Privacy Policy
Last updated: 1 April 2025
1. INTRODUCTION
This privacy notice provides you with details of how we collect and process your personal data through your use of our sites www.carolynspring.com and traumarecoverycommunity.com.
By providing us with your data, you warrant to us that you are over 13 years of age.
Carolyn Spring Ltd is the data controller and we are responsible for your personal data (referred to as ‘we’, ‘us’ or ‘our’ in this privacy notice).
Contact Details
Our full details are:
Full name of legal entity: Carolyn Spring Ltd
Company registration: Registered in England, company number 11109933
Email address: info@carolynspring.com
Postal and registered address: Lytchett House, 13 Freeland Park, Wareham Road, POOLE, Dorset, BH16 6FA
Data Protection Officer (DPO): Carolyn Spring
Email: info@carolynspring.com
This privacy policy is compliant with the UK General Data Protection Regulation (‘UK GDPR’) as implemented in UK law following Brexit, and the Data Protection Act 2018 as amended.
It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at info@carolynspring.com.
2. WHAT DATA DO WE COLLECT ABOUT YOU, FOR WHAT PURPOSE AND ON WHAT GROUNDS WE PROCESS IT
Personal data means any information capable of identifying an individual. It does not include anonymised data.
We may process the following categories of personal data about you:
- Communication Data that includes any communication that you send to us whether that be through the contact form on our website, through email, text, social media messaging, social media posting or any other communication that you send us. We process this data for the purposes of communicating with you, for record keeping and for the establishment, pursuance or defence of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.
- Customer Data that includes data relating to any purchases of goods and/or services such as your name, title, billing address, delivery address, email address, phone number, contact details, purchase details and your card details. We process this data to supply the goods and/or services you have purchased and to keep records of such transactions. Our lawful ground for this processing is the performance of a contract between you and us and/or taking steps at your request to enter into such a contract.
- User Data that includes data about how you use our website and any online services together with any data that you post for publication on our website or through other online services. We process this data to operate our website and ensure relevant content is provided to you, to ensure the security of our website, to maintain back-ups of our website and/or databases and to enable publication and administration of our website, other online services and business. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business.
- Technical Data that includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website. The source of this data is from our analytics tracking system. We process this data to analyse your use of our website and other online services, to administer and protect our business and website, to deliver relevant website content and advertisements to you and to understand the effectiveness of our advertising. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business and to grow our business and to decide our marketing strategy.
- Marketing Data that includes data about your preferences in receiving marketing from us and our third parties and your communication preferences. We process this data to enable you to partake in our promotions, to deliver relevant website content and advertisements to you and measure or understand the effectiveness of this advertising. Our lawful ground for this processing is our legitimate interests which in this case are to study how customers use our products/services, to develop them, to grow our business and to decide our marketing strategy.
- Training and Consultation Data that includes personal information you may share during training sessions, workshops, consultations, or similar interactions, whether delivered in-person or virtually. This may include personal experiences, case details, professional challenges, or other information you choose to disclose during these sessions. We process this data for the purposes of delivering our services to you, creating recordings and summaries (with your consent), internal learning and development, and improving our services. Our lawful ground for processing is the performance of our contract with you, your explicit consent for recordings, and/or our legitimate interests to improve our services and provide training to our staff.
We may use Customer Data, User Data, Technical Data and Marketing Data to deliver relevant website content and advertisements to you (including Facebook adverts or other display advertisements) and to measure or understand the effectiveness of the advertising we serve you. Our lawful ground for this processing is legitimate interests which is to grow our business. We may also use such data to send other marketing communications to you. Our lawful ground for this processing is either consent or legitimate interests (namely to grow our business).
Where we rely on legitimate interests as a lawful basis for processing, we have conducted Legitimate Interest Assessments to ensure our interests are balanced against your rights and freedoms.
Automated Decision Making and Profiling: We do not currently carry out automated decision-making or profiling. Automated decision-making refers to decisions made about you by technological means without human intervention that have legal or similarly significant effects. Profiling involves using your personal data to evaluate certain personal aspects, particularly to analyse or predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
Should our practices change in the future, we will update this policy including with clear information about your rights in relation to such processing, including the right to object to profiling and the right to contest automated decisions.
Records of Processing: In accordance with Article 30 of the UK GDPR, we maintain comprehensive records of our data processing activities, including categories of personal data processed, purposes of processing, data retention periods, and security measures implemented. These records are available to regulatory authorities upon request.
Sensitive Data: We do not collect any Sensitive Data about you. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.
