UK GDPR · Data Protection Act 2018

Privacy Policy

What data we collect when you visit, opt in, book a call, or buy coaching - what we do with it, who we share it with, and your rights over it. Written in plain English. Read it in 5 minutes.

Effective [CONFIRM date]
Last updated [CONFIRM]
Controller A Curious Idiot
Contact joe@curiousidiot.co.uk
01
The basics

Who we are

In plain English

Joe Gandy runs A Curious Idiot. He's the person legally responsible for your data. You can email him at joe@curiousidiot.co.uk for anything in this policy.

A Curious Idiot is a trading name of [CONFIRM - Joe Gandy (sole trader) OR A Curious Idiot Ltd, company number XXXXX].

Registered correspondence address
[CONFIRM - service address. Recommended: use accountant's address, not home address]

For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal data we collect from you.

We are registered with the UK Information Commissioner's Office (ICO). Our registration number is [CONFIRM - register at ico.org.uk/registration first if not already].

You can contact us about anything in this policy by emailing joe@curiousidiot.co.uk.

02
Scope

What this policy covers

In plain English

Everything we collect, why, and your rights - whether you're a website visitor, newsletter subscriber, free-call applicant, or paying client.

This policy explains what personal data we collect when you interact with us - through our website at curiousidiot.co.uk, our email newsletter, our coaching enquiries, or as a paying coaching client - what we do with that data, who we share it with, and what your rights are over it.

By using our website, opting in to our newsletter, booking a call, or buying our coaching, you accept the practices described in this policy.

03
What we hold

The personal data we collect

In plain English

Visit the site? Anonymous analytics. Opt in? Your email. Book a call? Your name, email, and a few business details. Pay for coaching? All of the above plus billing info, WhatsApp number, and recordings you choose to send Joe.

If you visit our website

  • IP address (used to derive approximate country/region, never stored long-term in a way that identifies you personally)
  • Browser type, device type, operating system
  • Pages you visited, time on page, how you arrived (referrer)
  • Anonymised analytics data via Google Analytics 4 (ID G-6SM9EJR7HN) and Microsoft Clarity (project wk6e9ptbg9). Clarity records anonymised session replays and heatmaps; GA4 records page views, traffic source, and basic device data. Form field content is masked.

If you opt in to our email newsletter

  • Your email address
  • Approximate location (derived from IP)
  • Which page you opted in from
  • Email open and click activity going forward

If you book a free call with Joe

Via our booking form (Cal.com [CONFIRM]) and qualification form (Typeform [CONFIRM if used]):

  • Your full name
  • Your email address
  • [CONFIRM additional fields: phone, business name, current revenue, current pain point]
  • Time zone

If you become a paying coaching client

In addition to the above:

  • Payment details (handled by our payment processor - [CONFIRM - Stripe / direct bank transfer / Wise]. We never see or store your full card number.)
  • Billing address
  • WhatsApp number (for between-session feedback - explicit opt-in at the start of the coaching engagement)
  • Recordings of your real cold calls that you choose to send to Joe for review
  • Session notes Joe takes during coaching
  • WhatsApp message history between you and Joe (stored on Joe's WhatsApp Business client; messages also pass through Meta's servers - see Section 5)

If you email us directly

  • Your email address and any content you include in your email
  • Any attachments you send

04
Lawful basis

Why we collect it

In plain English

The law lists several valid reasons to hold your data; we rely on four of them: to deliver something you paid for, to run the business sensibly, because you said yes, or because the law requires it. Each piece of data we hold sits under whichever of those four fits it.

We only process your personal data when the law allows us to. We rely on one of the following lawful bases for each type of processing:

Performance of a contract

When you buy coaching, we need to process your data to deliver what you paid for - schedule sessions, review your call recordings, send you feedback, and invoice you.

Legitimate interests

We process some of your data because we have a legitimate business interest that is not overridden by your rights. Examples:

  • Operating our website - server logs, basic analytics, security.
  • Responding to enquiries - when you contact us, we use your email to reply.
  • Maintaining business records - keeping a record of who has been a client and what work was done.
  • Preventing fraud and abuse - blocking spam form submissions, suspicious activity.

