Your privacy
is important to us

You can contact Jodie King our General Manager or Joyce Allen our principle Data Protection expert on the details provided below or call our office on the number above and ask to speak to us either of directly.

Jodie King jodie@freevacy.com
Joyce Allen joyce@freevacy.com

Freevacy is committed to upholding the highest standards of training and customer service, including in relation to the collection of personal data. We take any complaints we receive very seriously. If you believe that our collection or use of information is unfair, misleading, or inappropriate, please contact us immediately. 

We also welcome any suggestions for improving our procedures.

This privacy notice does not cover the links we have given you that connect to other websites. We encourage you to read the privacy statements of those other websites.

Freevacy Ltd Privacy Notice v4.0

This notice was last updated in December 2025. 

We review this notice regularly and will post any updates about this website on this page.

Special Category Data needs greater protection. It refers to information you would not want widely known, as it is very personal to you. This includes anything that can reveal your:

• Sexuality and sexual health
• Religious or philosophical beliefs
• Ethnicity
• Physical or mental health
• Trade union membership
• Political opinion
• Genetic/biometric data
• Criminal history

Our Privacy Notice and Cookie Policy take into account several laws, including:

• UK General Data Protection Regulation
• Data Protection Act 2018
• Privacy and Electronic Communications (EC Directive) Regulations 2003

Processing of your personal information is allowed by the laws and regulations detailed above.

At Freevacy, we have a legitimate need to carry out the processing in order to perform a contract with you or because the law requires it. We only use your information for marketing or communications purposes with your consent, which you may remove at any time.

We may need to use some information about you:

• To deliver our services to you
• To continue to offer you customer support
• To investigate any concerns or complaints you may have
• To maintain the quality of services
• To assist with the research and planning of new services
• To keep track of expenses and other service-related costs
• For employee training and HR

There are several legal reasons why we need to collect and use your personal information. Each section of this privacy notice explains which legal reason is being used. Where we collect and use personal information, we do so using one of the following lawful bases:

• You, or your legal representative, have given consent
• You have entered into a contract with us
• It is necessary to protect someone in an emergency
• It is required by law
• It is necessary for employment purposes
• You have made your information publicly available

The law gives you several rights to control what personal information we collect about you and how we use it.

Under the GDPR you have the following legal rights, these are your:

Right to be informed

Freevacy does not usually collect data from any third party or share data with anyone else, without your prior knowledge. An example of this is where your employer has booked you onto a course. Should the occasion arise where we obtained your data from a third party, (such as another training provider), we will notify you as soon as possible or at least within one month, or where we plan to communicate with you, at that first communication. If we were to share that data with someone else, we would tell you, at the latest when that data is shared.

Right to access information we hold on you

You have the right to ask if we hold any personal data relating to you and if that is the case you are entitled to receive a copy of all this information. We are also obligated to inform you about the: [how we collect and process personal data]

• The purposes of the processing
• The sorts of personal data concerned
• Any recipients or types of recipient that your personal data has been or will be disclosed to, including recipients outside the European community
• Where possible, how long your personal data will be stored, or if that is not possible, how to work out how long it will be kept

To request access, you can contact us by letter, electronically or verbally.

Note, before we can release any personal data we hold about to you, you will be required to confirm your identity.

Go to Your personal data for more details about the information we collect and process.

Exempt Data

There are certain situations where the data we hold about you cannot be released. These include any parts of your record which contain:

• Confidential information about other people; or
• If the law believes that giving you the information may stop the prevention or detection of a crime

Right to request a correction

If any of the personal data we hold about you is incorrect, we will correct it as quickly as possible and at least within one month (unless the amount would make it impossible to do so, when we would be entitled to extend the time by up to a further two months).

Note, we will require proof that the information is inaccurate before changing it.

