Privacy Notice
Version 1.2 | 23 April 2026
Applies to: all HancockHamlin websites, programmes and services
1. About this notice
This Privacy Notice explains how HancockHamlin Ltd collects, uses, stores, shares and protects personal data about you. It applies to all visitors to our website, participants in our programmes, coaching clients, prospective clients, research collaborators, and partner organisations.
This notice should be read alongside our Cookie Notice, Data Retention Schedule and Data Breach Procedure, which are available on our website or on request. Where those documents address the same topic, this notice cross-references them rather than repeating the same information.
2. Who we are
HancockHamlin Ltd is the data controller for personal data processed in connection with our activities.
Registered name: HancockHamlin Ltd
Registered address: 11 & 12 The Courtyard, St Mary’s Chare, Hexham, Northumberland, NE46 1NH
Contact email: dataprotection@hancockhamlin.co.uk
Website: www.hancockhamlin.co.uk
ICO registration number: ZC105661
If you have any questions about how we handle your personal data, or if you wish to exercise any of your rights, please contact us at dataprotection@hancockhamlin.co.uk.
3. Personal data we collect and how we collect it
We collect personal data through the following channels. For each collection point, the information below sets out what data we collect, why we collect it, and the lawful basis we rely on under UK GDPR.
Website contact / expression of interest form
Data collected: Name, email address, phone number (optional), organisation (optional), message content
Purpose: To respond to your enquiry and, where relevant, to provide information about our programmes
Lawful basis: Legitimate interests (to manage and develop our business relationships)
Retention: See Data Retention Schedule
Newsletter sign-up (website and/or LinkedIn)
Data collected: Name, email address
Purpose: To send our newsletter and updates about programmes and services
Lawful basis: Consent (opt-in); you may withdraw consent at any time
Retention: See Data Retention Schedule
Programme application (pre-programme questionnaire)
Data collected: Name, email, job title, employer/organisation, professional background, and responses to programme-specific questions
Purpose: To assess suitability for and deliver the Beyond the Blueprint programme
Lawful basis: Contract performance (pre-contractual steps)
Retention: See Data Retention Schedule
Programme enrolment and payment (via Stripe)
Data collected: Name, email address, billing address, payment information (processed directly by Stripe — HancockHamlin does not receive or store card data)
Purpose: To process your programme fee payment and issue confirmation of enrolment
Lawful basis: Contract performance; legal obligation (financial records)
Retention: See Data Retention Schedule
Programme delivery (via Zoom)
Data collected: Name, email address, video/audio participation; session recordings where consent is given
Purpose: To deliver the programme; to provide recordings to participants who have given consent
Lawful basis: Contract performance; consent (for recordings)
Retention: See Data Retention Schedule
Alumni community (platform to be confirmed)
Data collected: Name, email address, programme cohort; any profile information you choose to add
Purpose: To maintain ongoing community and communication with programme graduates; to notify you of future programmes and events
Lawful basis: Legitimate interests (alumni community and ongoing professional development relationship). You will be informed of this when enrolling.
Retention: See Data Retention Schedule
Prospect and warm contact management (CRM / LinkedIn)
Data collected: Name, email address, organisation, professional role, nature of prior contact
Purpose: To follow up with individuals who have actively expressed interest in our programmes or services; to notify them of future cohorts
Lawful basis: Legitimate interests (all contacts have actively engaged via our website or direct interaction)
Retention: See Data Retention Schedule
4. Special category and sensitive data
We do not ask you to provide special category data (as defined by UK GDPR, including health data, ethnicity, religious beliefs, and similar) at any stage of our application or enrolment process.
During coaching sessions or programme activities, you may choose to share information of a sensitive or personal nature. Where this happens:
• Notes or recordings made during coaching or facilitation sessions are handled strictly in accordance with our Data Retention Schedule.
• All coaches and facilitators working with us are required to follow our data handling and confidentiality protocols.
• Recording of sessions requires your explicit consent, given at the start of each session. You may request that any recording be deleted immediately, and your request will be honoured without question.
We will never use incidentally disclosed sensitive information for any purpose beyond the immediate delivery of the service in which it arose.
5. How long we keep your data
Retention periods for all categories of personal data are set out in our Data Retention Schedule, which is available on our website or on request. As a general principle, we hold personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law.
You may request deletion of your personal data at any time (subject to any overriding legal obligation to retain it). See Section 9 for details of how to exercise this right.
