Jo's Transforming Lives ('we', 'us', 'our') is a coaching and emotional wellbeing business operated by Jo Brown, based in Aberdeenshire, Scotland. We are the Data Controller for personal information processed in connection with our services.
Contact details:
• Email: [email protected]
• Website: https://www.jostransforminglives.co.uk and https://jobrowncoaching.co.uk
• Address: Oaklands, Whiterashes, Aberdeenshire AB21 0QX, United Kingdom
We are not required to appoint a Data Protection Officer, but if you have any queries about how we handle your data, please contact Jo directly
Under UK GDPR Article 6, we rely on the following lawful bases to process your personal data:
• Contractual necessity (Art. 6(1)(b)): to provide the coaching or wellbeing services you have engaged us for.
• Legitimate interests (Art. 6(1)(f)): to administer our business, manage client communications, and improve our services, where this does not override your rights.
• Legal obligation (Art. 6(1)(c)): to comply with financial, tax, and regulatory requirements.
• Consent (Art. 6(1)(a)): for marketing communications, optional data collection, and the processing of special category data such as health information. Where we process special category data (such as health or wellbeing information), we rely additionally on:
• Your explicit consent under UK GDPR Article 9(2)(a). • Processing for healthcare or social care purposes under Article 9(2)(h) and Schedule 1 of the Data Protection Act 2018
3.1 Information You Provide We may collect the following categories of personal data:
• Identity data: full name, date of birth, gender. • Contact data: email address, telephone number, postal address.
• Special category data: health information, emotional or mental wellbeing information shared during coaching sessions. Collected only with your explicit consent.
• Financial data: billing address and payment records. Card data is processed solely by our payment providers (PayPal, Stripe, Lloyds Bank) and not stored by us.
• Account data: usernames, passwords, and communication preferences.
• Session data: notes and records made during or following coaching sessions, where agreed with you in advance.
3.2 Information Collected Automatically When you visit our website, we automatically collect limited technical data including your IP address, browser type, device information, and pages visited. This is used for security and performance purposes only.
3.3 Information from Third Parties We do not purchase or obtain personal data from third-party data brokers. Where you connect with us via Facebook or another social platform, we may receive basic profile information in accordance with your account settings on that platform
We use your personal data only for specific, documented purposes:
• Delivering the coaching or wellbeing services you have requested.
• Managing bookings, invoices, and payments.
• Communicating with you about your programme or our services.
• Sending marketing communications, including newsletters and offers, where you have given your consent. You may withdraw consent at any time.
• Complying with our legal and regulatory obligations, including financial record-keeping.
• Improving and securing our website and services. We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
We do not sell or rent your personal data. We may share data with trusted third parties only where necessary:
• Payment processors: PayPal, Stripe, and Lloyds Bank, for processing payments. Each has their own privacy policy.
• Website and technology providers: hosting, email, and analytics services (e.g. Google Analytics). These act as data processors under a written agreement with us.
• Professional advisers: accountants or legal advisers, where required, under obligations of confidentiality.
• Regulatory authorities or law enforcement agencies, where required by law. Where any third party acts as a data processor, we ensure an appropriate data processing agreement is in place, consistent with UK GDPR Article 28
Some of our service providers are based outside the UK or EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, including:
• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
• Transfers to countries with an adequacy decision from the UK Secretary of State. For further detail about specific transfer safeguards, please contact Jo.
We retain personal data only for as long as necessary for the purposes it was collected, or as required by law:
• Client session and health records: 7 years from the end of engagement.
• Financial and transaction records: 7 years, as required by HMRC.
• Marketing consent records: until you withdraw consent, plus 1 year for audit purposes.
• Website technical data (logs, cookies): up to 13 months. When data is no longer required, it is securely deleted or anonymised
Our website uses cookies and similar technologies:
• Strictly necessary cookies: required for the website to function. No consent required.
• Analytics cookies: used via Google Analytics to understand how visitors use our site. Only set with your consent.
