Privacy & Cookies Policy

1. Introduction

This Privacy & Cookies Policy (“Policy”) explains how PushPals collects, uses, stores, and protects your personal data when you visit our website at pushpals.com (the “Website”) or use any of our services, programmes, or products (collectively, the “Services”).

We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

By using our Website or Services, you acknowledge that you have read and understood this Policy. We encourage you to read it carefully. If you have any questions, please contact us using the details provided in Section 15.

2. Who We Are

PushPals is a UK-based provider of entrepreneurship education and business support. For the purposes of data protection law, PushPals is the “data controller” — meaning we determine the purposes and means of processing your personal data.

• Company name: [TBC — full legal entity name]
• Registered address: [TBC]
• Company number: [TBC]
• Data Protection Officer: [TBC — name or role]
• Contact email: hello@pushpals.com

3. What Data We Collect

We may collect and process the following categories of personal data:

3.1 Identity & Contact Data

• Full name (first name, last name)
• Email address
• Phone number
• Postal address (where required for in-person events)

3.2 Professional & Business Data

• Business name and website URL
• Job title or role
• Industry or sector
• Business stage (e.g. idea stage, early revenue, established)

3.3 Educational & School Data

• School or establishment name
• Role within the school (e.g. teacher, head of year, careers lead)
• Student age ranges (for programme suitability — we do not collect individual student names or details unless required for a specific programme with parental consent)

3.4 Payment Data

• Billing name and address
• Payment card details (processed securely by our third-party payment provider — we do not store full card numbers on our servers)
• Transaction records and invoices

3.5 Usage & Technical Data

• IP address
• Browser type and version
• Operating system and device type
• Pages visited, time spent on pages, and navigation paths
• Referring website or source
• Cookie identifiers (see Section 8)

3.6 Communication Data

• Messages, enquiries, and feedback submitted via forms, email, or social media
• Survey responses
• Testimonials or reviews (where voluntarily provided)

4. How We Collect Data

We collect personal data through the following means:

• Directly from you: When you fill in forms on our Website (e.g. contact forms, booking forms, registration forms), subscribe to our newsletter, register for a programme, make a purchase, or correspond with us by email, phone, or social media.
• Automatically via cookies and similar technologies: When you browse our Website, we automatically collect certain technical and usage data through cookies, pixels, and analytics tools. See Section 8 for full details.
• From third parties: We may receive data from third-party platforms you use to interact with us, such as Skool (community platform), Stripe or other payment processors, Zoom (for webinars and online sessions), and social media platforms where you engage with our content.

5. How We Use Your Data

We use your personal data for the following purposes:

5.1 Service Delivery

• To process bookings, registrations, and payments for our programmes and services.
• To deliver our educational content, workshops, webinars, retreats, and other offerings.
• To manage your account or membership on platforms such as Skool.
• To provide customer support and respond to your enquiries.

5.2 Communications

• To send you service-related communications, such as booking confirmations, reminders, and updates about programmes you are enrolled in.
• To send you our newsletter and marketing emails, where you have given your consent or where we have a legitimate interest to do so (e.g. you are an existing customer).
• To notify you of changes to our Terms, this Policy, or our Services.

5.3 Marketing (with consent)

• To send promotional communications about new programmes, events, products, or services that may be of interest to you.
• To display targeted advertising on third-party platforms (e.g. Meta, Google) using anonymised or pseudonymised data.

You can opt out of marketing communications at any time by clicking the “unsubscribe” link in any email or by contacting us at hello@pushpals.com.

5.4 Improvement & Analytics

• To analyse how our Website is used and improve its performance, content, and user experience.
• To conduct research and gather feedback to develop new programmes and services.
• To monitor and prevent fraud, errors, and security issues.

6. Legal Basis for Processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

• Consent: Where you have given clear, affirmative consent for us to process your data for a specific purpose, such as subscribing to our newsletter or opting in to marketing communications. You may withdraw consent at any time.
• Contractual necessity: Where processing is necessary to perform a contract with you, such as delivering a programme you have booked and paid for, or to take steps at your request before entering into a contract (e.g. responding to an enquiry about our services).
• Legitimate interest: Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights. Examples include analysing website usage to improve our services, sending marketing to existing customers about similar services, and preventing fraud.
• Legal obligation: Where processing is necessary to comply with a legal obligation, such as maintaining financial records for tax purposes.

7. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We may share your data with trusted third parties who assist us in operating our Website and delivering our Services, including:

• Payment processors: Such as Stripe, to securely process payments. These providers have their own privacy policies governing how they handle your data.
• Email and marketing platforms: Such as Mailchimp, ConvertKit, or similar services, to manage our mailing lists and send communications.
• Analytics providers: Such as Google Analytics, to help us understand how our Website is used. Data shared with analytics providers is typically anonymised or pseudonymised.
• Community and learning platforms: Such as Skool, where we host our online community and courses.
• Video conferencing platforms: Such as Zoom, for delivering webinars, workshops, and online sessions.
• Hosting and infrastructure providers: Who store and serve our Website and data securely.
• Professional advisors: Such as accountants, lawyers, or auditors, where necessary for legal or financial compliance.

