Last Updated: 2 October 2023

Navigating this Policy

If you are viewing this policy online or on PDF, you can click on the below links to jump to the relevant section

  1. Introduction & Scope
  2. How we collect your personal data
  3. The personal data we collect
  4. How we use your personal data (purposes of processing as well as the legal basis for processing)
  5. Sharing your personal data
  6. International transfers of personal data
  7. How long we keep your information
  8. How we secure your information
  9. Existence of automated decision-making (including profiling)
  10. Your rights as a data subject
  11. Cookies
  12. Privacy protections for children using the internet
  13. Managing communication preferences
  14. Third party websites, social media networks, advertising
  15. Changes to this Privacy Policy
  16. Contact Information

1. Introduction & Scope

  1. Lean Solutions Limited trading as ‘Coaching Outside the Box’ (“Coaching Outside the Box”, “COTB”,“we”, “our” or “us”)is committed to protecting the privacy of our customers and stakeholders, and we take our data protection responsibilities with the utmost seriousness.
  2. This Privacy Policy (this “policy”) explains how information about you is collected and used by COTB and applies to all personal data processing activities carried out by us. If you are a user of our services, this policy applies together with any terms of business and other contractual documents, including but not limited to any agreements we may have with you. If you are just browsing, we have designed our website so that you may navigate and use it without having to provide personal data, subject only to certain data that may be collected via the use of cookies, or data you choose to provide for marketing purposes or to access certain resources. This policy should therefore be read together with our Cookie Policy, details of which are referred to below. If you do not accept these policies you should immediately discontinue your use of our website.
  3. COTB is an internationallyfacing businesswhich offers its services in or from within Gibraltar, which is no longer part of the EU. Gibraltar has its own data protection laws that apply certain EU laws. This is referred to as the “Data Protection Legislation”, and includes:
    • The Data Protection Act 2004 (as amended), and regulations made under that Act; and
    • The “Gibraltar GDPR” or “GGDPR”, which is essentially the EU’s General Data Protection Regulation or (Regulation (EU) 2016/679, or the “EU GDPR”) as it forms part of Gibraltar law. This basically means it is read slightly differently to the EU GDPR but still offers privacy protections and guarantees in a similar manner.
  4. If you live or work outside of Gibraltar, other laws, including the EU GDPR, may be applicable to your individual circumstances. The EU GDPR applies to the processing of personal data of data subjects who are in the EEA by a controller or processor not established in the EEA, where the processing activities are related to:
    • offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    • the monitoring of their behaviour as far as their behaviour takes place within the Union
  5. References to the “EEA” are to the European Economic Area which includes all Member States of the European Union, as well as Norway, Iceland, and Liechtenstein, and for the purposes of this policy should be interpreted in accordance with references to “the Union” in EU GDPR and similar legislation.
  6. For the purposes of this policy, “personal data” means any information relating to you as an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity
  7. In this policy, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The term “process” shall be interpreted accordingly.
  8. COTB is a “controller” (sometimes referred to as “data controller”) when it determines the purposes and means of processing of your personal data. We may also act as “processors” (sometimes referred to as “data processor”) when we process your data and may use other data processors who act on our instructions.

2. How we collect your personal data

  1. Our primary method of data collection is through information you provide to us when you communicate with us. This is done primarily through our website, via telephone and via use of voice over internet protocol (VOIP) / videoconferencing services (e.g. Zoom). Information is also generated by us during our relationship with you, such as when we associate your username with your name and contact information, and with particular courses we offer.
  2. As noted, our website is designed so you may navigate it without provision of personal data other than as described in our Cookie Policy (referred to below). Our website also offers registration and login features, and contact forms that request basic information so we can identify you as a user of our services or someone that is interested in our services.
  3. During coaching and mentoring sessions, and during our relationship with you as either a user of our services or one of our in-house or partner coaches, we may record or monitor calls or training sessions, emails, text messages and other correspondence for training purposes to improve the qualityof our offering and to prevent and detect fraud. This may include recording of audio and/or video and we will notify you (either verbally or in writing) in advance that calls and sessions are recorded and monitored in this manner.
  4. Other than information you provide to us directly when using or services and/or website, attending our courses or our events, or requesting information from us, information is also collected from other sources. We work closely with third parties (including, for example, business partners, sub-contractors, payment and delivery services, advertising networks, analytics providers, and search information providers) who may provide us with information about you. Such third partiesmay include:
    • Google Analytics – collects information about how visitors use our website;
    • Google Adwords – collects information about how visitors interact with our ads;
    • The International Coaching Federation;
    • The Scrum Alliance;
    • Zoom Video Communications, Inc (and/or its group or partner entities offering the Zoom platform);
    • SlackTechnologies, Salesforce Inc;
    • Miro (a digital collaboration platform developed by RealtimeBoard, Inc); and
    • Our partner coaches and sub-contractors;
    • Such other software, tools and platforms required to deliver our services as may be notified to you from time to time.
  5. We are not responsible for the privacy practices of third parties. If a third party collected your name and contact details, they should only pass those details to us for marketing purposes if you have consented to them doing so. You are primarily responsible for information you make available to such third parties (e.g. disclosing your email, photo, video image, or other contact or identifying information during videoconferencing). At the time of collection of this information we shall, to the extent allowed under Data Protection Legislation, provide you with information about the source of the personal data.

