This notice explains what personal information Fellas collects when you use this website or attend a session, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
The data controller is Stuart Mullins, trading as Fellas — Men's Support Group at The Secret Space. We are responsible for deciding how your personal information is held and used.
Contact us: coaching@stuartmullins.co.uk
Postal address: 105 Fore Street, Hertford, Hertfordshire SG14 1AS, United Kingdom
2. What we collect
- Contact form & bookings. Your name, email, phone (optional), the topic you select, and anything you write in the message field.
- Reviews. Your name, email, line of work (optional), the review text, and your consent confirmation.
- Site analytics. Pages visited, the page that linked you here, your IP address (used only to derive country and to throttle abuse), browser/device type, and a first-party session cookie. We do not use third-party trackers.
- Server logs. Standard hosting access logs (IP, user agent, request line, response code) kept for security and troubleshooting.
3. Why we use it, and the lawful basis
- Replying to your enquiry / running your booking. Lawful basis: performance of a contract or steps requested by you prior to a contract.
- Publishing the reviews you submit. Lawful basis: your explicit consent, given via the consent checkbox on the form. You can withdraw it at any time by emailing us.
- Improving the website and protecting it from abuse. Lawful basis: our legitimate interest in understanding how the site is used and keeping it secure. We balance that against your interests and only retain aggregate-friendly data.
- Replying to a question by email or WhatsApp. Lawful basis: legitimate interest (responding when you contact us first).
- Sending you marketing. We don't currently send marketing emails. If we ever do, we'll ask for opt-in consent first.
4. Who we share it with
We only share your data with:
- Our hosting provider (Hostinger) — they process your data on our behalf to run the website. They are a data processor under contract; they can't use your data for their own purposes.
- Email providers (the SMTP service we use to send notification emails) — again, processors only.
- Authorities, if we're required to by law (e.g. a court order).
We never sell your data, and we don't share it with advertising or analytics networks like Google Analytics, Facebook Pixel, or similar.
5. Where it's stored
Our servers and databases are hosted in the United Kingdom and the European Economic Area (EEA). If a processor we use stores data outside the UK / EEA, we rely on an adequacy decision or the UK International Data Transfer Agreement to keep your data protected to the same standard.
6. How long we keep it
- Contact & booking submissions: up to 24 months, then deleted or anonymised — unless we're still in conversation with you.
- Published reviews: kept while the review is live on the site. You can ask us to take it down at any time.
- Site analytics: up to 12 months.
- Server logs: up to 90 days, after which they're rotated and deleted.
7. Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct anything inaccurate.
- Erasure — ask us to delete it ("the right to be forgotten").
- Restriction — ask us to stop using it for a particular purpose.
- Portability — ask for your data in a machine-readable form (for the data we hold under consent or contract).
- Object — object to processing carried out under legitimate interest.
- Withdraw consent — at any time, with no effect on processing already done.
To exercise any of these, email coaching@stuartmullins.co.uk. We'll respond within one month.
8. How we keep it secure
- The whole site is served over HTTPS, with HSTS enabled and modern security headers (Content-Security-Policy, X-Frame-Options, Referrer-Policy).
- Form submissions are protected against bots (honeypot field + rate limits) and CSRF (admin actions).
- Admin access requires a strong password; access is logged.
- Database backups are encrypted at rest by our hosting provider.
9. Cookies
See our cookie policy for the full list, plus how to accept or reject non-essential cookies.
10. Complaints
You have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
ico.org.uk/make-a-complaint
We'd appreciate the chance to put things right first — please email us if you have a concern.
11. Changes to this notice
We may update this notice from time to time. The "last updated" date at the top will change when we do. Significant changes will be flagged on the home page.