Privacy Notice

(Last updated: 1 September 2025)

At Trauma At Work Ltd., I take your privacy seriously — not just because the law says I must, but because trust is at the heart of everything I do.

This notice explains what personal information I collect, why I collect it, how I keep it safe, and the choices you have.

1. Who I am

I’m Adina Dinu, founder of Trauma At Work Ltd., a UK‑based business providing trauma‑informed coaching, training, and resources. I am the data controller for the personal information you share with me.

2. Cookies and similar technologies

Our website uses cookies and similar technologies to make it work properly, keep it secure, and improve your experience. Some cookies are essential and set automatically when you visit. Others, such as analytics or marketing cookies, are only used if you agree.

When you first visit our site, you’ll see a banner giving you the option to accept or reject non‑essential cookies. You can change your choice at any time via your browser settings or the “Cookie Settings” link in the site footer.

Cookies may be set by us (“first‑party cookies”) or by trusted third parties whose services we use (“third‑party cookies”) such as Google Analytics. These may collect information such as your IP address, browser type, pages visited, and time spent on the www.traumaatwork.com site. For more details about the specific cookies we use, their purpose, and how long they last, please contact me at traumaatwork@outlook.com.

3. Other information I collect

Depending on how you interact with me, I may collect:

Contact details (name, email, phone)
Signed contracts/agreements (coaching agreements, training contracts, supplier terms)
Payment information (processed securely via third‑party providers)
Session notes (brief, relevant records to support our work)
Workshop sign‑up details
Newsletter or Substack subscription details (name, email, preferences)
Email correspondence
Engagement data (e.g., email opens/clicks, if you’ve consented to tracking)
Survey responses (feedback, pre‑assessments, reviews — anonymous or identifiable)

I do not collect more than I need, and I avoid recording sensitive personal history unless it’s essential for our agreed work.

4. Where I get your information

I only collect personal information that you choose to share with me directly — for example, when you complete a form, send me an email, subscribe to my newsletter, or take part in a survey.

I do not obtain personal data about you from third‑party sources.

5. How I use your information

To deliver coaching, training, and related services
To manage bookings, payments, and follow‑up
To evidence agreed terms and protect both parties in case of a dispute
To send newsletters or updates you’ve opted into
To improve my services and communications
To gather feedback and insights through surveys (anonymous where possible)
To meet legal and tax obligations.

6. Lawful bases for processing

I process your data under one or more of these UK GDPR bases:

Contract — to deliver the service you’ve requested and maintain agreements
Consent — for newsletters, marketing, surveys where you choose to identify yourself, and optional tracking
Legitimate interest — for essential business operations, service improvement, and anonymous survey analysis
Legal obligation — for tax, accounting, and statutory record‑keeping.

7. How I store and protect your data

Digital records are stored in encrypted cloud services. Some of the systems I use (such as Microsoft and certain Google services) store data in the UK or EU, while others (including Substack, WIX, and some Google services) store or process data in the US or other countries. Where data is transferred outside the UK/EU, this is done in compliance with UK GDPR using safeguards such as Standard Contractual Clauses (SCCs) and, where applicable, the UK–US Data Bridge under the Data Privacy Framework (DPF).

Paper records (if any) are kept in a locked cabinet. Access to all records is limited to me alone.

8. How long I keep your data

I keep your personal data only as long as necessary for the purpose it was collected, or as required by law. Please see below my data retention schedule, listed below as Type of Data, Retention Period, and Legal Basis/Rationale:

Signed contracts / agreements: 6 years after contract ends. Limitation Act 1980 – Section 5 (simple contracts). Aligns with statutory limitation periods for legal claims. Lawful basis: UK GDPR Art 6(1)(c) (legal obligation) and/or Art 6(1)(b) (contract).
Coaching session notes (identifiable): retained for up to 7 years after final session. Professional indemnity insurance requirements and potential legal claims under Limitation Act 1980. Lawful basis: Art 6(1)(f) (legitimate interests) and/or Art 6(1)(b).
Workshop attendance lists (identifiable): 12 months after event. Needed for CPD verification, follow-up resources, and evaluation. Deleted or anonymised after this period. Lawful basis: Art 6(1)(b) and/or Art 6(1)(f).
Identifiable survey responses: Up to 12 months after collection. Retained only as long as needed for analysis and follow-up. Deleted or anonymised thereafter in line with storage limitation principle (Art 5(1)(e)). Lawful basis: Art 6(1)(a) (consent) or Art 6(1)(f).
Anonymised survey responses: May be retained longer for research purposes. Once fully anonymised (per ICO anonymisation guidance), no longer personal data. Reviewed every 2–3 years to confirm anonymity and relevance.
Aggregated / collective survey summaries: May be retained indefinitely. Contain no personal data; used for trend analysis, benchmarking, and reporting.
Email correspondence (client-related): 7 years after final contact. Supports contractual obligations, dispute resolution, and record-keeping. Lawful basis: Art 6(1)(b) and/or Art 6(1)(f).
Marketing mailing list data: Until consent withdrawn or data becomes inactive for 24 months. Lawful basis: Art 6(1)(a) (consent). Reviewed annually for relevance and accuracy.
Financial records (invoices, receipts): 6 years from end of financial year. HMRC record-keeping requirements. Lawful basis: Art 6(1)(c) (legal obligation).
Website contact form submissions: 6 months from receipt. Retained only for responding to enquiries and follow-up. Lawful basis: Art 6(1)(f).

9. Sharing your information

I do not sell or trade your personal data. I may share it with trusted service providers (e.g., payment processors, email platforms, survey tools) who process it on my behalf, under strict confidentiality and security terms.

10. Your rights

You have the right to:

Access your data
Ask for corrections
Request deletion
Withdraw consent
Object to certain uses
Lodge a complaint with the ICO (www.ico.org.uk)

To exercise your rights, email traumaatwork@outlook.com.

11. Newsletter & Substack

If you subscribe via my website or Substack, I’ll use your email to send you updates and resources. Substack hosts my publication and processes subscriber data under its own privacy policy, which you can read here: Substack Privacy Policy. You can unsubscribe at any time via the link in each email.

12. Surveys and feedback

From time to time, I invite clients or participants to share feedback, complete pre‑assessment forms, or take part in surveys. I will always tell you if your responses are anonymous or identifiable. Identifiable responses are kept for no longer than 12 months and are used only for the stated purpose. Anonymous or aggregated data may be kept for longer to help improve my services. If I wish to use your comments as a testimonial, I will ask for your explicit consent.

13. Data deletion and review

I review the personal data I hold at regular intervals, in line with my retention schedule. When the retention period for a record ends, I delete it securely from my systems and backups, or anonymise it so it can no longer be linked to you. Paper records (if any) are cross‑cut shredded. I also carry out an annual review to make sure my records are accurate, up to date, and only kept for as long as necessary.

14. Changes to this notice

I review this notice annually and update it if my services or the law changes.