You can object to this processing at any time (see Section 9).

Consent

For some processing, we rely on your consent:

  • Email marketing - you only receive our newsletter if you have actively opted in. Withdraw consent any time via the unsubscribe link in every email.
  • Non-essential cookies - analytics, advertising, and tracking cookies are only set if you accept them via our cookie banner. See Section 10.
  • Call recordings shared with Joe - when you become a coaching client, you explicitly consent to send recordings of your own calls. These usually contain the voice of the person you called as well; we use them only for your coaching feedback. You retain ownership and can ask for them to be deleted at any time.

Withdrawing consent doesn't affect anything we processed lawfully before the withdrawal.

Legal obligation

We process some data because the law requires us to - for example, retaining basic financial records for HMRC for six years from the end of the tax year they relate to.

05
Third parties

Who we share your data with

"We do not sell your data. Ever. To anyone."

We do share your data with a small number of trusted third-party service providers who help us run the business. Each one is bound by data processing agreements that meet UK GDPR standards.

Provider                  | What they do                              | Region
Beehiiv                   | Email newsletter platform                 | USA
Cal.com [CONFIRM]         | Call booking                              | EU/USA
Typeform [CONFIRM]        | Lead magnet / qualification form          | EU
Stripe [CONFIRM]          | Payment processing (PCI-DSS)              | EU/USA
Google Workspace          | Business email + document storage         | EU/USA
Google Analytics 4        | Anonymised page-view analytics            | EU/USA
Microsoft Clarity         | Anonymised session replays + heatmaps     | EU/USA
Meta (WhatsApp Business)  | Between-session client comms              | USA
Zoom [CONFIRM]            | Hosting coaching sessions                 | EU/USA
One.com [CONFIRM]         | Website hosting                           | EU
Cloudflare                | Form submission worker + CDN              | Global

We may also share data with:

  • Our accountant - limited to billing data, for invoicing and HMRC compliance.
  • Legal or regulatory authorities - if required by UK law, court order, or to defend our legal rights.
  • A buyer of the business - if we ever sell or transfer A Curious Idiot, your data may be transferred under the same protections. We would notify you.

06
Data location

International transfers

In plain English

Some of our tools (Stripe, Meta, Google, Microsoft, Beehiiv) are American. We use the UK government-approved legal mechanisms to make sure your data is protected to UK standards when it's stored there.

Some of our providers are based in the USA or use US-based infrastructure. Where this is the case, we rely on one of the following safeguards:

  • The provider's UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) with the UK Addendum, or
  • The provider's certification under the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework, in force since 12 October 2023).

Request a copy of the specific safeguard for any transfer by emailing joe@curiousidiot.co.uk.

07
Retention

How long we keep your data

In plain English

Only as long as we actually need it. Financial records have to stay for 6 years (HMRC rule). Everything else goes within 12 months of the relationship ending (website analytics within 14 months) - or sooner if you ask.

Data type                                            | Retention period
Newsletter subscribers                               | Until you unsubscribe, then 30 days for suppression list
Booking enquiries that didn't convert                | 12 months, then deleted
Coaching client records (sessions, recordings, notes) | 12 months after last session, unless you ask sooner
Financial records (invoices, payment data)           | 6 years from end of tax year (HMRC requirement)
WhatsApp message history                             | 12 months after coaching ends, then deleted
Website analytics data                               | 14 months (our GA4 data-retention setting), then aggregated/deleted

If you ask us to delete your data earlier, we will - except where law requires us to keep it.

08
Security

How we keep your data safe

In plain English

Unique passwords, two-factor auth, encrypted devices, vetted suppliers. If something goes wrong, we tell the ICO within 72 hours - that's the law.

  • Encrypted email - TLS encryption in transit on email to and from joe@curiousidiot.co.uk wherever the other mail server supports it. Email is not end-to-end encrypted, so please don't send card numbers or anything else you wouldn't put in a letter.
  • Strong passwords + 2FA - unique passwords and two-factor authentication on every business account.
  • Device security - devices used to access your data are password-protected and encrypted at rest.
  • Vetted providers - every third-party we use is UK GDPR-compliant and has signed a Data Processing Agreement with us.

