Our Privacy Policy

Last Updated: November 2025

1. Introduction

Foundations First HR ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services or visit our website.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your Rights: You have important rights under data protection law. Please read this policy carefully to understand how we handle your information.

2. Data Controller

For the purposes of data protection law, the data controller is Katie Poniatowska, trading as:

Business Name: Foundations First HR
Email: hello@foundationsfirsthr.co.uk
Phone: 07920642438
Address: Bristol, United Kingdom

3. Information We Collect

3.1 Information You Provide Directly

  • Contact Information: Name, email address, phone number, company name
  • Business Information: Company details, number of employees, industry, department names
  • Employment Information: Job titles, employee names (for contract customisation), organisational structure
  • Communication Records: Emails, phone call notes, meeting notes, training session records
  • Payment Information: Billing address, payment method (processed securely through third-party payment processors)
  • Inquiry Information: Information submitted through contact forms or consultation requests

3.2 Information Collected Automatically

  • Technical Information: IP address, browser type, device type, operating system
  • Usage Data: Pages visited, time spent on pages, links clicked, referring website
  • Location Data: General geographic location (city/country level only)

3.3 Information We Do NOT Collect

  • Special category data (health information, racial or ethnic origin, religious beliefs, etc.) unless you voluntarily provide it
  • Financial information (credit card numbers are processed by secure third-party payment processors)
  • Employee performance data or disciplinary records

4. How We Use Your Information

4.1 Legal Basis for Processing

  • Contract Performance: To provide services you've purchased
  • Legitimate Interests: To improve our services, communicate with clients, prevent fraud
  • Legal Obligation: To comply with accounting, tax, and legal requirements
  • Consent: For marketing communications (you can withdraw consent anytime)

4.2 Specific Uses

  • Provide Services: Customise templates, deliver training, provide Shield updates
  • Communication: Respond to inquiries, send service updates, provide customer support
  • Payment Processing: Process payments, send invoices, manage accounts
  • Legal Compliance: Maintain records for tax, accounting, and legal purposes
  • Service Improvement: Analyse usage patterns, improve website functionality, develop new services
  • Marketing: Send newsletters, service updates, promotional materials (with your consent only)

5. How We Share Your Information

5.1 Third-Party Service Providers

We may share your information with trusted third parties who help us operate our business:

  • Payment Processors: To process payments securely (e.g., Stripe, PayPal)
  • Email Services: To send communications (e.g., email marketing platforms)
  • Cloud Storage: To store documents securely (e.g., Google Drive, Dropbox)
  • Video Conferencing: For training sessions (e.g., Zoom, Microsoft Teams)
  • Accounting Software: For invoicing and bookkeeping

All third-party providers are contractually bound to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our legal rights.

5.3 Business Transfers

If we are acquired, merge with another company, or sell our assets, your information may be transferred to the new owner. We will notify you of any such change.

5.4 What We Do NOT Do

We will NEVER:

  • Sell your personal information to third parties
  • Share your information with unrelated businesses for their marketing purposes
  • Share employee-specific information you provide without your consent

6. How Long We Keep Your Information

We retain your personal information for as long as necessary to provide services and comply with legal obligations:

Information Type                              Retention Period
--------------------------------------------  ----------------------------------------------------------
Client contact information                    7 years after last service (tax/accounting requirements)
Contract and service records                  7 years after service completion (legal requirements)
Payment and invoice records                   7 years (HMRC requirements)
Marketing consent records                     Until consent is withdrawn
Inquiry information (no service purchased)    2 years from last contact
Website analytics data                        14 months

After retention periods expire, we securely delete or anonymise your information.

7. How We Protect Your Information

We implement appropriate technical and organisational measures to protect your personal data:

7.1 Technical Measures

  • Encrypted data in transit (HTTPS/TLS)
  • Secure cloud storage with encryption
  • Regular security updates and patches
  • Strong password policies
  • Two-factor authentication where available

7.2 Organisational Measures

  • Access to personal data limited to authorised personnel only
  • Confidentiality agreements with staff and contractors
  • Regular privacy and security training
  • Data breach response procedures

Important: While we take security seriously, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

8. Your Data Protection Rights

Under UK GDPR, you have the following rights:

Right to Access
Request a copy of the personal data we hold about you

Right to Rectification
Request correction of inaccurate or incomplete data

Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data (subject to legal retention requirements)

Right to Restrict Processing
Request limitation on how we use your data

Right to Data Portability
Receive your data in a structured, machine-readable format

Right to Object
Object to processing based on legitimate interests or for marketing purposes

Right to Withdraw Consent
Withdraw consent for processing where consent is the legal basis

Right to Complain
Lodge a complaint with the Information Commissioner's Office (ICO)

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: hello@foundationsfirsthr.co.uk
Subject Line: "Data Protection Rights Request"

We will respond to your request within one month. If your request is complex or you have made several requests, we may extend this by up to two further months; we will tell you within the first month if an extension is needed and why.

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience.

9.2 Types of Cookies We Use

  • Essential Cookies: Required for website functionality (cannot be disabled)
  • Analytics Cookies: Help us understand how visitors use our site (e.g., Google Analytics)
  • Functional Cookies: Remember your preferences and settings

9.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling cookies may affect website functionality.

Your browser's help pages explain how to view, block and delete cookies:

  • Chrome
  • Firefox
  • Safari
  • Edge

10. International Data Transfers

We primarily store and process data within the UK. However, some of our service providers (e.g., cloud storage, email services) may process data outside the UK/EEA.

When we transfer data internationally, we ensure adequate protection through:

  • UK adequacy regulations (countries the UK government has found to provide adequate data protection)
  • The ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses
  • Service providers certified under a transfer framework recognised by the UK (e.g., the UK Extension to the EU-US Data Privacy Framework)

11. Children's Privacy

Our services are not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

12. Marketing Communications

12.1 Consent

We will only send marketing communications if you have given consent, or if you are an existing client and the message concerns services similar to those you have already purchased (the "soft opt-in" under the Privacy and Electronic Communications Regulations (PECR)).

12.2 Email Communications

We may occasionally contact existing clients about relevant service updates or new HR resources. You can opt out of these communications at any time by emailing hello@foundationsfirsthr.co.uk with "Unsubscribe" in the subject line.

Note: You will continue to receive service-related communications (e.g., invoices, changes to the services you have purchased, data protection notices) even if you unsubscribe from marketing communications.

13. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Take immediate steps to contain and remedy the breach
  • Document the breach and our response

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

  • We will update the "Last Updated" date at the top of this policy
  • We will post the updated policy on our website
  • For material changes, we will notify active clients via email

We encourage you to review this policy periodically.

15. Contact Us & Complaints

15.1 Contact Information

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: hello@foundationsfirsthr.co.uk
Phone: 07920642438
Address: Bristol, United Kingdom

15.2 Complaints to the ICO

We are not currently required to pay a data protection fee to the ICO, as our data processing activities fall within the exemption categories. If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk

Privacy Policy Summary

  • We collect only information necessary to provide our services
  • We never sell your personal information
  • We protect your data with appropriate security measures
  • You have the data protection rights set out in section 8 of this policy
  • We comply with UK GDPR and Data Protection Act 2018
  • You can contact us anytime about your privacy