Privacy Policy
Last updated: 25 April 2026
1. Who We Are
Serene Safety is a Norwich-based health and safety consultancy and training provider. We are the data controller for the personal data described in this policy.
- Registered address: 2 Mill Lane, Horsford, Norwich, NR10 3ET, United Kingdom
- Phone: 01603 975536
- Email: [email protected]
- Data controller: Jonathan Reynolds, Serene Safety
2. What Data We Collect
We collect different categories of personal data depending on how you interact with us:
Contact enquiries
When you submit a contact form or email us, we collect your name, email address, phone number (optional), company name (optional), and the content of your message.
Course bookings
When you book a training course, we collect your name, email address, phone number, company name, and the number of delegates. Payment details (card number, bank details) are collected and processed directly by Stripe - we do not store payment card information on our systems.
Delegate onboarding
For each delegate attending a course, we collect: first name, last name, email address, phone number, company, job title, dietary requirements, access needs, emergency contact name and phone number, and prior qualifications.
Delegate portal accounts
When you use the delegate portal to access course materials, we record your email address, login timestamps, course progress, and any quiz or exercise responses you submit.
Website usage
We use Google Analytics 4 to understand how visitors use the website. GA4 is loaded only after you give consent via the cookie banner; if you decline, no analytics scripts run and no analytics cookies are set. We do not use any other tracking, advertising, or session-recording tools.
Marketing list
If you opt in to our newsletter (footer signup form, or the "Subscribe me" checkbox on the contact or booking forms), we collect your email, first name, surname, and (optionally) company name so we can send Health & Safety insights and course-date announcements. You can unsubscribe at any time using the link at the bottom of every marketing email.
Certificate verification
If you complete a Serene-Safety-issued course we issue a completion certificate with a unique verification code. The verification page (/verify/<code>/) is public and shows your name, the course you completed, and the dates — this lets employers confirm the certificate is authentic. Only the data shown on the certificate itself is published; nothing else (email, phone, company) appears on the verification page.
3. How We Use Your Data
We only process your personal data where we have a lawful basis to do so under UK GDPR. The table below sets out each purpose and its legal basis:
| Purpose | Data used | Legal basis |
|---|---|---|
| Responding to your contact enquiry | Name, email, phone, message | Legitimate interest - responding to your request |
| Processing your course booking and payment | Name, email, phone, company, payment details | Contract performance - fulfilling the booking you have made |
| Course delivery and delegate management | Delegate name, email, phone, company, job title, prior qualifications | Contract performance and legitimate interest - delivering the training service and ensuring course suitability |
| Catering and reasonable adjustments | Dietary requirements, access needs | Explicit consent - this is special category data under UK GDPR and is only processed with your consent |
| Emergency situations during training | Emergency contact name and phone | Vital interests - protecting your health and safety |
| Delivering course materials via the delegate portal | Email, course progress, quiz/exercise responses | Contract performance - part of the training service |
| Marketing communications (newsletter, course announcements) | Email, first name, surname, company (optional) | Consent — collected via the footer signup or an opt-in checkbox on the contact / booking forms. Every marketing email contains a one-click unsubscribe link. |
| Live classroom delivery (audio / video / chat) | Display name + audio / video stream while in the session | Contract performance — running the live training session you booked. Streams are not recorded by us unless explicitly arranged in advance. |
| Certificate verification (public) | Name, course name, issue date | Legitimate interest — allowing employers to verify the qualification you have presented. You can request revocation at any time. |
4. Who We Share Your Data With
We share your personal data with the following third-party processors. Each is bound by a data-processing agreement; we have selected providers with strong UK / EU data-protection track records.
