Terms of Service

By entering into a contract with us, you agree to these terms and conditions. We intend to rely on these written terms and conditions, so please contact us before agreeing to them if you are not clear about what they mean. We will put any changes that we agree in writing to you.

Our sole aim is to provide comprehensive support and holistic care to individuals who require both medical attention and coaching assistance. As professional coaches, we understand the importance of integrating various disciplines to enhance the overall well-being of our clients. We firmly believe that by working in collaboration with medical professionals, we can offer a more comprehensive and effective approach to supporting individuals on their journey towards improved health and personal development.

Our coaching services encompass a wide range of areas, including a bespoke map for each individual to explore the root cause of emotional conflicts and release these conflicts with various modalities, NLP, EFT, Matrix Reimprinting, Kinesiology, Breathwork etc. By aligning our efforts with the medical profession, we can ensure that our coaching practices are in harmony with the medical recommendations and treatments provided by healthcare professionals. This collaboration will enable us to provide a seamless and integrated approach to our clients’ care, ultimately leading to better outcomes and overall client satisfaction and relief of suffering. At no time do we profess to cure anything or anyone.

We acknowledge the significance of maintaining confidentiality and adhering to ethical guidelines when working with clients. As such, we are committed to upholding the highest standards of professionalism and confidentiality in all our interactions with clients and medical professionals.
If at any time you feel that we have not adhered to our terms of service please click here.

Use Of Our Services

1. Our Services

We are not licensed medical practitioners unless otherwise stated, but we are complementary and alternative health practitioners, with a background of NLP, Hypnotherapy, EFT, MATRIX Reimprinting, Meta Consciousness, and a trained Master Trainer of EFT, MATRIX Reimprinting, Meta Consciousness. Our associates are all trained to certification level.

Please be aware that our services, and any information on our website, or associated web-sites, are not intended to be a substitute for appropriate, qualified medical care from doctors or other health-care providers. Neither the services that we provide, nor the information on our website, are intended to be used to diagnose, treat, cure or prevent any disease or psychological disorder. We strongly advise you to seek professional advice before making any decisions regarding your health, or before deciding to discontinue the use of prescribed medicines or treatment.

You understand that your choice to use any of our services is of your own free will and not subject to any outside pressure. Although EFT/Matrix Reimprinting is generally considered an easy and gentle technique to use, you further understand that if you choose to use these Tapping techniques, it is possible that emotional or physical sensations or additional unresolved memories may surface which could be perceived as negative side effects. Emotional material may continue to surface after using EFT/Matrix Reimprinting, indicating other issues may need to be addressed. Previously vivid or traumatic memories may fade which could adversely impact your ability to provide detailed legal testimony regarding a traumatic incident.
This web-site offers Meta Consciousness™ as self-improvement material for educational purposes to offer information on other complementary options to help you in your quest for self-development, optimum health and well-being. You may wish to discuss this information with your healthcare providers before implementing any changes. All the information presented here on this, and associated web-sites, is based upon the experiences and research of the author(s).

EFT/Matrix Reimprinting/Meta Consciousness™ has produced remarkable clinical results for the relief of emotional and physical distress. EFT appears to have promising mental, spiritual, and physical health benefits but has yet to be fully researched by the Western academic, medical, and psychological communities. Although research into how and why EFT works is ongoing, as EFT has only been used in its current form since the mid-1990s it may be considered a relatively new healing approach and thus still in the experimental stage. Therefore the extent of its effectiveness, as well as its risks and benefits are not yet fully known and all users of EFT, both practitioners and laymen, must take complete and personal responsibility for their use of it.

2. 1 to 1 sessions

As part of your signing up to Meta Consciousness™ workshops or partnering with one of Meta Consciousness™ practitioners of your choice, on your self healing journey, you have entered into a contract with us – energetically, emotionally, spiritually, biologically, legally + financially. You are committing to a path of growth and transformation and knowledge. At International Meta Consciousness™ Academy we are committed to your success. We understand that once you turn up and see what is available to you in the online workshops or immerse yourself in the physical workshop, or choose to engage in 1-1 sessions, you will realise that it is not a “push button for instant success and instant transformation”.
Instead, it requires dedication and commitment. You may wish to press the eject button and return to where you were before; however, that is your choice, and we at International Meta Consciousness™ Academy will choose to walk alongside you without judgment, with encouragement and compassion, as this is all about togetherness. We are here to enable expansion. We understand it is hard work.

We will fulfill our service promises to you – providing you with workshops, support and access to beautiful safe spaces for yourself and other like-minded people on similar journeys. In return, you must fulfill your end of the bargain by completing the work in whatever way that will be for you and seeing the results happen in your life, in the timeframe that we invite you. If you cannot commit to the timeframes, please advise International Meta Consciousness™ Academy as soon as possible to assist us in assisting you in seeking other alternatives.

