Privacy Policy

Windlark Ltd (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website and services, and sets out your rights under applicable data protection law, including the UK and EU General Data Protection Regulation (UK/EU GDPR).

This website is not intended for children under the age of 18, and we do not knowingly collect data relating to children.

Please read this policy carefully. It supplements any other privacy or fair-processing notices we may provide and is not intended to override them.

Windlark Ltd is the data controller responsible for your personal data. We have appointed a Data Privacy Manager to oversee questions relating to this policy.

If you have any questions about this Privacy Policy, wish to exercise your legal rights, or have concerns about how we handle your data, please contact us:

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please contact us in the first instance.

We keep this Privacy Policy under regular review and may update it from time to time. Please check back regularly. It is important that the personal data we hold about you is accurate and current — please keep us informed of any changes.

Personal data means any information from which you can be identified. We may collect, use, store and transfer the following categories of personal data:

• Identity Data: first name, last name, title.
• Contact Data: email address, telephone numbers, billing and delivery addresses.
• Organisation Data: company name, job title, business contact details.
• Financial Data: bank account and payment card details.
• Transaction Data: details of payments made and services purchased.
• Technical Data: IP address, browser type and version, login data, time zone, device data.
• Profile Data: username, password, account preferences, survey responses.
• Usage Data: information about how you use our website and services.
• Participant Data: names, job roles, survey and assessment responses, feedback, and session interaction details from training programmes.
• Marketing and Communications Data: your preferences for receiving marketing from us.

We also collect and use Aggregated Data (e.g. statistical or demographic data) for analytical purposes. This is not personal data as it does not identify you individually. We do not collect any Special Categories of Personal Data (such as data about race, health, religion, or sexual orientation) unless you voluntarily provide it to us in specific circumstances, and we do not collect data about criminal convictions.

We collect personal data through:

• Direct interactions: when you fill in forms, contact us by email, phone or post, subscribe to our services, request marketing, complete surveys, or make payments.
• Automated technologies: as you interact with our website, we automatically collect Technical and Usage Data via cookies, server logs, and similar technologies. Please see Section 11 (Cookies) for more details.
• Third parties and public sources: including analytics providers (e.g. Google), payment and delivery service providers, data brokers, and publicly available sources such as Companies House and the Electoral Register.

We will only use your personal data where the law permits. The legal bases we rely on include:

• Performance of a contract: to deliver services you have requested or to take steps before entering into a contract with you.
• Legitimate interests: for business development, improving our services, analytics, and insurance purposes, provided these are not overridden by your rights and interests.
• Legal obligation: to comply with applicable law, regulation, tax, or reporting requirements.
• Consent: for direct marketing communications and any other processing specifically requiring your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We may use your personal data for: delivering our products and services; internal record-keeping; improving our website and service offering; sending marketing communications (where permitted); market research; fraud prevention; and complying with legal obligations.

We will not use your personal data for a purpose incompatible with the purpose for which it was collected without notifying you and, where required, seeking your consent.

We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what products, services, or offers may be of interest to you. You will receive marketing communications from us if you have requested information or purchased services from us and have not opted out.

We will obtain your express opt-in consent before sharing your data with any third party for marketing purposes (should there be any). You can ask us (or third parties) to stop sending marketing communications at any time by following the unsubscribe link in any marketing message or by contacting us directly. Opting out of marketing will not affect data processed in connection with a purchase or service.

We may share your personal data with:

• Group companies and affiliates, for administration purposes.
• Employees, agents, and professional advisers (lawyers, accountants, insurers).
• Third-party service providers who process data on our behalf (including IT support, cloud hosting, payment processors, video platforms, CRM and analytics providers, and marketing agencies).
• Relevant authorities, regulators, or law enforcement agencies where required by law.
• Prospective purchasers in the event of a business sale or merger, subject to appropriate confidentiality protections.

All third-party processors are bound by contract to keep your data secure and to process it only on our instructions and for specified purposes. We do not permit them to use your data for their own purposes.

Your personal data is processed and stored primarily in the UK or European Economic Area (EEA). Where we transfer data to countries outside the UK or EEA, we ensure an equivalent level of protection by using one or more of the following safeguards:

• Transfers to countries recognised by the European Commission as providing adequate data protection.
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Other appropriate contractual or legal mechanisms as required.

We regularly review our international transfer mechanisms to ensure ongoing compliance. Please contact us if you would like further information on the specific safeguards in place.

We have implemented appropriate technical and organisational measures to protect your personal data from accidental loss, unauthorised access, alteration, or disclosure. These include encrypted storage and data transmission, access controls, unique login credentials, SSL/TLS encryption for payments, and procedures for handling suspected data breaches.

Access to your personal data is restricted to employees, agents, and contractors who have a legitimate business need to access it, and they are subject to a duty of confidentiality.

Where you have been given (or chosen) a password to access part of our site, you are responsible for keeping it confidential and must not share it with anyone.

Whilst we take all reasonable steps to protect your data, transmission of information via the internet is inherently at your own risk. We will notify you and the relevant regulator of any data breach where we are legally required to do so.

We retain your personal data only for as long as reasonably necessary to fulfil the purposes for which it was collected, including to meet any legal, regulatory, tax, accounting, or reporting requirements. We will also retain data where we reasonably anticipate a complaint or litigation.

The table below summarises our standard retention periods by data type:

We may anonymise personal data for research or statistical purposes, in which case it may be retained indefinitely without further notice. If you would like details of the retention period applicable to your data, please contact us.

Our website uses cookies — small text files placed on your device — to improve your experience and help us analyse site usage. We use the following types of cookies:

Before placing non-essential cookies on your device, we will request your consent. You can adjust your cookie preferences at any time by changing your browser settings, or by using the cookie consent tool on our site. Please note that disabling certain cookies may affect the functionality of the website. For more information, please see our separate Cookie Policy.

Under data protection law, you have the following rights in relation to your personal data:

• Right of access: to request a copy of the personal data we hold about you.
• Right to rectification: to have inaccurate or incomplete data corrected.
• Right to erasure: to ask us to delete your personal data where there is no good reason for us to continue processing it.
• Right to restrict processing: to ask us to suspend processing of your data in certain circumstances.
• Right to data portability: to receive your data in a structured, machine-readable format and transfer it to another controller (where applicable).
• Right to object: to object to processing based on legitimate interests, or to direct marketing at any time.
• Right to withdraw consent: where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

You will not usually be charged for exercising your rights. We may charge a reasonable fee or refuse a request that is manifestly unfounded, repetitive, or excessive. We will respond to legitimate requests within one month (or notify you if we need longer).

To exercise any of the above rights, please contact our Data Privacy Manager at nick@windlark.co.uk. We may need to verify your identity before processing your request.

Our website may contain links to third-party websites, plug-ins, and applications. We have no control over those sites and are not responsible for their content or privacy practices. We encourage you to read the privacy policy of every website you visit when you leave ours.

You may not transfer any of your rights under this Privacy Policy to another person. We may transfer our rights where we reasonably believe your rights will not be affected, and we will notify you in writing if this occurs.

If any provision of this Privacy Policy is found to be invalid or unenforceable, it will be amended to the minimum extent necessary, and the remaining provisions will continue in full force.

No delay or omission by either party in exercising any right will constitute a waiver of that right.

This Privacy Policy and any disputes arising from it are governed by the law of England and Wales. All disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.