The Power And Control Wheel

support@thepowerandcontrolwheel.co.uk

Privacy Notice (UK GDPR / DPA 2018)

Privacy Notice (UK GDPR / Data Protection Act 2018)

Controller
Sole trader Kevin Webb, trading as The Power And Control Wheel (“we”, “us”, “our”).
Correspondence address: Available on request (we operate online/by phone; no public premises).
Privacy contact / DPO: Kevin Webb — info@thepowerandcontrolwheel.co.uk

Last updated: 8 October 2025

1) What this notice covers

How we collect, use, share, secure and retain personal data for our services, and your rights.

2) What we do

Somatic trauma-informed coaching; education on narcissistic abuse; online educational videos/posts; blogs; 1-to-1 sessions (phone/Zoom); and support groups (in person and online). Online group Zoom sessions are recorded for safeguarding and accurate follow-up (see §9, §11).

3) Data we collect

  • Identity & contact: name (or alias), email, phone, general location/time zone.
  • Service data: bookings, attendance, basic session notes, topics raised.
  • Payments: PayPal transaction metadata and bank-transfer references (no card numbers stored by us).
  • Communications: emails, phone call notes, website comments/messages.
  • Technical: IP address, device/browser info, cookie IDs.
  • Recordings (groups only): video/audio of participants who choose mic/camera; chat content; display names.
  • Self-disclosed experiences: information you voluntarily share about circumstances of abuse.
    We discourage unnecessary detail. If “special category” content is clearly involved (e.g., health), we minimise and handle under §6/§9.

4) How we collect it

  • Directly from you: bookings (shared calendar), emails/phone, Zoom groups, website comments, newsletter sign-ups, and social channels (YouTube, X, Facebook, Messenger, WhatsApp, LinkedIn, TikTok, Instagram).
  • Automatically via essential cookies; optional analytics only with consent (see Cookie Notice).
  • From our service providers (e.g., email, scheduling, payments) to operate services.

5) Purposes & lawful bases

PurposeExamplesLegal basis
Service deliveryBookings, 1-to-1 and groups, follow-upContract (Art.6(1)(b))
Payments & accountsInvoices, tax/auditContract + Legal obligation (Art.6(1)(c))
CommunicationsEnquiries, service noticesLegitimate interests (Art.6(1)(f))
Email marketing/newslettersOptional updatesConsent (Art.6(1)(a))
Security / essential cookiesFraud/abuse prevention, performanceLegitimate interests (Art.6(1)(f))
Safeguarding / serious riskRisk of harm; legal complianceVital interests (Art.6(1)(d)) and/or Legal obligation; if special category data arises: Art.9(2)(c)/(g) + DPA 2018 Sch.1
If special category data clearly arises in routine support, we rely on explicit consent (Art.9(2)(a)) and minimise detail.

6) Your choices in groups

  • Real name optional (aliases allowed).
  • Mic/camera optional (camera preferred but not required).
  • Don’t want to be on a recording? Keep mic/camera off and use an alias; we can mask/remove a visible name where feasible.

7) Online learning (LearnDash)

We provide private online learning using LearnDash on our website. We process:

  • Account data: name/alias, email, username, password (hashed), time zone.
  • Learning activity: enrolments, progress, lesson/quiz completions, certificates.
  • Community interactions (if enabled): comments, forum posts, messages, profile info.
  • Support/admin: enrolment dates, suspension/withdrawal, support requests.
    Bases: course delivery/tracking/certificates — Contract; platform admin/abuse prevention — Legitimate interests; course emails — Legitimate interests; unrelated marketing — Consent; payments via PayPal or bank transferContract + Legal obligation (tax).
    Retention: progress/completions 2 years after last activity/closure; accounts: active while used, otherwise review at 24 months inactivity (keep minimal records up to 6 years if needed for finance/audit/certificate verification).

8) Who we share data with

Processors/partners: FastHosts (web/email hosting); Google Calendar; Microsoft Outlook/Email; Zoom; PayPal; bank transfer (Halifax); WordPress and standard website tools.
We may share data with law enforcement or safeguarding bodies where required to protect vital interests or by law. We do not sell personal data.

9) Recordings (online group sessions)

Purpose: safeguarding and accurate follow-up.
Access: only Kevin Webb (controller/DPO).
Retention: 30 days, then deletion, unless needed to respond to a complaint/legal request, evidence a safeguarding concern, or comply with law. In such cases we retain only the relevant excerpt for as long as necessary.

10) International transfers

Some providers (e.g., Google/Microsoft/Zoom/PayPal) may process/store data outside the UK. Where transfers occur, we use UK-approved safeguards (UK Addendum to SCCs/IDTA) or adequacy regulations. Supplier details available on request.

11) How long we keep data

  • Recordings (group Zoom): 30 days; extend only for legal/safeguarding.
  • Client notes (1-to-1 & groups): 2 years after last interaction or confirmed closure (whichever later).
  • Enquiry emails (no ongoing work): 12 months.
  • Account/booking logs: 6 years (audit trail).
  • Invoices/financial: 6 years (UK tax).
  • Marketing/subscribers: until you unsubscribe or after 24 months inactivity; proof of consent may be kept up to 6 years to evidence compliance.
    We delete or irreversibly anonymise when due.

12) Security

We apply proportionate measures: MFA on admin/email; device encryption and screen-lock; up-to-date OS/AV; VPN on untrusted networks; least-privilege access; locked office storage; secure Zoom settings (waiting room, passwords, host-only recording access); data minimisation; periodic reviews. See Appendix C for a checklist.

13) Your rights

You can request access, rectification, erasure, restriction, objection, portability, and withdraw consent (for consent-based processing).
Contact: info@thepowerandcontrolwheel.co.uk. We respond within one month.
You can complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

14) Children

Services are for adults (18+).

15) Cookies

We use a consent banner that blocks non-essential cookies until accepted and a Cookie Notice listing the cookies, purposes and lifetimes. See our Cookie Notice (link in footer).