Privacy Notice
Last updated 1 June 2026
This is the privacy notice for the Calm Back with Gem website at calmbackwithgem.co.uk. It explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it. We have written it in plain language because legal small print does not help anyone.
If anything is unclear, email us at hello@calmbackwithgem.co.uk and we will explain.
Who we are
Data controller: Gemma Hurlstone, trading as Calm Back with Gem (sole trader).
Postal address: Unit 158814, PO Box 7169, Poole, BH15 9EL, United Kingdom
Email: hello@calmbackwithgem.co.uk
ICO registration number: ZB858213 (registered with the UK Information Commissioner's Office).
What personal data we collect
We collect data when you choose to give it to us, and a small amount automatically when you visit the site.
When you give it to us:
- Workbook sign-up (the free Business Foundations Workbook): your first name and email address. This happens on our separate funnel at free.calmbackwithgem.co.uk.
- Contact by email: anything you send us in the message itself, plus your name and email.
- Booking a session: name, email, and any context you add when scheduling. This is collected through Cal.com.
- Email newsletter (when you subscribe): name and email address.
Automatically when you visit:
- Server logs: our hosting provider keeps basic technical logs (IP address, browser type, pages visited, timestamps) to run and secure the site.
- Analytics: we use Plausible, a privacy-friendly analytics tool. Plausible is cookieless. It does not store any personal data, does not track you across sites, and does not need your consent. That is why this site has no cookie banner.
This website is a static site. It does not set any tracking or marketing cookies of its own.
Why we collect it (lawful bases under UK GDPR)
| What we use the data for | Lawful basis |
|---|---|
| Sending you the free workbook after you request it | Consent (Article 6(1)(a)) |
| Adding you to the email list if you opt in | Consent (Article 6(1)(a)) |
| Replying to your enquiry | Legitimate interest (Article 6(1)(f)): responding to people who contact us |
| Delivering a paid service you have bought | Contract (Article 6(1)(b)) |
| Keeping invoices and tax records | Legal obligation (Article 6(1)(c)): HMRC requires records to be kept |
| Site security and fraud prevention | Legitimate interest (Article 6(1)(f)): keeping the site safe |
How long we keep it
- Workbook sign-ups: until you unsubscribe, or after 3 years of inactivity, whichever comes sooner.
- Email list: until you unsubscribe.
- Email enquiries: 2 years.
- Booking records: 2 years after the last interaction.
- Paid client records and invoices: 7 years (HMRC requirement).
- Server logs: managed by our host, typically kept for a short period.
Who we share it with
We use these third-party services (data processors) to run the site and the business. Each one has its own privacy notice and a data processing agreement with us.
| Processor | What they do | Where they are |
|---|---|---|
| Vercel | Hosts the website | USA (data transfer safeguards / Standard Contractual Clauses apply) |
| MailerLite (UAB MailerLite) | Sends marketing emails, hosts the workbook sign-up form | EU (GDPR-compliant, EU-based) |
| Plausible Analytics | Cookieless site usage analytics, no personal data | EU |
| Cal.com | Booking calendar for discovery calls | USA (Standard Contractual Clauses apply) |
Payments
We do not take online payments through this website yet. When you buy a service, we agree the details and invoicing with you directly. If we add online payments in future, we will update this notice first and name the payment processor here.
International transfers
Some of our processors are based outside the UK or EEA, including Vercel in the USA. Where that happens we rely on the UK Data Bridge, the UK-US Data Bridge, or Standard Contractual Clauses approved by the UK ICO. We have checked each provider has appropriate safeguards in place.
Your rights
Under UK GDPR you have the following rights, free of charge in most cases:
- Right of access: ask for a copy of the personal data we hold about you.
- Right to rectification: ask us to correct anything that is wrong.
- Right to erasure: ask us to delete your data ("the right to be forgotten") in most cases.
- Right to restrict processing: ask us to pause using your data while you query something.
- Right to data portability: ask for your data in a machine-readable format.
- Right to object: tell us to stop using your data for direct marketing or where we rely on legitimate interest.
- Right to withdraw consent: at any time, where we relied on consent. This does not affect anything we did before you withdrew.
- Rights regarding automated decision-making: we do not make any automated decisions about you that have legal or significant effects.
Complaints
To exercise any of your rights, email hello@calmbackwithgem.co.uk. We will respond within one calendar month.
If you are not happy with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
Children
This site is not directed at children under 13 and we do not knowingly collect data from anyone under 13. If you are a parent and think we have collected data from your child, contact us and we will delete it.
Security
We use reasonable technical and organisational measures to protect your data, including HTTPS encryption and strong access controls on our hosting. No system is perfectly secure, so we cannot guarantee absolute security, but we work hard at it.
If a personal data breach happens that is likely to put your rights at risk, we will notify the ICO within 72 hours, and notify you directly where required by law.
Changes to this notice
We will update this notice when our practices change. The "last updated" date at the top tells you when. For significant changes we will email anyone affected.
Contact
For anything privacy-related: hello@calmbackwithgem.co.uk