Privacy Policy

Effective Date: 14 November 2025

Jepson-Lay Consultancy Limited (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data in a transparent, secure, and lawful way. This Privacy Policy explains how we collect, use, store, and protect your information when you visit our website, engage with our services, or participate in assessments such as the Impact Congruence Health Check.

This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Who We Are

Thomas Jepson-Lay Leadership and Coaching
Registered company: Jepson-Lay Consultancy Limited.
Registered office: 39 Ashmeads Close, Rumwell, Somerset, TA4 1FL
Email: hello@thomasjepsonlay.com

We provide leadership coaching, organisational development consultancy, and diagnostic tools including the Impact Congruence Framework and Health Check.

2. Personal Data We Collect

We may collect the following categories of personal data:

A. Identification and Contact Data

  • Name

  • Email address

  • Phone number

  • Job title, organisation, team/department

B. Client and Coaching Data

  • Notes voluntarily provided during coaching

  • Reflections, goals, or assessment responses

  • Pre-workshop or programme questionnaires

We do not intentionally collect special category data (e.g., health, ethnicity). If voluntarily disclosed during coaching, we treat this with heightened confidentiality.

C. Survey & Health Check Data

  • Responses to Likert-based surveys

  • Anonymous or pseudonymised organisational diagnostic inputs

  • High-level organisational descriptors (e.g., team, function)

We ensure survey links do not request personal data unless it is required for context, and where it is collected, this is only with explicit consent.

D. Website & Technical Data

  • IP address

  • Browser type

  • Device information

  • Pages visited

  • Time spent on site

  • Cookie data (see Cookie Policy below)

Collected through Squarespace analytics and consented cookies only.

E. Transaction & Billing Data

  • Payment record

  • Invoices

  • Service history

Handled via Stripe or your banking provider (no card details stored by us).

3. How We Use Your Data

We process personal data for the following purposes:

A. To deliver services

  • Coaching, consultancy, workshops

  • Organisational Health Check analysis

  • Programme communications and logistics

Legal basis: Contractual necessity.

B. To analyse surveys and generate reports

This includes the use of AI-assisted synthesis, where technology helps collate patterns, but human interpretation always determines final insights.

Legal basis: Legitimate interests (providing diagnostic insights to organisations), or consent where required.

C. To operate and improve our website

Legal basis: Legitimate interests + consent (for analytics cookies).

D. To send newsletters, insights, or updates

Only sent if:

  • you opted in, or

  • the "soft opt-in" under PECR applies (i.e., you are an existing client receiving similar services).

Legal basis: Consent or legitimate interests.

E. To comply with the law

Including taxation, accounting, and data protection obligations.

Legal basis: Legal obligation.

4. AI Processing

Your survey and assessment data may be processed using AI tools to support:

  • Response aggregation

  • Theme identification

  • Pattern and sentiment analysis

AI does not make decisions about you or your organisation.

All outputs are reviewed, interpreted, and moderated by a human consultant.

No personally identifiable information is used for AI model training.

5. Data Sharing

We share data only with trusted processors necessary to deliver our services, including:

  • Squarespace (website hosting and analytics)

  • Tally (survey platform)

  • Google Workspace / Microsoft / Apple iCloud (email and file preparation / storage)

  • Intuit QuickBooks (invoicing and payment processing)

  • OpenAI / Anthropic (AI-assisted analysis)

Each processor is contractually bound to comply with UK GDPR.

We do not sell or rent your personal data.

6. International Transfers

Some processors (e.g., Squarespace, OpenAI, Google) store data outside the UK.

All transfers are protected by:

  • UK International Data Transfer Agreements (IDTA)

  • Standard Contractual Clauses (SCCs)

  • UK Addendum to SCCs

  • Additional technical and organisational measures

7. Data Retention

We retain data only as long as necessary:

  • Client records: 6 years after final engagement (legal obligation)

  • Organisational survey data: 24 months (to support follow-up analysis)

  • Email enquiries: 48 months

  • Mailing list details: Until you unsubscribe

  • Technical & analytics data: Up to 26 months (per analytics provider settings)

  • Contract & billing records: 6 years

You can request deletion at any time where the law permits.

We retain identifiable survey data only for as long as necessary to deliver organisational insights, conduct follow-up analysis, and meet our contractual obligations. This period is normally 24 months, after which the data is anonymised or pseudonymised so that individuals and small groups cannot be identified. Once anonymised, survey response data may be retained indefinitely and used to:

  • improve the Impact Congruence Framework,

  • enhance our diagnostic tools,

  • train and evaluate algorithms and AI systems used to support analysis,

  • build historical benchmarks and comparative datasets.

Anonymised data contains no personal identifiers and cannot be linked to any individual respondent or organisation.

8. Your Rights

Under UK GDPR you have the right to:

  • Access your data

  • Rectify inaccurate data

  • Erase data (where lawful)

  • Restrict processing

  • Object to processing

  • Withdraw consent

  • Receive data portability (where applicable)

  • Lodge a complaint with the ICO

Contact: hello@thomasjepsonlay.com

9. Security

We use appropriate technical and organisational measures including:

  • encrypted cloud storage

  • access controls

  • device-level security

  • secure transfer protocols

  • MFA on all accounts

  • privacy-by-design for survey tools

10. Data Breach Policy

If a data breach occurs, we will:

  1. Investigate immediately

  2. Assess risk to individuals

  3. Report to the ICO within 72 hours if required

  4. Notify affected individuals where significant risk exists

11. Updates

This policy may be updated periodically. The most recent version is always available on our website.