Last updated: 14/08/2025
1. Introduction
Paul Flavin Ltd ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, and protect your information when you visit our website [www.paulflavin.co.uk], use our services, or interact with us through various communication channels.
This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) 2003, and other applicable UK data protection laws.
Data Controller: Paul Flavin Ltd
Registered Address: Littlejohns Farmhouse, 44 Green Lane, Burnham-On-Crouch, Essex, CM0 8PU
Contact Email: [email protected]
Phone: 07968 822606
ICO Registration Number: C1743002
2. Information We Collect
2.1 Information You Provide Directly
◦ Contact Information: Name, email address, phone number, postal address
◦ Business Information: Company name, job title, industry
◦ Communication Data: Messages, inquiries, and correspondence
◦ Marketing Preferences: Your consent for different communication channels
◦ Account Information: Login credentials and profile data (if you create an account)
2.2 Information Collected Automatically
◦ Website Usage: IP address, browser type, device information, pages visited
◦ Cookies and Tracking: As detailed in our Cookie Policy
◦ Location Data: General location based on IP address
◦ Social Media Interactions: When you interact with our social media content
2.3 Information from Third Parties
◦ Social Media Platforms: Public profile information when you interact with us
◦ Lead Generation: Information from legitimate lead generation services
◦ Go High Level Platform: Data processed through our CRM and marketing automation system
3. Legal Basis for Processing
We process your personal data under the following legal bases:
3.1 Consent (Article 6(1)(a) UK GDPR)
◦ Email marketing communications
◦ SMS marketing messages
◦ WhatsApp marketing communications
◦ Social media marketing engagement
◦ Non-essential cookies and tracking
3.2 Legitimate Interests (Article 6(1)(f) UK GDPR)
◦ Analysing website usage and improving our services
◦ Fraud prevention and security
◦ Direct marketing to existing customers (soft opt-in)
◦ Business development and networking
3.3 Contract Performance (Article 6(1)(b) UK GDPR)
◦ Providing services you've requested
◦ Processing transactions
◦ Customer support
3.4 Legal Obligation (Article 6(1)(c) UK GDPR)
◦ Compliance with tax and accounting requirements
◦ Regulatory compliance
◦ Court orders or legal proceedings
4. How We Use Your Information
4.1 Service Provision
◦ Delivering requested services and products
◦ Customer support and communication
◦ Account management and billing
◦ Service improvement and development
4.2 Marketing Communications
Email Marketing:
◦ Sending promotional emails about our services
◦ Newsletter subscriptions
◦ Event invitations and updates
◦ Educational content and resources
SMS Marketing:
◦ Promotional text messages
◦ Service updates and notifications
◦ Appointment reminders
◦ Emergency communications
WhatsApp Marketing:
◦ Business communications and updates
◦ Customer support via WhatsApp Business
◦ Promotional messages (with consent)
Social Media Marketing:
◦ Targeted advertising on Facebook, Instagram, LinkedIn, Twitter
◦ Engagement with your social media interactions
◦ Content personalization based on interests
4.3 Analytics and Improvement
◦ Website performance analysis
◦ User behaviour insights
◦ Service optimization
◦ Marketing campaign effectiveness
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
We may share your data with:
Go High Level CRM: Our primary customer relationship management platform for data processing and marketing automation
Email Service Providers: For sending marketing emails and newsletters
SMS Gateway Providers: For delivering text message communications
WhatsApp Business API Providers: For WhatsApp messaging services
Social Media Platforms: Facebook, Instagram, LinkedIn, Twitter for advertising and analytics
Website Analytics: Google Analytics, heat mapping tools
Payment Processors: For handling transactions securely
Cloud Storage Providers: For secure data backup and storage
5.2 Legal Requirements
We may disclose your information when required by law, court order, or regulatory authority.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity.
