Privacy policy

This Privacy Policy was last updated on 27th October 2025.

Data Controller

Ashleigh Dawkins

ashleigh.dawkins@theprivacylighthouse.com

Your right to object

You have the right to object to any use of your personal data based on legitimate interests. If you do, I’ll stop processing it for that purpose unless I have a compelling reason to continue. More information about your rights is provided in the “Your Rights” section below, and I’ll always let you know when this right applies.

Introduction

Hi, I’m Ash, Founder of The Privacy Lighthouse. I help businesses, charities and ethical organisations protect their client and employee data in a way that actually makes sense for them.

As the Data Controller, I am responsible for deciding how I hold and use personal data about you. This privacy policy explains how I collect, use and keep your personal information safe when you interact with me, whether you book a discovery call, work with me on a project, or send me documents and details I need to do my job. It also outlines what your rights are under data protection legislation. I am deeply committed to handling your data responsibly and with care.

When I say “personal data,” I mean any information that could identify you, either on its own or together with other details. This might include things like your name, contact details, online identifiers, or information about your business that helps me provide my services.

“Processing” is just a fancy word for anything I do with your personal data, e.g. collecting it, storing it, using it to deliver services, sharing it with trusted service providers, or securely deleting it when it’s no longer needed.

I handle all personal data in line with the UK and EU GDPR and the Data Protection Act 2018, which set the rules for how personal information must be treated.

Data protection principles

I follow the core principles of data protection law to make sure your personal information is treated properly. This means I ensure that your data is:

  • Used fairly and transparently — I will always tell you why I need it and how I will use it.

  • Collected for clear purposes — I only gather the information I need to provide my services and won’t use it for anything else.

  • Relevant and minimal — I only ask for the details necessary to do my job and provide you with value.

  • Accurate and up to date — I take care to keep your information correct, and I’ll update it if you tell me anything has changed.

  • Kept only as long as needed — once the data is no longer required for the purpose it was collected, I securely delete or anonymise it.

  • Stored securely — your personal information is protected, whether it’s held digitally or on paper.

The personal data I collect

To provide my services and manage our working relationship, I may collect and use personal information about identifiable individuals, including:

  • Contact details – your name, email address, phone number, job title and your role within your organisation

  • Service-related communications – emails, messages and notes from discovery calls or meetings

  • Contractual documents – contracts, NDAs, agreements and any other documents exchanged as part of our working relationship that relate to you as an individual

  • Financial information – invoicing and payment details linked to you or your organisation

  • Scheduling information – appointment details from Calendly or other booking tools

  • Other information you provide – any documents, forms, or information you share that identify you as an individual or are needed to deliver services

I only collect the personal information I need to provide my services and I handle it with care and security at every stage.

Why do I collect your personal data?

I process your personal data so that I can provide my services effectively, manage our working relationship and meet my legal obligations. The table below explains the specific purposes for processing your personal data, the types of data involved, and the lawful basis under UK and EU GDPR for each purpose.

| Purpose | Type of personal data processed | Lawful basis for processing |
| --- | --- | --- |
| Respond to your enquiries via the contact form | Contact details, message content | Consent (Article 6(1)(a)) |
| Schedule and conduct discovery calls with you | Contact details, scheduling info, any info provided to prepare for the call | Legitimate Interests (Article 6(1)(f)) – To grow my business by assessing potential clients |
| Provide you with GDPR consultancy services | Contact details, service-related communications, contractual documents, business info tied to individuals | Performance of a Contract (Article 6(1)(b)) |
| Management of our contractual relationship | Contracts, NDAs, payment information | Performance of a Contract (Article 6(1)(b)) |
| Send you invoices and collect payments from you | Financial information | Performance of a Contract (Article 6(1)(b)) |
| Maintenance of records to comply with my legal, contractual and financial obligations | Contracts, NDAs, invoicing, service-related communications, other client records | Legal obligation (Article 6(1)(c)) – To comply with UK laws on contracts, taxation and record-keeping requirements |
| Communicate updates relevant to your work with me | Contact details, service-related communications | Performance of a Contract (Article 6(1)(b)) |

I will only use your personal data for the specific reasons I’ve told you about, or where the law allows it. And I’ll only use the information that’s actually needed for that purpose, nothing more, nothing less.

Special category personal data

I do not collect or process special category personal data, such as information about race, ethnicity, religion, politics, health, sex life, or sexual orientation, because it is not necessary for me to conduct my business with you.

What if you decide not to provide your personal data?

You don’t have to provide your personal data if you don’t want to. But if you don’t, I may not be able to respond to your enquiry, schedule a discovery call, or deliver my services properly.

How will I collect your personal data?