Where we are required to collect personal data by law, or under the terms of the contract between us, and you do not provide us with that data when requested, we may not be able to perform the contract (for example, to deliver goods or services to you). If you don’t provide us with the requested data, we may have to cancel a product or service you have ordered but if we do, we will notify you at the time.
We will only use your personal data for a purpose it was collected for or a reasonably compatible purpose if necessary.
We may process your personal data without your knowledge or consent where this is required or permitted by law.
3. HOW WE COLLECT YOUR PERSONAL DATA
We may collect data about you through various channels:
- Direct provision of data by you through our website forms, email communications, or when you send us correspondence
- In-person meetings, video conferences (e.g., Zoom calls), telephone conversations, or other direct interactions where you share personal information with us
- Automatic collection through your use of our website via cookies and similar technologies (please see our cookie policy for more details at www.carolynspring.com/cookies)
- Third parties such as analytics providers (e.g., Google), advertising networks (e.g., Facebook), search information providers, payment processors, and other technical service providers, some of which may be based outside the UK and/or the EU
4. MARKETING COMMUNICATIONS
Our lawful ground for processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).
Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.
Before we share your personal data with any third party for their own marketing purposes we will get your express consent.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by emailing us at info@carolynspring.com at any time.
If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, warranty registrations etc.
5. DISCLOSURES OF YOUR PERSONAL DATA
We may have to share your personal data with the parties set out below:
- Service providers who provide IT and system administration services.
- Professional advisers including lawyers, bankers, auditors and insurers.
- Government bodies that require us to report processing activities.
- Third parties to whom we sell, transfer, or merge parts of our business or our assets.
We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
6. INTERNATIONAL TRANSFERS
Where you are within the United Kingdom:
We are subject to the provisions of the UK General Data Protection Regulations that protect your personal data. When we transfer your data to third parties outside of the UK, we will ensure appropriate safeguards are in place:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection by the UK government
- Where we use certain service providers based outside the UK, we may use specific contracts approved by the UK government known as International Data Transfer Agreements (IDTAs) or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
- For transfers to the US, we only use providers certified under the UK Extension to the EU-US Data Privacy Framework (DPF) or equivalent approved mechanisms
We maintain a register of all international data transfers and regularly review the safeguards in place.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
Where you are within the EEA:
We are subject to the provisions of the EU General Data Protection Regulations that protect your personal data. Where we transfer your data to third parties outside of the EEA, we will ensure that certain safeguards are in place to ensure a similar degree of security for your personal data. As such:
- We may transfer your personal data to countries that the European Commission has approved as providing an adequate level of protection for personal data; or
- If we use US-based providers that are part of an EU approved privacy framework, we may transfer data to them, as they have equivalent safeguards in place; or
- Where we use certain service providers who are established outside of the EEA, we may use specific contracts or codes of conduct or certification mechanisms approved by EU regulators which give personal data the same protection it has in the EEA.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
7. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. These measures include:
- Encryption of personal data where appropriate
- Regular security assessments of our systems and providers
- Staff training and confidentiality agreements
- Access controls and authentication protocols
- Regular backups and disaster recovery protocols
- Incident response procedures
We also allow access to your personal data only to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they must keep it confidential.
We regularly test, assess and evaluate the effectiveness of our security measures.
We have procedures in place to deal with any suspected personal data breach and will notify you and the Information Commissioner’s Office (ICO) of a breach where we are legally required to do so, within the timeframes specified by the UK GDPR.
8. DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We have established a data retention policy that sets out retention periods for different categories of data in respect of relevant purposes. The criteria used to determine these retention periods include:
- The nature and sensitivity of the personal data
- The potential risk of harm from unauthorised use or disclosure
- The purposes for which we process the data and whether we can achieve those purposes through other means
- Legal, regulatory, or contractual requirements to retain data for certain periods
- Industry guidelines
We regularly review our retention periods to ensure they remain appropriate and compliant with current regulations.
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9. YOUR LEGAL RIGHTS
Under the UK GDPR, you have the following rights in relation to your personal data:
- The right to be informed about how we use your personal data (the purpose of this privacy notice)
- The right of access to the personal data we hold about you
- The right to rectification – to have inaccurate or incomplete personal data corrected
- The right to erasure (also known as the ‘right to be forgotten’) – to have your personal data deleted in certain circumstances
- The right to restrict processing – to request the temporary suspension of processing of your data
- The right to data portability – to request your data in a structured, commonly used, machine-readable format for transfer to another controller
- The right to object to processing – particularly processing based on legitimate interests or for direct marketing
- Rights related to automated decision making and profiling – though we do not currently engage in automated decision-making or profiling
To exercise any of these rights, please email us at info@carolynspring.com. We will respond to all legitimate requests within one month. This period may be extended by up to two further months where necessary, taking into account the complexity and number of requests.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
If you are within the UK and are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.
