Website Privacy Notice

Last updated: November 2020



This privacy notice provides you with details of how we collect and process your personal data through your use of our site including any information you may provide through our site when you contact us for coaching or consulting services.

By providing us with your data, you warrant to us that you are over 18 years of age.



Stepchange Coaching Ltd (referred to as ‘we’, ‘us’ or ‘our’ in this privacy notice) is a company registered in England and Wales.

Our full details are:

Stepchange Coaching Ltd, Registered No. 08459916
Registered Office: Popeshead Court Offices, Peter Lane, York, Y01 8SU

Contact:  Sally Learoyd
Phone:+ 44 7912 521164

We are a registered data controller with the Information Commissioner’s Office under number A8479428.



Personal data means any information capable of identifying an individual. It does not include anonymised data.

We may process certain types of personal data about you as follows:

* Identity Data may include your first name, maiden name, last name, job title and gender;

* Contact Data may include your email address and telephone numbers.;

* Technical Data may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access this site;

* Profile Data may include your interests, preferences, feedback and survey responses.



Further Data Collection in providing services:  

When Stepchange Coaching Ltd contracts with you to provide you or your organisation with coaching or consulting services we will also need to collect some or all of the following data in order to deliver services: 

* Contact data including the billing and delivery address of you/your organisation and the work email addresses and telephone numbers of your employees where applicable;

* Identity data including employment start date/tenure of you/your employees;

* Financial/transaction data including bank account and details of our invoices to and payments from you/your organisation;

* Records of our email/written correspondence;

* Marketing and communications data including your preferences in receiving marketing from us and your communication preferences.


Organisational Clients:

* Profile data including the interests, preferences, feedback and survey responses of your employees

* General data including information regarding employee performance, skills, development needs/plans and remuneration.


Coaching Clients: 

* Documents you may provide to us such as your c.v., Linkedin profile, job/role description, personal development plan, personality/behavioural profiles.

We may also collect, store and use the following more sensitive types of personal information:

– Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions if/where it is relevant to your coaching context, goals or issues and which you share with us in the course of coaching sessions.

– Information about your health, including any medical condition if/where it is relevant to your coaching context, goals or issues and which you share with us in the course of coaching sessions.

We require explicit consent for processing sensitive data, so when you decide you would like to work with us, we will send you a further communication within our contract of services asking for you to confirm your consent to this processing. This document will also set out any further details of data processing relevant to our service provision to you – be that coaching or consulting.



We collect personal data about you through a variety of different methods including:

Direct interactions: You may provide data by filling in forms on our site (or via email) or by communicating with us by phone, email or otherwise, including when you:

– Enquire about or order our services;
– Subscribe to our publications;
– Request resources or marketing be sent to you;
– Give us feedback.

Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below.
analytics providers such as Google based outside the EU.



We only use personal data where lawfully permitted.  The most common lawful bases for our collection of personal data are:

* Where it is an essential requirement for us to be able to deliver services to you or your organisation, called ‘performance of a contract’.

* Where it is in our ‘legitimate interests’ to do so, and your interests and fundamental rights do not override those interests.

* Where we need to comply with a legal or regulatory obligation.


Situations in which we will use your personal information:

We need all the categories of information in the list above to allow us to perform our contract with you and to enable us to comply with our legal obligations.  The situations in which we will process your personal information are listed below.



Type of data

Lawful basis for processing including basis of legitimate interest

To register you as a new client

·       Identity

·       Contact

–       Performance of a contract with you.

To process and deliver your coaching or consulting services including:

(a) Manage payments, fees and charges

(b) Collect and recover money owed to us

·       Identity

·       Contact

·       Financial

·       Transaction

·       Marketing and Communications

·       Profile

·       General



–       Performance of a contract with you.

–       Necessary for our legitimate interests (and where applicable to recover debts due to us).

