Privacy policy.

Who is the data controller.

The data controller is Julian Hargrove, trading as Cottidaestack, of 41 Radstock Ave, Birmingham B36 8HD, West Midlands. Contact: [email protected], +44 7842 563 907.

What personal data is collected.

For prospective clients submitting an enquiry: name, email address, phone number (optional), and the contents of the message. For booked clients: any further information you choose to share within sessions, plus invoicing details (name, billing address, optionally a VAT number for business clients).

For website visitors: standard server log data (IP address, user-agent, referer, time of request), retained for 30 days. If you accept analytics cookies, anonymised page-view counts via the analytics provider chosen at deployment time. If you reject analytics cookies, no analytics data is collected.

Lawful basis for processing.

For enquiries and bookings, the lawful basis is performance of a contract or steps preparatory to one (UK GDPR Article 6(1)(b)). For session notes and follow-up correspondence with booked clients, the same. For server logs and security monitoring, legitimate interest under Article 6(1)(f). For optional cookies, your consent under Article 6(1)(a) and PECR.

How long data is retained.

Enquiry messages from people who do not become clients are retained for 12 months and then deleted. Session notes for booked clients are retained for 24 months following the end of the engagement, then deleted. Invoicing records are retained for six years per HMRC requirements (Companies Act 2006 and equivalent record-keeping rules). Server logs are retained for 30 days.

Who else sees the data.

The practice does not sell or share personal data with marketing third parties. Limited sharing occurs with: an accountant for invoicing and tax purposes; an email service provider for transactional correspondence; a video-call platform for online sessions, where the only data shared is your name and the meeting time. All such providers are GDPR-compliant; their identities can be requested in writing.

Your rights.

Under UK GDPR you have the right to: access the personal data held about you, request correction of inaccurate data, request erasure where there is no overriding lawful basis to retain it, object to processing on legitimate-interest grounds, request restriction of processing, and request portability of data you provided. To exercise any of these rights, write to [email protected]. A response will be provided within one calendar month, or you will be told why a longer period is needed.

The right to complain to the regulator.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by post to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. The ICO is the supervisory authority for data protection in the United Kingdom.

Children's data.

The practice's services are addressed to adults aged 18 and over. The website does not knowingly collect personal data from children. If you believe a child has submitted personal data through the site, please write to [email protected] and the data will be deleted.

International transfers.

Where any of the limited third-party services named above transfer data outside the United Kingdom or European Economic Area, that transfer is governed by the UK International Data Transfer Agreement, the EU-US Data Privacy Framework where applicable, or by Standard Contractual Clauses.

Updates to this policy.

This policy was last updated on 12 January 2026. Material changes will be notified to currently active clients in advance. Visitors to the site can find the current version here at any time.

Statutory references.

This policy is written under UK GDPR and the Data Protection Act 2018. The ICO publishes detailed guidance under those statutes, which interested readers can consult on ico.org.uk.