If you ever suspect your data has been compromised through us, email joe@curiousidiot.co.uk immediately. We are legally required to report personal data breaches to the ICO within 72 hours where the breach is likely to result in a risk to your rights, and to tell you directly without undue delay where it is likely to result in a high risk to you.

09
UK GDPR

Your rights

In plain English

You can ask us what we hold, fix it, delete it, take it elsewhere, or tell us to stop. Email joe@curiousidiot.co.uk and we'll respond within a month.

Under UK GDPR, you have the following rights over your personal data. To exercise any of them, email joe@curiousidiot.co.uk. We will respond within one month (the law lets us extend that by up to two further months for complex or numerous requests; if we need to, we'll tell you why within the first month).

Right                      | What it means
To be informed             | What this policy is for.
Of access                  | Ask us for a copy of all personal data we hold about you.
To rectification           | Ask us to correct anything inaccurate or incomplete.
To erasure                 | Ask us to delete your data, subject to legal retention.
To restrict processing     | Ask us to pause processing while a request is being resolved.
To data portability        | Ask us to send your data to you or another provider in a machine-readable format.
To object                  | Object to processing based on legitimate interests, including direct marketing.
Automated decision-making  | We don't make automated decisions that materially affect you.

We don't charge a fee for any of the above unless the request is clearly unfounded, repetitive, or excessive.

If you're unhappy with how we've handled your data, you have the right to complain to the ICO at ico.org.uk/make-a-complaint - but we'd appreciate the chance to put it right first.

10
Tracking

Cookies and similar technologies

In plain English

Essential cookies run no matter what. Everything else - analytics, ads, embedded videos - only fires if you click "Accept" on the banner. Change your mind any time via "Cookie Settings" in the footer.

Strictly necessary (always on)

These cookies don't need consent because the site can't work without them. Examples: session cookies, security cookies, cookie-consent state cookies. Not used for tracking.

Cookies we only set if you consent

Everything else is set only after you click "Accept" on our cookie banner:

  • Google Analytics 4 - page views, time on site, traffic source. GA4 does not store full IP addresses; they are used only to derive approximate location and then discarded.
  • Microsoft Clarity - anonymised session replays so we can see where the page confuses people. Form-field content is masked by default.
  • Meta Pixel [CONFIRM] - measures Facebook/Instagram ad performance and retargets visitors.
  • YouTube embedded videos - if you watch an embedded video, YouTube sets cookies. We use youtube-nocookie.com embeds where possible.

You can change your cookie choices at any time by clicking Cookie Settings in our website footer, or by clearing cookies in your browser.

11
Email

Marketing emails

In plain English

If you opted in, we send you the newsletter. Don't want it? Hit unsubscribe - we stop within 24 hours. We never give your email to anyone else for their marketing.

If you opt in to our newsletter, we will send you regular emails covering cold calling tips, coaching announcements, and offers from A Curious Idiot. We never share your email with third parties for their own marketing.

Unsubscribe at any time - every email has a one-click unsubscribe link. Once you unsubscribe, we'll stop sending marketing emails within 24 hours.

We may still send you non-marketing emails relating to a specific coaching engagement (session reminders, invoices) - those are part of the service you bought, not marketing.

12
Age

Children

In plain English

Our service is for adults. We don't knowingly collect data on under-16s. If we ever do, tell us and we'll delete it.

Our services are not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with data, email joe@curiousidiot.co.uk and we will delete it.

13
Updates

Changes to this policy

In plain English

We may update this policy. The date at the top tells you when. Big changes? We'll email you.

We may update this policy from time to time. The "Last updated" date at the top tells you when we last revised it.

If we make a material change - meaning a change that significantly affects what we do with your data - we will email anyone whose data we hold to let them know.

14
Get in touch

Contact

In plain English

Questions, complaints, anything else - email Joe directly. If we can't sort it, you can complain to the ICO.

For anything in this policy - questions, concerns, requests to exercise your rights, complaints - email joe@curiousidiot.co.uk.

For complaints we cannot resolve, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
ico.org.uk/make-a-complaint
0303 123 1113