Privacy Policy

Last updated: 05/12/24

1. Introduction

Welcome to the privacy policy for Andrew Henderson. Your privacy is important, and Andrew is committed to protecting your personal data and handling it transparently and securely in accordance with the General Data Protection Regulation (GDPR). For clarity, references to “we,” “us,” and “our” in this policy should be understood to refer to Andrew Henderson and any authorised processors acting on his behalf.

This Privacy Policy explains how Andrew collects, uses, and safeguards your personal data when you interact with his waitlist for the 10 Steps to £100k course. It also outlines your rights regarding your personal data and how you can exercise them. By using Andrew’s services and submitting your information, you agree to the terms outlined in this Privacy Policy.

2. Data Controller and Processor Information

The data controller for the personal data collected through this waitlist is Andrew Henderson, responsible for determining the purposes and means of processing your personal data. The data controller can be contacted for any GDPR-related inquiries at:

Contact Information:
Email: [email protected]
Phone: 07590 848424

In providing this service, the following data processors are also involved:

Optimise Outreach Ltd (Marketing Agency): Acting as a data processor to manage and facilitate the collection and secure storage of data on behalf of Andy Henderson.
Tally (Form Platform): Used to collect form submissions securely. Tally complies with GDPR regulations, providing encrypted data storage and transmission.

Google Sheets (Data Management Platform): Used to manage and organize collected data. Google Sheets complies with GDPR regulations, employing encryption, secure access controls, and data processing agreements to ensure data security.

MailChimp (Email Marketing Tool): Used to send course-related updates and communications. ConvertKit complies with GDPR regulations, supporting consent management, data access, and secure data processing practices through encryption.

These data processors act under the instruction of the data controller and ensure compliance with GDPR standards. Data Processing Agreements (DPAs) are in place with all processors to formalize these roles and responsibilities. Andrew Henderson also serves as the Data Controller and acts as the equivalent of a Data Protection Officer (DPO) to ensure GDPR compliance. For any GDPR-related concerns, please contact Andrew Henderson directly at the contact information provided above.

3. Data We Collect

We collect and process the following categories of personal data when you interact with our waitlist for the 10 Steps to £100k course:
Name: To identify and personalise communications with you.
Email Address: To send you updates, notifications, and course-related information.
User-Provided Course Preferences or Responses: To understand your interests and preferences regarding the course.

We do not collect any sensitive data as defined under GDPR, such as information about your race, religion, health, or other special categories of personal data. All data collected is relevant and limited to the purposes outlined in this privacy policy.

4. How We Use Your Data

We use the personal data collected from you for the following purposes:
To Manage the Waitlist: Ensuring your place on the waitlist and maintaining accurate records.
To Send Course-Related Updates and Reminders: Keeping you informed about course developments, launch dates, and relevant updates.
To Understand User Preferences for Course Customisation: Gathering insights to tailor the course content to better meet the needs and expectations of participants.

Your data will not be used for any purposes unrelated to the waitlist or course without obtaining your explicit consent beforehand.

5. Legal Basis for Processing

We process your personal data in accordance with the General Data Protection Regulation (GDPR) based on the following legal grounds:
Consent: Your explicit consent is obtained when you complete the sign-up form and check the box acknowledging this privacy policy. This consent allows us to process your data for the purposes stated in this policy.
Legitimate Interest: We have a legitimate interest in managing and improving the course and communicating relevant updates to ensure the waitlist and course meet user expectations. This interest does not override your fundamental rights and freedoms.

If you wish to withdraw your consent or object to processing based on legitimate interests, please contact us at [email protected].

6. How We Obtain Consent

We collect your consent at the time of form submission through a checkbox acknowledgment. Before submitting your personal data, you are required to check a box confirming that you have read and agreed to this privacy policy. This ensures that your consent is explicit and informed, in compliance with GDPR regulations.