All third-party processors are contractually required to process your data only on our instructions and in accordance with applicable data protection law. We take reasonable steps to ensure that any third party with whom we share data provides an adequate level of protection.

We may also disclose your data if required to do so by law, regulation, or legal process, or if we believe disclosure is necessary to protect our rights, safety, or the rights of others.

8. Cookies

Cookies are small text files placed on your device when you visit our Website. They help us provide you with a better experience and allow certain features to function properly.

8.1 Types of Cookies We Use

8.2 Managing Cookies

When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time by clicking the cookie settings link in the footer of our Website.

You can also control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you when a cookie is being set. Please note that disabling certain cookies may affect the functionality of our Website.

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

9. Data Retention

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our general retention periods are:

• Customer and booking data: Retained for 6 years after the end of the relevant service or contract, in line with UK tax and accounting obligations.
• Marketing and newsletter data: Retained until you unsubscribe or withdraw consent, after which we will delete or anonymise your data within 30 days.
• Website analytics data: Typically retained for up to 26 months in an anonymised or aggregated form.
• Financial and transaction records: Retained for a minimum of 6 years as required by HMRC and UK tax legislation.
• Enquiry and correspondence data: Retained for 2 years after the last communication, unless the enquiry leads to a contractual relationship.

When data is no longer needed, we will securely delete or anonymise it. We periodically review our data holdings to ensure we are not retaining data beyond its useful or lawful retention period.

10. Your Rights Under GDPR

Under the UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at hello@pushpals.com.

• Right of access: You have the right to request a copy of the personal data we hold about you (known as a “Subject Access Request”).
• Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure (“right to be forgotten”): You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
• Right to data portability: You have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to object: You have the right to object to processing of your personal data where we are relying on a legitimate interest, or where data is being processed for direct marketing purposes.
• Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to withdraw consent: Where we are relying on your consent to process data, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

We will respond to any valid request within one calendar month. In exceptional cases, where the request is complex or we receive a high volume of requests, we may extend this by a further two months, but we will notify you of any extension and the reasons for it.

We do not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

11. Children’s Data

Some of our Services are designed for young people under the age of 18, including our School Visits, Holiday Camps, Entrepreneurs Club, and Student Skool Community. We take special care when handling data relating to children and young people.

• For participants under 13, we require verifiable parental or guardian consent before collecting any personal data.
• For participants aged 13–17, we require parental or guardian consent for programme registration and data collection. Where appropriate, we also seek the informed agreement of the young person themselves.
• We collect only the minimum data necessary to deliver the relevant programme safely and effectively.
• Children’s data is never used for marketing purposes without explicit parental consent.
• We do not knowingly share children’s personal data with third parties for marketing purposes.
• Parents and guardians can request access to, correction of, or deletion of their child’s personal data at any time by contacting us at hello@pushpals.com.

If we discover that we have collected personal data from a child without appropriate consent, we will take steps to delete that data as promptly as possible.

12. International Transfers

PushPals is based in the United Kingdom. However, some of the third-party service providers we use (such as analytics tools, email platforms, or cloud hosting services) may process data outside of the UK.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data, including:

• Transfers to countries that the UK Government has determined provide an adequate level of data protection (an “adequacy decision”).
• Use of Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office.
• Transfers to organisations that participate in recognised certification schemes or binding corporate rules.

If you would like more information about the specific safeguards we apply to international transfers, please contact us at hello@pushpals.com.

13. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (SSL/TLS) and at rest where appropriate.
• Secure access controls and authentication for internal systems.
• Regular reviews of our data processing practices and security measures.
• Limiting access to personal data to authorised personnel who need it to perform their duties.
• Use of reputable, secure third-party service providers with appropriate data protection commitments.

While we take all reasonable steps to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any data breach in accordance with our legal obligations. In the event of a breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Services we offer, or applicable laws and regulations. The “Last updated” date at the top of this page indicates when this Policy was last revised.

Where we make material changes that significantly affect how we process your personal data, we will endeavour to notify you by email or by placing a prominent notice on our Website before the changes take effect.

We encourage you to review this Policy periodically. Your continued use of the Website or Services following any changes constitutes your acceptance of the updated Policy.

15. Contact Us

If you have any questions about this Policy, your personal data, or wish to exercise any of your rights, please contact us:

• Data Protection Officer: [TBC — name or role]
• Email: hello@pushpals.com
• Address: [TBC — registered business address]

We aim to respond to all data protection enquiries within 5 working days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113