Right to request data is deleted

Where the following apply you may have the right to have any personal data we hold about you erased:

• Freevacy no longer needs your personal data for the purpose it was collected or processed for
• You have withdrawn the consent or explicit consent allowing Freevacy to process your personal data and there is no other legal ground for the processing
• Where you have exercised your ‘right to object’ regarding the processing for direct marketing purposes
• Freevacy had unlawfully processed the data
• The personal data should be erased for compliance with a legal obligation

Right to restrict processing

Where any of the following apply, you have the right to restrict further processing of your personal data:

• You believe the accuracy of the personal data Freevacy holds is inaccurate,
• You believe Freevacy has processed your data unlawfully, but you oppose erasure and requests the restriction of its use instead;
• Where Freevacy no longer needs the personal data, but you require it to be retained for the establishment, exercise or defence of legal claims;
• You have objected to processing regarding public interest or legitimate interests of Freevacy, where the legitimate grounds of the Freevacy do not override your interests.

Right to data portability

Freevacy does not currently have the facilities to provide your personal data in a commonly used and machine-readable format.

Right to object

You have the right to object at any time, to Freevacy processing of your personal data where,

• It relates to direct marketing purposes including any profiling
• Where processing is for scientific or historical research purposes or statistical data.

Rights relating to automated decision making and profiling

You have the right to prevent Freevacy from making any decisions based solely on automated means that could legally affect you, including any profiling.

Should Freevacy ever make a decision relating to you based on automated processing, we ensure that a human review of the decision can be made upon request. We would also supply you with any meaningful information about the logic involved in the decision making as well as the significance and consequences for you of that decision.

How long do we retain personal data

We will maintain a record of your contact details for as long as you remain a customer of Freevacy but will remove your details if requested under your ‘right to erasure’ where consent is the only legal condition enabling us to process it.

Customer or Partner contracted services

If you are a Freevacy customer or partner, we may keep your personal information for the duration of our contract between your organisation and ours. At the end of the contracted term, we typically archive and store details of that contract for an extended period, up to seven years. Other items such as invoices are kept for a period of seven years in accordance with the law.

Research & Analysis

If we use your personal information for research or analysis as part of our core training services, we will always anonymise the data in the first instance.

In situations where you agree that your personal information can be used for external research purposes, it will be pseudonymised to keep any personal details securely and separately from the research data. We take these steps to ensure those carrying out the research may not have access to or be able to uncover your personal information at a later date.

Please refer to the Marketing & Communications section in relation to our use of Web Tracking & Analytics data for marketing purposes.

You also have the right at any time to make a complaint to the Information Commissioners Office if you believe Freevacy has failed in its dealings with you.

Exam Register

Freevacy maintains a record of all delegates exam results including exams dates, to enabled delegates to check their details whenever required.

New applicants

From time to time, we may post vacant positions on our site. When applying to work at Freevacy Ltd, we will only use the information supplied to process the application, if we need to disclose information to a third party, for example, to take up a reference we will not do so without the informed consent of the applicant, unless the law requires the disclosure.

Personal information about unsuccessful candidates will be held for 12 months following the recruitment drive. After which time, it will then be destroyed or deleted. We may retain anonymised statistical information to help future recruitment.

We occasionally partner with reed recruiting to post vacancies online.

For more information about how Reed Online Ltd processes data view their Privacy Notice.

Employees (past & present)

Any person taking up employment with Freevacy Ltd will have an employment file created. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once the employment has ended, we will retain the file in accordance with Employment Law and then delete it.

Processing Salaries

Freevacy uses Intuit QuickBooks to process salaries.

For more information about how QuickBooks processes data view their Privacy Notice.

Who we bank with

Freevacy’s Bank account is currently Santander.

For more information about how Santander processes data, please view their Privacy Notice.

Hotel Accommodation

Freevacy has a Business account with Premier Inn Hotels, Trainers and occasionally other employee’s details may be passed to Premier Inn Hotels to book a hotel room. Premier Inn is a UK based Hotel Group.

For more information about how Premier Inn processes data, please view their Privacy Notice.

Freevacy has completed the Cyber Essentials certification, and has been assessed as adequate against cyber-attack. 

Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves against common cyberattacks. It provides a framework of basic security controls that significantly reduce the risk of falling victim to common online threats. 

Cyber Essentials is mandatory for central government contracts which involve handling personal information and providing certain ICT products and services.

Freevacy uses several IT cloud service providers to process your personal data:

Note: link to privacy notice

We also work with the following IT and marketing third-party suppliers who, through the course of facilitating their services to us, may have access to your personal data:

• Web Development: Rejuvenate Digital Ltd
• IT Services: UK Computing Ltd

Freevacy delivers accredited training courses for the IAPP.

Freevacy has signed a Provider Contract with the IAPP, which allows us to deliver the following IAPP Certified training courses:

• IAPP Certified Information Privacy Professional Europe (CIPP/E)
• IAPP Certified Information Privacy Manager (CIPM)
• IAPP Certified Information Privacy Technologist (CIPT)
• APP Certified Information Privacy Professional Europe (CIPP/US)

Freevacy is not a Data Processor for, nor does it process personal data on behalf of the IAPP.

Our IAPP Accredited Training Provider status does not infringe upon our personal data collection practices. We do not share any of your personal data with the IAPP without your prior consent.

Registering with the IAPP

We share the delegates name, job title and employer name (if applicable), a contact address, telephone number and email address. We also share details of which IAPP training course(s) have been booked.

The IAPP use this information to create a customer portal and send an email to the delegate with their login details. The portal contains the course ebooks and examination vouchers along with the 1st year IAPP membership.

The data shared with the IAPP is sent to the US. For more information about how they process data, please view their privacy notice.

Cisco Webex

We use Cisco's Webex video conferencing cloud-based software to deliver live online training. Because Webex enables online collaboration between the trainer and classroom attendees, your personal data is required to use the service.

For more information about how Cisco processes personal data in the delivery of the Webex service, please refer to Cisco's Privacy Data Sheet for Webex and privacy notice.

PDI Europe Ltd

We partner with PDI Europe Ltd (PDI) and Kortext digital learning solutions to supply electronic and printed course materials to delegates attending a course with us.

Lawful basis for processing: delivery of a contract

When sharing your personal data with PDI and Kortext, we rely on the delivery of a contract as the lawful basis for processing under Article 6 of the UK GDPR. This is because it is only possible to fulfil our obligations to you by sharing your information with our partners in order to supply your course materials. We have taken necessary steps to ensure that only the minimum information is passed to our partners, and these organisations are trusted leaders in their field who take the upmost care to secure your data.

Electronic course materials:

PDI are an authorised reseller of Kortext digital learning solutions.

We share the delegate name, email and course information with PDI—who then create a Kortext account on behalf of the user.

Kortext store personal information and the information in delegate accounts for as long as is necessary to provide the account, and for other legal obligations in relation to the running of your account.

Printed course materials:

We share the delegate name, email, address where the materials are to be sent and course information with PDI.

Privacy and data security information:

For more information about how PDI and Kortext processess personal data in the delivery of the electronic and printed course materials, please refer to their Privacy Notices:

• PDI Europe Ltd's data security and privacy notice document can be downloaded from the policy secion on their about page.
• Kortext privacy notice

Direct email

We maintain a copy of emails received relating to course enquiries, quotations, course bookings and customer service to ensure that we have fully complied with the request. 

Online form

When you submit an enquiry using the online form on our website, we collect the information entered. This includes:

• Your name, company name, contact telephone number, email address, information about the type of training required, and / or any other details relating to the nature of your enquiry

If you have filled out a form on our website, you confirm that you have you have read and accepted the terms in this privacy notice and that you understand what data will be collected and processed as outlined in this policy. 

We maintain a copy of online form submissions relating to course enquiries, quotations, course bookings and customer service to ensure that we have fully complied with the request. 

