Privacy Policy

Summary:

Last Updated: 21 May 2026

Next Review Date: 21 May 2027

I only collect the minimum amount of data needed to deliver high-impact consulting services, share valuable insights, and run a secure business. I never sell your data, I don’t use dubious tracking tactics, and I protect your information using industry-standard encryption and security controls. You have complete control over your data at all times.

1. Who Is Behind This Policy?

This website and consultancy are operated by Lush Coaching Ltd, a company registered in England and Wales.

For the purposes of the UK and EU General Data Protection Regulation (GDPR), I am the Data Controller. This means I determine why and how your personal data is processed. Because I believe in transparency and marketing with compassion, this policy explains exactly what happens to your information when you interact with me.

If you have any questions or want to exercise your data rights, you can reach me directly at: andrea@lushcoaching.com.

2. The Data I Collect, Why I Need It, and the Legal Basis

The law requires me to have a valid legal reason (called a "lawful basis") to process your data. I rely primarily on Contractual Necessity, Legitimate Interests, and explicit Consent.

3. How Long I Keep Your Information

I practice data minimisation—I only keep your data for as long as it is actively serving the purpose it was collected for, or to meet legal obligations.

  • Newsletter Subscribers: Until you unsubscribe. Once you hit "unsubscribe," your data is immediately deactivated and permanently purged from the active list within 30 days.

  • Inquiries & Discovery Calls (that don’t convert): Purged 3 years after our last communication.

  • Active Clients: Kept for the duration of our contract plus 6 years following the end of the financial year of our last project. This timeline is strictly to comply with UK corporate tax laws and HMRC audit requirements.

4. Who I Share Your Data With (The Tools I Use)

I never rent, sell, or trade your data. To run a modern, efficient digital workflow, I securely pass your data to trusted third-party applications. These platforms act as Data Processors and are strictly vetted to ensure they protect your privacy to UK/EU standards.

  • Email Marketing & Newsletter: [Substack] — to deliver my updates.

  • Scheduling & Discovery Calls: [Cal.com] — to manage my calendar bookings.

  • Workspace & Communication: [Google Drive / Zoom] — for secure email, video calls, and document collaboration.

  • Invoicing & Accounting: [Xero / Stripe] — to process secure payments and file corporate taxes.

  • Professional Workflow Automation: Only secure APIs are used to process information; your text data is never used by these third parties to train public AI models.

International Data Transfers: Some of these software providers store data on servers located outside the UK or EEA (primarily the United States). Where this occurs, I ensure standard legal safeguards are active, including Standard Contractual Clauses (SCCs) or verified Data Privacy Framework agreements.

5. Your Legal Rights (And How to Use Them)

Under the GDPR, you hold significant rights over your data. Because I run a solo advisory, you don't have to navigate a complex ticketing system to use them. Just email me at andrea@lushcoaching.com, and I will fulfil your request within one calendar month, free of charge.

  • The Right to Access: You can ask for a copy of all the personal data I hold about you.

  • The Right to Rectification: If something is wrong or out of date, tell me and I will fix it instantly.

  • The Right to Erasure ("Right to be Forgotten"): You can ask me to delete your data. I will do so immediately, provided it does not conflict with my statutory obligations to HMRC.

  • The Right to Object or Restrict: You can opt out of direct marketing instantly via the unsubscribe link in any email footer.

If you believe I have handled your data incorrectly, I would appreciate the chance to fix it with you directly. However, you have the absolute right to lodge a formal complaint at any time with the UK regulator, the Information Commissioner’s Office (ICO), at ico.org.uk.

6. Security Measures (How Your Data Is Protected)

To ensure this policy isn't just empty words, my internal technical setup includes:

  1. Full Device Encryption: All business laptops and smartphones are fully encrypted at the hardware level. If a device is physically lost or stolen, your data remains completely unreadable.

  2. Hardware Multi-Factor Authentication (MFA): Access to my email, cloud storage, and CRM is protected by mandatory multi-factor authentication.

  3. Session Auto-Lock: All screens auto-lock after 2 minutes of inactivity to prevent unauthorised physical access.