I collect personal data in a few different ways, but always directly from you:

  • Through enquiries – when you contact me via my website form, email or LinkedIn.

  • When you book a discovery call – via Calendly or other scheduling tools.

  • During our work together – any documents, emails, or messages you provide as part of delivering my services.

  • Payment and invoicing – any information you provide to process invoices and payments.

I won’t collect personal data about you from third parties unless it’s necessary for the services I’m providing, and I’ll always let you know if I do.

Website and cookies

When you visit my website, some technical information (like your IP address or browser type) may be collected automatically by Squarespace to make sure the site functions properly and is secure. I don’t use analytics tools or tracking cookies to monitor your activity.

Squarespace may place necessary cookies on your device to enable the site to load and run correctly; these are essential for basic website functionality and can’t be switched off. You’ll see a banner when you first visit the site with more information about cookies and your options.

If I start using any analytics or optional cookies in the future, I’ll update this policy and ask for your consent before placing them.

Who has access to your data?

Your personal data is only accessible to me and the service providers I use to run my business and deliver my services. These include:

  • Scheduling providers – to organise discovery calls.

  • Email and document storage providers – to manage communications and store files securely.

  • Communication tools – for virtual meetings.

  • Website forms – to collect enquiries and other information you provide through my website.

  • Accounting and payment tools – for invoicing and payment processing.

I only work with service providers who handle your personal data securely and in line with the GDPR. I’ve made sure they process information responsibly, in accordance with Article 28 of the UK and EU GDPR. I don’t share your personal data with anyone else unless required by law or with your explicit consent.

International data transfers

Some of the service providers I use may transfer personal data outside the UK or EU. For example, Squarespace and Google Workspace may involve transfers to the US. These transfers are protected under the EU-US and UK-US Data Privacy Frameworks, which ensure your information is handled securely and in line with GDPR.

If I transfer your personal data to any other provider outside the UK or EU in the future, I will make sure appropriate safeguards are in place and update this privacy notice with the relevant details.

How I protect your data

I take the security of your personal data seriously. I use a combination of practical measures and secure tools to keep it safe, including:

  • Secure storage of files and communications using trusted services like Google Workspace.

  • Strong password protection and access controls on all accounts.

  • Regular backups to prevent loss of information.

  • Keeping software and tools up to date to protect against vulnerabilities.

I also ensure that any service providers I work with handle your data securely and in line with GDPR. While no system can be guaranteed 100% secure, I take all reasonable steps to protect your information.

Meetings and calls

I do not record any meetings or discovery calls, nor do I use AI tools to generate meeting transcripts or notes. Google Meet provides the technical capability to record or use such features, but I do not enable them for any of my sessions. This means your conversations with me remain private and are not stored or processed beyond what is necessary to provide my services.

How long I keep your data

I only keep your personal data for as long as it’s needed for the purposes I’ve told you about, or as required by law. This usually includes:

  • Client records, contracts, and communications – kept for the duration of our work together, plus up to six years afterwards to meet tax and accounting obligations.

  • Discovery call notes and enquiry details – kept only until they are no longer needed to assess your needs or follow up on your enquiry.

Once your data is no longer required, I securely delete or anonymise it.

Your rights

You have rights over your personal data, and I want to make it easy for you to exercise them. These include:

  • Access – You can ask me what personal data I hold about you.

  • Correction – If any of your personal data is inaccurate or incomplete, you can ask me to update it.

  • Deletion – You can ask me to delete your personal data when it’s no longer needed, or when you object to my processing (where allowed by law).

  • Restriction – You can ask me to limit how I process your personal data in certain circumstances.

  • Objection – You can object to my processing of your personal data based on legitimate interests. If you do, I’ll stop processing it for that purpose unless I have a compelling reason to continue.

  • Data portability – You can request a copy of your personal data in a structured, commonly used, machine-readable format so you can move it elsewhere if you wish.

  • Withdraw consent – Where I rely on your consent for processing, you can withdraw it at any time.

To exercise any of these rights, or if you have any questions about how I use your personal data, please contact me at: ashleigh.dawkins@theprivacylighthouse.com.

If you’re not satisfied with how I’ve handled your personal data, you have the right to raise a complaint with the Information Commissioner’s Office (ICO) in the UK, or with the relevant supervisory authority in the Member State of your habitual residence, place of work, or where an alleged GDPR infringement occurred.

Thanks for reading

Thank you for taking the time to read this Privacy Policy. The whole idea behind The Privacy Lighthouse is to make data protection simple, human and trustworthy, and that starts here. If you have any questions or want to talk about how your information is used, I’d love to hear from you. You can get in touch via email at ashleigh.dawkins@theprivacylighthouse.com.