Privacy Policy


We at Headlight respect your privacy and are committed to protecting your personal data.

This document details how we gather and look after your data. We aim to be honest and will provide you with information about your rights and how the law protects you.


Headlight Consulting Ltd. is a company registered in England and Wales. Our contact details are:

Headlight Consulting Ltd.


Redmans Hill



BS28 4NQ



Headlight ("we", "our" and "us") is the data controller. If you have any questions about our privacy policy, please get in touch via the contact details above.


This version was created and/or last updated on the 10th Mar 2020.


Our Policy Principles

We aim to gather, process and use as little personal data as possible

We aim to protect and manage your personal data in a responsible way

If we no longer need your data, and we are not required to retain it for legal purposes, we will aim to delete it or anonymise it

Your personal data will not be sold, lent, rented or shared other than as detailed in this privacy document

You are not obliged to provide us with your personal data; however, not doing so may limit the services we can offer you


What personal data do we collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It excludes data where the identity has been redacted, otherwise known as anonymous data.

Personal data items we collect are


  • Identity data

      • First name

      • Last name

      • Date of birth

  • Contact data

      • Postal address

      • Email address

      • Telephone numbers

  • Financial data

      • Bank account information

      • Credit and/or debit card information

  • Transaction data

      • Payment details of services you've purchased from us

  • Technical data

      • IP address

      • Browser type & version

      • Geographical region

      • Operating system

      • Device/platform

      • Usage data (this is tracked via Google Analytics and not stored on


We may need to collect personal data by law or under the terms of the contract we have with you. If you fail to provide that data when requested, we may not be able to perform the terms of the contract. This could mean we have to cancel a product or service you have with us, but we will notify you at the time.


How is the personal data collected

We may collect data from you by the following means:


  • Direct verbal interaction

  • By telephone

  • Via 3rd parties, this may include analytics data from Google (based outside the UK)

  • Subscribe to our service

  • Request marketing to be sent to you

  • Enter a survey

  • Give us feedback or contact us


Why do we collect your data

Firstly, we only collect data about you when the law permits us to. We do this so we can provide the best possible service and product. We may use it to:


  • contact you

  • comply with regulatory or legal obligations

  • adhere to and carry out the obligations of the contract we are about to enter into with you or have entered into with you


Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.


We have set out a table below detailing the type of data we collect, the purpose and/or activity it will be used for and the lawful basis for collecting and processing that type of data.

































Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.


Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.


Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product or service purchase, service experience or other transactions.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.


Disclosures of personal data

Third Parties

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.


International transfers

Some of our third parties are based outside of the EEA, so their processing of your personal data will involve transfer of data outside the EEA.


Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.


Data Security

We have put appropriate security measures in place to prevent your personal data from being lost, used or accessed in any unauthorised way, altered or disclosed.


In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.


How long will you use my personal data for


We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.


To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.


By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers; this is for tax purposes.


We may, in some circumstances, anonymise your personal data (so that it can no longer be associated with you, and thus no longer classified as personal data) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.


What are your rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data.


  • The right to be informed: you must provide individuals with your purpose for processing their personal data, your retention periods for that personal data, and who it will be shared with.


  • The right of access: Individuals have the right to access their personal data. This is known as a Subject Access Request. A request can be made verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.


  • The right to rectification: this is the right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.


  • The right to erasure: The right to erasure is also known as ‘the right to be forgotten’. An individual can make a request for rectification verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.


  • The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, you are permitted to store the personal data, but not use it. An individual can make a request for rectification verbally or in writing. When a request is made Headlight has 1 month (30 days) to respond.


  • The right to data portability: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.


  • The right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.



Lawful Basis

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and/or product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.


Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.


Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.



Data controller

A controller determines the purposes and means of processing personal data. In the majority of cases Headlight is the data controller. Controllers are not relieved of compliance obligations where a processor is involved.

In the majority of circumstances Headlight is the data controller. Therefore the organisation, and the people that work within it, take full responsibility for compliance with the GDPR legislation.

Data subject

A person whose personal data is processed by a controller or processor, e.g. a person who shares their personal data with Headlight so they can participate in user testing. Headlight employees are also data subjects.

General Data Protection Regulation (GDPR)

This is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Information Commissioner's Office (ICO)

The ICO is a non-departmental public body which reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). The ICO is the government regulator which deals with the freedom of information and the protection of personal and sensitive data.


Legal Obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

Legitimate interest

The interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.


Personal data

Any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including: Name; Address; Email Address; Identification number; Location data; Opinions about an individual including appraisals.