If you are within the EU and are not happy with any aspect of how we collect and use your data, you have the right to complain to the data protection authority of the country in which you are based. We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.
10. THIRD-PARTY LINKS
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
11. COOKIES
Our website uses cookies to distinguish you from other users of our website. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree.
We use explicit cookie consent mechanisms that allow you to make clear and informed choices about the cookies we use. Upon your first visit to our website, you will be presented with a comprehensive cookie banner that:
- Categorises cookies by purpose (strictly necessary, performance, functionality, targeting)
- Allows you to selectively consent to non-essential cookies
- Provides information about each cookie’s purpose, duration, and the third parties who may access the information collected
Strictly necessary cookies do not require consent as they are essential for the website to function. For all other cookie types, we will only set them if you have given your explicit consent.
You can manage your cookie preferences at any time by clicking on ‘Cookie Settings’ in the website footer. You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. In particular, the ‘completion certificate’ on our online courses will not work unless strictly necessary cookies are enabled and neither will the checkout and payment process.
For more detailed information about the cookies we use, please see www.carolynspring.com/cookies.
12. USE OF ARTIFICIAL INTELLIGENCE SERVICES
12.1 We may use artificial intelligence (AI) and machine learning technologies to process your personal data for specific purposes including:
- Customer service automation
- Content personalisation
- Website and service optimisation
- Data analysis and insights generation
- Creating summaries of consultation or training sessions for learning and development purposes
12.2 When using AI services, we implement the following safeguards:
- We only engage AI service providers who are compliant with UK data protection laws
- We conduct data protection impact assessments before implementing new AI technologies
- We maintain human oversight of all AI-driven decisions that may affect you
- We regularly audit AI systems to ensure they process data in accordance with our instructions
12.3 We explicitly prohibit the use of your personal data for training, developing, or improving AI models beyond the specific purposes outlined in this policy. Our contracts with AI service providers include:
- Explicit prohibitions against using your data to train their general AI models
- Requirements to delete your data after processing for the specified purpose
- Obligations to implement technical measures preventing data retention or repurposing
- Regular compliance audits and certifications
12.4 In addition to your other data protection rights, you have specific rights regarding AI processing of your data:
- The right to know when your data is being processed by AI systems
- The right to object to AI processing of your personal data
- The right to human intervention in any significant decision made by an AI system
- The right to an explanation of how an AI-driven decision affecting you was reached
12.5 We are committed to transparency in our AI usage. Upon request, we will provide:
- Information about which of your data is processed by AI systems
- The purposes and legal basis for AI processing
- The safeguards in place to protect your data
- The source of any AI technologies used to process your data
13. DATA PROTECTION IMPACT ASSESSMENTS
Where our processing activities are likely to result in a high risk to your rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) in accordance with UK GDPR requirements. These assessments help us identify and minimise data protection risks.
We conduct DPIAs in scenarios including, but not limited to:
- Implementation of new technologies, including AI systems
- Systematic monitoring of individuals on a large scale
- Processing special category data on a large scale
- Profiling activities that have significant effects on individuals
14. CONSULTATION RECORDINGS AND MEETING SUMMARIES
14.1 With your explicit consent, we may record consultation sessions conducted via video conferencing platforms or in-person meetings. These recordings are:
- Created for the purpose of providing you with a record of the consultation
- Created for our internal learning and development purposes
- Stored securely with appropriate technical and organizational measures
- Shared only with individuals who participated in the consultation unless otherwise agreed
14.2 Recordings may be stored and shared through:
- Password-protected cloud storage services (such as Google Drive)
- Private, password-protected video hosting platforms (such as Vimeo)
- Other secure file transfer methods
Access to these recordings is restricted by password protection and/or limited sharing permissions.
14.3 We may use AI technology to create summaries of consultation meetings. In such cases:
- The AI processing is subject to the safeguards outlined in Section 12 of this policy
- Summaries may be used for our internal purposes including quality assurance, learning and development, and service improvement
- Summaries may be provided to individuals who participated in the consultation
- Original recordings or transcripts used to generate summaries are subject to our data retention policies
- We maintain human oversight of all AI-generated summaries before they are shared
14.4 We maintain a specific retention schedule for consultation recordings and summaries, which we review regularly to ensure compliance with data protection principles.