Remember, this is a journey we are on together. We want you to succeed. You’ve asked us to help you. We can work together to take these baby steps to becoming aware of limiting beliefs and transformation and awareness. This is where the real change can happen – when you persevere, and commit, and transform the fear. With many beautiful tools we will and can guide you.

Our request to you – give us feedback (penny@changeahead.biz) about what you want to see next in the upcoming training or what you’d like to see differently. We’ll do everything in our power to make that happen. There is much for you to do, learn, grow and see results from inside yourself and for your clients, friends and family. Mainly from YOU. What else is possible?

3. Attending our Workshops

You agree to assume and accept full responsibility for any and all risks associated with your use of EFT/Matrix Reimprinting/Meta Consciousness AND any other modalities, and to not go where you have no right to be, e.g.
you should never try to treat psychotic or other seriously ill people, unless you are qualified to do so. You agree and understand that the information presented is only for your own personal use. In order to use EFT/Matrix Reimprinting, META Consciousness with others, you understand you need to become sufficiently trained and qualified as an EFT/Matrix Reimprinting/META Consciousness practitioner.

We accept no responsibility or liability for the use or misuse of the information contained in this product or on any associated web-sites, other than for any death or personal injury arising from our negligence. If ever you are in doubt, you should always seek the help of a qualified medical practitioner.

Please Note: EFT/Matrix Reimprinting is a very flexible process; this web site and any other information that Penny Croal, International Meta Consciousness™ Academy, shares represents her own views or Meta Consciousness practitioners’ views and does not necessarily reflect those of EFT founder, Gary Craig, nor of Karl Dawson Creator of Matrix Reimprinting, nor Rob Williams Founder of Psych-k nor Bandler/Grinder Founders of NLP nor any other body named on this website.

Meta Consciousness™ is not a therapy, merely an analytical tool to direct you to the underpinning of innate knowledge from the body based on NGM. In a pure EFT/Matrix Reimprinting session there is no diagnosis or prognosis. It can be given in conjunction with any other treatments, HOWEVER it is not a treatment. In Meta Consciousness, once you have a medical diagnosis then International Meta Consciousness™ Academy Associates can offer you further analysis of the root cause and work with you for a bespoke strategy plan to self heal.

4. Meta Consciousness Analysis Coaching Programme/Metacologist Programme

COURSE OVERVIEW: The Course is designed to provide coaching and guidance to students (“Students”) seeking to enhance their skills and knowledge in a specific area.
The Course will be delivered through a combination of online modules, webinars, assignments, and other resources, as determined by the Provider.

REGISTRATION AND ENROLMENT: To enrol in the Course, Students must complete the registration process and pay the applicable fees, as determined by the Provider. Students must provide accurate and up-to-date information during the registration process. The Provider reserves the right to refuse or cancel enrolment if any information provided is found to be false or misleading.

COURSE MATERIALS: As part of the Course, Students will be granted access to course materials, including but not limited to online modules, webinars, videos, documents, and other resources (“Materials”). The Materials provided are exclusively for the personal use of Students and may not be shared, distributed, or reproduced without the express written consent of the Provider.

COURSE DURATION AND COMPLETION: The Course duration will be clearly communicated to Students upon enrolment. Students are responsible for completing the Course within the specified timeframe, unless otherwise agreed upon in writing. For IMCA (Meta Analysis Coaching) 80% live attendance must be completed unless prior agreement has been made. If for some reason students cannot attend, this must be notified directly to Penny via the membership site or penny@changeahead.biz or WA 07976819321. Failure to comply may result in non-certification. Students must fulfil all requirements, including attending webinars, completing assignments, and passing any assessments, to successfully complete the Course. If assignments are not completed in a timely manner or by deadlines set, the Provider has the right to withdraw the Student from certification unless prior communication and agreements have been made.

STUDENT RESPONSIBILITIES: Students are expected to actively participate in the Course and demonstrate full commitment to their learning journey.
This includes participating in questions and answers in the membership site and showing active curiosity. Students must be willing and open, with a curious mind, to explore their own limiting beliefs, communicate fully with the Provider, and explore their inner self in each and every module that is included in the course as part of the self reflection and deep dive healing of self. If further support is needed then this must be communicated clearly with the Provider. MaryRose Moses O’Brien acts as a Patron for emotional support – the first session is free, further sessions will incur a fee, payable directly to her, of £35 per session.

Students must adhere to the rules and guidelines set forth by the Provider, which may include codes of conduct, ethical guidelines, and respect for fellow Students and instructors. Students are solely responsible for ensuring they have the necessary technical requirements, including a reliable internet connection, to access and engage with the Course Materials and access to a printer. Students are responsible for their own timekeeping and attendance. Failure to attend or consistent tardiness will result in consequences, unless otherwise agreed with the Provider. Students are responsible for their own manner and agree to IMCA coaching state and take full responsibility for self.

FEES AND PAYMENT: Students are required to pay the applicable Course fees, as specified by the Provider, prior to enrolment. All fees paid are non-refundable, except as provided in Clause 8 (Cancellation or Termination).

