GDPR Compliance Policy

CompellingStory | compellingstory.co.uk

Last updated: 20 February 2026

1. Introduction

This GDPR Compliance Policy sets out how CompellingStory ("we", "us", "our") collects, processes, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are committed to handling personal data responsibly, transparently, and in accordance with our legal obligations. This policy applies to all personal data we process, whether collected through our website, by email, by telephone, or in any other way.

2. Data Controller

CompellingStory is the Data Controller for the purposes of UK GDPR. This means we are responsible for determining how and why personal data is processed.

Contact details:

  • Business name: CompellingStory

  • Email: hello@compellingstory.co.uk

  • Phone: +44 20 3811 8558

  • Website: www.compellingstory.co.uk

We do not currently have a statutory obligation to appoint a Data Protection Officer (DPO), as we are not a public authority and do not carry out large-scale systematic processing or processing of special category data. However, any data protection queries should be sent to us using the contact details above.

3. Data Protection Principles

We adhere to the six core principles of UK GDPR. All personal data we process must be:

  • Processed lawfully, fairly, and in a transparent manner

  • Collected for specified, explicit, and legitimate purposes and not processed in a manner that is incompatible with those purposes

  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed

  • Accurate and, where necessary, kept up to date

  • Kept in a form that permits identification of data subjects for no longer than is necessary

  • Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage

4. What Personal Data We Collect

We collect the following categories of personal data:

  • Name — provided voluntarily via contact forms or email enquiries

  • Email address — provided voluntarily via contact forms, newsletter sign-ups, or direct correspondence

We do not collect sensitive (special category) personal data such as health information, financial details, or identification documents as part of our standard operations.

5. Lawful Basis for Processing

We process personal data on the following lawful bases under Article 6 of UK GDPR:

  • Legitimate Interests (Article 6(1)(f)) — processing is necessary for the purposes of our legitimate business interests, specifically to respond to enquiries and provide our consultancy services, where those interests are not overridden by your data protection rights

  • Consent (Article 6(1)(a)) — where you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to our newsletter. You may withdraw consent at any time by contacting us at hello@compellingstory.co.uk or using the unsubscribe link in any marketing email

6. How We Use Personal Data

We use personal data for the following purposes:

  • To respond to enquiries and contact form submissions

  • To send our newsletter to subscribers who have given consent

  • To arrange and follow up on discovery calls or consultancy meetings

  • To fulfil our contractual and pre-contractual obligations

  • To comply with our legal obligations

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our retention periods are as follows:

  • Contact form enquiries: up to 2 years from the date of receipt, unless ongoing engagement continues

  • Newsletter subscriber data: retained until the subscriber unsubscribes or requests deletion

  • Business correspondence: up to 6 years in line with statutory limitation periods

After the relevant retention period, personal data will be securely deleted or anonymised.

8. Data Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Use of secure email and communication platforms

  • Password-protected access to systems holding personal data

  • Limiting access to personal data to authorised individuals on a need-to-know basis

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of UK GDPR.

9. Data Sharing and Third Parties

We do not sell, rent, or share personal data with third parties for their own marketing purposes.

We may share personal data with carefully selected third-party service providers who process data on our behalf, such as email marketing platforms or website hosting services. All third-party processors are required to process data in accordance with UK GDPR and are bound by appropriate data processing agreements.

We may also disclose personal data where we are legally required to do so, such as by a court order or regulatory authority.

10. International Data Transfers

Where we use third-party tools or platforms that may transfer personal data outside the UK or the European Economic Area (EEA), we ensure that adequate safeguards are in place in accordance with Chapter V of UK GDPR. This may include transfers to countries recognised as providing adequate protection, or transfers subject to Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).

11. Your Rights as a Data Subject

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right to be informed — you have the right to know how your data is collected and used (provided via our Privacy Policy and this document)

  • Right of access — you may request a copy of the personal data we hold about you (Subject Access Request)

  • Right to rectification — you may ask us to correct inaccurate or incomplete data

  • Right to erasure ("right to be forgotten") — you may request deletion of your personal data in certain circumstances

  • Right to restrict processing — you may ask us to restrict how we use your data in certain circumstances

  • Right to data portability — you may request your data in a structured, commonly used, machine-readable format

  • Right to object — you may object to processing based on legitimate interests or for direct marketing purposes

  • Rights in relation to automated decision-making — we do not carry out solely automated decision-making or profiling that produces legal or similarly significant effects

To exercise any of these rights, please contact us at hello@compellingstory.co.uk. We will respond within one calendar month. We may need to verify your identity before fulfilling your request.

12. Complaints

If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority for data protection in the UK:

  • Website: ico.org.uk

  • Helpline: 0303 123 1113

  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address any concerns directly before you approach the ICO. Please contact us in the first instance at hello@compellingstory.co.uk.

13. Policy Review

This GDPR Compliance Policy will be reviewed annually or whenever there is a significant change to our business operations, legal obligations, or the data we process. The most current version will always be available on our website.

14. Contact

For any data protection queries, to exercise your rights, or to raise a concern, please contact:

  • Email: hello@compellingstory.co.uk

  • Phone: +44 20 3811 8558

  • Website: www.compellingstory.co.uk