Privacy Policy
Document ref. BCL-PP-001 v2.0
Who we are
BrightOak Consultancy Limited is a limited company incorporated in England and Wales (Company Number 07247910), with our registered office at 84 Lodge Road, Southampton, England, SO14 6RG.
Our website address is https://www.brightoak.uk
BrightOak is the data controller for personal data collected through this website and in connection with our training, consultancy and coaching services. We are registered with the Information Commissioner’s Office (ICO Registration ZA904053).
Any questions about this policy or how we handle your personal data should be directed to Adam Poppleton, Managing Director, at office@brightoak.uk.
What Information Do We Collect?
We do not collect information that we do not need or that a reasonable person would consider excessive, inappropriate or unethical.
Technical Information
When you visit our website, our hosting infrastructure automatically collects certain technical information, including:
- your IP address and approximate geographic location (country/region level);
- the type and version of browser you are using;
- the operating system and device type you are using;
- the pages you visit on our site and the time and date of your visit;
- the web page that referred you to our site (the ‘referring URL’);
- the duration of your visit and the pages you navigated to.
This information is collected automatically by our hosting provider (WP Engine) and website analytics tools. It is used in aggregate form to help us understand how our website is used and to improve it. It is not used to identify you personally.
Information About Your Visit To This Website
We use Google Analytics to collect anonymised information about how visitors use our website. Google Analytics uses cookies to collect data such as the number of visitors, the pages most visited, and how visitors move through the site. This information is processed by Google and shared with us only in aggregated, anonymised form. We do not use Google Analytics in a way that allows us to identify individual visitors.
For more information about how Google uses data collected via our website, see: https://policies.google.com/privacy
Information About You
We collect personal information about you when you:
- complete our ‘Get In Touch’ contact form (name, phone number, email address, message content);
- complete our ‘Book A Meeting’ form (name, company, phone number, email address, course interest, message);
- complete a course interest or enquiry form (name, company, phone number, email address, course details, preferred delivery format, number of delegates, timescale);
- book or register for a training course (name, job title, organisation, email address, dietary requirements, accessibility needs, any relevant pre-requisite certification details);
- correspond with us by email or telephone in connection with our services;
- engage us for consultancy, advisory or coaching services (name, job title, organisation, contact details, and any information you share in connection with the engagement).
Where you provide information about other individuals (for example, when booking training for delegates within your organisation), you are responsible for ensuring you have the right to share that information with us and that those individuals have been informed about how their data will be used.
How Do We Collect Information?
Cookies
Our website uses cookies — small text files stored on your device — to enable certain functionality and to help us understand how our site is used.
We use the following types of cookies:
- Strictly necessary cookies: required for the website to function (e.g. session management, security). These cannot be disabled.
- Analytics cookies: used by Google Analytics to collect anonymised usage data. You can opt out of these via our cookie banner or by installing the Google Analytics opt-out browser add-on.
- Functional cookies: set if you leave a comment or log in to the site, to remember your preferences. These persist for up to two weeks (login) or one year (preferences).
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the website.
"Get In Touch" Form
Our ‘Get In Touch’ contact form collects your name, phone number, email address and the content of your message. This information is transmitted to us by email and stored in our contact management system (HubSpot). We use it solely to respond to your enquiry and, where appropriate, to follow up on services you have expressed interest in.
"Book A Meeting" Form
Our ‘Book A Meeting’ feature is provided by Microsoft Bookings (via Microsoft 365). When you use this feature, your name and email address are shared with Microsoft Bookings to facilitate the scheduling of your meeting. Microsoft’s privacy policy applies to this processing: https://privacy.microsoft.com/en-gb/privacystatement
Embedded Content From Other Websites
Pages on this site may include embedded content (such as videos, maps or social media feeds). Embedded content from other websites behaves in the same way as if you had visited those websites directly, and those websites may collect data about you, use cookies, and monitor your interaction with that embedded content. We have no control over this processing and recommend you review the privacy policies of those third-party sites.
What Do We Do With Your Information?
Purposes of Processing
We use the personal information we collect for the following purposes:
- To respond to your enquiries and communicate with you about our services;
- To process and administer training course bookings, including registering delegates with accreditation bodies (such as PeopleCert) as required;
- To deliver training, consultancy, coaching and advisory services you have engaged us to provide;
- To send you joining instructions, course materials and post-course communications;
- To issue invoices and manage payments;
- To understand how our website is used and to improve it;
- To comply with our legal obligations (including accreditation body requirements and financial record-keeping);
- To send you occasional information about our services and upcoming courses where you have consented to receive such communications or where we have a legitimate interest in doing so.