INTELLECTUAL PROPERTY: All intellectual property rights, including copyrights and trademarks, in the Course Materials remain the property of the Provider. Students shall not acquire any ownership or intellectual property rights to the Materials or any other content provided during the Course.

Students may cancel their enrolment (see below for details) after enrolment, subject to a reasonable administration fee, as determined by the Provider.
No refunds will be provided for cancellations made after the specified period.

LIMITATION OF LIABILITY: The Provider shall not be liable for any direct, indirect, or consequential loss or damage incurred by Students arising from or in connection with the Course, including but not limited to any delay, interruption, or inability to access the Course Materials. The Provider’s liability, if any, shall be limited to the amount paid by the Student for the Course.

CANCELLATION OR TERMINATION: The Provider reserves the right to cancel or terminate the Course at any time, for any reason, without liability. In such cases, any fees paid by Students shall be refunded in full.

By enrolling in the Course, you acknowledge that you have read, understood, and agreed to these Terms and Conditions.

Payment And Cancellation

1. Payment

Regular offers cannot be used with further offers, discounts or be shared by anyone else. Cash or Personal Cheque with Bankers Card, Credit Card in person, Stripe, GoCardless, Bankers Draft or BACS Transfer are all acceptable methods of payment, however PayPal is our preferred payment choice.

By clicking ‘pay deposit’ or ‘pay now’ you make an offer to enter into a contract with us, subject to these terms and conditions, which you have read. A contract comes into existence when we accept your offer by sending a welcome letter.

We do not currently penalise for payment plans but we need your commitment to pay monthly by direct debit/PayPal. These payments can be taken automatically from your credit card or bank account. If these payments are delayed, you will be charged a £15 administration fee for each month of non-payment and we may also add interest at the statutory rate. We reserve the right to seek recovery of any monies remaining unpaid sixty days from the date of invoice via collection Agencies and/or through the Court.
In such circumstances, we will claim any reasonable additional costs that we have incurred and/or court costs and statutory interest.

2. Cancellation of contracts for 1 to 1 Sessions or Workshops

You have a right to cancel our contract within 14 days from the day after we agree it with you, without giving any reason. To exercise the right to cancel you must inform us of your decision by a clear statement sent by phone, letter or email. You will have met the deadline to cancel if you have sent your communication to us before the cancellation period has expired.

If you cancel this contract within the cancellation period, we will refund any payments that you have made to us within 14 days of you informing us of your wish to cancel. We will refund using the same means of payment that you originally used, unless you have expressly agreed otherwise. You will not incur any fees for cancelling within the cancellation period.

If you have agreed to attend a 1 to 1 Session or a Workshop during the cancellation period, we will deduct an amount from any refund which is in proportion to what has been performed up to the point when you gave us notice of cancellation, in comparison with the full coverage of the contract.

Once the above cancellation period has expired, we reserve the right to charge you in the following circumstances:

You cancel an online or phone 1 to 1 session less than one day before the session start time.
You do not attend a 1 to 1 session at the agreed date and time – we will wait 15 minutes from the agreed time before treating your absence as a no show.

If you cancel a workshop booking, a cancellation fee will be charged, as follows:

Up to 6 weeks prior to the workshop – 20% of the full course fee
Up to 4 weeks prior to the workshop – 50% of the full course fee
Up to 2 weeks prior to the workshop – 100% of the full course fee
If we are able to refill your place – a cancellation fee of £50 will be charged.
Please note that 1 to 1 sessions or workshops that you purchase under your name can only be used by you and are non-transferable, i.e. if you purchase 5 sessions it will be for 5 sessions on your account and cannot be transferred to another client’s account.

3. Cancellation of contracts for goods

You have a right to cancel this contract; the cancellation period will end 14 days after the day that you take delivery of the goods. You do not have to give any reason for cancelling. You will not have the right to cancel if you are entering into our contract for the purposes of your business.

To exercise the right to cancel you must inform us of your decision by a clear statement sent by phone, letter or email. You will have met the deadline to cancel if you have sent your communication to us before the cancellation period has expired. You will bear the costs of returning the goods.

If you cancel this contract, we will reimburse to you all payments received from you, including the costs of delivery (except for the supplementary costs arising if you chose a type of delivery other than the least expensive type of standard delivery offered by us). We may make a deduction from the reimbursement for loss in value of any goods supplied, if the loss is the result of unnecessary handling by you. You will lose your right to cancel if you unseal a DVD that we have supplied you.

We will make the reimbursement without undue delay, and not later than:

14 days after the day we receive back from you any goods supplied, or
(if earlier) 14 days after the day you provide evidence that you have returned the goods.

We will refund using the same means of payment that you originally used, unless you have expressly agreed otherwise. You will not incur any fees for cancelling within the cancellation period.

Contract – General

1.
Limitations and exclusions of liability

1.1 Nothing in these terms and conditions will:
(a) limit or exclude any liability for death or personal injury resulting from negligence;
(b) limit or exclude any liability for fraud or fraudulent misrepresentation;
(c) limit any liabilities in any way that is not permitted under applicable law; or
(d) exclude any liabilities that may not be excluded under applicable law.

