Privacy Policy | Willow Springs Drawing

Data Controller

Willow Springs Drawing is the controller for your personal data.

Email: [email protected] · Tel: +44 20 3807 4123

Registered in the UK. For any privacy query, you can contact us using the details above.

Navigate this policy

Data we collect
Purposes and legal bases
Sources of data
Cookies
Sharing
International transfers
Security
Retention
Automated decision-making
Children’s data
Your rights
How to complain
Changes to this policy
Contact

Data We Collect

Account details (name, email)
Contact details (telephone, correspondence)
Usage data (pages viewed, preferences, referrer URL, device type, approximate location)
Technical data (IP address, browser/version, time zone, cookie identifiers)
Transactional data (enrolment selections, invoices, payment confirmation references—no full card details stored)
Communications (support requests, feedback, survey responses)
Marketing preferences (opt-in/opt-out status, consent timestamps)

We collect the minimum data necessary to deliver and improve our services.

Purposes and Legal Bases

Provide courses and support (contract)
Service improvement and security (legitimate interests)
Legal compliance (legal obligation)
Marketing with consent (consent)

How we assess legitimate interests

We perform a balancing test to ensure our interests do not override your rights. You can object at any time where we rely on legitimate interests.

Sources of Data

Directly from you when you create an account, enrol or contact us
Automatically via our site and cookies (see Cookies)
From payment and email service providers acting on our instructions
Publicly available sources where lawful and relevant (e.g., business contact details)

Cookies

We use essential cookies for authentication and preferences. You can manage cookies in your browser settings. See the footer banner for consent choices.

Cookie categories

Strictly necessary: required for core functionality and security.
Analytics: help us understand usage to improve the site (set only with consent in the UK).
Marketing: measure campaign effectiveness and personalise content (set only with consent).

You may change your choices at any time using the Cookie Preferences link in the footer area once visible.

Sharing

We do not sell personal data. We may share with service providers who operate under strict contractual terms.

Infrastructure, hosting and security providers
Payment processors (tokenised references only)
Email and communication tools
Professional advisers (accounting, legal) where necessary
Authorities where required by law

All processing by service providers occurs under written data protection terms consistent with UK GDPR Article 28.

International Transfers

Where data is transferred outside the UK, we rely on adequacy regulations, International Data Transfer Agreements (IDTAs), or appropriate safeguards such as the UK Addendum to the EU SCCs. Copies of core safeguards can be requested via our contact details.

Security

We implement technical and organisational measures proportionate to risk, including encryption in transit (TLS), restricted access, least-privilege controls and staff training. No method of transmission or storage is 100% secure; we continually assess and improve our controls.

Incident response

In the unlikely event of a data breach impacting your rights, we will notify you and, where required, the ICO without undue delay.

Retention

We keep data only as long as necessary for the purposes above and to comply with legal obligations.

Account and course records: while your account remains active and up to 6 years after for tax/accounting.
Support correspondence: up to 24 months.
Marketing preferences and consent logs: until you withdraw consent plus 24 months for audit.
Website analytics (if consented): typically 14–26 months depending on provider settings.

When retention periods expire, data is securely deleted or anonymised.

Automated Decision-Making

We do not make decisions producing legal or similarly significant effects solely by automated means. We may use automated rules to tailor content or communications where you have consented to marketing.

Children’s Data

Our services are intended for individuals aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will take appropriate steps.

Your Rights

Access, rectification, erasure
Restriction and objection
Data portability
Withdraw consent at any time

To exercise your rights, contact us using the details in the Data Controller section. We may need to verify your identity. We aim to respond within one month.

How to Complain

If you are unhappy with our handling of your data, please contact us first so we can resolve your concern. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

Changes to This Policy

We may update this policy to reflect operational, legal or regulatory changes. We will post the updated version on this page and adjust the effective date above.

Contact

For privacy queries, email [email protected]. You can also contact the ICO in the UK.