Website Privacy Policy

Effective Date: 6 April 2026. Last substantively updated: 6 April 2026.

ICO Registration Number: ZA505303, registered as a Data Controller under the Data Protection (Charges and Information) Regulations 2018. Verify on the ICO register →

1. Data Controller

The data controller responsible for your personal data is:

Coaley Peak Ltd
Company number: 11783676 (registered in England and Wales)
Registered office: The Limes, Bayshill Road, Cheltenham GL50 3AW, United Kingdom
VAT number: GB374552088
Email: privacy@coaleypeak.co.uk
Phone: 0800 494 7725

2. Personal Data We Collect

We may collect personal data including your name, email address, telephone number, company name, job title, IP address, browser type, and information you provide through contact forms, enquiry submissions, job applications, or training booking requests.

Where you use our AI-assisted features (such as the Owlpen Ask chatbot), we collect the text of your query. Where you submit a CV or application via our careers page, we collect the content of your application including any personal information contained within it.

3. How We Use Your Personal Data

We use your personal data to respond to enquiries, process job applications, handle training bookings, provide our services, improve our website, comply with legal obligations, and communicate with you about our services where you have provided consent.

4. Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR Article 6. The table below maps each processing activity to its specific legal basis.

5. Sharing Your Personal Data and Third-Party Processors

We do not sell your personal data. In delivering our services and operating this website, we share personal data with the following categories of third-party processor, each operating under a Data Processing Agreement:

• Hosting and infrastructure: Vercel Inc. (US), Cloudflare Inc. (US): for website hosting, serverless compute, CDN, and DDoS protection.
• Email delivery: Resend Inc. (US): for delivering transactional emails when you submit a form on our website. Your name, email address, and message content are transmitted via Resend.
• Analytics: Google LLC (US): Google Analytics (GA4) for anonymised website usage analytics, subject to your cookie consent.
• AI processing: Anthropic PBC (US): for AI-assisted features on our website, including the Owlpen Ask chatbot and CV content processing. Queries submitted to these features are sent to the Anthropic Claude API under an enterprise agreement. Anthropic does not use your data for model training.
• CRM: HubSpot Inc. (US): for business contact management.
• Communication: Microsoft Corporation (US): for business email and collaboration.

A complete, authoritative list of all sub-processors is maintained at /legal/sub-processors. We may also disclose data where required by law or to protect our legitimate interests.

6. International Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. For transfers to the United States, we rely on the UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses (SCCs), as applicable. Details of the transfer mechanism for each sub-processor are set out in our Sub-processors register.

7. Cookies

Our website uses cookies and similar tracking technologies, including analytics cookies (Google Analytics) and functional cookies (personalisation). All non-essential cookies require your consent before they are set. For full details, please refer to our Cookie and Tracking Policy. You can change your cookie preferences at any time using the “Manage cookies” link in the website footer.

8. Data Protection

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. We hold ISO 27001:2022 certification (UKAS accredited) and Cyber Essentials certification. These measures are regularly reviewed and updated.

9. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights:

• Right of access (Art. 15): to obtain a copy of your personal data.
• Right to rectification (Art. 16): to correct inaccurate personal data.
• Right to erasure (Art. 17): to request deletion of your personal data.
• Right to restrict processing (Art. 18): to limit how we use your data.
• Right to data portability (Art. 20): to receive your data in a machine-readable format.
• Right to object (Art. 21): to object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): to withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact privacy@coaleypeak.co.uk. We will respond to valid data subject requests within one calendar month from receipt of a verifiable request, as required by UK GDPR Art. 12(3). If we need to extend this period (by up to two further months), we will inform you within the first month and explain the reasons.

10. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Form submissions and enquiry data: 12 months from submission.
• Job applications and CV data: 12 months from submission (or longer if the applicant consents to being considered for future roles).
• Training booking requests: 12 months from submission.
• Analytics data (Google Analytics): 14 months (configured at platform level).
• AI-processed queries (Owlpen Ask): Not retained by Coaley Peak beyond the duration of the server request. Anthropic does not retain data for model training under our enterprise agreement.
• Functional cookie data: See our Cookie and Tracking Policy for individual cookie durations.

We review retention periods regularly and securely delete data that is no longer required.

11. Automated Decision-Making

We do not use personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on individuals, as defined in UK GDPR Art. 22. Where AI-assisted features are used on this website (such as the Owlpen Ask chatbot), these provide informational responses only and do not make decisions about individuals.

12. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or by calling 0303 123 1113.

13. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies.

14. Children's Privacy

Our website and services are not directed at individuals under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware of such collection, we will take steps to delete the data promptly.

15. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.

16. Data Protection Officer

Coaley Peak Ltd does not have a statutory obligation to appoint a Data Protection Officer (DPO) given the nature and scale of its processing activities. However, all data protection queries, requests to exercise data subject rights, and complaints should be directed to privacy@coaleypeak.co.uk.

17. Contact

For questions about this privacy policy or to exercise your data protection rights, please contact us at privacy@coaleypeak.co.uk.