3. The personal data we collect

  1. Information provided by you: Name, email address (work and/or personal), postal address, telephone number(s), job title, company details, interests, preferences, and answers you give us when (i) using any of our online forms;(ii) subscribing to our Newsletter;(iii) using videoconferencing facilities; or (iv) attending live or online events. Any passwordsyou provide related to your account with COTB will not be visible to COTB and cannot be used to identify you as it is encrypted data. Likewise, any payment details you provide when paying for our services are similarly encrypted, and we will only keep a record of successful and unsuccessful payments, as well as any outstanding sums.
  2. Information collected automatically: When you visit or use our website, or interact with our marketing communications, we automatically collect certain information from you and third party website analytics providers (e.g. Google analytics): further information is contained in our Cookie Policy (referred to below). In many cases, this data is de-identified or anonymised so that it is no longer personal data. Additionally, if you have subscribed to any electronic newsletter we produce, each time you receive a newsletter from us we may collect and process personal data. This data may include: (i) the date and time you opened the email (ii) what (if any) links or URLs you accessed from our newsletter (iii) the location our newsletter was accessed from.We may also choose to use a marketing email management system (such as MailChimp) to send out newsletters to subscribers, allowing us to prepare customised emails and manage our subscriber base. Where we use such services, we will not store any information collected by our mailing list provider, other than the association of a name to an email address. We will direct you to the privacy policies/notices of any third party system we implement for this purpose.
  3. Information provided by third parties: Name, association/affiliation/accreditation to or with a third party organisation, certification body or regulatory authority, reference or referee details, and further information about your relationship with such third party (e.g. whether you are registered/unregistered). In addition, other coaches and participants in group sessions may provide further information about you (e.g. attendance/non-attendance, complaints, or any information you provide to such persons). Finally, social media networking sites such as Facebook/Meta may share information such as your name and location data, as well as your preferences when you interact with any of our advertisements (e.g. ‘reacting’ to content or ‘sharing’ content).
  4. Special category and criminal offence data: Unless you or a third party specifically disclose these to us, we do not generally request or process categories of personal data that reveal any of the following (which for convenience we label “sensitive data”):
    • your racial or ethnic origin;
    • your political opinions;
    • your religious or philosophical beliefs;
    • your trade union membership;
    • your genetic data or biometric data for the purpose of uniquely identifying you;
    • your health;
    • your sex life or sexual orientation;
    • criminal convictions and offences (including the alleged commission of offences, proceedings in relation to such offences or alleged commission of offences or the disposal of such proceedings, including sentencing);
  5. On occasion, we may need to process sensitive data (e.g. you tell us you feel ill, or we are advised by law enforcement or a third party that you have committed an offence or are being investigated) but will seek to limit this processing as far as possible under the law.

4. How we use your personal data (purposes of processing as well as the legal basis for processing)

  1. We must always have a valid reason or ‘lawful basis’ for processing your personal data. Note the definition of processing in the first section of this policy is extremely wide. Use (including storage) or deletion of your personal data also constitutes processing. Accordingly, we limit any processing of your personal data to that which is strictly necessary to satisfy the lawful basis relied on. In summary, the lawful bases that we rely on are:
    • Consent: you consent to the processing of your personal data for one or more specific purposes;
    • Contract: our processing is necessary to deliver our contractual duties to you as user of our services or prior to your registration with COTB;
    • Legal obligation: our processing is necessary for us to comply with a legal obligation to which we are subject;
    • Vital interests: our processing is necessary to protect your vital interests or those of another natural person (i.e. human being). Note this will rarely arise in practice but includes situations where processing is required to save someone’s life or prevent other harm to them; and
    • Legitimate interests: our processing is necessary for the purposes of the legitimate interests we are pursuing or that a third party is pursuing unlesssuch interests are overridden by your fundamental rights and freedoms requiring protection of your personal data.
  2. Since (i) we are not a public authority; (ii) do not act under official authority vested in us; and (iii) do not act in performance of a task carried out in the public interest, we do not rely on the ‘public task’ lawful basis.
  3. In rare cases where we need to process sensitive data, we will rely on one of the above lawful bases together with additional safeguards and lawful bases required in respect of this data. We will inform you of these as appropriate and to the extent we are not prohibited or exempted from doing so under the law.
  4. Any of the information we collect from you may be used for one or more of the following purposes:
    • to provide a high level of customer service, including assisting with any of your enquiries and bookings, and to notify you of any changes to courses you signed up for;
    • to be able to offer youour training, coaching and mentoring servicesyou purchase from us. Failure to supply your personal data will result in us not being able to offer you the requested services;
    • to manage your relationship with us and provide you with an account to allow you access to specific courses, track your progress and allow us to interact and communicate with you;
    • to collect a debt owed to us;
    • to meet our legal obligations and for establishing, exercising or defending our legal rights;
    • to account for our business and prepare financial statements;
    • to compile reports and to help us understand and improve our services;
    • (with your consent) to market our services/products to you and communicate with you about our offers, promotions, upcoming events, reviews and other news or those of our selected partners through targeted online advertising more likely to be relevant to our end users;or
    • to facilitate profiling, segmentation and personalisation. These may be based on location, preferences, interests and past actions (including previous course purchases), and allows us to personalise and tailor our services to youand your overall experience on our website.
  5. In respect of the lawful basis of consent, this may apply where no other lawful basis can be relied on (e.g. for the use of our website by persons who are not our customers, in respect of certain cookies that are not essential – see our Cookie Policy for further information). We rarely rely on your consent to process your personal data, as usually another lawful basis will be more suitable. Where we do seek to rely on your consent, we will always ensure that this consent is fairly obtained by clearly informing you about why your consent is needed. We will always seek to provide a real and informed choice. Although consent can be obtained orally, we will usually require that you provide your consent through a clear, affirmative action such as ticking a box, toggling/swiping a button or switch on our website or on a mobile application, signing your name or other suitable method that can clearly evidence your consent (including on paper consent forms).
  6. In respect of the lawful basis of legitimate interests, we will always need to (i) identify a legitimate interest (ii) show that processing is necessary to achieve it; and (iii) balance it against your interests, rights, and freedoms. Some non-exhaustive examples of situations where we may seek to pursue legitimate interests are:
    • direct marketing, and improving our services, website, and user experience;
    • where necessary to establish, exercise, or defend legal claims;
    • preventing fraud, keeping our staff (any premises we may operate from) secure, and disclosing criminal acts; and
    • monitoring the use of our products, website, and online services, and use your information to help us improve and protect our products, content, services, and websites, both online and offline. We may also monitor data on our networks and information management systems, which may relate to personal data of our business partners and coaches. Our legitimate interests are keeping your data secure, improving our service offering, and ensuring the prevention ofpersonal data breaches.

5. Sharing your personal data

  1. We may pass your personal data to our business partners, affiliates, administration centres, third party service providers, agents, subcontractors, and other associated organisations for the purposes of completing tasks and providing our services to you. These will be treated as our data processors, who will act on our instruction when processing your personal data.
  2. In addition, when we use any other third-party service providers, we will disclose only the personal data that is necessary to deliver the service required, and we will ensure that they keep your information secure and not to use it for their own direct marketing purposes without your permission.
  3. Whilst we take reasonable steps to ensure your contact information is not shared with trainers and coaches, you are responsible for preserving the confidentiality of your contact information on videoconferencing platforms used during coaching/training sessions. Note that the nature of the coaching and training services provides requires audience participation, so your consent for recording of sessions, sharing your audio and video and name will be required. If you refuse to give such consent, we may not be able to provide our services to you.
  4. Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes set out in section 4 above, such as where we are mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws. In such cases we will normally be prevented from disclosing such sharing has taken place to such extent as it could prejudice an investigation or may also seek to rely on another applicable exemption under the Data Protection Legislation.
  5. In addition, we may transfer your personal information to a third party as part of a sale of some, or all, of our business and assets or as part of any business restructuring or reorganisation, or if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation. However, we will take steps to ensure that your privacy rights continue to be protected.
  6. In rare cases where we have a joint business venture or arrangement with another controller of your personal data, we may be regarded as ‘joint controllers under the Data Protection Legislation and will need to determine our respective responsibilities for compliance in a transparent manner. In such cases, the arrangement may designate a contact point for data subjects, and we will provide further information when such an arrangement exists and concerns your personal data.

6. International transfers of personal data

  1. In connection with our (i) IT development, hosting, and support (ii) acceptance of payments; (iii) human resources/talent acquisition; and (iv) partnership with mentors, trainers and coaches around the world, your personal data may be transferred to data processors within and outside of the EEA. Under Gibraltar GDPR, all transfers outside of Gibraltar are treated as transfers to a “third country” as that expression means a country or territory outside of Gibraltar. In cases where we intend to transfer personal data to third countries or international organisations outside of Gibraltar, we are required to confirm to you whether it has been determined by under Gibraltar GDPR that the country or organisation we are sharing your Personal data with will protect your information adequately. Specifically, we need to confirm the existence or absence of a decision based on an adequacy regulation as set out in Article 45(1) of the Gibraltar GDPR.
  2. A transfer of personal data to a third country or an international organisation may take place if
    • it is a transfer to the United Kingdom (“UK”). Accordingly, where Gibraltar GDPR applies, transfers to the UK may take place without additional safeguards;
    • it is a transfer based on adequacy regulations for the purposes of the UK GDPR and Part 2 of the UK Data Protection Act 2018. This means the destination country has been deemed by the UK (and by extension Gibraltar, which adopts UK decisions on adequacy) as providing an adequate level of data protection for data subjects. See Article 45 Gibraltar GDPR for further information on the meaning of “UK GDPR” and “UK Data Protection Act 2018”;
    • we or our processors have provided “appropriate safeguards” (see paragraph 6.5below);
    • (where none of the above items (i) to (iii) apply) we rely on specific derogations provided for under the Data Protection Legislation (see paragraphs6.6 and 6.7below)
  3. We transfer personal data to the following countries/international organisations which are deemed adequate and subject to adequacy regulations for the purposes of Gibraltar GDPR and/or the Data Protection Legislation at the date of this policy:
    • United Kingdom
    • Italy
  4. We transfer personal data to the following countries/international organisations which are not deemed adequate at the date of this policy:
    • United States (note: on 10 July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, but this only extends to personal data transferred from the EU to US companies under the new framework, and for Gibraltar GDPR purposes will require equivalent adequacy regulations to be passed in the UK)
  5. In the absence of an adequacy decision, we rely on “appropriate safeguards” as provided for in the Data Protection Legislation. In this regard, we may use a number of legal mechanisms to ensure that your rights and protection level follow your data, including (a) standard data protection clauses specified in Gibraltar regulations, issued by the Information Commissioner, or approved by the EU Commission as standard contractual clauses and given effect under Gibraltar law; (b) approved codes of conduct; (c) certification mechanisms; or (d) binding corporate rules.
  6. Certain third country transfers are exempted transfers, meaning that they are allowed under the specific derogations in the law and are used where “appropriate safeguards” above are not available. We may rely on these exemptions in order to transfer data to third countries:
    • with your explicit consent
    • where necessary for the performance of a contract, or for pre-contractual steps taken at your request;
    • where necessary for the conclusion of a contract between us and a third party which is in your interest;
    • where necessary for important reasons of public interest;
    • where necessary for the establishment, exercise, or defence of legal claims; or
    • where necessary to protect your vital interests (or those of another) if you are physically or legally incapable of giving consent.
  7. As a measure of last resort, we may also make a third country transfer where we cannot rely on any of the above reasons, but only if the transfer fulfils all of the following criteria:
    • the transfer must not be repetitive;
    • the transfer must concern only a limited number of data subjects;
    • the transfer must be necessary for compelling legitimate interests we pursue which are not overridden by your interests and freedoms (as well as those of affected data subjects);
    • we must have assessed all the circumstances and provided suitable safeguards (e.g. encryption measures) to protect the personal data;
    • we inform the relevant supervisory authority of the transfer; and
    • we provide you with (i) confirmation of the transfer, (ii) the information in this policy, and (iii) the compelling legitimate interests we seek to rely on.
  8. You may request further information on appropriate or suitable safeguards we rely on using the contact details contained at the end of this policy.

7. How long we keep your information

  1. We retain your information only for as long as is necessary for the purposes for which we process the information as set out in this policy. Records can be held on a variety of media (physical or electronic) and formats.
  2. Retention periods are determined based on the type of record, the nature of the record and activity and the legal or regulatory requirements that apply to those records. We will, in the normal course of events, keep client records for at least 5 years after the termination of the relationship. In certain circumstances, we may wish to retain certain information such as video recordings / recorded coaching sessions for training purposes, and in such cases we will ordinarily seek your consent to continued retention beyond our usual retention periods.
  3. However, we may retain your personal data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. Examples of situations where we may extend ordinary retention periods are as follows:
    • maintaining business records for the purposes of satisfying any legal, accounting, or reporting requirement;
    • complying with record retention requirements under relevant laws;
    • exercising, establishing, or defending legal claims; or
    • dealing with complaints regarding our services.
  4. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
  5. Upon expiration of the relevant period we have determined is suitable for retention of your personal data, we will either delete (or arrange deletion of) or anonymise (or arrange anonymisation of) such personal data. If, for technical reasons, we are unable to delete or anonymise such personal data (either partially or entirely), we will put in place appropriate measures to prevent further processing, placing this data beyond use, and/or implementing pseudonymisation where possible

8. How we secure your information

  1. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed, as this would constitute a “personal data breach”. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. Such persons will only process your personal data on our instructions (as our processors), and they are subject to a duty of confidentiality and other contractual duties to maintain security and integrity of the information provided to them.
  2. We educate and train our coaches, mentors, administrative staff and other business partners on our information security, fraud prevention and privacy obligations at least annually, and they are aware that mishandling of your personal data is a disciplinary offence, but also has important legal implications.
  3. We have put in place procedures to deal with any suspected personal data breaches and where we are legally required to do so, we will notify you and any applicable supervisory authority of such breaches without undue delay.
  4. Transmission of information via the internet is not completely secure, and we take all reasonable steps to protect personal data from loss, misuse, or alteration when it is within our control. For example, if you choose to complete our online forms or make enquiries via telephone calls and attend training events via videoconference, such recordings may be stored on cloud servers provided through the videoconferencing service or other third party software. We will ensure that personal data are stored on password-protected databases or secure servers, which not every mentor, coach or staff member will have access to.
  5. Whilst we take appropriate technical and organisational measures to safeguard your personal data, please note that we cannot guarantee the security of any data that you transfer over the internet to us.

9. Existence of automated decision-making (including profiling)

  1. Automated decision-making” is the process of making a decision by automated means without any human involvement. We do not use automated decision-making or profiling when processing personal data, as there is always a process of manual intervention by humans. Where we decide to do so, we would confirm this to you and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences for you. We are not responsible for any automated decision-making by third parties but may take reasonable steps to bring such automated decision-making to your attention.
  2. Profiling” means any form of automated processing of personal data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