1.2 The limitations and exclusions of liability set out in this Section 1 and elsewhere in these terms and conditions:
(a) are subject to Section 1.1; and
(b) govern all liabilities arising under these terms and conditions or relating to the subject matter of our contract, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this disclaimer.

1.3 To the extent that our website and the information and services on our website are provided free of charge, we will not be liable for any loss or damage of any nature.

1.4 We will not be liable to you in respect of any losses arising out of any event or events beyond our reasonable control.

1.5 We will not be liable to you in respect of any business losses, including (without limitation) loss of or damage to profits, income, revenue, use, production, anticipated savings, business, contracts, commercial opportunities or goodwill.

1.6 We will not be liable to you in respect of any loss or corruption of any data, database or software.

1.7 We will not be liable to you in respect of any special, indirect or consequential loss or damage.

2. Severability

2.1 If a term of this contract is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions will continue in effect.
2.2 If any unlawful and/or unenforceable term of this contract would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect.

3. Law and jurisdiction

3.1 This contract shall be governed by and construed in accordance with English law.

3.2 Any disputes relating to this contract shall be subject to the exclusive jurisdiction of the courts of the United Kingdom.

4. Our details

4.1 Your contract is with Penny Croal.

4.2 Our principal place of business is at 3 Chichester Road, Sandgate, Folkestone, CT20 3BN.

4.3 You can contact us:
(a) by post, using the postal address given above;
(b) using our website contact form;
(c) by telephone, on the contact number published on our website from time to time; or
(d) by email, using the email address published on our website from time to time.

Privacy Policy

Overview

Change Ahead and Change Ahead Associates (CAA) is committed to protecting your privacy online. This privacy notice provides you with details of how we collect and process your personal data through your use of our site bydeesign.com (the “Site”). By providing us with your data, you warrant to us that you are over 18 years of age.

Change Ahead is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice). The term “user,” “you” and “your” refers to site visitors, customers and any other users of the site. The term “personal information” is defined as information that you voluntarily provide to us which personally identifies you and/or your contact information, such as your name, phone number and email address.
Change Ahead provides a website where users can read articles on health, health analysis, the process of health and resolutions for health both mental and physical and a service where users may purchase digital products related to Health emotions and Therapy, Analysis, Practitioner Skills and in Person events and workshops (the “Service”). Use of change Ahead.biz, including all materials presented herein and all online services provided by CAA, is subject to the following Privacy Policy. This Privacy Policy applies to all site visitors, customers, and all other users of the site. By using the Site or Service, you agree to this Privacy Policy, without modification, and acknowledge reading it.

At Change Ahead, we are committed to safeguarding the privacy and personal data of our clients. This policy outlines how we comply with the General Data Protection Regulation (GDPR) to protect your information when you engage with our therapy and healthcare services.

Scope

This policy applies to:

All clients, patients, and service users whose personal and health data we process.
All employees, contractors, and partners involved in data handling.

Definitions

Personal Data: Any information that can identify you as an individual (e.g., name, address, contact details).
Special Category Data: Sensitive personal data such as health records, therapy notes, and medical history.
Data Controller: Change Ahead, which determines the purpose and means of data processing.
Data Processor: Any third party that processes personal data on our behalf.
Processing: Any operation on personal data, such as collection, storage, analysis, or destruction.

Principles of Data Protection

We adhere to the following principles to ensure the safe handling of your personal and health data:

Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Data is collected for specific therapeutic or healthcare purposes and not used beyond these purposes without explicit consent.
Data Minimization: Only data strictly necessary for the provision of services is collected.
Accuracy: Data is kept accurate and updated as required.
Storage Limitation: Data is retained only for as long as necessary or required by law.
Integrity and Confidentiality: Data is processed securely to prevent unauthorized access, breaches, or misuse.

Information We Collect

The data we collect about you, for what purpose and on what ground we process it.

Personal data means any information capable of identifying an individual. It does not include anonymised data. We may process the following categories of personal data about you:

Communication Data that includes any communication that you send to us whether that be through the contact form on our website, through email, text, social media messaging, social media posting or any other communication that you send us. We process this data for the purposes of communicating with you, for record keeping and for the establishment, pursuance or defence of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.

Customer Data that includes data relating to any purchases of goods and/or services such as your name, title, billing address, delivery address, email address, phone number, contact details, purchase details and your card details. This information is shared with our e-commerce software providers to ensure the delivery of your order. We use your email to communicate with you about your order and to manage our customer relationship with you. When you place an order you may be added to our mailing list from which you can unsubscribe at any time using the unsubscribe link in each email or by contacting us at penny@changeahead.biz.
We collect payment information for each order but we do not store payment information on CAA servers. Your payment information is securely communicated to and processed via our e-commerce software providers. All personal information collected for an order is used for the fulfilment of that order and to manage our customer relationship with you. We process this data to supply the goods and/or services you have purchased and to keep records of such transactions. Our lawful ground for this processing is the performance of a contract between you and us and/or taking steps at your request to enter into such a contract.

