Privacy Policy
Updated: 04/10/2023
Private Policy
1. Purpose
This Privacy Policy (“Policy”) sets out how Wondrous People Limited, registered in England and Wales, No. 6451106, (“Wondrous” or the “Company”) collects, uses, stores, shares and protects any information that you provide when you engage with us in relation to our services or use our website. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
We are committed to ensuring that your privacy is protected, and we comply with the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer in the European Economic Area (EEA). Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this Policy.
Wondrous is registered with the Information Commissioner’s Office (ICO) as a Data Controller, registration number: Z1871422.
Wondrous may change this Policy from time to time by updating the website. You should check the website from time to time to ensure that you are happy with any changes.
For personal data to be processed lawfully, we must process it on one of the legal grounds set out in the data protection laws.
For the processing of ordinary personal data in our organisation these may include, among other things:
- the data subject has given their consent to the processing;
- the processing is necessary for the performance of a contract with the data subject;
- the processing is necessary for the compliance with a legal obligation to which the data controller is subject; or
- the processing is necessary for legitimate interest reasons of the data controller or a third party
e. you are processing someone’s personal data in ways they would reasonably expect it to be processed and which have a minimal privacy impact on the data subject or where there is a compelling justification for the processing.
2. What information do we collect from you?
Wondrous uses your personal data to manage and administer your account/programme and to keep in contact with you for these purposes. If you do not provide personal data we ask for, it may delay or prevent us from providing these services to you.
We may collect the following information:
- name and job title;
- contact information including email address and telephone number;
- basic employment details;
- demographic information such as your region;
- information for technical security monitoring purposes such as your IP address and the version of your browser; and
- Depending on the service we provide to you as an individual or your company, we may also request more detailed information about your employment. For example, the department, function, or team you work in, the grade or level of your employment, the length of employment and professional experience and goals.
We may collect personal data in the following ways:
- Data disclosed by the individual directly.
- Data disclosed by an authorised third party (e.g., employer) on the individual’s behalf.
- Data obtained from a linked system or database.
- Data generated through user interaction with systems and/or services.
- Where an individual’s data is provided to Wondrous People Ltd by an authorised third party such as your employer (e.g., programme delegate lists), it is the third party’s responsibility to ensure they have the correct lawful basis in place to share this data with Wondrous People Ltd.
- Why do we collect this information?
Under data protection law, we can only use your personal data if we have a proper reason e.g:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you or to take steps at your request before entering into a contract; or
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.
Wondrous People Ltd will always tell you what we intend to use your personal data we collect from you for. However, the main purpose of collecting your personal data is to provide the service you have requested, or we are contracted to provide in relation to your account/programme e.g., executive, or individual coaching, leadership, and team development.
We collect this information to understand your needs and provide you with a better service, and in particular for the following reasons:
- Internal record keeping.
- To improve our products and services.
- To contact you in response to a specific enquiry.
- We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
- From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax, or mail. We may use the information to customise the website according to your interests. Where we rely on your consent, such as any consent we seek for email marketing, you can withdraw this consent at any time.
Where we process special categories of data e.g., racial, or ethnic origin or data concerning health, we will also ensure we are permitted to do so under data protection laws e.g:
- we have explicit consent;
- the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- the processing is necessary to establish, exercise or defend legal claims.
- Who we share your information with and transferring your information out of the UK and EEA
Wondrous work with a number of Network Members coaches and facilitators and your data may be shared directly with any Network Member that is directly associated with your project/account/programme. In particular, any coaching programmes where sensitive information may emerge during the course of the coaching is bound and held in strict confidence. The lawful basis for collecting this data is covered under our contract with you. Wondrous People Limited will not supply your data to third parties for marketing purposes.
We only allow third parties to handle your personal data if we are satisfied, they take appropriate measures to protect your personal data.
To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK/EEA e.g:
- with our service providers located outside the UK/EEA;
- if you are based outside the UK/EEA;
- where there is a European and/or international dimension to the services we are providing to you; or
- to our Network Members in order to provide the services to you.
Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK/EEA where:
- the UK government or, where the EU GDPR applies, the European Commission, has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
- a specific exception applies under data protection law.
These are explained below:
Adequacy Decision
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
- all European Union countries, plus Iceland, Liechtenstein, and Norway (collectively known as the “EEA”);
- Gibraltar; and
- Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
Other countries or international organisations we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.
Transfers with appropriate safeguards
Where there is no adequacy decision, we may transfer your personal data to another country or international organisation, if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.
The safeguards will usually include using legally approved standard data protection contract clauses. To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact us.
Transfers under an exception
In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g:
- you have explicitly consented to the proposed transfer after having been informed of the possible risks;
- the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;
- the transfer is necessary for a contract in your interests, between us and another person; or
- the transfer is necessary to establish, exercise or defend legal claims.
We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights, and freedoms. Specific conditions apply to such transfers, and we will provide relevant information if and when we seek to transfer your personal data on this ground.
- How long do we keep hold of your information?
Wondrous People Ltd will hold your data while you have an account with us, or we are providing services to you. Thereafter, we will keep your data for as long as is necessary:
- to respond to any questions, complaints or claims made by you or on your behalf;
- to show that we treated you fairly; and/or
- to keep records required by law.
We will not keep your data for longer than necessary.
Where data is held by our Network Members or third parties, in support of the services we provide to you, they are contractually bound to delete data upon our request, delete data at the end of our contract with them, or to anonymise data after 2 years of receipt.
- Your rights
You have the following rights which you can exercise free of charge:
Access | The right to be provided with a copy of your personal data |
Rectification | The right to require us to correct any mistakes in your personal data |
Erasure (also known as the right to be forgotten) | The right to require us to delete your personal data – in certain situations |
Restriction of processing | The right to require us to restrict processing of your personal data in certain circumstances e.g., if you contest the accuracy of the data |
Data portability | The right to receive the personal data you provided to us, in a structured, commonly used, and machine-readable format and/or transmit that data to a third party – in certain situations |
To object | The right to object:
· At any time to your personal data being processed for direct marketing (including profiling);
· In certain other situations to our continued processing of your personal data e.g., processing carried out for the purpose of our legitimate interests. |
Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
To contact us about your personal data and your rights, please contact us at the address below. If you have unresolved concerns, you have the right to complain to the Information Commissioner’s Office (ICO).
- Security
We are committed to ensuring that your information is secure. To prevent unauthorised access or disclosure we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
- Data Breach
Wondrous has a Data Breach Management Procedure in place. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted, or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
When a personal data breach has occurred, we will establish the likelihood and severity of the resulting risk. If the nature of the data breach requires Wondrous People Ltd to inform the ICO, we will do so within 72 hours of becoming aware of the data breach. If you are notifying us of a data breach, notifications must include: your name and contact details, the date and time of the breach you are reporting, the date and time it was detected and any other information that will help us investigate the issue.
- How we use cookies
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
- Links to other websites
Our website may contain links to other websites of interest. When you use these links to leave our site, note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
- Controlling your personal information
You may choose to restrict the collection or use of your personal information in the following ways:
- Whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes.
- If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us by email, by writing to us or calling us.
- We will not sell, distribute, or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
- You may request details of personal information which we hold about you under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). If you would like a copy of the information held on you, please write to:
Wondrous People Ltd,
201 Borough High Street,
London, United Kingdom,
SE1 1JA.
Your journey to flourishing starts here
Let's Talk