Legal & Compliance

Privacy Notice

How we collect, use, and protect your personal data — and what your rights are.

Version: 2.0.0

Published: May 2026

Last reviewed: May 2026

Next review: November 2026

Controller: Vulnerability Managers Limited

Introduction

We are Vulnerability Managers, a UK consultancy run by Matt Radford. We provide training, coaching, consultancy, and advisory services on how to work with people in vulnerable circumstances.

We collect personal data to deliver our services and to meet our legal obligations. We never sell your data. We do not share it with third parties except where we have a legal duty to do so — for example, in a safeguarding situation.

You have rights over your data, including the right to see what we hold, to ask us to correct it, and in some cases to ask us to delete it.

To use those rights, or to ask us any questions, contact matt@vulnerabilitymanagers.com.

If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Who we are

We are Vulnerability Managers Limited, a company registered in England and Wales (Company No. 17145853). We trade as Vulnerability Managers.

Our founder and director is Matt Radford. He is the data controller for all personal data Vulnerability Managers processes.

Registered address: Vulnerability Managers Limited, Chingford, London, United Kingdom.

Contact: matt@vulnerabilitymanagers.com

We are registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration is held in line with UK GDPR Article 30 (records of processing activities).

What personal data we collect

We only collect what we need. The type of data we collect depends on how you work with us.

If you enquire about or book our services

  • Name, job title, organisation

  • Email address and phone number

  • Information about the service you are enquiring about

  • Accessibility and adjustment requirements you choose to share

If you attend training, coaching, or a consultancy engagement

  • Attendance records

  • Session notes (where relevant to the engagement)

  • Accessibility requirements and reasonable adjustments

  • Any information about your circumstances you choose to share with us

If you are an associate or subcontractor

  • Identity and contact information

  • Right-to-work documentation

  • Qualifications and professional memberships

  • DBS check information where regulated activity applies

  • Contractual and financial records

If you are a third-party partner or supplier

  • Organisation and contact details

  • Information gathered as part of our due diligence process

  • Contractual records and monitoring notes

If you visit our website

  • Cookies and analytics data (see our separate Cookie Policy)

  • Any information you submit via a contact or enquiry form

Why we collect it — our lawful bases

Under UK GDPR Article 6, we must have a lawful basis for processing personal data. The list below sets out the bases we rely on and when each applies.

Performance of a contract - 6(1)(b)

Delivering services you have engaged us to provide — training, coaching, consultancy, advisory work

Legal obligation - 6(1)(c)

Meeting our duties under safeguarding law, modern slavery legislation, HMRC requirements, and other legal requirements

Vital interests - 6(1)(d)

In safeguarding situations where we believe someone's life or safety is at risk and we cannot obtain consent in time

Legitimate interests - 6(1)(f)

Responding to enquiries; running due diligence on partners; maintaining records needed for the safe delivery of services; communication with clients and associates about existing engagements

Consent - 6(1)(a)

Where we use specific tools — for example, transcription software — and ask for your agreement before using them. Consent is always specific, informed, and freely given, and you can withdraw it at any time

Special category data

Some of the data we may handle is classified under UK GDPR Article 9 as special category data. This includes information about health, disability, mental health, and other protected characteristics.

We come into contact with this type of data through:

  • Requests for reasonable adjustments from delegates or coachees

  • Voluntary disclosures of vulnerability or personal circumstances during an engagement

  • Safeguarding disclosures that require us to act

  • Equality, diversity and inclusion considerations in our work

Our Article 9 conditions

For special category data, we must also meet a condition under UK GDPR Article 9. The conditions we rely on are:

  • Explicit consent — where you have actively chosen to share information with us for a specific purpose (Article 9(2)(a))

  • Vital interests — in a safeguarding situation where processing is necessary to protect life and consent cannot be obtained (Article 9(2)(c))

  • Safeguarding condition — under Schedule 1 Part 2 of the Data Protection Act 2018, for processing necessary for safeguarding purposes

How we handle it

We collect the minimum we need for the purpose. We use it only for that purpose. We store it securely and do not share it with clients, other delegates, or third parties without your consent — except in the narrow circumstances described in Section 6 below.

How we use your data

We use the data we collect only for the purpose it was collected for. Specifically:

  • To deliver the service you have engaged us to provide

  • To make reasonable adjustments so you can participate fully

  • To respond to a disclosure of vulnerability in a way that is appropriate and proportionate

  • To meet our safeguarding obligations — identifying risk, responding, recording, and referring when needed

  • To carry out due diligence before we work with a third-party partner or supplier

  • To comply with our legal obligations (safeguarding law, modern slavery legislation, HMRC, and others)

  • To communicate with you about an existing engagement

We do not use your personal data for unsolicited marketing. We do not use automated decision-making that would have a significant effect on you.

Purpose limitation

Data collected for one purpose is not used for another purpose without a fresh lawful basis. For example, information you share with us to request a reasonable adjustment is used to make that adjustment — it is not passed to your employer or shared with other participants.

Who we share your data with

We share personal data with third parties only when we have to or when we have your consent.

