01 Introduction
Structured PM Ltd (we, us, our) runs ‘GDPR STEPWISE’. We take data protection and your privacy seriously. This privacy notice explains how we collect, use, disclose, and safeguard your information including when you use GDPR STEPWISE (STEPWISE). When we do this, we are known as the data controller. We are registered with the Information Commissioner's Office (ICO) under registration number ZB345678.
This notice does not form part of any contract with you, and we may update this notice at any time. If you have any questions about any aspect of this privacy notice, you can contact us by emailing us at info@structured-pm.com.
02 Who is this privacy notice for?
The way you interact with us will determine what personal data we collect, how we collect it, and why we use it. This privacy notice is for:
- STEPWISE Users: This is you when you sign up to use our compliance dashboard, program, workbooks, and templates.
- Event Attendees: This is you when you join one of our webinars, workshops, training sessions, or compliance events.
- Website Visitors: This is you when you browse our landing page, read resources, or interact with our web forms.
- Business Prospects & Enquirers: This is you when you book a discovery call, complete our assessment quiz, or contact us about our services.
03 What personal data do we collect?
Depending on how you interact with STEPWISE, we collect and process several categories of personal data:
- Identity Data: Includes first name, last name, username, title, job role, and company name.
- Contact Data: Includes email address, billing address, telephone number, and communication preferences.
- Financial Data: Includes payment transaction metadata, transaction IDs, and tier selection tokens from PayPal. We do not collect or store your credit/debit card numbers directly on our servers; card payments are securely handled directly by PayPal.
- Technical Data: Includes internet protocol (IP) address, login credentials, browser type, operating system, and unique device identifiers.
- Usage Data: Includes details of your progress on the 15 compliance steps, completed workbooks, timestamp of completions, support tickets, and interactive quiz choices.
04 How we collect your personal data
We use different methods to collect personal data from and about you:
- Direct Interactions: You provide your Identity, Contact, and Financial details by filling in forms, registering a dashboard account, completing steps, or emailing us directly.
- Automated Technologies: When you browse or interact with the STEPWISE platform, we automatically collect Technical and Usage Data via secure cookies, session storage, and server log files.
- Third Parties: We receive data from analytics providers (such as Google Analytics), payment gateways (PayPal transaction statuses), and CRM/lead management solutions (such as HubSpot).
05 Why we collect your data and our Lawful Bases
We only use your personal data when the law allows us to. Below is a summary table detailing the purposes for processing your data and our corresponding lawful bases under the UK GDPR:
| Purpose / Activity | Data Categories | Lawful Basis for Processing |
|---|---|---|
| To register you as a new STEPWISE client and create your secure account | Identity, Contact | Performance of a contract with you |
| To process your purchase, verify tiers, and process payments | Identity, Contact, Financial | Performance of a contract with you |
| To manage your progress through the 15 steps, dashboard access, and workbook downloads | Identity, Contact, Usage | Performance of a contract with you |
| To administer and protect our website and platform (troubleshooting, system maintenance) | Technical, Usage | Legitimate interests (running our business, securing our site, system diagnostics) |
| To capture prospects from the assessment quiz, sync with HubSpot, and coordinate discovery calls | Identity, Contact, Quiz responses | Consent (where opted in) or Legitimate interests (to respond to your requests and enquiries) |
| To send you B2B marketing communication or newsletters | Identity, Contact | Legitimate interests (growing our service brand) or Consent |
07 International transfers
Some of our core platform providers (e.g., Supabase, HubSpot) may store or process data in servers located in the United States or other territories outside the United Kingdom (UK) and the European Economic Area (EEA).
When this happens, we ensure that your data is afforded an equivalent level of security. We implement standard safeguards, including the UK International Data Transfer Agreement (IDTA) or standard contractual clauses (SCCs) alongside supplementary encryption, access restrictions, and regular risk audits.
08 Security of your personal data
We have integrated robust security measures across every step of the STEPWISE customer journey to ensure your data is safe and defended against unauthorized access, disclosure, or breach:
- All data transmitted between your device and our servers is encrypted using HTTPS and Transport Layer Security (TLS).
- Sensitive database access in Supabase is locked down using Row-Level Security (RLS), ensuring that users can only view their own compliance records.
- We enforce strict password strength rules, MFA options, and session expirations for dashboard user accounts.
- Netlify environment variables (including all API secrets for Supabase and PayPal) are fully isolated and never exposed to the client.
09 How long we keep your personal data
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, regulatory, tax, or auditing requirements:
- Transaction and Billing Records: Retained for 7 years to meet statutory requirements under UK corporate and tax laws.
- Active Client Accounts: Retained for as long as your dashboard subscription is active. If your account is inactive for more than 2 years, we will contact you to ask if you wish to keep it active before automatically deactivating and deleting your account.
- Prospective Enquiries: Retained for up to 2 years from your last active communication, unless you request earlier deletion.
10 Your data protection rights
Under the UK General Data Protection Regulation (UK GDPR), you have powerful rights concerning your personal information that you can exercise free of charge:
- Right of Access (Subject Access Request): You have the right to request copies of the personal data we hold about you.
- Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or incomplete.
- Right to Erasure (Right to be Forgotten): You have the right to request that we delete your personal data under certain conditions.
- Right to Object or Restrict Processing: You have the right to object to or restrict our processing of your personal data for legitimate interests or marketing.
- Right to Data Portability: You have the right to request that we transfer the data we collected directly to another organization, or to you.
- Right to Withdraw Consent: Where we rely on your consent (e.g. for marketing subscriptions), you can withdraw it at any time.
To exercise any of your rights, please email us directly at info@structured-pm.com. We will respond to all valid requests within one calendar month.
11 How to complain
If you have any questions, worries, or complaints regarding how we handle your personal data, please contact us at info@structured-pm.com so we can resolve your concerns immediately.
You also have the legal right to lodge a formal complaint at any time with the UK Information Commissioner's Office (ICO). Our ICO registration number is ZB345678. You can contact them directly via:
- Website: www.ico.org.uk
- Phone Helpline: 0303 123 1113