Data Protection Policy

1. Introduction 

Bold Moves Coaching Ltd collects and processes personal data relating to clients, associates, and suppliers as part of our business activities. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 
 
The purpose of this policy is to set out how we handle personal data to ensure it is processed lawfully, fairly, and securely. 
 
Data Protection Lead: 
Liz Boswell, Managing Director 
Email: liz@boldmovescoach.co.uk 

​

2. Key Principles 

We are a Data Controller. All personal data we process must follow the UK GDPR principles: 
- Processed lawfully, fairly, and transparently. 
- Collected for specified, explicit, and legitimate purposes. 
- Adequate, relevant, and limited to what is necessary. 
- Accurate and kept up to date. 
- Not kept longer than necessary. 
- Kept secure and confidential. 

​

3. Lawful Basis for Processing 

We will only process personal data where a lawful basis applies, including: 
- Consent of the data subject. 
- Contract performance (e.g. delivering coaching services). 
- Compliance with legal obligations (e.g. HMRC). 
- Legitimate interests (e.g. client communications, business operations). 

 

4. Privacy Notices 

We issue clear privacy notices explaining why data is collected, how it is used, retention periods, and the rights of data subjects. Notices are available on our website and provided to clients/associates. 

 

5. Data Security 

We use technical and organisational measures to protect personal data, including: 
- Secure cloud storage (Microsoft OneDrive, Dubsado CRM) with encryption and two-factor authentication. 
- Password-protected files and devices. 
- Limited access to personal data (restricted to the Managing Director and authorised associates). 
- Confidentiality agreements with all associates/contractors. 
- Secure disposal of paper records and permanent deletion of digital files when no longer required. 

 

6. Data Retention 

- Client records and contracts: retained for 7 years (legal/insurance purposes). 
- Financial data: retained for 7 years (HMRC). 
- Enquiries: retained up to 12 months unless consent is given for ongoing marketing. 
- Training/workshop records: anonymised where possible and retained up to 2 years. 
Data is securely deleted or anonymised once retention periods expire. 

 

7. Data Subject Rights 

Individuals have the right to: 
- Access their personal data. 
- Request correction or deletion. 
- Object to processing or restrict it. 
- Withdraw consent (where consent is the basis). 
- Be informed of a breach affecting their data. 
 
All requests will be acknowledged within statutory timescales. 

 

8. Data Breaches 

Any personal data breach will be reported immediately to the Data Protection Lead. Where required, the ICO and affected individuals will be notified within 72 hours. 

 

9. International Transfers 

Bold Moves Coaching Ltd does not routinely transfer data outside the UK. Where third-party providers (e.g. Dubsado, SurveyMonkey) host data outside the UK/EU, transfers are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs). 

 

10. Training & Awareness 

All associates and contractors working with Bold Moves Coaching Ltd are required to read and comply with this policy. GDPR compliance is reviewed annually. 

 

11. Review 

This policy was last updated on 1st August 2025.