When we may share data without your consent

  • Safeguarding referrals — if we have a duty to act to protect someone from harm, we may share information with the relevant local authority, police, Disclosure and Barring Service (DBS), Charity Commission, or regulator. We share only what is necessary.

  • Legal obligations — where a court order, regulatory duty, or other legal requirement means we must disclose information

  • HMRC — financial and tax records where required by law

When we share data with your knowledge

  • Associates and subcontractors — where a colleague is involved in delivering a service to you, they will have access to what they need to do that work. All associates sign a data processing agreement and must follow this Privacy Notice.

  • Technology providers — for example, secure file storage or video conferencing tools we use in service delivery. These providers are assessed before use and must meet our data protection requirements.

What we do not do

  • We do not sell your personal data

  • We do not share vulnerability or adjustment disclosures with clients, employers, or other participants without your consent

  • We do not transfer personal data outside the UK unless we have a lawful transfer mechanism in place (such as an International Data Transfer Agreement — IDTA)

AI and your data

We use AI tools to support our work — for drafting, summarising, and administrative tasks. Our AI Use Policy sets firm limits on how your data is involved.

  • We do not input your personal data, special category data, or commercially sensitive information into a public AI tool that does not provide enterprise-level data protection guarantees

  • We do not use AI to make automated decisions about you that would have a significant effect

  • Where we use transcription tools, we ask for your consent first, tell you which tool we use, and confirm how long the recording is kept

  • We carry out a Data Protection Impact Assessment (DPIA) before using any AI tool that involves high-risk processing (UK GDPR Article 35)

Where AI has been used in producing a deliverable for you, we tell you — for example, noting that a report includes AI-assisted drafting reviewed and signed off by Matt Radford.

How long we keep your data

We keep personal data only as long as we need it. The length of time depends on the type of data and the purpose it was collected for. The list below gives, for each type of record, how long we keep it and the reason.

Client contracts and financial records

  • 7 years from end of engagement (Legal and tax obligation)

Safeguarding records

  • As required by relevant safeguarding guidance — typically until the youngest person involved reaches 25, or longer where a serious incident occurred (Legal duty; guidance from statutory safeguarding bodies)

Reasonable adjustment records

  • Duration of the engagement; deleted promptly when no longer needed (Purpose limitation — collected for the adjustment only)

Vulnerability disclosures (non-safeguarding)

  • Duration of the engagement; deleted promptly when no longer needed (Data minimisation — minimum necessary, minimum duration)

Associate and subcontractor records

  • Duration of the engagement plus 7 years (Legal and contractual obligations)

Enquiries not leading to an engagement

  • 12 months from last contact (Legitimate interests; deleted when purpose is exhausted)

When data is no longer needed, it is deleted securely.

Paper records are shredded.

Digital records are permanently deleted from all storage locations including backups within a reasonable time.

Your rights

Under UK GDPR, you have a number of rights over your personal data. Your rights depend on the lawful basis we use to process your data and the specific circumstances.

Access

  • Ask us to confirm whether we hold data about you and to receive a copy. This is called a Subject Access Request (SAR). We respond within one month.

Rectification

  • Ask us to correct data that is inaccurate or incomplete.

Erasure

  • Ask us to delete your data in certain circumstances — for example, where the data is no longer needed or you withdraw consent.

Restriction

  • Ask us to limit how we use your data while a query is resolved.

Portability

  • Receive your data in a structured, machine-readable format where we process it by automated means on the basis of consent or contract.

Object

  • Object to processing based on legitimate interests. We will stop unless we can show a compelling reason that overrides your interests.

Withdraw consent

  • Where we process your data on the basis of consent, you can withdraw it at any time. Withdrawal does not affect processing that took place before you withdrew.

Automated decisions

  • Not to be subject to a solely automated decision that has a significant effect on you. We do not make such decisions.

To exercise any of these rights, contact us using the details in Section 10.

We do not charge a fee for standard requests. We may ask you to confirm your identity before responding.

Contact and complaints

If you have a question about this notice, want to exercise a right, or have a concern about how we have handled your data, contact us directly in the first instance.

Data controller contact

Matt Radford

Founder & Director, Vulnerability Managers

Email: matt@vulnerabilitymanagers.com

We aim to acknowledge all data-related requests within five working days and to respond fully within one month of receiving your request.

If you are not satisfied with our response, or if you believe we are processing your data unlawfully, you have the right to complain to the Information Commissioner's Office (ICO) — the UK supervisory authority for data protection.

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

You can also make a complaint using the ICO's online form at ico.org.uk/make-a-complaint

Changes to this notice

We review this Privacy Notice in line with our data protection obligations and any changes to the law or our services. The review schedule follows our AI Use Policy cadence — every six months until the regulatory landscape stabilises — and in any case when a material change occurs.

Material changes include: a new service or way of processing data; a change to the lawful bases we rely on; a new technology provider; or a relevant change in UK data protection law.

When we make a significant change, we update the version number and the "last reviewed" date at the top of this page. We do not notify individuals of minor updates.

The current version of this notice is always available at vulnerabilitymanagers.com/privacy.

Version history

Version: 2.0.0

Date: May 2026