6. International Data Transfers
Some of our service providers may be located outside the UK/EEA. When we transfer your data internationally, we ensure:
◦ The destination country has an adequacy decision from the UK Government
◦ Appropriate safeguards are in place (Standard Contractual Clauses)
◦ Specific derogations apply under UK GDPR Article 49
Go High Level: Data may be processed in the United States under appropriate safeguards including Standard Contractual Clauses and/or adequacy decisions.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy:
◦ Marketing Data: Until you withdraw consent or 3 years from last engagement
◦ Customer Data: For the duration of our business relationship plus 6 years for legal compliance
◦ Website Analytics: 26 months from collection
◦ Financial Records: 7 years as required by UK law
◦ Communications: 3 years from last contact
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
Request confirmation of data processing and a copy of your data
8.2 Right to Rectification (Article 16)
Correct inaccurate or incomplete personal data
8.3 Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten")
8.4 Right to Restrict Processing (Article 18)
Limit how we process your data in certain circumstances
8.5 Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format
8.6 Right to Object (Article 21)
Object to processing based on legitimate interests or direct marketing
8.7 Rights Related to Automated Decision Making (Article 22)
Protection against solely automated decision-making including profiling
9. Marketing Communications and Consent
9.1 Email Marketing
◦ We only send marketing emails to those who have consented
◦ Existing customers may receive service-related communications under "soft opt-in"
◦ All marketing emails include an unsubscribe link
◦ You can withdraw consent at any time
9.2 SMS Marketing
◦ Explicit consent required for promotional SMS messages
◦ Compliant with PECR regulations
◦ Clear opt-out instructions provided in every message
◦ No premium rate numbers used without explicit disclosure
9.3 WhatsApp Marketing
◦ Only sent to those who have provided consent
◦ Compliant with WhatsApp Business API terms
◦ Easy opt-out mechanisms provided
◦ Respects WhatsApp's anti-spam policies
9.4 Social Media Marketing
◦ Targeted advertising based on legitimate interests
◦ You can adjust ad preferences on social media platforms
◦ We comply with each platform's advertising policies
10. Cookies and Website Analytics
We use cookies and similar technologies as detailed in our Cookie Policy. Key points:
◦ Essential Cookies: Necessary for website functionality (no consent required)
◦ Analytics Cookies: Help us understand website usage (consent required)
◦ Marketing Cookies: Enable targeted advertising (consent required)
◦ Third-Party Cookies: From Go High Level, Google Analytics, social media platforms
You can manage cookie preferences through our cookie banner or browser settings.
11. Data Security
We implement appropriate technical and organizational measures to protect your data:
◦ Encryption: Data encrypted in transit and at rest
◦ Access Controls: Limited access on a need-to-know basis
◦ Regular Audits: Security assessments and vulnerability testing
◦ Staff Training: Regular data protection training for all staff
◦ Incident Response: Procedures for data breach notification
◦ Go High Level Security: Reliance on platform's enterprise-grade security measures
12. Children's Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the information immediately.
13. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Significant changes will be communicated through:
◦ Website notification banner
◦ Email notification to subscribers
◦ Social media announcements
The "Last updated" date at the top of this policy indicates the most recent revision.
14. Contact Information and Complaints
14.1 Data Protection Contact
For questions about this Privacy Policy or your data rights:
Email: [email protected]
Phone: 07968 822606
Address: Littlejohns Farmhouse, 44 Green Lane, Burnham-On-Crouch, Essex, CM0 8PU
14.2 Supervisory Authority
If you're unsatisfied with our response to your data protection concerns, you can lodge a complaint with:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
15. Go High Level Specific Information
As a Go High Level user, please note:
◦ Go High Level acts as our data processor for CRM and marketing automation
◦ Data processed through Go High Level is subject to their data processing agreement
◦ We ensure Go High Level provides appropriate technical and organizational security measures
◦ Data may be stored on Go High Level's servers in the United States under appropriate safeguards
◦ We remain the data controller responsible for compliance with UK data protection laws
16. Specific Channel Compliance
16.1 PECR Compliance
◦ Electronic marketing requires consent or legitimate interest (existing customers)
◦ Clear identification of sender in all electronic communications
◦ Easy and free opt-out mechanisms provided
◦ Respect for Telephone Preference Service (TPS) registrations
16.2 Social Media Compliance
◦ Compliance with platform-specific advertising policies
◦ Transparent data usage in social media advertising
◦ Respect for user privacy settings and preferences
◦ Clear identification of sponsored content