6. Who we share your data with
We share personal data only where necessary and only with organisations that are contractually required to handle it in accordance with UK GDPR requirements. Our current data processors and the basis on which data is shared are set out below.
Squarespace (USA)
Role: Data processor — website hosting, analytics, member areas (if used)
Data shared: Website visitor data (including form submissions), analytics data, member account data (if applicable)
Safeguard: Squarespace Privacy Policy and Data Processing Agreement; EU/UK Standard Contractual Clauses
Stripe (USA)
Role: Data processor — payment processing
Data shared: Name, email, billing address, payment card data (Stripe processes card data directly and does not share it with us)
Safeguard: Stripe Privacy Policy; EU/UK Standard Contractual Clauses; PCI DSS compliant
Zoom Video Communications (USA)
Role: Data processor — programme session delivery and recording
Data shared: Name, email address, session participation data, recordings (where consent given)
Safeguard: Zoom Privacy Policy and Data Processing Agreement; EU/UK Standard Contractual Clauses
HubSpot (USA)
Role: Data processor — contact relationship management (CRM)
Data shared: Contact names, email addresses, organisational details, notes on prior interactions
Safeguard: HubSpot Data Processing Agreement; EU/UK Standard Contractual Clauses
WhatsApp / Meta (USA) — where used for participant communication
Role: Messenger platform — ad hoc participant communication only
Data shared: Phone number, name, message content
Safeguard: WhatsApp Privacy Policy; end-to-end encryption; used only with explicit participant agreement. We recommend the use of individual WhatsApp chats only, not broadcast groups.
We do not sell, rent, or otherwise trade personal data. We do not share personal data with any third party for their own marketing purposes.
7. International data transfers
All of the third-party processors listed in Section 6 are based in, or process data in, the United States of America. As a UK company, we are required to ensure that any transfer of personal data to a country outside the UK is accompanied by appropriate safeguards.
For each of the processors listed above, we rely on one or more of the following safeguards:
• UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office, incorporated into our agreements with each processor;
• The processor’s own Data Processing Agreement, which incorporates UK-compliant transfer mechanisms.
If you would like further details of the specific safeguards in place for any particular transfer, please contact us at dataprotection@hancockhamlin.co.uk.
Note for US-based participants: If you are based in the United States, your personal data will be processed in the UK by HancockHamlin Ltd. The UK is not currently covered by a US adequacy determination, but we are committed to handling your data in accordance with UK GDPR standards, which provide strong privacy protections equivalent to those in the EU.
8. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
Access: You may request a copy of the personal data we hold about you.
Rectification: You may ask us to correct any inaccurate or incomplete personal data.
Erasure: You may ask us to delete your personal data, subject to any overriding legal obligation to retain it.
Restriction: You may ask us to restrict the processing of your personal data in certain circumstances.
Portability: Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your data.
Objection: You may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Withdraw consent: Where we process your data on the basis of consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at dataprotection@hancockhamlin.co.uk. We will respond within one calendar month. We will not charge you for exercising your rights unless a request is manifestly unfounded or excessive.
If you are not satisfied with how we have handled your request or with our processing of your personal data more generally, you have the right to complain to the UK Information Commissioner’s Office (ICO):
• Website: www.ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
US-based participants: You may also have rights under applicable US state privacy laws (for example, the California Consumer Privacy Act if you are a California resident). Please contact us at dataprotection@hancockhamlin.co.uk to exercise any such rights and we will respond in accordance with the applicable law.
9. Cookies
Our website uses cookies. Our Cookie Notice (available at www.hancockhamlin.co.uk/cookies) sets out what cookies we use, why we use them, and how you can manage them. Our cookie consent banner will appear when you first visit our website and allows you to make an informed choice.
10. Data security and breaches
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. Our Data Breach Procedure (available on request) sets out how we identify, manage and report data breaches in line with our obligations under UK GDPR.
Where a breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay.
11. Changes to this notice
We may update this Privacy Notice from time to time. When we do, we will update the version number and date at the top of this document and, where the changes are material, we will notify programme participants by email. The current version of this notice is always available at www.hancockhamlin.co.uk/privacy.
12. Contact us
If you have any questions, concerns or requests relating to this Privacy Notice or to your personal data, please contact:
Email: dataprotection@hancockhamlin.co.uk
Post: HancockHamlin Ltd, Tynevale House, Main Street, Acomb, Hexham, Northumberland, NE46 4PW, UK
We aim to respond to all enquiries within five working days.