Privacy Policy
This privacy policy explains how I collect, use and protect your personal data when you visit my websites or use my coaching, supervision and consulting services.
I’m UK-based, and since the UK is no longer part of the European Union, my handling of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 – rather than by the EU’s own version of the GDPR. If you’re based in the EU or EEA, see ‘International transfers of your personal data’ below for how that affects you.
Introduction
I, Sandra Cunningham, am committed to safeguarding the privacy of visitors to my websites – outsidein.coach and walkingcoach.net – and of everyone who uses my coaching, supervision and consulting services, whether offered under the Outside In Coaching, Outside In Coaching & Supervision, or Walking Coach name. (In this notice, “I”, “me” and “my” refer to Sandra Cunningham, trading as Outside In Coaching.)
I operate as a sole trader rather than a limited company. I am the data controller for the personal data of my website visitors and service users – in other words, I’m the one who decides why and how that data is used. I’m registered with the Information Commissioner’s Office; my registration reference is ZC171217.
This notice tells you how I collect and process your personal data through your use of my websites and my services.
If you’re not happy with any aspect of how I collect or use your data, you can raise it with me directly and I’ll look into it and respond without undue delay – my contact details are at the end of this notice. You also have the right to complain at any time to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, at ico.org.uk. (The ICO is in the process of being replaced by a new body, the Information Commission, as part of the 2025 reforms; until that transition completes, the ICO remains the right point of contact.)
It’s important that the information I hold about you is accurate and up to date. Please let me know if your personal details change, by emailing sandracunningham@outlook.com.
What Data Do I Collect About You?
Personal data means any information capable of identifying an individual. It does not include anonymised data.
I may process the following types of personal data about you:
• Identity Data – your name, and where relevant, title and date of birth. This may also include photography or video featuring your image.
• Contact Data – your address, email address and telephone number.
• Transaction Data – details of payments between us and other purchases you’ve made.
• Profile Data – your interests, preferences, feedback and survey responses, along with any other professional or personal information relevant to your situation and how I might help you.
• Service Data – records of our coaching or supervision conversations and any reflection or fieldwork notes you submit as part of the process, which may include recordings of sessions conducted over platforms such as Zoom.
• Usage Data – your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and navigation paths, along with the timing and pattern of your use of my services.
• Marketing and Communications Data – your preferences for receiving marketing from me and your communication preferences.
Where I’m required to collect personal data by law, or under the terms of a contract between us, and you don’t provide that data when asked, I may not be able to perform the contract (for example, to deliver a service you’ve booked). If that happens I’ll let you know at the time.
How I Collect Your Personal Data
I collect data about you through a variety of methods, including:
Direct interactions: you may provide data by filling in forms on my site or by contacting me by post, phone, email or otherwise – including when you contract my services, subscribe to my Insights or other publications, request resources, or give me feedback.
Cookies: like most websites, outsidein.coach and walkingcoach.net use ‘cookies’ – small packets of data stored in your browser. Cookies help me understand how the site is used and on what devices.
I also use Google Analytics and my website platform, Squarespace, to analyse data and aggregate patterns of use, so I can tailor the site to the people using it.
You can manage how your browser handles cookies, or refuse them, through your browser settings. aboutcookies.org has useful guidance on this.
Some analytics cookies that don’t profile you individually may be used without asking your consent first, provided you’re told about them and can easily opt out – this is a change introduced by the 2025 reforms to UK cookie law. All other non-essential cookies still require your consent, which you give by continuing to use the site or via the cookie banner where one is shown.
How I Use Your Personal Data
I will only use your personal data when legally permitted. The most common grounds are:
• To provide my services and communicate with you.
• Where I need to perform a contract between us, or take steps at your request before entering one.
• Where it’s necessary for my legitimate interests – namely the proper running of my website and business – and your interests and rights don’t override those.
• Where I need to comply with a legal or regulatory obligation, or to protect my business from risk.
Marketing emails (such as my Insights essays, or updates about my coaching, supervision or consulting work) work a little differently, under the UK’s e-marketing rules (PECR). If you’ve engaged me for a service – coaching, supervision or consulting – I may send you marketing about my own similar services on the strength of that relationship, without asking separately for consent; this is sometimes called the ‘soft opt-in’. It only applies where I gave you a clear chance to opt out at the time I collected your details, and every marketing email gives you an easy way to unsubscribe.
If you haven’t engaged me for a service – for example, you’ve signed up to Insights directly through the website – I rely on your consent instead, given when you sign up.
Either way, you can opt out of marketing at any time, by using the unsubscribe link or by emailing sandracunningham@outlook.com.
Video Calls
Most of my coaching, supervision and consulting conversations take place by video call, most often via Zoom, rather than in person. The platform doesn’t collect your personal information on my behalf, and sessions aren’t recorded unless you’ve expressly agreed to it.
Occasionally, with your express permission, I retain a recording of a session – audio, video, or both – for my own training or supervision purposes. I keep it only for as long as that purpose needs, then delete it – and in any case no later than three months after the session. Anyone I might reflect with on a recording, such as my own coaching supervisor, is themselves bound by professional confidentiality.
Video calls use encryption to keep them confidential. You’ll be sent details of your session by email or calendar invitation – if you want to keep these private, please use an email address only you have access to.