• Marketing or preference cookies: only used where you have given explicit consent. You can manage your cookie preferences at any time via the cookie settings on our website or by adjusting your browser settings. To opt out of Google Analytics: https://tools.google.com/dlpage/gaoptout
9. Your Rights Under UK GDPR As a data subject, you have the following rights under UK GDPR. These rights are not absolute and may be subject to exemptions:
• Right of access (Art. 15): to request a copy of the personal data we hold about you (Subject Access Request).
• Right to rectification (Art. 16): to ask us to correct inaccurate or incomplete data. • Right to erasure (Art. 17): to request deletion of your data, where no overriding legal obligation requires us to retain it.
• Right to restrict processing (Art. 18): to ask us to pause processing of your data in certain circumstances.
• Right to data portability (Art. 20): to receive your data in a structured, machine-readable format.
• Right to object (Art. 21): to object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: at any time, without affecting the lawfulness of prior processing. To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month (UK GDPR Article 12). If you are dissatisfied, you may complain to the ICO: • Website: https://ico.org.uk/make-a-complaint/ • Telephone: 0303 123 1113
We implement appropriate technical and organisational measures including encrypted storage and transmission, access controls, and regular security reviews. If a personal data breach occurs, we will notify the ICO within 72 hours where required (UK GDPR Article 33), and will inform affected individuals without undue delay where there is a high risk to their rights and freedoms
Our services are not directed to anyone under the age of 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected such data, please contact us immediately.
We may update this Privacy Policy periodically. The most current version will always be published on our website at https://www.jostransforminglives.co.uk. Material changes will be communicated to you directly where possible.
• Jo Brown, Jo's Transforming Lives
• Email: [email protected]
• Address: Oaklands, Whiterashes, Aberdeenshire AB21 0QX, United Kingdom
• Contact form: https://jostransforminglives.co.uk/contact-jo.
14.1 European Economic Area (EEA) If you are based in the EEA, your data may be transferred to and processed in the UK. Since 28 June 2021, the European Commission has recognised the UK as providing an adequate level of data protection (the EU Adequacy Decision), meaning your data travels with appropriate protections in place. You retain all rights under EU GDPR, including those listed in Section 9 above. You may also lodge a complaint with your local supervisory authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en
14.2 United States Residents We do not sell personal data as defined under US state law. Residents of the following states have specific rights: • California (CCPA/CPRA): right to know what we collect, right to delete, and right to opt out of sale (we do not sell data). Right to non-discrimination for exercising your rights.
• Colorado, Connecticut, Virginia, and other US states with comprehensive privacy laws: rights to access, correct, delete, and port your data, and to opt out of targeted advertising. We do not use your data for targeted advertising or profiling. We will respond to verifiable consumer requests within 45 days, extendable by a further 45 days where reasonably necessary.
14.3 Canada If you are located in Canada, we process your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. You have the right to access your information and challenge its accuracy. Complaints may be directed to the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca
14.4 Australia If you are in Australia, we process your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct personal information we hold about you. Complaints may be directed to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.
14.5 New Zealand If you are in New Zealand, we process your information in accordance with the Privacy Act 2020. You have the right to request access to, and correction of, your personal information. Complaints may be directed to the Office of the Privacy Commissioner at https://www.privacy.org.nz
14.6 South Africa If you are in South Africa, we process your information in accordance with the Protection of Personal Information Act 2013 (POPIA). You have rights to access, correct, and object to the processing of your personal information. Complaints may be directed to the Information Regulator at [email protected].
14.7 All Other Jurisdictions Wherever you are located, we are committed to handling your personal information with respect and transparency. We apply UK GDPR standards as our baseline across all our data processing activities. If your country has specific privacy laws that grant you additional rights, we will make every reasonable effort to honour those rights. Please contact us directly at [email protected].
This Privacy Policy was written with reference to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It supersedes all previous versions.