You have the right to withdraw your consent at any time. Requests to withdraw consent will be processed within 30 days of receipt. If you choose to do so, please contact us at [email protected]. Once we receive your request, we will cease processing your data for the purposes covered by your consent, unless we have another lawful basis to continue processing.

7. Data Sharing

We share your data only with trusted third-party processors as necessary to manage the waitlist and deliver course-related services. Each third-party processor is contractually obligated through a Data Processing Agreement (DPA) to comply with GDPR standards, ensuring the security and confidentiality of your data. These processors include:
Tally: We use Tally for form submissions and data collection. Tally is GDPR-compliant, located in Belgium, and provides end-to-end encryption for data both in transit and at rest.

Google Sheets: Used for managing and organizing collected data. Google Sheets is GDPR-compliant, employing encryption for data both at rest and in transit, as well as adhering to data processing agreements and standard contractual clauses for secure data handling.

MailChimp: Used to send course-related updates and communications. ConvertKit is GDPR-compliant, providing features to manage user consent, support data access requests, and securely process data through encrypted systems.

We do not sell, rent, or share your personal data for purposes unrelated to the waitlist or course. Any data sharing is limited to what is strictly necessary for the services outlined in this privacy policy.

If you have any concerns about our data-sharing practices, please contact us at [email protected].

8. Data Storage and Retention

We ensure that all personal data collected is stored securely and retained only as long as necessary for the purposes outlined in this Privacy Policy.
Retention Period for Active Data: Personal data will be retained for six months after the creation of the course or after the user’s interaction with the course ends, whichever is later.
Retention Period for Unused Data: Personal data submitted by users who do not proceed with the course will be securely deleted after six months from the date of submission.

Data is stored securely within the following platforms:
Tally: Form submissions are securely stored on GDPR-compliant servers, encrypted both at rest and in transit.
Google Sheets: Used to manage and organize collected data, stored with encryption in a GDPR-compliant environment.
MailChimp: Subscriber data and email communication records are securely stored and encrypted.

We collect only the personal data necessary for managing the waitlist and delivering course-related services, in compliance with GDPR’s principle of data minimization. We follow secure deletion procedures to ensure that personal data and any backups are irretrievably deleted after the retention period expires, in compliance with GDPR Article 17 (Right to Erasure).

If you have any questions regarding our data storage or retention practices, please contact us at [email protected].

9. Security Measures

We are committed to protecting your personal data and have implemented the following security measures, in compliance with GDPR Article 32:
Encryption: Data collected through Tally is encrypted end-to-end, both in transit and at rest. Other third-party processors mentioned in this policy (if applicable) also employ encryption to secure data stored on their platforms.
Access Controls: Access to your data is strictly limited to authorized personnel, including the marketing agency and the client Andrew Henderson, who require it for managing the waitlist and course-related communications.
Regular Reviews: We periodically review our data security practices to ensure they remain up-to-date with industry standards and GDPR compliance requirements.

These measures are in place to prevent unauthorised access, alteration, disclosure, or destruction of your personal data. If you have any concerns about the security of your data, please contact us at [email protected].

10. User Rights Under GDPR

You have several rights under the General Data Protection Regulation (GDPR) concerning your personal data, including:
Right to Access: You can request a copy of the personal data we hold about you.
Right to Rectification: You have the right to request corrections to any inaccurate or incomplete data we hold about you.
Right to Erasure: You can request that we delete your personal data when it is no longer necessary for the purposes for which it was collected or if you withdraw your consent.
Right to Restrict Processing: You can request that we limit how your data is processed in certain circumstances.
Right to Data Portability: You can request that we provide your data in a commonly used, machine-readable format, or transfer it to another organization at your request.
Right to Object: You have the right to object to the processing of your data for specific purposes, such as direct marketing.
Right to Withdraw Consent: You can withdraw your consent at any time for the processing of your data based on your prior consent.

