Home About Coaching UGCA For Universities Free resources Testimonials Contact us

Privacy Policy (UK)

Last updated: 02/09/2025

UKey is committed to protecting your privacy. This notice explains how we collect, use, disclose and protect your personal data under the UK GDPR, the Data Protection Act 2018, PECR, and applicable reforms.

1. Who we are and how to contact us

Controller: UKey Limited

Company number: 16426335

Registered office: Belmont Suite Paragon Business Park, Chorley New Road, Bolton, Lancashire, England, BL6 6HG

ICO registration number: ZB976096 

Contact: [email protected]

If you have concerns, email us first. You also have the right to complain to the Information Commissioner’s Office (ICO).

2. What data we collect

2.1 You provide

  • Identification and contact: name, email, phone, address, nationality (optional).
  • Account data: login, preferences, community posts.
  • Purchase and booking details: products purchased, dates/times, invoices.
  • Coaching information: education/work history, career aims, CVs, LinkedIn profiles, notes from sessions and homework tasks.
  • Communications: emails, messages, survey responses, support queries.
  • Marketing preferences and consent records.

2.2 Collected automatically (cookies/SDKs)

  • Device and usage data: IP address, device type, browser, pages visited, time on page, referring URL.
  • Analytics: Google Analytics 4 (“GA4”). Non-essential analytics cookies are used only with your consent. See the Cookie Policy below for details and opt-out controls.

2.3 From third parties

  • Payment processors (transaction references, status).
  • Scheduling and video platforms (booking timestamps, attendance).
  • Advertising partners (consented campaign performance data).
  • Public sources (e.g. LinkedIn, when you share a URL for review).

We do not intentionally collect special category data. If you share such data during coaching (e.g. health or ethnicity), we will handle it with enhanced care and only as necessary for your request and with your consent where required.

3. Purposes and lawful bases

Purpose Lawful basis Examples
Provide services, fulfil contracts Performance of a contract Deliver coaching sessions, course access, downloads
Account administration & support Legitimate interests Keep your account working; answer queries
Payments and fraud prevention Legitimate interests / legal obligation Payment verification, chargeback handling, tax records
Analytics and site improvement Consent (PECR/UK GDPR) GA4 cookies/SDKs enabled only after opt-in
Marketing by email/SMS Consent; or soft opt-in for similar products to existing customers Newsletters, offers; unsubscribe anytime
Testimonials & case studies Consent (and anonymisation where possible) Publishing your feedback on Site/social
Legal compliance Legal obligation Consumer law, tax, data-protection compliance
Defending legal claims Legitimate interests Establish/exercise/defend claims

Where we rely on legitimate interests, we balance our interests against your rights and freedoms.

4. Children

Our services are for adults. If we process a child’s data in exceptional cases (e.g. parental purchase for a 16–17 year-old), UK law sets the digital consent age at 13. We will verify parental responsibility where applicable and use plain language appropriate for children.

5. Data retention

  • Contract and finance records: 6 years after the end of the tax year.
  • Coaching records and notes: 3 years after last interaction, unless you ask us to delete earlier and we have no overriding legal reason to keep them.
  • Marketing preferences: until you opt-out or after 24 months of inactivity.
  • Google Analytics 4: user-level/event data retained for 14 months; aggregated reports may persist without identifying individuals.

6. Sharing your data

  • Service providers under contract (hosting, payment, scheduling, video, CRM, email, analytics, form tools).
  • Professional advisers (legal/accounting), insurers, and authorities where required by law.
  • Prospective buyers or investors in connection with a corporate transaction (subject to confidentiality).

We do not sell personal data.

7. International transfers

We may transfer data outside the UK:

  • To vendors in countries with UK adequacy regulations (including the UK-US Data Bridge for DPF-certified recipients).
  • Where no adequacy decision applies, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus transfer risk assessments and supplementary measures as needed.

You can request information about specific safeguards for your data.

8. Your rights

You have rights to: access; rectification; erasure; restriction; portability; object to processing based on legitimate interests; and withdraw consent at any time for consent-based processing. To exercise these, contact [email protected]. You also have the right to complain to the ICO.

9. Marketing choices

Consent: We only send electronic marketing to individuals with consent, or under the soft opt-in when you bought something similar from us and didn’t opt out. You can unsubscribe at any time via the link in our emails or by contacting us.

We do not use dark patterns; refusal of consent will not affect essential services.

10. Security

We use administrative, technical and organisational measures appropriate to risk, including encryption in transit, access controls, least-privilege principles, and vendor due diligence. No system is perfectly secure.

11. Cookies and similar technologies (Cookie Policy)

11.1 How we use cookies

  • Strictly necessary cookies: required for core functionality (security, load balancing, session management). No consent required.
  • Analytics (non-essential): GA4 to understand Site usage and improve UX. Consent required under PECR; disabled by default.
  • Advertising/measurement (if used): enabled only with consent.

11.2 Managing consent

  • Our banner and preference centre allow you to: accept/decline categories; change choices at any time; view a live list of cookies; withdraw consent easily.
  • We keep records of consent. If you clear cookies or change devices/browsers, we will re-ask.

11.3 Google Analytics 4

If you consent to analytics:

  • GA4 may set cookies such as _ga, _ga_[property-id], and _gcl_au; retention is 14 months per our setting; IP addresses are not stored in GA4 reports; we use regional settings to limit data collection where available.
  • Data may transfer to the US. Where the recipient is certified under the UK-US Data Bridge, transfers rely on that adequacy framework; otherwise we use IDTA/Addendum safeguards.
  • You can revoke consent in our preference centre at any time.

11.4 Example cookie table (for your banner to auto-populate)

Cookie Type Purpose Duration
_ga Analytics (GA4) Distinguishes users 14 months
_ga_[property-id] Analytics (GA4) Session/engagement per property 14 months
_gcl_au Ads/measurement (if used) Campaign attribution 3 months
platform_session Strictly necessary Session management Session

12. Automated decision-making

We do not make decisions with legal or similarly significant effects solely by automated means. If this changes, we will explain the logic, significance and consequences and your rights.

13. Changes to this notice

We may update this notice and will post the new date at the top. Significant changes will be notified within the Site or by email where appropriate.