Lawful Basis For Collecting Your Information
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. The lawful bases we rely on are:
- Contractual necessity: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract — for example, processing a course booking or delivering a consultancy engagement;
- Legal obligation: where we are required to process your data to comply with a legal obligation — for example, financial record-keeping requirements or accreditation body requirements;
- Legitimate interests: where processing is necessary for our legitimate business interests and these are not overridden by your interests or rights — for example, responding to enquiries, improving our website, and communicating with past clients about relevant new services;
- Consent: where you have given us clear consent to process your data for a specific purpose — for example, subscribing to our mailing list or accepting analytics cookies.
Where Is Your Data Stored?
Your personal data is stored and processed within the United Kingdom and the European Economic Area (EEA). Specifically:
- Website data and forms: hosted on WP Engine servers located in the UK/EEA;
- Contact and CRM data: stored in HubSpot (US-based, operating under the EU-US Data Privacy Framework with appropriate safeguards);
- Meeting scheduling: processed by Microsoft 365/Bookings (operating under Microsoft’s standard contractual clauses);
- Email communications: stored in Microsoft 365 (UK data residency).
Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.
How Long Do We Keep The Information?
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
- Enquiry and contact form data: up to 2 years from last contact, unless you become a client;
- Training booking and delegate data: 7 years from the date of the course (to meet financial and accreditation record-keeping requirements);
- Consultancy and coaching engagement records: 7 years from the end of the engagement;
- Financial records (invoices, payments): 7 years from the relevant financial year end (as required by HMRC);
- Website analytics data: aggregated data retained indefinitely; individual session data retained in line with Google Analytics default settings (26 months).
Who Do We Share Your Information With?
We do not sell your personal data to any third party. We may share your data with:
- Accreditation bodies (such as PeopleCert, EXIN, DevOps Institute): where required to register you for examinations or certifications in connection with a course you have booked;
- Our technology providers: HubSpot (CRM), Microsoft 365 (email and scheduling), WP Engine (hosting) — all engaged under appropriate data processing agreements;
- Associates and freelance trainers: where your data is necessary for them to deliver a course or engagement on our behalf, under appropriate confidentiality obligations;
- Professional advisers: such as our accountant or legal adviser, where necessary and under obligations of confidentiality;
- Regulatory or law enforcement bodies: where we are legally required to do so.
Your Rights
BrightOak adheres fully to the requirements of the UK GDPR. Under the UK GDPR, you have the following rights in relation to your personal data:
Your Right to be Informed
You have the right to be informed about the collection and use of your personal data. This Privacy Policy fulfils that obligation.
Your Right of Access
You have the right to request a copy of the personal data we hold about you (a ‘Subject Access Request’). We will respond within one month of receiving a valid request.
Your Right to Rectification
You have the right to have inaccurate personal data corrected, or incomplete data completed.
Your Right to Erasure
You have the right to request that we delete your personal data (‘the right to be forgotten’). This right may not apply where we are required to retain data for legal or contractual reasons.
Your Right to Restrict Processing
You have the right to ask us to restrict or suppress the processing of your personal data in certain circumstances.
Your Right to Data Portability
You have the right to receive a copy of personal data you have provided to us in a structured, machine-readable format, and to request that we transfer it to another organisation where technically feasible.
Your Right to Object
You have the right to object to the processing of your personal data where we rely on legitimate interests as our lawful basis. You may also object at any time to your data being used for direct marketing purposes.
Rights Related to Automated Decision-Making and Profiling
We do not use automated decision-making processes or profiling that produce legal or similarly significant effects on individuals.
Contacting Us About Your Data
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have any data protection queries or concerns, please contact:
Adam Poppleton, Managing Director
BrightOak Consultancy Limited
84 Lodge Road, Southampton, England, SO14 6RG
Email: office@brightoak.uk
Telephone: +44 (0)330 520 1776
Making a Complaint
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the data protection regulator in the UK:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Web: https://ico.org.uk/for-the-public/
We would, however, welcome the opportunity to resolve any concern you have directly before you contact the ICO. Please get in touch with us first.
Changes to This Privacy Policy
We will update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. The ‘Last updated’ date at the top of this document indicates when it was last revised. Where changes are significant, we will notify affected individuals by email where appropriate. We encourage you to check this page periodically.