required to disclose information.
  • CPD Accreditation: We may provide attendance records to our CPD accreditor to demonstrate compliance (anonymized where possible, or minimal identifying information).

8. THIRD-PARTY PROCESSORS (DATA PROCESSORS)

We use the following third-party services that may process your personal data. These providers are Data Processors who act on our instructions and are bound by confidentiality:

Microsoft Teams:

Used for: Course delivery and recording
Data processed: Your name, audio (if you speak), video (if camera is on), attendance
Microsoft’s privacy policy: https://privacy.microsoft.com/
GDPR compliance: Microsoft is UK GDPR compliant

Google Drive & OneDrive:

Used for: Storage of attendance records, feedback responses, complaint-related recordings
Data processed: Your attendance information, feedback (including name and email)
Google/Microsoft’s privacy policy: https://www.google.com/policies/privacy/ | https://privacy.microsoft.com/
GDPR compliance: Both are UK GDPR compliant

Eventbrite:

Used for: Course booking and payment processing
Data processed: Your name, email, payment information
Eventbrite’s privacy policy: https://www.eventbrite.co.uk/support/articles/en_US/Troubleshooting/eventbrite-privacy-policy
GDPR compliance: Eventbrite is UK GDPR compliant. Payment information is PCI DSS compliant.
Data Processing Agreement: Available on request from Eventbrite

Gmail:

Used for: Sending certificates and course information
Data processed: Your email address
Google’s privacy policy: https://www.google.com/policies/privacy/
GDPR compliance: Google is UK GDPR compliant

Names.co.uk Webmail:

Used for: Business email hosting (zoe@coachingsouthwest.com) for course communications, certificates, and learner contact
Data processed: Learner email addresses, course information, certificates, attachments, email content
Names.co.uk privacy policy: https://www.names.co.uk/support
GDPR compliance: Names.co.uk is UK GDPR compliant. Data Processing Agreement available on request.
Data retention: Emails are retained on your account. Deleted emails are retained in trash for 30 days before auto-deletion.

All third-party processors are contractually bound to process data only on our instructions and to maintain appropriate security measures.

9. SESSION RECORDINGS

Recording Disclosure:

All training sessions delivered via Microsoft Teams are recorded. You will be notified of this recording via:

  • A verbal announcement at the start of each session (“This session is being recorded for quality assurance and complaint investigation purposes”)
  • A notice on the first slide of the training presentation

What is recorded:

The entire session is recorded, including audio. Your video will only be captured if your camera is on. Even if your camera is off, your audio will be recorded if you speak during the session. By joining the session, you consent to being recorded.

How recordings are used:

  • Quality Assurance: To review training delivery, content, and trainer performance
  • Complaint Investigation: If a complaint is made about the training, we may review the recording to investigate
  • Professional Body Investigation: If a complaint is escalated to a professional body (CPD, BPS, AC), the recording may be shared to support investigation

Recording storage & deletion:

Recordings are stored in Microsoft Teams/OneDrive and are automatically deleted after 30 days. However, learners are provided with a shareable link to their session recording for personal review purposes. This link is sent via the certificate email and is set to expire after 7 days. After 7 days, the link stops working and learners can no longer access the recording, though the recording itself remains on our secure OneDrive for backup purposes. Recordings are for personal study only and must not be shared or distributed.

If a formal complaint is active relating to a recording, the recording is downloaded and kept separately until the complaint is resolved, plus an additional 30 days. After this period, the recording is securely deleted from all locations.

Transcripts:

Transcripts of training sessions are automatically generated via Microsoft Teams. Learners can request transcripts by emailing zoe@coachingsouthwest.com within 7 days of course completion. Transcripts will be provided in text format via email within 5 working days of request.

10. LEARNER RESPONSIBILITY & CONFIDENTIALITY

By attending our training, you agree to:

• Not disclose any confidential client information or case details during the session
• Respect the privacy of other learners on the call
• Comply with your professional duty of confidentiality as a therapist/counsellor/mental health worker
• Not record the session independently (only Coaching South West records, with your consent)
• Not share session links or access credentials with unauthorized people

Coaching South West is not responsible for any breaches of confidentiality that occur due to your actions
(e.g., if you discuss a client case during training and it is recorded).