The video platform’s software may remain on your device after the session ends, and may leave cookies, but these won’t contain identifiable information about you or your session.
AI Note-Taking and Transcription Tools
From time to time I use Zoom’s built-in AI Companion to generate a transcript or summary of a session, which helps with my own notes. This is processed within Zoom’s own systems; Zoom states that it doesn’t use meeting audio, video or transcript content to train its own or third-party AI models. When AI Companion is switched on you’ll see an in-meeting notice, and I’ll also tell you directly that I’m using it – you’re welcome to ask me to turn it off for all or part of a session.
Occasionally, and on a case-by-case basis, I use a separate AI platform (such as Claude or ChatGPT) to support my own reflection on our work – for example, to help me think through a recurring theme, to support my own supervision of practice, or to summarise notes or transcripts from our conversations. Where I do this, I only use a business or enterprise account with appropriate data protection terms in place, never a free consumer account, and I take care to remove or avoid identifying details of you or anyone else you mention wherever I can. I’ll always tell you if this applies to our work together.
Images and Films
During group events or workshops I may photograph or film those involved, always with their express permission, for the purpose of capturing and sharing the work. I will never use an image or recording of you in my marketing or on my website without your prior written agreement.
Providing Your Personal Data to Others
I may disclose your personal data to my insurers and professional advisers, where reasonably necessary for obtaining or maintaining insurance, managing risk, getting professional advice, or establishing, exercising or defending legal claims.
I may disclose service, enquiry or correspondence data to subcontractors or associates where reasonably necessary to deliver a contract between us.
I don’t take payments through my website – I invoice separately, and you pay by bank transfer. That payment is processed through the ordinary UK banking system rather than a separate online payment provider, so the only data involved is whatever your own bank requires to make the transfer, plus the reference you choose to include.
Beyond the disclosures set out above, I may share your personal data where necessary to comply with a legal obligation, or to protect your vital interests or those of another person.
International Transfers of Your Personal Data
There are circumstances in which your personal data may be transferred outside the UK.
My website and email distribution platform, Squarespace, is based in the USA. Transfers of personal data from the UK to US organisations certified under the UK Extension to the EU–US Data Privacy Framework (known as the ‘UK–US Data Bridge’) are recognised by UK law as offering an adequate level of protection, so no further safeguards are required for those transfers. Where I use a supplier that isn’t covered by that framework, I rely on other approved transfer mechanisms required by law, such as the UK’s International Data Transfer Agreement.
If you’re based in the EU or EEA: the European Commission has separately confirmed, through its own adequacy decisions (most recently renewed in December 2025, running to December 2031), that it regards UK data protection law as offering an equivalent standard of protection. This means personal data can also flow between the EU/EEA and the UK without additional safeguards.
You acknowledge that personal data you submit for publication through my website – a testimonial, for example – may be available via the internet, around the world. I cannot prevent the use or misuse of such data by others.
Retaining and Deleting Personal Data
I don’t keep personal data for longer than is necessary for the purpose it was collected for.
Coaching, supervision and consulting data is retained for a minimum of five years and a maximum of six years from the end of our working relationship – our last session or point of contact – in line with the requirements of my Professional Indemnity Insurance.
As a sole trader, I’m required by HMRC to keep records supporting my self-assessment tax return for at least five years after the 31 January submission deadline for the relevant tax year – longer if HMRC opens a check into a return, or if a transaction spans more than one tax year.
Where it isn’t possible to specify a retention period in advance, I’ll determine it based on the nature, use and sensitivity of the data, in line with the data minimisation principle in UK GDPR Article 5(1)(e).
Notwithstanding the above, I may retain your personal data for longer where necessary to comply with a legal obligation, or to protect your vital interests or those of another person.
Amendments
I may update this policy from time to time by publishing a new version on my website. Please check this page occasionally to make sure you’re happy with any changes. Where appropriate, I’ll notify you of significant changes by email.
Your Rights
Under UK GDPR, you have the right to:
• Be informed about how your personal data is used – which this notice is intended to do.
• Access the personal data I hold about you.
• Have inaccurate personal data corrected, or incomplete data completed.
• Ask me to erase your personal data, in certain circumstances.
• Restrict the processing of your personal data, in certain circumstances.
• Receive a copy of personal data you’ve provided to me, in a structured, commonly used format, in certain circumstances.
• Object to my processing of your personal data, in certain circumstances.
I don’t use automated decision-making or profiling that produces legal or similarly significant effects on you.
To exercise any of these rights, email sandracunningham@outlook.com. I’ll respond within one calendar month, extendable to three months for complex requests, as the law allows. I’ll carry out reasonable and proportionate searches to answer your request, and may withhold information, or charge a reasonable fee, where the law permits – for example, where a request is manifestly unfounded or excessive.
You can also stop me processing your data for marketing purposes at any time – see ‘How I Use Your Personal Data’ above for how marketing consent and opt-outs work.
Queries and Complaints
If you have a comment, query, or complaint about how I handle your personal data, please email sandracunningham@outlook.com. I’ll investigate and respond without undue delay and keep you informed of progress.
You also have the right to complain to the Information Commissioner’s Office at any time, at ico.org.uk – you don’t need to raise it with me first, though I’d welcome the chance to put things right.