If you believe your data rights have been violated, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk. To exercise any of these rights, please contact us at [email protected]. We aim to respond to all requests promptly and in accordance with GDPR regulations.

11. Data Breach Notification

In the event of a personal data breach, Andrew Henderson is responsible for notifying affected individuals and the relevant supervisory authority within 72 hours, as required under the General Data Protection Regulation (GDPR). If a breach occurs, the following steps will be taken:
Assessment of the Breach: The nature, scope, and impact of the breach will be evaluated to determine the risks to individuals’ rights and freedoms.
Notification to the Supervisory Authority: The appropriate supervisory authority will be informed of the breach within 72 hours of becoming aware of it, including:
- The nature of the data breach.
- Categories and approximate number of affected individuals and data records.
- Contact information for further inquiries.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
Notification to Affected Individuals: If the breach poses a high risk to individuals’ rights and freedoms, affected users will be notified without undue delay. This notification will include:
- A description of the breach and its potential impact.
- Contact details for more information.
- Steps the affected individual should take to mitigate potential harm.
- Measures being taken to address and prevent future breaches.

Andrew Henderson works with all data processors, such as Optimise Outreach Ltd, Tally, Google Sheets, and MailChimp, to ensure prompt communication and collaboration in case of a breach. Each processor is required to notify the controller immediately upon becoming aware of a breach, in compliance with GDPR Article 33.
For any concerns about data breaches, please contact us at [email protected].
12. International Data Transfers

We ensure that all personal data collected is stored and processed in compliance with GDPR requirements. Where data transfers outside the European Economic Area (EEA) are necessary, appropriate safeguards such as Standard Contractual Clauses are in place to ensure data protection standards are met.
Tally: Data submitted through Tally is stored on GDPR-compliant servers located within the European Union, ensuring compliance with EU data protection laws.
Google Sheets: Data managed through Google Sheets may be stored on servers outside the European Union. Google Sheets ensures compliance with GDPR by implementing Standard Contractual Clauses and robust encryption for data both at rest and in transit.
MailChimp: Data processed through ConvertKit may be stored on servers located outside the European Union. ConvertKit complies with GDPR through Standard Contractual Clauses and secure encryption methods, ensuring that personal data is protected during storage and processing.

We do not transfer your personal data outside the European Union unless such transfers are compliant with applicable data protection laws and ensure the security and confidentiality of your data.
If you have any questions about international data transfers, please contact us at [email protected].
13. Data Deletion Process

We are committed to ensuring that your personal data is not retained longer than necessary. After the specified retention period of six months following the creation of the course, your data will be securely deleted.
The deletion process includes:
Manual Deletion from Tally: All form submissions stored in Tally will be manually deleted to ensure no data remains in their system.
Manual Deletion from Google Sheets: Any data managed through Google Sheets will be manually deleted, ensuring no personal data is retained in their platform.
Manual Deletion from ConvertKit: All data stored in ConvertKit, including email subscriber lists and communication records, will be manually deleted.
Backups: If any backups containing your personal data exist within these platforms or Optimise Outreach Ltd’s systems, they will be securely deleted during the same process.
This includes using methods that render the data irretrievable, in compliance with GDPR Article 17 (Right to Erasure). We follow secure deletion procedures to prevent unauthorised access, alteration, or recovery of deleted data. If you have any questions regarding our data deletion practices, please contact us at [email protected].

14. Updates to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors.
If significant changes are made, we will notify users through:
- A notice on our website.
- An email notification sent to the address provided during sign-up (if applicable).

We encourage users to periodically review this policy to stay informed about how we are protecting their personal data. The “Last Updated” date at the bottom of this policy will indicate the most recent revisions.
If you have any questions about updates to this policy, please contact us at [email protected].
15. Contact Information

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights under GDPR, please contact us at:

Contact: Andrew Henderson
Email: [email protected]
Phone: 07590 848424

We are committed to responding promptly to all inquiries and requests.