Privacy Policy

Last updated: April 2026 · Version 1.1

Plain English summary: This website does not use contact forms, cookies, or tracking. The only way your personal data reaches me is if you choose to contact me directly by email, telephone, or through the booking calendar. I hold data only for as long as I need to, I never sell it, and you can ask me to delete it at any time.

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Note for site owner: Once registered with the ICO, replace [YOUR ICO REGISTRATION NUMBER] in Section 1. Registration costs £40/year for organisations with turnover under £632,000. Register at ico.org.uk/registration.

1. Who I am and how to contact me

This privacy policy applies to helenforsyth.com and the commercial services offered through it, operated by:

Data Controller: Helen Forsyth
Trading as: Something Other
Email: helen@something-other.com
Telephone: 07846 974137
ICO Registration Number: [YOUR ICO REGISTRATION NUMBER]

As a sole trader, I am not required to appoint a Data Protection Officer. For any data-related queries, contact me directly at the address above.

2. What personal data I collect, why, and the legal basis

I collect personal data only when you voluntarily provide it. The table below sets out what I collect, why, and the legal basis under UK GDPR Article 6:

What I collect	Why	Legal basis (UK GDPR Art. 6)
Name, email address, and message content (when you email me)	To respond to your enquiry and assess a potential commercial relationship	Legitimate interests (6(1)(f))
Name and telephone number (when you call me)	To follow up on your enquiry	Legitimate interests (6(1)(f))
Name and email address (via Notion Calendar booking)	To confirm and manage the appointment	Legitimate interests (6(1)(f))
Contact details, correspondence, and business information (during an active engagement)	To deliver contracted commercial advisory services	Contract performance (6(1)(b))
Financial records, invoices, and payment information (clients only)	To meet statutory tax and accounting obligations	Legal obligation (6(1)(c))

Legitimate interests assessment: Where I rely on legitimate interests, I have assessed that processing is necessary, proportionate, and does not override your rights and freedoms. You have the right to object at any time (see Section 7).

3. How long I keep your data

Enquiries that do not lead to an engagement: Retained for no longer than 12 months from our last communication, unless you ask me to remove it sooner.
Client engagement records and correspondence: Retained for the duration of the engagement and for two years after it ends, unless a longer period is required by law or contract.
Financial records and invoices: Retained for a minimum of six years from the end of the relevant tax year, as required by HMRC.
Booking calendar records: Managed by Notion. Notes from calls where no engagement follows are retained for up to 12 months.

4. Who I share your data with

I do not sell, rent, or share your personal data with third parties for marketing purposes.

Your data may be processed by the following third-party service providers:

Google LLC (Google Workspace — email, calendar, document storage): Processes data under Standard Contractual Clauses. Privacy policy: policies.google.com/privacy
Notion Labs Inc. (booking calendar and note-taking): Processes data under Standard Contractual Clauses. Privacy policy: notion.so/privacy
HM Revenue & Customs: Financial information is disclosed where required by law.

5. International transfers of personal data

Google LLC and Notion Labs Inc. are headquartered in the United States. When these services process your data, it may be transferred outside the United Kingdom.

Both providers use Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner as the lawful transfer mechanism. This means they are contractually required to protect your data to UK GDPR standards.

No other international transfers of your personal data take place.

6. Cookies and tracking

This website sets no cookies and uses no analytics, tracking, or advertising technology. It is a static HTML file with no third-party scripts. No cookie consent banner is required.

The Notion Calendar booking page (linked from this site) is operated by Notion and subject to their own cookie practices.

If cookies or tracking are added to this website in future, this policy will be updated and an appropriate consent mechanism will be put in place before any tracking begins.

7. Your rights under UK GDPR

You have the following rights. Exercising them is free of charge. I will respond within one calendar month (extendable by two further months in complex cases, with notice to you).

Right of access (Article 15): Request a copy of the personal data I hold about you and information about how it is processed.
Right to rectification (Article 16): Request correction of inaccurate or incomplete data without undue delay.
Right to erasure (Article 17): Request deletion of your data. This right is subject to legal retention requirements.
Right to restriction of processing (Article 18): Request that I limit use of your data while a dispute about accuracy or lawfulness is resolved.
Right to data portability (Article 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.
Right to object (Article 21): Object at any time to processing based on legitimate interests. I will stop unless I can demonstrate compelling legitimate grounds that override your interests, or the processing is for legal claims.
Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Note: most processing described in this policy is based on legitimate interests or contract, not consent.

To exercise any of these rights, contact me at helen@something-other.com or 07846 974137. I may need to verify your identity before processing your request.

8. Automated decision-making and profiling

I do not carry out any automated decision-making or profiling as defined under Article 22 of the UK GDPR. No decisions with legal or similarly significant effects are made about individuals through automated means. Human review is involved in all commercial decisions.

9. Data security

I implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

Google Workspace encryption in transit (TLS) and at rest for all stored data
Password protection and two-factor authentication on all accounts used to process personal data
Access to personal data limited to me alone
Secure deletion of data no longer required in line with the retention periods in Section 3

In the event of a personal data breach that poses a risk to your rights and freedoms, I will notify the ICO within 72 hours of becoming aware of it, and will notify affected individuals without undue delay where the risk to them is high.

10. Right to complain to the ICO

You have the right to lodge a complaint with the UK supervisory authority if you believe your data has been handled unlawfully:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

I would welcome the opportunity to address any concerns directly before you contact the ICO. Please email me first at helen@something-other.com.

11. Changes to this policy

This policy may be updated to reflect changes in how I operate, in applicable law, or in the services I use. The version number and last updated date at the top of this page always reflect the current version. Where changes are material, I will notify active clients directly.

12. Contact

Helen Forsyth
Something Other
helen@something-other.com
07846 974137