To manage our relationship with you which will include:

(a)  Notifying you about changes to our terms or privacy policy


·       Identity

·       Contact

·       Marketing and Communications

–       Performance of a contract with you

–       Necessary to comply with a legal obligation

–       Necessary for our legitimate interests (to keep our records updated)

Notifying you about services we provide

·       Identity

·       Contact

·       Marketing and Communications

–       Consent


Generally, we do not rely on consent as a legal ground for processing personal data, other than in relation to sending marketing communications via email.  You have the right to withdraw consent to marketing at any time by emailing us.


We will only use data you provide us with, or which we collect directly, for the purposes for which we obtained it which we will communicate in advance, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.



In order to provide services to you/your organisation  (“performance of a contract”) and/or in order to operate, safeguard, and ensure the good governance of our business (our “legitimate interests”) we may have to share some limited personal data with the parties set out below:

* Service providers who provide IT and system administration services. 

* Professional advisers including lawyers, bankers, accountants, and insurers who provide consultancy, legal, banking, accounting and insurance services.

* Providers of behavioural/personality profiling tools.

* HM Revenue and Customs regulators and other authorities based in the United Kingdom, and other relevant jurisdictions who require reporting of processing activities in certain circumstances.

We require all third parties to whom we transfer personal data to respect the security of personal data and to treat it in accordance with the law. We only allow such third parties to process personal data for specified purposes and in accordance with our instructions.



Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

In providing our coaching and consulting services we share personal data with third parties some of whom may be located outside the EEA as follows.

– Suppliers of behavioural/personal profiling tools
– Suppliers who provide IT, database and system administration services, based in the US.


Where personal data is transferred outside the EEA we take all reasonable steps to ensure that personal data is treated securely and in accordance with this Privacy Policy and the requirements of law. Such measures include, where applicable, by ensuring that the recipients to which it is sent are:

* Within countries where the European Commission has made an adequacy decision with respect to the data protection laws of such country, or

* Certified under the EU-US Privacy Shield Framework or Swiss-US Privacy Shield Framework, or;

* Covered through the entering into of EU standard contractual clauses for transfers of data (also referred to as model contracts) or binding corporate rules, and monitoring such protections to ensure the adequacy of such measures.

A current list of the third parties to whom we transfer personal data outside the EEA together with the relevant safeguard mechanism is available on request.



We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.



We only retain personal data for as long as is necessary to fulfil the purposes for which we obtained it including for the purposes of satisfying our business insurance, accounting, legal and reporting requirements.  The maximum retention period we apply to data that we process, control or joint control with clients is six years.  In seeking to minimise the amount of data we store and the duration for which we retain it, we consider the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data;  this may result in us storing some data for shorter time periods than six years.

By law we have to keep basic information about our clients (including contact, identity, financial and transaction data) for six years after they cease being clients for tax purposes. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

In some circumstances you can ask us to delete your data: see Your legal rights below for further information.

In some circumstances we may anonymise personal data (so that it can no longer be associated with your organisation/your employees) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.



The General Data Protection Regulations provides individuals whose personal data is controlled directly by Stepchange Coaching with the following rights: 

* Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. 

* Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

* Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

* Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

* Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

– If you want us to establish the data’s accuracy.
– Where our use of the data is unlawful but you do not want us to erase it.
– Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
– You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

* Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 

* Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

For the avoidance of doubt, the exercise of these rights in certain circumstances may mean that it is not possible for us to perform the contract for coaching or consulting services and in such circumstances the contract will be terminated. 

*No fee usually required:  You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 

* What we may need from you:  We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

* Time limit to respond:   We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

The General Data Protection Regulations also provides individuals whose personal data is controlled directly by Stepchange Coaching with the right to complain.

If you have such a complaint, please contact us in the first instance using the details provided in Section 2. and we will do our utmost to address your concern. If you are then still dissatisfied, you can register a complaint about our handling of your personal data with the ICO, who are the UK’s supervisory authority for GDPR. Please refer to the following link:


The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane

Helpline number: 0303 123 1113



Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.



You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy