Privacy and Data Protection Complaints Policies

I am registered as a sole trader operating as Dr Jennifer Jones - Expert Writing Coach. I offer copyediting, proofreading, and coaching; I also publish and sell courses and guides to help writers. I work with clients from all over the world.

I will only use information I collect from you in the ways described below; this policy was last updated on 3 December 2019.

What information do I collect?

your name
your email address
details of your inquiry
payment details (when you purchase a product or service)

Why do I need information from you?

I use it to:

allow me to give you a quote for editorial work
allow us to arrange a coaching call
give you access to materials you have ordered
gain insight into how people use my website
give you access to protected areas of my website.

How do I collect this information?

Opt-in form (ActiveCampaign and/or Facebook)
Contact form (WordPress)
Email (gmail)
PayPal
Course access/membership - ThriveApprentice

What do I do with this information?

I use it for tax and accounting purposes (both to file my income tax returns with HMRC and the IRS – as a US citizen residing in the UK, I must file in both countries – and to send invoices to clients).
I use it to contact you in response to queries about my products or services.
I use it to send edited work or purchased ebooks to you.
If you give express permission, I will use your email address to send. marketing information and newsletters (I use MailChimp to send these).

How/where do I store your data?

WordPress hosts my website; it is password protected and is SSL-certified for further security; you’ll find their privacy policy here.
ActiveCampaign is my email list management system. You have the option to opt out at the bottom of each email from me. Their privacy policy is here.
PayPal is the system I use to invoice clients; this secure site is password protected. This information will be used only for accounting purposes; it will not be shared. You will find their privacy policy here.
Gmail is the email-server I use for all emails from jennifer@ewc.coach. It is password protected and you can find their privacy policy here and further information here.
Facebook hosts my membership groups and my free resources. It is password protected and you can find their privacy policy here.

Any US based servers used by the above named companies are registered with the EU-US Privacy Shield.

What I will not do with your information:

I will never sell your data, nor will I share it with a third party unless I am required to do so by law.

Can you opt out?

Of course; you may opt out any time you like–simply ask me to remove your data from WordPress, MailerLite, or gmail. Please note that if I have been paid by you, I will need to retain some data for tax purposes (see below).

What do I do with cookies?

I only use them for analytics (Google Analytics and WordPress stats). I do not use cookies to collect information you haven’t chosen to share with me, nor do they allow me access to your computer. If you need further information about cookies, see this article.

To control how my website uses cookies, adjust your web browser’s cookie settings, but please note that rejecting all cookies may affect how my website functions and may make some pages unavailable.

How long will I keep your data?

I generally only delete data if a client asks me to do so; this saves time should a client work with me more than once. I am required to keep data relevant to tax purposes for a minimum of 5 years (HMRC; the IRS minimum is 3 years in most cases).
As I said above, I will delete your data on request so long as doing so does not contravene tax law.

Contact me:

If you have any questions please contact me at jennifer@ewc.coach.

Data Protection Complaints Policy

Purpose

This policy explains how Dr Jennifer Jones – Writing Coach handles data protection complaints fairly, promptly, and in line with UK data protection law, including the internal complaints process requirements introduced by the Data (Use and Access) Act 2025 and set out in DPA 2018, s.164A.

Scope

This policy applies where an individual complains that we have infringed data protection law in connection with their personal data (or personal data of someone they are authorised to act for).

It covers complaints received from customers, staff, suppliers, website users, and any other individuals whose personal data we process. The duty to operate a complaints process applies broadly and the Information Commissioner’s Office (ICO) states there are no exemptions.

Personal data (or personal information) means information that identifies or relates to an individual.

The ICO is the UK’s independent regulator for data protection and privacy. It provides guidance to organisations, investigates complaints, and has legal powers to take enforcement action where organisations do not comply with data protection law.

What is a “data protection complaint”?

A data protection complaint is any expression of dissatisfaction where the person considers we have breached data protection legislation in how we handled their personal information, and they do not need to use legal terms or cite legislation.

Examples include complaints about:

how we responded to a subject access request (SAR) (a request for a copy of personal information we hold about the individual) or other rights request;

security measures used to protect personal data (including concerns following a breach, whether or not reportable to the ICO);

how we collected, used, stored, retained, or kept personal data accurate.

What is not a data protection complaint?

Sometimes people complain about service or other issues while also exercising data protection rights; the ICO explains that this doesn’t count as a data protection complaint (for example, an employee grievance combined with a request for copies of personal data, or a customer service complaint combined with a deletion request).

Where a complaint raises both data protection issues and other concerns (such as service or employment matters), we will treat it as a “mixed complaint”. We will handle the data protection aspects under this policy and ensure they are identified, recorded, and responded to separately and alongside any non-data protection issues.

If it is unclear whether the person intends to raise a data protection complaint, we will ask them to clarify.

How people can complain to us

We provide clear routes for individuals to complain directly to us, and we will accept complaints however they are received.

Preferred contact details: Dr Jennifer Jones

Email: jennifer@ewc.coach

Post: Owner, writing coach, and editor

Telephone: 07946 361403

Online form/portal: – apologies; this is under construction.

We may invite use of the preferred routes above, but people can complain via any channel (including via social media), and we must accept the complaint regardless.

Where a complaint comes in via social media, we will request an alternative contact method because social media is generally not a secure way to exchange personal information.

Our legal duties

We will facilitate the making of complaints (for example, by providing a complaint form that can be completed electronically and by other means).

When we receive a data protection complaint, we will:

Acknowledge receipt within 30 days (the 30 days run from when the complaint is received).

Without undue delay - take appropriate steps to respond (including making appropriate enquiries and keeping the complainant informed of progress).

Without undue delay - inform the complainant of the outcome.

Making people aware of their right to complain

We will tell people that they can complain to us (and that they can also complain to the ICO) at the point we collect their personal information, for example in our privacy notice, using clear and plain language.

We will also include information about this right when we respond to a subject access request.

Identity and authority checks

We will verify identity where necessary. If we have doubts about the complainant’s identity, we may ask for proof of ID and we will do this as early as possible; if we already have enough information to confirm identity, we will not request more.

If someone complains on behalf of another person, we must check they are authorised to act for that person (for example, by a signed letter of authority or appropriate power of attorney). If we do not have evidence of authority, we will not investigate until we receive it.

Our process (step-by-step)

Logging and triage (Day 0 onward)

We will log the complaint on receipt, record the channel it came through, and route it promptly to Dr Jennifer Jones. The duty to investigate begins when the complaint is received, not after the acknowledgement is sent.

We will check whether it is a data protection complaint (see section 3) and, if unclear, we will ask the individual to clarify their intent.

Acknowledgement (within 30 days)

We will acknowledge the complaint within 30 days. The acknowledgement will confirm receipt, that we will look into it, and the next steps. The 30 days start the day after receipt, including weekends/bank holidays, and if the last day falls on a weekend or public holiday the deadline moves to the next working day.

We will make operational arrangements to ensure acknowledgements are sent even during staff absence.

Investigation (without undue delay)

We will investigate without undue delay (meaning as soon as reasonably possible, and without unnecessary delay). What is “undue” depends on the circumstances, and factors such as complexity, scale, and any harm caused by any delay.

In most cases, we aim to provide a substantive response within one month, although complex complaints may take longer.

Our investigation will be proportionate and may include reviewing relevant records, speaking to staff, comparing the complaint with the data we hold, and checking compliance with our own policies and standards.

If we need more information to understand the complaint, we will ask as soon as possible. We may also ask what outcome the individual is seeking to help resolve matters efficiently.

Keeping the complainant informed (without undue delay)

We will keep the complainant updated about progress without undue delay, including timeframes, and where there are delays, the reason for these will be explained.

Outcome (without undue delay)

Once we have finished our investigation, we will inform the complainant of the outcome without an unjustifiable or excessive delay.

Our response will clearly explain what we did, what we found, and (where appropriate) what we changed or corrected. If we consider we complied with data protection law, we will explain why and provide enough detail to help the complainant understand how we reached that view; the ICO suggests itemising complaint points and responding to each.

If the complaint is upheld, we may (as appropriate) correct data, amend processes, provide training, or take other remedial steps.

Review/escalation within the organisation

If the complainant remains unhappy, we may offer a review by a different decision-maker or a senior member of staff, where practical. The ICO indicates organisations could consider having a review process, but people can complain to the ICO at any point and do not have to wait for an internal review.

How to complain to the ICO

Individuals can complain to the ICO at any time. The ICO will, in most cases, ask individuals to raise their complaint with the organisation first, but the ICO remains available to handle eligible data protection complaints.

ICO complaint information: https://ico.org.uk/make-a-complaint/data-protection-complaints/

Record keeping and retention

We will keep records to demonstrate compliance, including:

date received;
acknowledgement;
key communications and documents;
outcome; and
actions taken.

We will not retain personal information for longer than necessary.

We may also monitor themes and trends to identify recurring issues and improve compliance.

Children and vulnerable individuals

Children have the same rights as adults, but merit specific protection; if we receive a complaint from a child, we will use clear, plain language and assess competence to exercise rights.

If we are within scope of the Age Appropriate Design Code (ICO rules for protecting children’s personal data online), we will also follow the ICO’s expectations for complaint mechanisms and escalation routes for urgent and/or safeguarding issues.

Joint controllers and processors

If we act as a joint controller (meaning we decide together with another organisation how and why personal data is used), we will maintain a transparent arrangement that covers complaint handling and coordination, noting that the timeframe starts when any joint controller receives the complaint.

Where we use data processors (organisations that process personal data on our behalf), we will ensure contracts/support arrangements enable us to meet our complaint-handling obligations; processors may assist administratively but the duty remains with us as controller.

Staff training and internal awareness

Currently (as of June 2026), Dr Jennifer Jones is the only person working at Dr Jennifer Jones – Expert Writing Coach; should the business hire further staff, we will train them to recognise data protection complaints and route them appropriately, because complaints can be received through any part of the organisation.

Policy ownership and review

Policy owner:
Dr Jennifer Jones
Approved by:
Dr Jennifer Jones
Effective date:
19/06/2026
Next review date: 19/06/2027

This policy will be reviewed at least annually and after any significant complaint trend or regulatory/guidance change.