11. HOW DO WE PROTECT YOUR DATA?

  • Access Control: Data is only accessible to Zoe McFarlane. Strong passwords protect all accounts.
  • Encryption: Data in transit (emails, Teams) is encrypted. Data at rest (Google Drive, OneDrive) is secured by the provider’s encryption.
  • Backup: Data is backed up via cloud services (OneDrive, Google Drive) with automatic redundancy.
  • Deletion: When data is deleted, it is securely removed and not recoverable (via bin deletion).
  • Monitoring: Account activity is monitored for unauthorized access.
  • Breach Response: We have a Data Breach Response Plan in place. See Section 14 for details.

12. FEEDBACK & MARKETING CONSENT

At the end of your training, you will be asked to provide feedback and indicate your consent for marketing use:

  • I agree: Your feedback and name can be used in testimonials, case studies, and marketing materials
  • I agree but wish to remain anonymous: Your feedback can be used for marketing, but without your name or identifying information
  • I do not agree: Your feedback will not be used for marketing purposes (but may be used for internal quality improvement)

If you do not provide explicit consent, your feedback will not be used for marketing purposes and will be kept confidential. Your choice does not affect your certificate or your ability to attend future courses.

13. YOUR RIGHTS (DATA SUBJECT RIGHTS)

Under UK GDPR, you have the following rights:

Right to Access:

You can request a copy of the personal data we hold about you (Subject Access Request). Contact: zoe@coachingsouthwest.com. We will respond within 30 days.

Right to Rectification:

If your personal data is inaccurate, you can request we correct it (e.g., if your name is spelled incorrectly). Contact us at zoe@coachingsouthwest.com.

Right to Erasure (Right to be Forgotten):

You can request deletion of your personal data in certain circumstances. However, we may need to retain minimal attendance records (course date, course title) for CPD accreditation and legal compliance. Contact: zoe@coachingsouthwest.com.

Right to Restrict Processing:

You can request that we limit how we use your data in certain circumstances. Contact: zoe@coachingsouthwest.com.

Right to Data Portability:

You can request your data in a portable format. Contact: zoe@coachingsouthwest.com.

Right to Object:

You can object to processing of your data (e.g., for marketing). Contact: zoe@coachingsouthwest.com.

All requests should be submitted to: zoe@coachingsouthwest.com with subject line “Data Subject Request”.

14. DATA BREACH NOTIFICATION

If we discover a data breach (unauthorized access, loss, or theft of your data), we are committed to responding quickly and transparently.

Our Process:

  • We will identify and contain the breach
  • We will assess the risk to you
  • We will notify you and the relevant authorities (Information Commissioner’s Office) if there is a high risk to your rights
  • We will provide you with information about what happened and what steps you should take
  • We will investigate how it happened and take steps to prevent future breaches

Please see our separate Data Breach Response Plan for full details of our breach response procedure. For queries about a breach, contact: zoe@coachingsouthwest.com

15. CHANGES TO THIS POLICY

This Data Protection Policy will be reviewed at least annually. Any changes will be posted on our website and communicated to learners. Your continued use of our services following any changes constitutes your acceptance of the updated policy.

16. CONTACT US

If you have any questions about this Data Protection Policy or how we handle your data, please contact:

  • Name: Zoe McFarlane
  • Email: zoe@coachingsouthwest.com
  • Website: www.coachingsouthwest.com
  • Address: [Add if applicable]

Information Commissioner’s Office (ICO):

If you believe we are not complying with this policy or data protection law, you have the right to lodge a complaint with the ICO:

Website: www.ico.org.uk
Phone: 0303 123 1113
Email: casework@ico.org.uk

________________________________________________________________________________

Signed:

Zoe McFarlane
Director
Coaching South West
November 2025