10. Your rights as a data subject

  1. Under the Data Protection Legislation, we are required to inform you about the existence of the right to request from us access to and rectification or erasure of personal data or restriction of processing of personal data concerning you as a data subject, as well as your right to object to processing, your right to data portability, and your right to lodge a complaint with a supervisory authority. We explain each of these rights below.
  2. Under the Data Protection Legislation in Gibraltar, if you are a natural person (in other words, a human being and not a company), you have the right to:
    • Receive information about the processing of your personal data (and if you did not give it to us, information as to the source). This is the purpose of this policy and any other privacy notices we prepare.
    • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold aboutyouand certain supplementary information, in order for you to check that we are lawfully processing it.
    • Request rectification of incorrect, inaccurate, or incomplete personal data we hold.We want to ensure that your personal data is accurate and up to date. If any of the information that you have provided to us changes (e.g. if you change your email address or name) please let us know the correct details by contacting us on the details at the end of this policy.
    • Request, in certain cases, deletion of your personal data when it is no longer needed or if processing it is unlawful(commonly known as the “right to be forgotten”)
    • Request, in certain cases, the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you if(i) you contest its accuracyand want us to establish its accuracyor the reason for processing it;(ii) the processing is unlawful but you do not wish to exercise your right of erasure; (iii) we no longer need the personal data for our purposes, but you require this to establish, exercise or defend legal claims; or (iv) you have exercised your right to object (see below)pending determination of whether legitimate interests override your rights and freedoms.
    • Request, in certain cases, the transfer of your personal data to you or to a third partyin a structured, commonly used, machine-readable formatwhere this is technically feasible and does not adversely affect the rights and freedoms of others(commonly known as the “right to data portability”). This right is also limited to caseswhere processing is based on consent or on contract and is carried out by automated means.
    • Objectto processing of your personal data based onlegitimate interests (or those of a third party) or on grounds of public task (including profiling based on those grounds) and your particular situation makes you want to object to processing.
    • Freedom from direct marketing(commonly known as “opting-out”). Under the right to object, you may also object at any time to processing of your personal data for direct marketing purposes (including profiling to the extent that it is related to such direct marketing). This is an absolute right, in the sense that it is always available to you, and you can exercise this right at any time without restriction. You have a choice about whether or not you wish to receive direct marketing information from us. We will not contact you for marketing purposes unless (i) you have a business relationship with us, and we rely on our legitimate interests as the lawful basis for processing (as described above); or (ii) you have otherwise given your prior consent (such as when you actively subscribe for news, information, newsletters, or marketing information on our website, where we provide this functionality). We will only use your preferred communication channels to contact you, and on each and every marketing communication, we will always provide the option for you to exercise your right to object to the processing of your personal data for marketing purposes by clicking on an ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your data. You can change your marketing preferences and/or opt-out at any time by contacting us on the details at the end of this policy.Please note that any administrative or service-related communications (to offer our services or notify you of an update to this policy or applicable terms of business, etc.) are not methods of direct marketing and generally do not offer an option to unsubscribe as they are necessary to provide the services requested.Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our website or as part of a contractual relationship we may have with you.
    • Freedom from automated decision-making, including profiling. You may request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers (commonly known as “human intervention”). You also have the right in this case to express your point of view and to contest the decision.
    • Withdraw your consent. Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Consent should be as easy to withdraw as it is to give, so we will normally provide toggle switches, tick boxes or forms that allow you to change your preference at any time online. However, if an online option is not available, or if you have submitted a paper form and no longer have a copy available, you can always enquire about and exercise your right to withdraw consent by contacting us on the details at the end of this policy.
    • Raise a complaint with us about how we have handled your personal data. We would appreciate the chance to deal with your concerns before you approach a supervisory authority so please contact us in the first instance using the details contained at the end of this policy.
    • Raise a complaint with a relevant supervisory authority. Where we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you have a right to lodge a complaint with the Information Commissioner of Gibraltar (the “Commissioner”), which is the Gibraltar Regulatory Authority (“GRA”).You may contact the GRA on the below details:
      • Address:               Gibraltar Regulatory Authority, 2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar
      • Email:         
      • Phone:                  (+350) 200 74636
      • Fax:                       (+350) 200 72166
      • Website:     
    • You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place if that is based in the EEA. If based in the UK, you have a right to complain to the Information Commissioner’s Office (“ICO”) under UK GDPR, and if based outside of the EEA, Gibraltar, or the UK, you may have additional rights to complain to a relevant supervisory or other competent body or authority in accordance with local privacy laws.
  3. Requests are free of charge, unless manifestly unfounded or excessive (in particular because of any repetitive character in such requests) in which case we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances.Please also note that there are certain exemptions or derogations from, and restrictions and adaptations of the application of, rules of the Data Protection Legislation. These exemptions may impact on your rights andentirely or partially restrict them in certain cases. The rights themselves are in most cases qualified rights and may not always apply.
  4. If you wish to exercise any of these rights, please contact us on the details found at the end of this policy.
  5. Requests will be processed within one month of receipt, but this might be extended to two months in case of a complex request, where you have made a number of requests.
  6. We may need to request specific information from you to help us understand the nature of your request, to confirm your identity and to ensure that personal data is not disclosed to any person who has no right to receive it. If the identity of the requestor cannot be verified, applicable time periods under the Data Protection Legislation may be paused until verification information is provided.
  7. Depending on your particular circumstances, you may also have additional rights if you live or work outside of Gibraltar. For example, the EU GDPR may apply to you if you are based in the EEA, and also depending on whether we are seen to be offering goods or services or monitoring the behaviour of persons in the EEA.You can find out more about the EU GDPR and your rights (if any) by accessing the European Commission’s website: Likewise, if you are based outside of the EEA, other local privacy laws may apply.

