1. Who we are
Coontie Flow Ltd (“Coontie Flow”, “we”, “our”, “us”) is the “data controller” of the personal data we hold about you, as that term is defined in the UK GDPR. We are a company registered in England and Wales with our registered office at 10 Charlotte Square, Edinburgh EH2 4DR.
If you have any questions about this Privacy Policy or about how we handle your personal data, you can contact us at:
Coontie Flow Ltd — Data Protection
10 Charlotte Square, Edinburgh EH2 4DR, United Kingdom
Email: [email protected]
Phone: +44 7555 445566
2. What this policy covers
This Privacy Policy explains what personal data we collect when you visit coontieflow.digital, when you enquire about or book any of our services, and when you attend a consultation, workshop or coaching engagement. It tells you what we do with that data, how long we keep it, who we share it with, and what rights you have in relation to it.
This policy does not cover third-party websites we may link to. When you follow an external link, you become subject to the privacy policy of that third party.
3. The personal data we collect
We collect personal data from you in the following situations:
3.1 When you fill in a form on our website
Our lead form and booking form collect: first name, last name, email address, telephone number, current career level or intended role, the service you are interested in, and any free-text comments you choose to provide. This information is submitted by the form to our service provider FormSubmit (see section 7) and delivered to our mailbox at [email protected].
3.2 When you engage with us as a client
During a coaching engagement we will collect whatever information is reasonably necessary to deliver the service, including: your CV and cover letters, LinkedIn profile links, details of your education and work history, salary expectations, information about previous interviews, feedback you share with us, and any notes we take during sessions. In some cases, and only with your consent, we may also hold your passport photo page or Right-to-Work documentation when verifying visa context.
3.3 When you visit our website
When you browse coontieflow.digital, we automatically receive limited technical information: your IP address (which may indicate approximate location), the pages you view, your browser type, the referring URL, and similar log data. We also set cookies — but only the strictly necessary cookies load by default. Analytics and marketing cookies (including Google Analytics and Google Ads) load only after you consent via our cookie banner. See section 8 for details.
4. Our lawful bases for processing
Under Article 6 of the UK GDPR we must have a lawful basis for every type of processing. We rely on the following bases:
- Contract (Art. 6(1)(b)) — when we process your personal data to provide the service you have booked, to communicate with you about your engagement, or to take steps at your request before entering into a contract (for example, arranging a discovery call).
- Consent (Art. 6(1)(a)) — when you explicitly opt in to analytics or marketing cookies, to marketing emails, or to any other non-essential use of your data. You may withdraw your consent at any time.
- Legitimate interests (Art. 6(1)(f)) — when we need to process data to run our business safely (for example, responding to enquiries, protecting our site from fraud and abuse, keeping anonymised records of past work for quality assurance). We only rely on this basis where we have balanced our interests against your rights and concluded that the processing is proportionate and expected.
- Legal obligation (Art. 6(1)(c)) — when we are required to keep certain records by UK law (for example, accounting and tax records).
5. How we use your personal data
We use the personal data we collect to:
- Respond to your enquiries and schedule consultations;
- Deliver the coaching, CV or workshop service you have booked;
- Issue invoices and keep proper accounting records;
- Communicate with you about scheduling, pre-work and feedback;
- Improve our website and our services through aggregate analytics (where you have consented);
- Measure and optimise our advertising on Google Ads and similar platforms (where you have consented);
- Respond to legal requests, protect our rights and prevent fraud;
- Send you occasional updates about our services, but only if you have opted in.
6. How long we keep your data
We do not keep personal data longer than we need to. Our standard retention periods are:
- Enquiry data (form submissions that did not convert to a booking): up to 12 months from the date of the enquiry, then deleted.
- Client engagement data (CVs, session notes, correspondence): up to 3 years from the end of the engagement, after which we archive a minimal record of the engagement (name, dates, service delivered) for legal-defence purposes for a further 3 years.