User Data that includes data about how you use our website and any online services together with any data that you post for publication on our website or through other online services. We process this data to operate our website and ensure relevant content is provided to you, to ensure the security of our website, to maintain back-ups of our website and/or databases and to enable publication and administration of our website, other online services and business. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business.

Technical Data that includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website. The source of this data is from our analytics tracking system. We process this data to analyse your use of our website and other online services, to administer and protect our business and website, to deliver relevant website content and advertisements to you and to understand the effectiveness of our advertising.
Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business and to grow our business and to decide our marketing strategy.

Marketing Data that includes data about your preferences in receiving marketing from us and our third parties and your communication preferences. We process this data to enable you to partake in our promotions such as competitions, prize draws and free give-aways, to deliver relevant website content and advertisements to you and measure or understand the effectiveness of this advertising. Our lawful ground for this processing is our legitimate interests which in this case are to study how customers use our products/services, to develop them, to grow our business and to decide our marketing strategy.

We may use Customer Data, User Data, Technical Data and Marketing Data to deliver relevant website content and advertisements to you (including Facebook adverts or other display advertisements) and to measure or understand the effectiveness of the advertising we serve you. Our lawful ground for this processing is legitimate interests which is to grow our business. We may also use such data to send other marketing communications to you. Our lawful ground for this processing is either consent or legitimate interests (namely to grow our business).

Sensitive Data

We do not collect any Sensitive Data about you. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.

Personal Information: Name, address, date of birth, contact information, emergency contact details.
Health and Therapy Data: Medical history, therapy notes, diagnoses, treatment plans, medication details.
Administrative Data: Payment information, insurance details, appointment records.

Rights of Data Subjects

Under the Act, data subjects have the following rights:

The right to access a copy of their personal data held by the Company by means of a Subject Access Request (for which, see Part 8 of this Policy);
The right to object to any processing of his or her personal data that is likely to cause (or that is causing) damage or distress. Data subjects should make any such objection in writing to Penny Croal, Founder of Change Ahead, and the Company shall respond within 21 days either notifying the data subject of its compliance, or explaining why the Company feels that any aspect of the data subject’s request is unjustified;
The right to prevent processing for direct marketing purposes;
The right to object to decisions being taken by automated means (where such decisions will have a significant effect on the data subject) and to be informed when any such decision is taken (in which case the data subject has the right to require the data controller (by written notice) to reconsider the decision);
The right to have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances;
The right to claim compensation for damage caused by the Company’s breach of the Act.

Personal Data

Personal data is defined by the Act as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The Act also defines “sensitive personal data” as personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

The Company only holds personal data that is directly relevant to its dealings with a given data subject. That data will be collected, held, and processed in accordance with the data protection principles and with this Policy. The following data may be collected, held and processed by the Company:

Details of age, race and gender, for best possible service for your health and well being
Details of past and present medical records, for best possible service for your health and wellbeing
Details of medication, pharmaceutical or recreational past and present for your best possible service for your health and wellbeing
Details of religion, or your faiths so that the practitioner from CAA can abide by and honour your own belief system
Details regarding physical, sexual or any other activity that the practitioner from CAA may think is relevant for sessions and for the best possible service for you

Processing Personal Data (Data Retention)

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, see section regarding insurance requirement and reporting requirements. When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.
We process your personal and health data for:

Providing therapy, counselling, or healthcare services.
Creating and maintaining accurate health records.
Facilitating appointments, communications, and follow-ups.
Complying with legal and regulatory requirements.
Internal audits, quality assurance, and training (where anonymized).

For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers. In some circumstances, we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Any and all personal data collected by the Company (as detailed in Part 2 of this Policy) is collected in order to ensure that the Company can provide the best possible service to its customers, and can work effectively with its partners, associates and affiliates and efficiently manage its employees, contractors, agents and consultants. The Company may also use personal data in meeting certain obligations imposed by law. Certain data collected by the Company, such as IP addresses, certain information gathered by cookies, pseudonyms and other non-identifying information will nonetheless be collected, held and processed to the same standards as personal data.