- Stripe — payment processing. Handles card, Klarna, PayPal and Pay by Bank transactions. Card details never touch our servers. Stripe Privacy Policy
- Resend — transactional and marketing email delivery (booking confirmations, magic-link logins, contact-form notifications, weekly digest, certificate alerts). Resend Privacy Policy
- Railway — application hosting (Node.js server) and managed Postgres database, EU region. Railway Privacy Policy
- Cloudflare — CDN, R2 object storage (course materials, document uploads), and DNS. Cloudflare Privacy Policy
- Cloudflare Stream — video hosting and adaptive-bitrate playback for course videos. The video bytes are uploaded directly from your browser to Cloudflare; we never see the file contents. Cloudflare Privacy Policy
- Jitsi Meet — live classroom audio / video conferencing. Sessions are not recorded by us unless explicitly arranged. Jitsi Meet Privacy Notice
- Google — Google Analytics 4 (only if you accept analytics cookies via the banner) and Google Places (used to fetch our public review widget on the home page). Google Privacy Policy
- Microsoft — where in-person training requires SharePoint document sync we transfer delegate first / last name and email to a private SharePoint list. Not used for marketing or analytics. Microsoft Privacy Statement
- NEBOSH and IOSH — where required for course registration, examination booking and accreditation, we share delegate names and (where required) date of birth and results with the relevant awarding body.
- Sentry — error monitoring. Captures unexpected errors only; we configure it to scrub email addresses and other identifying data from error reports.
We do not sell your personal data to any third party. Where a processor stores data outside the UK or EEA we rely on an adequacy decision or Standard Contractual Clauses as the lawful transfer mechanism.
5. How Long We Keep Your Data
We retain your data only for as long as necessary for the purpose it was collected, or as required by law:
| Data type | Retention period | Reason |
|---|---|---|
| Contact form submissions | 12 months | Sufficient to respond to and follow up on enquiries |
| Booking and payment records | 6 years | HMRC tax record requirements |
| Delegate training records | 6 years | Industry standard for training records; regulatory and insurance requirements |
| Portal accounts and course progress | Duration of course + 12 months | To allow access to materials after course completion |
| Quiz and exercise responses | Duration of course + 12 months | To allow review and certification processes |
After the retention period expires, data is securely deleted or anonymised.
6. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access - you can request a copy of all personal data we hold about you (a Subject Access Request).
- Right to rectification - you can ask us to correct any inaccurate or incomplete data.
- Right to erasure - you can ask us to delete your personal data. Where we are legally required to retain records (e.g. for HMRC tax purposes), we will anonymise the data instead of deleting it.
- Right to restrict processing - you can ask us to limit how we use your data while a concern is resolved.
- Right to data portability - you can request your data in a structured, machine-readable format.
- Right to object - you can object to processing based on legitimate interest.
- Rights related to automated decision-making - we do not currently make any automated decisions about you.
To exercise any of these rights, please email [email protected]. We will respond within one month of receiving your request.
If you are not satisfied with how we handle your request, you have the right to complain to the Information Commissioner’s Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
7. Cookies
Our website uses a small number of cookies:
Strictly necessary cookies
These cookies are essential for the website to function and cannot be switched off:
| Cookie | Purpose | Duration |
|---|---|---|
admin_session | Authenticates admin dashboard sessions | Session (expires on browser close or after 24 hours) |
serene_portal_session | Authenticates delegate portal sessions | Session (expires on browser close or after 7 days) |
Analytics cookies
We do not currently use any analytics cookies. Cloudflare Web Analytics is privacy-first and does not require cookies.
Marketing cookies
We do not currently use any marketing or advertising cookies.
Third-party embeds
Some pages may include embedded content from third parties (e.g. Google Maps on our contact page, Vimeo or Microsoft Teams video on the delegate portal). These services may set their own cookies. Please refer to their respective privacy policies for details.
8. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit - all data is transmitted over HTTPS/TLS.
- Encryption at rest - data stored on Cloudflare’s edge network is encrypted at rest.
- Access controls - admin access requires authentication. Personal data is only accessible to authorised personnel.
- Payment security - payment card details are handled entirely by Stripe, a PCI DSS Level 1 certified provider. We never see or store your full card number.
- Regular reviews - we regularly review our security measures and update them as necessary.
9. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically.
10. Contact Us
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
- Email: [email protected]
- Phone: 01603 975536
- Post: Serene Safety, 2 Mill Lane, Horsford, Norwich, NR10 3ET