By submitting a form on our website, you understand we may collect the URLs of any pages viewed or links clicked on our website and connect them to your profile. In response to you filling out a form, if you open or click a link in an email or newsletter we have sent you, that information may also be connected to your profile. This helps us monitor the performance of our website, which in turn enables us to enhance your user experience. 

Book a meeting

We use the cloud-based scheduling platform, Calendly, to simplify appointment booking by allowing Freevacy site visitors, customers and other users to view our availability and schedule meetings.

For more information about how Calendly processes data, view its privacy notice. 

We use the third-party payment provider, Stripe, to facilitate secure online bookings of our training courses and services. By completing the online booking process on the Freevacy website, your payment will be authorised and processed by Stripe.

When booking online, you will be asked by Stripe to provide your contact details and payment information (e.g., your debit or credit card details, and your invoice/billing address, etc.), some of which constitutes personal data.

For more information about how Stripe processes data, view its privacy notice. 

Freevacy Ltd website www.freevacy.com uses a number of third-party services to gather data on our website statistics, which is used to measure the effectiveness of our online services, and also for interest-based advertising. 

None of the services we use tell us who you are. We only ever know who you are if you willingly choose to identify yourself.

Google Analytics

This website uses Google Analytics to collect standard internet log information and details relating to visitor behaviour patterns. We use this anonymous data to identify trends that indicate sections of content to add, improve or remove in order to enhance your user experience. 

Examples of data we collect and measure within Google Analytics include:

• A count of which pages are viewed the most along with the average time users spend on a page
• We measure new versus returning visitor statistics including bounce rates (where a visitor leaves a page before interacting with it) 
• We record the date, time of day and what country/city visitors are from
• We identify the different types of devices (mobile/tablet/desktop) visitors use to access the website 
• We measure page interactions such as when a user clicks on a button to reveal more information or an external link
• We record how far down the page visitors scroll on average before exiting to another page or leaving the site altogether 
• We record how often we receive emails, telephone calls, newsletter signups and contact form submissions
• We record the number of online course bookings and transactions completed through Eventbrite
• We are also interested in how users arrive on our website, for example: whether they reach us from a direct search, through a search engine such as Google or Bing, an email campaign, a partner website like the BCS, or an online advert (see Internet Adverting below for more information)

Freevacy does not use Google Analytics to track or collect any data that personally identifies an individual such as a person’s name, email address or billing information. Nor do we use Google Analytics data with any other service to uncover the identity of visitors to our website. 

To further protect your privacy we have activated IP anonymisation on this website. Even though your IP address is not visible to us in any Google Analytics reports, Google does use them to provide geo-location data. The impact of this change means we have less accurate insight into your location. Also, your IP address would otherwise be stored on Google’s servers. Taking this action means part of your IP address is masked and therefore prevents Google from seeing your IP data.

All data collected by Google Analytics is deleted after 14 months.

For more information about how Google Analytics processes data view their privacy notice.

Prevent your personal data being used by Google Analytics

Google Tag Manager

We use Google Tag Manager to send additional statistical information to Google Analytics such as when visitors complete specific tasks or events on our website.

Google Tag Manager collects no personal data. The technology works by listening for interactions in web browsers, which are transferred to Google Analytics. 

For more information about how Google Analytics processes data view their privacy notice.

We receive information when you visit our website, known as internet log data, even if you have not initiated direct contact with us. This information is separate from the internet log data used by Google Analytics and is recorded as part of regular website operations by our internet facing servers. 

Freevacy does not actively use this internet log data for any statistical analysis or research. However, it could be required for security purposes or if we have to conduct information audit.

The information our internet log records include:

• your IP address, browser type, operating system, device type and mobile carrier
• referring web page, along with any pages visited on our website
• your location, search terms, and cookie information

In accordance with the GDPR compliance guidelines from the Internet Engineering Task Force (IETF), dated 22^nd April 2018, our internet facing servers are configured to:

• Store entire IP addresses only for as long as is necessary to provide the specific service requested by the user
• We also anonymise IP addresses when logging and only retain logs for a maximum of 3 days
• We do not store unnecessary identifiers including source port number, time stamps, transport protocol numbers or destination port number
• Access to our Internet logs is restricted to authorised personnel only
• Our logs are maintained on a secure server

Freevacy only ever conducts ethical and transparent digital advertising practices.

Key points about our advertising practices:

• We only place contextual ads. By this, we mean targeting specific keywords or subjects on search engines and third-party websites, a practice that requires no personal information.
• We never show ads to visitors who have been to our website by placing advertising cookies on their devices.
• None of the advertising services we use tell us who you are.
• We only ever know who you are if you willingly choose to identify yourself by making direct contact.

If you use any of services below, their privacy policy may allow them to connect the fact that you have been to our website and the pages you have viewed with your profile. Your anonymous browsing behaviour may, in turn, be shared by the following partners as outlined in their privacy policies. Freevacy Ltd does not share any personal information with these vendors.

• Google: Google's privacy notice (Google Ads, Doubleclick & Google's display ads).
• LinkedIn: LinkedIn’s privacy notice (LinkedIn Ads).
• Twitter: X's privacy notice (X ads).
• Bing: Microsoft’s privacy policy (Bing Ads).
• Facebook: Facebook’s privacy notice (Facebook Ads).

If you receive any of our email communications, we keep a record of your personal information to maintain your subscription.

Our email communications include:

• Periodic Training Announcements to existing and prospective customers
• A curated weekly newsletter containing a roundup of the latest industry news

Privacy Newsfeed

Once a week we deliver a roundup of latest GDPR, Privacy, Cybersecurity, and FOI industry news.

We use a web form consent process to subscribe to this service and we always offer a simple method for you to wthdraw consent by clicking on the unsubscribe link or by contacting us directly.

Training Announcements

Training Announcements are emailed every 4 to 6 weeks providing information about our products, promotions, campaigns and other news.

We use a web form consent process to subscribe to this service or a Soft-Opt-in exemption, which allows us to send details of our training courses and related services to existing customers and people who have expressed an interest in our service offering. You can to wthdraw consent from our marketing communications by clicking on the unsubscribe link or by contacting us directly.

Opting out of future email communications (Suppression lists)

Freevacy maintains two separate suppression lists for customers who ask us to stop sending email them communications. If you require us to remove all details of you from our systems, we will do so. However, we recommend you allow us to maintain a record of you within the relevant suppression list(s) as this will prevent you from being accidentally added to an email list anytime in the future.

Mailjet

Freevacy uses Mailjet to deliver our email communications.

The emails we send through Mailjet contain a tracking code, which is stored in a database for future analysis. This enables us to monitor when emails are delivered, opened and whether any links are clicked. We use this information to improve future email engagement by supplying recipients with more relevant content.

For more information about how Mailjet processes data view their privacy notice.

Any communication, engagement and actions taken through external social media platforms (such as Twitter or LinkedIn) are subject to the terms of service and privacy policies held by each social media platform respectively.

Users are advised to use social media wisely and only communicate or engage on posts and comments published by Freevacy, or via direct communication, with due care and caution regarding their own privacy and personal information. 

Freevacy may use social sharing buttons, which help share web content directly from pages on this website to social media platforms. Users are advised before using social sharing buttons that the social media platform may track and save your action through your social media platform account.

• LinkedIn: Read LinkedIn’s privacy notice here.
• X: Read X’s privacy notice here.
• Facebook: Read Facebook’s privacy notice here

To collect and manage customer reviews, we use Reviews.io. You can view the comments our customers have to say about our training services on Freevacy's account on www.reviews.co.uk or via this website. 

We have also incorporated the customer reviews we receive on Google into our Reviews.io account. This enables us to respond to feedback using a single platform while ensuring prospective customers can easily find out about the experiences of others from one location. 

If you publish a review about Freevacy, we may choose to share that review across social media, via an integrated feature linking our reviews.io account directly with our Twitter profile. 

For more information about how Reviews.io processes data, view their privacy notice.