11. Cookies

  1. We use cookies or similar technologies to analyse trends, administer the website, track users’ movements around our website, and to gather demographic information about our user base as a whole. A cookie is a text file that is placed on your hard disk by a web server. Cookies help you personalise your online experience and act as a convenience feature to save you from having to input the same information again by recalling your specific information and preferences from previous visits. Some cookies also track your movements across websites.For more information on cookies and how to manage them, please visit our Cookies page.

12. Privacy protections for children using the internet

  1. Protecting children’s privacy is important to us. For that reason, we do not collect or maintain information on our website from those we actually know are under the age of 16, nor is any part of our website targeted to attract anyone under 16. We request that all visitors to our website who are under 16 not disclose or provide any Personal Data and discontinue use of our website.We also may limit how we collect, use, and store some of the information of data subjects between 16 and 18 years old. In some cases, this means we will be unable to provide certain services to these data subjects.
  2. If we are required to provide or decide to provide online services to a child, or to investigate a report or complaint made by a child, we will need parental consent for this, and may, for this purpose, ask for the name, email address and contact information of the person(s) with parental responsibility for that child.We may also ask you to verify your date of birth before collecting any personal information from you. If you are under the age of 16, our services may be either blocked or redirected to a parental consent process.
  3. A parent who has already given us permission to collect and use their child’s personal information can, at any time:
    • review, correct or delete the child’s personal data; or
    • discontinue further collection or use of the child’s personal information.

13. Managing communication preferences

  1. We aim to send you content and information that is relevant and engaging, in accordance with the preferences you have expressed when interacting with us. Should you want to update your preferences and change what type of communications you receive, you can do so by visiting the preference centre, accessible from the footer of our emails (“Update your email preferences”).
  2. You may, at any time, unsubscribe from our marketing communications altogether by clicking on the “unsubscribe” link located on the bottom of our emails, or by sending us an email at
  3. Please note that you cannot opt out of receiving transactional emails relating to a training course you have purchased, an enquiry you have made with us, or an offer that you signed up for (i.e. download a white paper, get a promotional code), but may choose to opt out of receiving future offers.

14. Third party websites, social media networks, advertising

  1. Occasionally, at our discretion, we may include links to third party products, services, or websites on our website. Please be aware that we are not responsible for the privacy practices of any third party sites, nor do we verify nor accept any responsibility or liability for their content. The privacy policies of others may differ significantly from this policy. Therefore, we encourage you to read the privacy statement/policy of each and every third party website that collects personal data.

15. Changes to this Privacy Policy

  1. We may, from time to time, make changes to this policy. Where we do so, we will notify those who have a business relationship with us, have an online account with us, or who are subscribed to our emailing lists directly of the changes, and change the ‘Last Updated’ date above. Any amended policy will be effective immediately on the date stated therein.
  2. Please make sure you visit this page to see the most up-to-date policy. We encourage you to review this policy whenever you access or use our website to stay informed about our information practices and the choices available to you. If you do not agree to the revised policy, you should discontinue your use of our website. By continuing to access or use our website and/or services after the effective date of a change, you confirm your acceptance of any revised Privacy Policy or policies.
  3. If you are an existing business relationship with us and do not agree to the revised Privacy Policy, your only option will be to terminate this under applicable terms and conditions and any other contractual arrangement we may have with you.

16. Contact Information

  1. The data controller for any personal data you provide to us is Lean Solutions Limited, a company incorporated in Gibraltar with registered number 114836and registered office situated at Suite 16, Watergardens 5, Gibraltar. Our trading/business name is ‘Coaching Outside the Box’.
  2. If you have any questions, concerns or comments or if you would like further information about this policy, how we handle your personal data, or otherwise wish to enforce your data protection rights please contact us at the above address or email us at:

This privacy policy is to be construed in accordance with Gibraltar law, and the courts of Gibraltar shall have jurisdiction to determine any disputes arising in relation to the interpretation or construction of the same.

© Lean Solutions Limited. All rights reserved.