Privacy Notice

Key information

This is the Privacy Notice for Lucy Cartwright. I am a self-employed consultant based at 18-22 Ashwin Street, London E8 3DL, UK. My ICO registration number is ZB939687. You can contact me via the contact form on my website or directly by emailing info@lucycartwright.co.uk.

Effective Date: 01-Jul-2025
Last Updated: 25-Jul-2025

Lawful basis for processing personal data

I rely on different lawful bases under the UK GDPR depending on the nature of my interaction with you. These include consent, the performance of a contract, legal obligations, and my legitimate interests as a self-employed consultant.

Your rights

You have the following rights:

  • The right to be informed – being told what data I hold about you and what I do with it.
  • The right of access – being able to request a copy of your data I hold.
  • The right to rectification – being able to have inaccurate or missing data corrected.
  • The right to erasure – being able to ask me to delete / destroy your data.
  • The right to restrict processing – being able to limit the amount or type of data used.
  • The right to data portability – requesting to move your data electronically to another business.
  • The right to object – being able to request me to stop using your data.
  • The right to withdraw consent – at any time, if processing is based on consent.
  • The right to lodge a complaint – with the Information Commissioner’s Office (ICO).

You can exercise your rights by contacting me in writing or verbally, in person, on the phone, or by email. I will respond within one month.

Why do I hold data and what do I do with it?

I collect, use and hold personal information about employees, suppliers and customers. This may include:

  • Name

  • Professional address

  • Professional email address

  • Website addresses

  • Phone numbers

  • Computer IP address

  • Social media addresses such as LinkedIn and Facebook

  • Information you choose to share with me via contact forms, emails and during meetings.

I do not hold sensitive data.

I collect and hold personal data:

  • For employees, to meet legal and regulatory obligations such as payroll and pensions, and to enable communication
  • For suppliers and strategic partners, to make payments and manage contracts and potential collaborations
  • For customers (past, present and potential), to propose, arrange, and deliver services, invoice for payment, and satisfy regulatory checks (e.g. anti-money laundering)

In short, I only process personal data where there is a lawful basis, which may include a contract, a legal obligation, a legitimate interest, or your consent.

How do I get the data?

  • From publicly available sources such as websites or social media

  • Through my website when you submit a contact form, book a call, or sign up to my newsletter

  • From paper forms, such as sign-up sheets at events

  • Through correspondence or documents you choose to share

I will always clarify whether the information requested is essential or optional.

Data that is collected through my website

My website is built using WordPress and hosted with A2 Hosting.

Currently, the only data I collect through the website includes:

  • Your name and email address
  • Any message submitted via the contact form
  • Whether you have signed up to receive my newsletter / blog via email

I use Brevo to route transactional emails from my website. I also record contact details for people who have submitted the contact form and / or who have signed up to receive my newsletter / blog.

This information may be routed via third-party tools such as Make and Zapier for automation purposes.

I make use of Google Analytics to understand how people access and use my website.

For information about cookies please see my Cookie Policy here.

Data that is collected when you book a call

I use TidyCal for call bookings, which is linked to Google to send you a calendar invite.

Currently, the only data I collect when you book a call is:

  • Your name and email address
  • Your answers to any questions in the booking form

I keep a record of all contacts in Brevo (I'll only send you newsletter / blog mailings if you explicitly sign up to receive them). I use Make and Zapier to link TidyCal to Brevo and send notifications of bookings to my iPhone (iOS).

How long will I keep the data?

I will not hold personal data for longer than is necessary for the purposes explained in this notice.

I hold data about past and current customers and suppliers on my financial system, QuickBooks Online, and check this annually to ensure that it is up to date and that I still have a legitimate need to retain it, either to facilitate ongoing business relationships or for tax records.

I hold data about past, present and potential customers within Microsoft 365 (email / file systems), Brevo (email marketing platform, formerly known as 'Send in Blue') and TidyCal (appointment scheduling) and check this annually to ensure that it is up to date and that, if it is not in the public domain, I have either consent or am required to retain the data for compliance purposes.

I hold contact details (professional phone number and/or email address) as part of my professional network and check this annually to ensure that it is up to date and that, if it is not in the public domain, I have consent.

Client data is retained for six years from the close of the engagement. After that, summary details of the work we did together may be kept but all personal data will be destroyed.

Main accounting ledgers and supporting documents will be retained for six years following the end of the financial year to which they relate.

How do I keep your data secure?

I use Microsoft 365 for communication, document processing and file storage. Access is restricted to myself and any necessary personnel. Data about individuals will be restricted to business, not personal, contact details. Emails pertinent to prospective, current or past service provision are held within the system, together with notes of phone calls and activity. I do not keep paper records.

I use:

  • Strong, unique passwords and two-factor authentication (2FA) on all platforms
  • Secure platforms such as QuickBooks, TidyCal, Brevo, Make, Zapier and WordPress
  • Biometric or passcode access on devices (M365 and iCloud) where contact data is stored
  • A secure VPN (Proton) when on public Wi-Fi networks

In all cases, only business-related contact information is stored and access is restricted.

What will I do if I suffer a data protection breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If a breach of personal data occurs that risks people’s rights and freedoms, I will report it to the ICO. If the breach presents a high risk to individuals, I will notify those affected directly and without undue delay.

What else do I do with data?

  • I do not make automated decisions or carry out profiling

  • I will only share data for legal or compliance purposes and will inform you unless prohibited by law

  • I may request organisational data to carry out consultancy work; this is only held with your consent and processed within your systems where possible

  • If external advisors or service providers require access to your data (e.g. for bookkeeping), they are only permitted to do so under my instruction and are bound by law to safeguard your information

International transfers

If I need to transfer your data outside the UK or European Economic Area (EEA) - for example, to a service like Brevo or TidyCal - I will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), adequacy decisions, or binding agreements.

I use UK- and EU-hosted platforms whenever possible and will notify you and seek your consent if a transfer is necessary.

Do I have a Data Protection Officer?

I am a sole trader, and my core activities do not require large-scale, regular and systematic monitoring of individuals, nor large-scale processing. Therefore, I am not required to appoint a Data Protection Officer.

How can you complain to the ICO?

You can complain to the ICO if you are unhappy with how I have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
https://ico.org.uk

©Lucy Cartwright 2025