GDPR Privacy Policy
Data controller: Dr Dave Wood
Introduction and Purpose
This Privacy Policy sets out how Metanoeo collects, uses, stores, and protects any personal data that you provide when you use my life coaching or coach training services, website, or communicate with me.
As the sole trader of Metanoeo Coaching and a Director of Metanoeo CIC, I am the Data Controller responsible for your personal data. I am committed to protecting your privacy and handling your data in a transparent, secure, and lawful manner in accordance with the UK GDPR.
The Data I Collect About You
I may collect, use, store, and transfer the following types of personal data:
- Identity Data: Name, title, date of birth (if required for age verification or legal reasons).
- Contact Data: Billing address, email address, telephone numbers.
- Financial Data: Payment card details (processed securely via third-party providers only) and bank account details for refunds/payments.
- Contractual Data: Records of services purchased, contracts, and payment history.
- Usage Data: Information about how you use my website (via cookies/analytics) and services.
- Special Category Data: This includes data concerning health, race, religion, or sexual orientation. This is often disclosed during coaching and/or training sessions but is only processed when directly relevant to the service and with your explicit consent.
- Coaching Data: Session notes and progress records—this is highly confidential information, often constituting both personal and special category data.
How and Why I Use Your Personal Data (Lawful Basis)
Under the UK GDPR, every use of personal data must have a lawful basis. I rely on the following (Purpose of Processing - Type of Data Used - Lawful Basis):
- To Provide Services: Identity, Contact, Contractual, Coaching, Special Category. Performance of Contract (Coaching / Training) & Explicit Consent (Special Category Data/Session Notes)
- Billing and Accounting: Identity, Contact, Financial, Contractual. Legal Obligation (HMRC record-keeping) & Performance of Contract
- Marketing (Newsletter): Identity, Contact. Consent (You must positively opt-in)
- Website Analytics: Usage. Legitimate Interest (To improve my website and services)
- Internal Record Keeping: Contractual, Financial. Legitimate Interest (To manage the business effectively and for insurance purposes)
How Your Data is Collected
I collect data directly from you when you:
- Enquire about services via my website, email, or telephone.
- Complete an intake form or sign a contract.
- Participate in coaching or training sessions.
- Subscribe to a newsletter or complete a survey.
Data Sharing and Third Parties
I will never sell your personal data to any third party. I only share data with trusted third parties where necessary for the performance of the contract or where required by law (Third Party - Purpose of Sharing - Data Shared):
- Payment Processors (e.g., Stripe, bank): To process payments securely. Financial and Contractual Data.
- Cloud Storage (e.g., Google Drive, Dropbox): To securely store digital files and coaching notes. All data types (encrypted).
- Email/Mailing Providers (e.g., MailChimp): To send service information or marketing newsletters (with consent). Identity and Contact Data.
- Subcontractors/Associates: If another coach/trainer assists, data is shared only with your explicit consent and under a strict confidentiality agreement. Relevant Identity and Coaching Data.
- Legal Authorities: If required by a court order or to comply with safeguarding or anti-money laundering legislation. As required by law.
Important Note on International Transfers: When I use cloud services (like those listed above), your data may be stored outside the UK. I ensure that all such providers are certified as offering an adequate level of protection consistent with UK GDPR requirements.
Data Security and Retention
- Security: I have implemented strong technical and organisational measures (e.g., password protection, encryption, secure cloud services) to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way.
- Retention: I will only retain your personal data for as long as necessary to fulfil the purposes I collected it for, including for satisfying any legal (HMRC), accounting, or professional indemnity requirements. Typically, this is 7 years after the contract ends. After this period, the data will be securely destroyed.
Your Legal Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right to be Informed: To be informed about how your data is used (which this policy does).
- Right of Access: To request a copy of the personal data I hold about you (Subject Access Request - SAR).
- Right to Rectification: To request that inaccurate data be corrected.
- Right to Erasure ('Right to be Forgotten'): To request that your data be deleted, unless I have a legal obligation to retain it.
- Right to Restrict Processing: To request the suppression of your data's processing.
- Right to Data Portability: To request that your data be transferred to you or another party.
- Right to Object: To object to the processing of your data, particularly for direct marketing.
- Right to Withdraw Consent: Where the lawful basis is consent, you can withdraw it at any time.
I will respond to all legitimate requests within one calendar month.
Complaints
If you have any concerns about my use of your personal data, you can contact me directly at the address or email below.
You also have the right to make a complaint at any time to the UK supervisory authority for data protection, the Information Commissioner's Office (ICO).
Contact Details
If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact me:
Name: Dr Dave Wood (Data Controller)
Email: dave@metanoeo.org.uk
Telephone: 07472 716195