Personal data may be disclosed within the Company, provided such disclosure complies with this Policy. Personal data may be passed from one department to another in accordance with the data protection principles and this Policy. Under no circumstances will personal data be passed to any department or any individual within the Company that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.
In particular, the Company shall ensure that:

All personal data collected and processed for and on behalf of the Company by any party is collected and processed fairly and lawfully;
Data subjects are always made fully aware of the reasons for the collection of personal data and are given details of the purpose(s) for which the data will be used;
Personal data is only collected to the extent that is necessary to fulfil the purpose(s) for which it is required;
All personal data is accurate at the time of collection and kept accurate and up to date while it is being held and/or processed;
No personal data is held for any longer than necessary in light of the purpose(s) for which it is required; legally our Insurance company Holistic Insurance, requires us to hold data for 5 years for adults. For anyone under the age of 21 then by law we are required to keep data for as long as the insurance company requires and can be 10 years or more.
A suitable online privacy policy is implemented, maintained and followed;
Whenever cookies or similar technologies are used online by the Company, they shall be used strictly in accordance with the requirements of the Privacy and Electronic Communications Regulations, providing full details of cookie use and guidance on privacy;
Individuals are provided with a simple, accessible method of amending any data submitted by them online;
Individuals are informed if any data submitted by them online cannot be fully deleted at their request under normal circumstances (for example, because a file uploaded by a user has been backed up) and how to request that the Company deletes any other copies of that data, where it is within the individual’s right to do so;
All personal data is held in a safe and secure manner, as detailed in Part 3 of this Policy, taking all appropriate technical and organisational measures to protect the data;
All personal data is transferred securely, whether it is transmitted electronically or in hard copy, by
www.therachat.io a HIPAA compliant app or encrypted on to CAA website, Xero Accounts, Mailchimp, Kartra and Zoom.
No personal data is transferred outside of the European Economic Area (as appropriate) without first ensuring that the destination country offers adequate levels of protection for personal data and the rights of data subjects; and
All data subjects can fully exercise their rights with ease and without hindrance.

Data Protection Registration

Registration reference: ZB815292

Data Protection Procedures

The Company shall ensure that all of its employees, agents, contractors, or other parties working on behalf of the Company comply with the following when working with personal data:

All emails containing personal data must be encrypted using TLS encryption;
Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using a trackable mail delivery service (Royal Mail Special Delivery).
No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Penny Croal Founder of CAA penny@changeahead.biz.
All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;
No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Penny Croal Founder of CAA penny@changeahead.biz;
Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time;
If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
Any unwanted copies of personal data (i.e. printouts or electronic duplicates) that are no longer needed should be disposed of securely. Hardcopies should be shredded and electronic copies should be deleted securely using secure file deletion software to remove files and prevent recovery;
No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of Penny Croal Founder of CAA at penny@changeahead.biz and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Act (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken);
All personal data stored electronically should be backed up daily with backups stored in Dropbox and Microsoft OneDrive for Business. All backups should be encrypted using industry cryptographic standards such as TLS/SSL and AES to protect the confidentiality and integrity of customer data;
All electronic copies of personal data should be stored securely using passwords and industry cryptographic standards such as TLS/SSL and AES data encryption;
All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;
Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
All personal data held by the Company shall be regularly reviewed for accuracy and completeness. Where the Company has regular contact with data subjects, any personal data held about those data subjects should be confirmed at least annually. If any personal data is found to be out of date or otherwise inaccurate, it should be updated and/or corrected immediately where possible.
If any personal data is no longer required by the Company, it should be securely deleted and disposed of within 1 year;
Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Penny Croal Founder of CAA at penny@changeahead.biz to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least annually.

Data Sharing and Confidentiality

We prioritise confidentiality in all aspects of our services. Your data will only be shared:

With healthcare providers directly involved in your treatment, with your consent.
With legal or regulatory authorities if required by law.
For billing purposes with insurance providers (if applicable), with your explicit consent.
For emergency situations where your health or safety is at risk.

All third parties involved in data processing are contractually obligated to comply with GDPR.

Marketing Communications

Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business). Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time. Before we share your personal data with any third party for their own marketing purposes we will get your express consent.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by emailing us at penny@changeahead.biz at any time. If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, warranty registrations etc.

Disclosures of your Personal Data

We may have to share your personal data with the parties set out below:

Service providers who provide IT and system administration services.
Professional advisers including lawyers, bankers, auditors and insurers.
Government bodies that require us to report processing activities.
Third parties to whom we sell, transfer, or merge parts of our business or our assets.

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions. These trusted third parties agree to keep this information confidential. Your personal information will never be shared with unrelated third parties.

International Transfers

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria. Many of our third-party service providers are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is in place:

We will only transfer your personal data to countries that the European Commission have approved as providing an adequate level of protection for personal data; or
Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as they have equivalent safeguards in place.

If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, (see section accounting, or reporting requirements). When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.

For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers. In some circumstances, we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Data Breaches

In the unlikely event of a data breach:

Affected individuals will be notified immediately if there is a high risk to their rights and freedoms.
Relevant authorities (e.g., the Information Commissioner’s Office) will be informed within 72 hours of discovering the breach.

Consent

We will obtain your explicit consent before processing sensitive health and therapy data, except in emergencies or where legally required. Consent may be withdrawn at any time without affecting the services provided.

Your Legal Rights

Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to portability of data and (where the lawful ground of processing is consent) to withdraw consent. You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights set out above, please email us at penny@changeahead.biz.

