Legal

Privacy Policy.

How we collect, use, and protect your personal information when you visit our website or engage with our consulting and training services.

Last updated: 1 May 2026

1. Introduction

GCSA Consulting UK LTD ("we", "us", "our") is committed to protecting and respecting your privacy. This privacy policy explains how we handle the personal information of clients, prospective clients, training participants, website visitors, and other individuals who interact with us.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This policy should be read alongside our Terms of Use and Cookie Preferences page.

2. Who we are

GCSA Consulting UK LTD is a management consulting firm registered in England and Wales, with our registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ. We are the data controller responsible for your personal information unless otherwise stated in this policy.

For any data protection enquiries, please contact our Data Protection lead at info@gcsaconsulting.co.uk.

3. Information we collect

We may collect and process the following categories of personal data:

3.1 Information you provide directly

  • Identity information — name, job title, employer, professional background
  • Contact information — email address, phone number, postal address, country of residence
  • Engagement information — details of your enquiry, training application, or consulting brief
  • Payment information — billing address and payment confirmation (card details are processed by Stripe and never stored by us)
  • Communication preferences — newsletter subscriptions and marketing consents

3.2 Information collected automatically

  • Technical information — IP address, browser type and version, device identifiers, operating system
  • Usage information — pages visited, time spent, navigation patterns, referrer URLs
  • Cookie and similar tracking data — see Section 10 and our Cookie Preferences page

3.3 Information from third parties

  • Public business directories and professional networks (e.g. LinkedIn) where you have made information publicly available
  • Referrals from existing clients or partners
  • Payment confirmation data from Stripe (our payment processor)

4. How we use your information

We use your personal information to:

  • Respond to enquiries and deliver the consulting or training services you have requested
  • Process payments and send confirmation, receipts, and onboarding materials
  • Manage our contractual relationship and provide ongoing client support
  • Send service communications (cohort logistics, schedule changes, important programme updates)
  • Send newsletters and marketing communications where you have consented or where there is a legitimate interest under PECR's soft opt-in
  • Operate, maintain, secure, and improve our website and services
  • Comply with our legal, regulatory, and accounting obligations
  • Defend or pursue legal claims where necessary

5. Lawful basis for processing

We process personal data only where we have a lawful basis to do so under Article 6 of the UK GDPR. The bases we rely on are:

  • Contract — to deliver the services you have requested or to take steps before entering a contract
  • Legitimate interests — to operate our business, maintain client relationships, prevent fraud, secure our systems, and conduct limited direct marketing where appropriate
  • Consent — for marketing communications, optional cookies, and any sensitive processing
  • Legal obligation — for accounting records, tax obligations, and regulatory compliance

Where we rely on consent, you may withdraw it at any time by contacting us or using the unsubscribe link in our communications. Withdrawing consent does not affect the lawfulness of processing already carried out.

6. Sharing your information

We do not sell your personal data. We share it only with carefully selected processors and partners who help us deliver our services:

  • Stripe Payments Europe Ltd — for processing programme payments (Stripe is the data controller for card data)
  • Cloud and email infrastructure providers — for hosting, email delivery, and document storage
  • Professional advisers — accountants, auditors, insurers, and legal counsel under appropriate confidentiality obligations
  • Regulators, law enforcement, and courts — where we are legally required to disclose information
  • Successors in interest — in the event of a merger, acquisition, or restructuring of GCSA

All third-party processors are bound by written agreements that include UK GDPR-compliant data protection terms.

7. International transfers

Where personal data is transferred outside the United Kingdom or the European Economic Area, we ensure appropriate safeguards are in place. These typically include:

  • Transfers to countries with a UK adequacy decision
  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
  • The UK International Data Transfer Agreement (IDTA) or Addendum
  • Other appropriate safeguards required under UK GDPR

You may request a copy of the safeguards we use by contacting info@gcsaconsulting.co.uk.

8. Data retention

We retain personal information only for as long as necessary for the purposes set out in this policy or as required by law:

  • Client engagement records — for the duration of the engagement and up to 7 years thereafter, in line with HMRC and contractual record-keeping requirements
  • Training participant records — for 3 years after programme completion, to support certification verification and alumni communications
  • Marketing contacts — until you withdraw consent or unsubscribe, plus reasonable suppression-list retention
  • Website analytics data — typically up to 26 months
  • Enquiry records where no engagement follows — up to 24 months

Once retention periods expire, data is securely deleted or anonymised.

9. Your rights

Under UK GDPR you have the following rights:

  • Right of access — to request a copy of the personal data we hold about you
  • Right to rectification — to have inaccurate or incomplete data corrected
  • Right to erasure — to request deletion of your personal data in certain circumstances
  • Right to restrict processing — to limit how we use your data in certain circumstances
  • Right to data portability — to receive your data in a structured, commonly used format
  • Right to object — to processing based on legitimate interests, including direct marketing
  • Right to withdraw consent — at any time where we rely on consent
  • Right not to be subject to solely automated decision-making — we do not currently make decisions about you using solely automated means

To exercise any of these rights, contact us at info@gcsaconsulting.co.uk. We respond to all valid requests within one calendar month.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. We would, however, appreciate the chance to address your concerns first.

10. Cookies

Our website uses cookies and similar technologies to operate correctly, remember your preferences, and (with your consent) measure performance. You can manage your preferences at any time from our Cookie Preferences page.

11. Security

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include encryption of data in transit, access controls on internal systems, vendor due diligence, and staff data-protection training.

While we work hard to protect your information, no method of transmission over the internet is 100% secure. If we become aware of a personal data breach affecting your rights or freedoms, we will notify the ICO and (where required) you within the timeframes set by UK GDPR.

12. Children's privacy

Our services are directed at professionals and organisations and are not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Changes to this policy

We review this policy regularly and may update it from time to time to reflect changes in our practices or in applicable law. The "last updated" date at the top of the page indicates when the policy was last revised. Material changes will be notified through our website or by email where appropriate.

14. Contact us

For questions, requests, or complaints regarding this policy:

Have questions?

Our team is here to help.

Contact UsCookie Preferences