Privacy Notice

 

Last updated: 07/01/2026

 

I operate in line with GDPR requirements, am registered with the Information Commissioner’s Office (ICO), and hold public liability insurance.

 

 

1. Who I am

I am Neil Collingbourne, a recovery coach based in London. I provide non-clinical coaching services to men in the later stages of recovery from alcohol or drug use.

If you have any questions about this Privacy Notice or how your data is handled, you can contact me at: [email protected]


2. What personal data I collect

I keep personal data collection to an absolute minimum.

I may temporarily process:

  • Your name

  • Your email address

  • Your phone number

  • Information you choose to share with me during coaching sessions or via email/text

I do not:

  • Use contact forms

  • Maintain email mailing lists

  • Keep written client notes

  • Use automated decision-making or profiling


3. How I use your information

Your information is used only to:

  • Communicate with you about coaching sessions

  • Deliver the agreed coaching programme

  • Handle scheduling, payments, or practical arrangements

I do not use your data for marketing, newsletters, or third-party purposes.


4. How long I keep your data

I retain personal data only for the duration of your coaching programme.

Once the programme has ended:

  • All emails, messages, and related communications are permanently deleted

  • No client records or notes are retained


5. Legal basis for processing

Under UK GDPR, I process personal data on the basis of:

  • Consent – you choose to contact and work with me

  • Contract – data is required to deliver the agreed coaching service


6. How your data is stored

During your programme, your data may be stored temporarily within:

  • Email services

  • Mobile phone messaging

Reasonable steps are taken to keep this information secure until deletion.


7. Sharing your data

I do not share your personal data with:

  • Third parties

  • Other professionals

  • Organisations or agencies

The only exception is where disclosure is required by law.


8. Your rights

Under UK GDPR, you have the right to:

  • Ask what personal data I hold about you

  • Request correction of inaccurate information

  • Request deletion of your data

  • Withdraw consent at any time

You can exercise these rights by contacting me using the details above.


9. Complaints

If you have concerns about how your data is handled, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
www.ico.org.uk


10. Changes to this notice

This Privacy Notice may be updated occasionally. The latest version will always be published on this website.


 

Data Subject Rights Procedure

 

1. Purpose

This procedure explains how the business responds to requests from individuals (“data subjects”) exercising their rights under the UK GDPR and the Data Protection Act 2018. It ensures requests are handled lawfully, fairly, transparently, and within statutory time limits.

2. Scope

This procedure applies to all personal data processed by the business, including client invoices, contact details, correspondence, and any digital or paper records.

3. Data Subject Rights Covered

Individuals have the right to:

  • Be informed about how their data is used

  • Access their personal data (Subject Access Request – SAR)

  • Rectification of inaccurate or incomplete data

  • Erasure (“right to be forgotten”) where applicable

  • Restriction of processing

  • Data portability (where processing is based on consent or contract and carried out electronically)

  • Object to processing (including direct marketing)

  • Rights related to automated decision-making (if applicable)

4. Receiving a Request

  • Requests may be made verbally or in writing (email, letter, message).

  • Requests do not need to mention the law to be valid.

  • All staff must treat any request relating to personal data seriously and promptly.

5. Verification of Identity

Before responding, the business will:

  • Take reasonable steps to verify the identity of the requester

  • Request additional information only if necessary

  • Avoid collecting excessive identity data

6. Logging the Request

The following details must be recorded:

  • Date received

  • Name and contact details of requester

  • Type of request

  • Deadline for response

  • Actions taken and outcome

7. Time Limits

  • Requests must be responded to within one calendar month of receipt

  • The period may be extended by up to two months for complex or multiple requests; the individual must be informed within the first month

8. Responding to Requests

Access Requests

  • Provide a copy of the personal data

  • Include purposes of processing, categories of data, retention periods, and rights

  • Information should be clear and understandable

Rectification

  • Correct inaccurate or incomplete data promptly

  • Notify third parties where relevant

Erasure

  • Delete data where there is no lawful basis to retain it

  • Retain data where required by law (e.g. invoices for tax purposes), explaining this clearly

Restriction / Objection

  • Assess the request against legal obligations and legitimate interests

  • Suspend processing where required

Data Portability

  • Provide data in a commonly used, machine-readable format where applicable

9. Refusal of Requests

Requests may be refused or partially refused if:

  • An exemption applies

  • The request is manifestly unfounded or excessive

Any refusal must:

  • Be explained clearly

  • Reference the legal basis

  • Inform the individual of their right to complain to the ICO

10. Complaints

If an individual is dissatisfied, they will be informed of their right to:

  • Raise the matter internally

  • Complain to the Information Commissioner’s Office (ICO)

Personal Data Breach Response Plan

1. Purpose

This plan sets out how the business identifies, manages, and responds to personal data breaches to minimise harm and meet legal obligations.

2. Definition of a Personal Data Breach

A breach is any incident leading to:

  • Accidental or unlawful destruction

  • Loss

  • Alteration

  • Unauthorised disclosure of, or access to, personal data

Examples include misdirected emails, lost devices, unauthorised access, or ransomware attacks.

3. Immediate Actions (First 24 Hours)

Upon discovering a potential breach:

  • Contain the breach (e.g. recover data, shut down access, change passwords)

  • Preserve evidence (do not delete logs or emails)

  • Assess what data is involved and whose data it affects

  • Record the incident immediately

4. Breach Assessment

The following must be assessed:

  • Type and sensitivity of data involved

  • Number of individuals affected

  • Likelihood of harm (financial, identity theft, distress)

  • Whether data was encrypted or protected

5. ICO Notification

The ICO must be notified within 72 hours if the breach is likely to result in a risk to individuals’ rights and freedoms

Notification will include:

  • Nature of the breach

  • Categories and approximate number of individuals affected

  • Likely consequences

  • Measures taken or proposed

If notification is not made, reasons must be documented.

6. Notification to Individuals

  • Individuals must be informed without undue delay if there is a high risk to them

  • Communication must be clear and plain-language

  • It must include advice on how they can protect themselves

7. Documentation

All breaches must be documented, including:

  • Facts of the incident

  • Effects

  • Remedial actions taken

This applies even if the breach is not reportable.

8. Recovery and Prevention

After resolution:

  • Review how the breach occurred

  • Update security measures or procedures

  • Provide additional training if required

9. Responsibility

Overall responsibility for data protection and breach management rests with the business owner.

10. Review

This procedure will be reviewed annually or following any significant data breach.

I only retain invoices for tax and accounting purposes (HMRC).

 

Essential cookies

These cookies are required for the website to function securely and cannot be switched off.

Embedded media cookies (YouTube)

This website includes an embedded YouTube video. Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking that interaction if you have an account and are logged in to that website.

No cookies are set unless you consent.