Under GDPR, you have the following rights concerning your data:

Right to Access: Request access to your data and obtain a copy.
Right to Rectification: Request corrections to inaccurate or incomplete data.
Right to Erasure: Request deletion of your data (except where required for legal or medical purposes).
Right to Restrict Processing: Limit the use of your data in certain circumstances.
Right to Data Portability: Obtain your data in a structured, commonly used format.
Right to Object: Object to the processing of your data for non-therapeutic purposes.
Right to Withdraw Consent: Withdraw consent for data processing at any time.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).
This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you.

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.

Third Party Links

The Site may contain links to third-party websites, plug-ins and applications. Except as otherwise discussed in this Privacy Policy, this document only addresses the use and disclosure of information we collect from you on our Site. Other sites accessible through our site via links or otherwise have their own policies in regard to privacy. We are not responsible for the privacy policies or practices of third parties. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Security

We maintain security measures to protect your personal information from unauthorized access, misuse or disclosure. However, no exchange of data over the Internet can be guaranteed as 100% secure. While we make every effort to protect your personal information shared with us through our Site, you acknowledge that the personal information you voluntarily share with us through this Site could be accessed or tampered with by a third party. You agree that we are not responsible for any intercepted information shared through our Site without our knowledge or permission.
Additionally, you release us from any and all claims arising out of or related to the use of such intercepted information in any unauthorized manner.

Sharing. Please be aware that when you use our Site to post comments and share other information, any information that you provide may not be secure and can be collected and used by others. As a result, you should exercise caution before you make such disclosures.

Children. To access or use the Site, you must be 18 years or older and have the requisite power and authority to enter into this Privacy Policy. Children under the age of 18 are prohibited from using the Site.

We implement stringent security measures to protect your data, including:

Encryption for electronic records.
Secure storage for paper records, where applicable.
Restricted access, ensuring only authorized personnel handle your data.
Regular staff training on data protection and confidentiality.
Regular audits to identify and address vulnerabilities.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy ICO.

Data Protection Registration Number

Registration reference: ZB815292

How to Update Your Information

If you opt-in to our mailing list, the option to unsubscribe or update will be included in every email. You may also access and correct your personal information and privacy preferences by contacting us with your request at penny@changeahead.biz.

Notification of Changes to this Policy

You acknowledge and agree that it is your responsibility to review this Site and this Policy periodically and to be aware of any modifications. Updates to this Policy will be posted on this page.
Date of last update – December 9th 2024

Contact

If you have questions about our Privacy Policy, please contact us via email: penny@changeahead.biz

By engaging with our services, you acknowledge that you have read, understood, and agreed to this GDPR compliance policy.

Change Ahead and Change Ahead Associates (CAA) is committed to protecting your privacy online. This privacy notice provides you with details of how we collect and process your personal data through your use of our site bydeesign.com (the “Site”). By providing us with your data, you warrant to us that you are over 18 years of age. Change Ahead is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).

The term “user,” “you” and “your” refers to site visitors, customers and any other users of the site. The term “personal information” is defined as information that you voluntarily provide to us which personally identifies you and/or your contact information, such as your name, phone number and email address.

Change Ahead provides a website where users can read articles on health, health analysis, the process of health and resolutions for health both mental and physical and a service where users may purchase digital products related to Health emotions and Therapy, Analysis, Practitioner Skills and in Person events and workshops (the “Service”). Use of change Ahead.biz, including all materials presented herein and all online services provided by CAA, is subject to the following Privacy Policy. This Privacy Policy applies to all site visitors, customers, and all other users of the site. By using the Site or Service, you agree to this Privacy Policy, without modification, and acknowledge reading it.

Information We Collect

The data we collect about you, for what purpose and on what ground we process it. Personal data means any information capable of identifying an individual. It does not include anonymised data.
We may process the following categories of personal data about you:

Communication Data that includes any communication that you send to us whether that be through the contact form on our website, through email, text, social media messaging, social media posting or any other communication that you send us. We process this data for the purposes of communicating with you, for record keeping and for the establishment, pursuance or defence of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.

Customer Data that includes data relating to any purchases of goods and/or services such as your name, title, billing address, delivery address email address, phone number, contact details, purchase details and your card details. This information is shared with our e-commerce software providers to ensure the delivery of your order. We use your email to communicate with you about your order and to manage our customer relationship with you. When you place an order you may be added to our mailing list from which you can unsubscribe at any time using the unsubscribe link in each email or by contacting us at penny@changeahead.biz. We collect payment information for each order but we do not store payment information on CAA servers. Your payment information is securely communicated to and processed via our e-commerce software providers. All personal information collected for an order is used for the fulfilment of that order and to manage our customer relationship with you. We process this data to supply the goods and/or services you have purchased and to keep records of such transactions. Our lawful ground for this processing is the performance of a contract between you and us and/or taking steps at your request to enter into such a contract.
User Data that includes data about how you use our website and any online services together with any data that you post for publication on our website or through other online services. We process this data to operate our website and ensure relevant content is provided to you, to ensure the security of our website, to maintain back-ups of our website and/or databases and to enable publication and administration of our website, other online services and business. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business.