- Accounting and tax records: 6 years from the end of the relevant financial year, as required by HMRC.
- Marketing opt-ins: until you unsubscribe, and for 12 months afterwards to honour the unsubscribe request.
- Website analytics: up to 14 months, aggregated and pseudonymised, via Google Analytics 4.
7. Who we share your data with
We do not sell your personal data to anyone. We share it only with carefully chosen service providers that help us run our business, and only to the extent necessary. These include:
- FormSubmit (form delivery service) — receives and relays form submissions to our email address. Data is processed solely for delivery.
- Email and office providers (Microsoft 365 / Google Workspace) — used to send and receive correspondence and to store documents you share with us.
- Payment processors (Stripe or bank transfer) — process card payments and record transactions. We never see or store your full card number.
- Google Analytics 4 (Google Ireland Ltd, acting for Google LLC) — receives pseudonymised usage data only if you consent via our cookie banner. IP addresses are anonymised.
- Google Ads & conversion measurement (Google Ireland Ltd) — receives conversion events and measurement data only if you consent to marketing cookies. Used to measure and optimise the performance of our advertising campaigns.
- Professional advisers (accountants, lawyers) — where required, and under appropriate confidentiality obligations.
- UK public authorities — where we are required to disclose information by law (for example, in response to a valid court order or to HMRC).
7.1 International transfers
Some of our service providers, including Google, are based in the United States or transfer data outside the United Kingdom. Where that happens, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or a UK adequacy decision, as appropriate, to ensure your data is protected to the standard required by UK GDPR.
8. Cookies and similar technologies
We use a small number of cookies. Our cookie banner, which appears the first time you visit, lets you decide which categories you accept. You can change your choices at any time by clicking “Cookie settings” in the footer.
8.1 Strictly necessary cookies (always on)
These cookies are essential for the website to work. They store your cookie preferences (bp_consent_v1), maintain session security and keep forms working. We do not ask for consent for these because the site cannot function without them.
8.2 Analytics cookies (optional)
If you accept, Google Analytics 4 sets pseudonymised cookies that help us understand how visitors use our pages. We do not use these cookies to identify you personally. IP addresses are anonymised before processing. Data is retained for up to 14 months.
8.3 Marketing cookies (optional)
If you accept, Google Ads sets cookies that allow us to measure which visits come from our paid campaigns, to attribute conversions, and to show relevant ads on Google properties. We use Google Consent Mode v2 so that, until you consent, no marketing or analytics data is sent to Google. When you consent, the consent signal is sent with every subsequent event.
9. Your rights under UK GDPR
You have the following rights in relation to the personal data we hold about you:
- Right of access — to ask for a copy of the personal data we hold about you (a “subject access request”).
- Right to rectification — to ask us to correct data that is inaccurate or incomplete.
- Right to erasure — to ask us to delete your personal data where we no longer have a lawful basis to hold it.
- Right to restrict processing — to ask us to stop actively processing your data while a concern is being resolved.
- Right to data portability — to receive the data you have provided in a structured, machine-readable format.
- Right to object — to object to processing based on our legitimate interests or for direct marketing.
- Right to withdraw consent — where we are relying on your consent, you can withdraw it at any time.
- Rights related to automated decision-making — we do not make decisions about you by purely automated means.
To exercise any of these rights, please email [email protected]. We will respond within one month of receiving your request (or tell you if we need longer for a complex request). There is normally no fee.
10. How to complain
If you are unhappy with the way we have handled your personal data, we would like the chance to put it right — please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator, at any time:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
11. Children
Our services are intended for adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, disclosure or destruction. These include encryption in transit (HTTPS), limited access to client records, and regular review of our security practices. No system is ever entirely risk-free, but we take the responsibility seriously.
13. Changes to this policy
We review this Privacy Policy regularly and may update it from time to time to reflect changes in our practice, our service providers, or the law. Significant changes will be announced on this page with a new version number and date.