Technical Data that includes data about your use of our website and online services such as your IP address, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website. The source of this data is from our analytics tracking system. We process this data to analyse your use of our website and other online services, to administer and protect our business and website, to deliver relevant website content and advertisements to you and to understand the effectiveness of our advertising. Our lawful ground for this processing is our legitimate interests which in this case are to enable us to properly administer our website and our business and to grow our business and to decide our marketing strategy.
Data Protection Procedures The Company shall ensure that all of its employees, agents, contractors, or other parties working on behalf of the Company comply with the following when working with personal data: All emails containing personal data must be encrypted using TLS encryption; Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances; Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable; Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted; Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data; Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using a trackable mail delivery service (Royal Mail Special Delivery). No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Penny Croal Founder of CAA penny@changeahead.biz. 
All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar; No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Penny Croal Founder of CAA penny@changehead.biz; Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time; If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; Any unwanted copies of personal data (i.e. printouts or electronic duplicates) that are no longer needed should be disposed of securely. Hardcopies should be shredded and electronic copies should be deleted securely using secure file deletion software to remove files and prevent recovery; No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to the Company or otherwise [without the formal written approval of Penny Croal Founder of CAA at penny@changeahead.biz and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary]. 
No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Act (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken); All personal data stored electronically should be backed up daily with backups stored in Dropbox and Microsoft OneDrive for Business. All backups should be encrypted using industry cryptographic standards such as TLS/SSL and AES to protect the confidentiality and integrity of customer data All electronic copies of personal data should be stored securely using passwords and industry cryptographic standards such as TLS/SSL and AES data encryption; All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols [. All software used by the Company is designed to require such passwords]; Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords; All personal data held by the Company shall be regularly reviewed for accuracy and completeness. Where the Company has regular contact with data subjects, any personal data held about those data subjects should be confirmed at least annually. If any personal data is found to be out of date or otherwise inaccurate, it should be updated and/or corrected immediately where possible. 
If any personal data is no longer required by the Company, it should be securely deleted and disposed of within 1 year; Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Penny Croal Founder of CAA at penny@changeahead.biz to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least annually. Marketing Communications Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business). Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time. Before we share your personal data with any third party for their own marketing purposes we will get your express consent. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by emailing us at penny@changeahead.biz at any time. If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, warranty registrations etc. Disclosures of your Personal Data We may have to share your personal data with the parties set out below: Service providers who provide IT and system administration services. 
Professional advisers including lawyers, bankers, auditors and insurers. Government bodies that require us to report processing activities. Third parties to whom we sell, transfer, or merge parts of our business or our assets. We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions. These trusted third parties agree to keep this information confidential. Your personal information will never be shared with unrelated third parties. International Transfers Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria. Many of our third-party service providers are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is in place: We will only transfer your personal data to countries that the European Commission have approved as providing an adequate level of protection for personal data by; or Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as they have equivalent safeguards in place. If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time. 
Data Retention We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, (see section accounting, or reporting requirements). When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements. For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers. In some circumstances, we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you. Your Legal Rights Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to portability of data and (where the lawful ground of processing is consent) to withdraw consent. You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ If you wish to exercise any of the rights set out above, please email us at penny@changeahead.biz You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 
We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you. If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you. Third Party Links The Site may contain links to third-party websites, plug-ins and applications. Except as otherwise discussed in this Privacy Policy, this document only addresses the use and disclosure of information we collect from you on our Site. Other sites accessible through our site via links or otherwise have their own policies in regard to privacy. We are not responsible for the privacy policies or practices of third parties. When you leave our website, we encourage you to read the privacy notice of every website you visit. Security We maintain security measures to protect your personal information from unauthorized access, misuse or disclosure. However, no exchange of data over the Internet can be guaranteed as 100% secure. While we make every effort to protect your personal information shared with us through our Site, you acknowledge that the personal information you voluntarily share with us through this Site could be accessed or tampered with by a third party. You agree that we are not responsible for any intercepted information shared through our Site without our knowledge or permission. Additionally, you release us from any and all claims arising out of or related to the use of such intercepted information in any unauthorized manner. Sharing. 
Please be aware that when you use our Site to post comments and share other information, any information that you provide may not be secure and can be collected and used by others. As a result, you should exercise caution before you make such disclosures. Children. To access or use the Site, you must be 18 years or older and have the requisite power and authority to enter into this Privacy Policy. Children under the age of 18 are prohibited from using the Site. Cookies You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy. How to Update Your Information If you opt-in to our mailing list, the option to unsubscribe or update will be included in every email. You may also access and correct your personal information and privacy preferences by contacting us with your request at penny@changeahead.biz. Notification of Changes to this Policy You acknowledge and agree that it is your responsibility to review this Site and this Policy periodically and to be aware of any modifications. Updates to this Policy will be posted on this page. Date of last update – 25 May 2018 Contact If you have questions about our Privacy Policy, please contact us via email: penny@changeahead.biz