Privacy policy.

The Good Shepherd Covenant of Care Privacy Policy & GDPR Statement

Effective Date: 25 November 2025

Policy Version: 1.1

1. Introduction and Data Controller

This policy outlines how The Good Shepherd Solutions (referred to as "we," "us," or "our") collects, uses, stores, and protects the personal data of members of The Good Shepherd Covenant of Care membership scheme ("Members").

By joining or using the services under this Covenant, you agree to the collection and use of information in accordance with this policy.

  • Data Controller: The Good Shepherd Solutions

  • Contact for Privacy Matters: dataprotection@thegoodshepherdsolutions.com

  • Postal Address: Madison Close, Hayle, TR27 4BZ

2. Information We Collect

We collect and process the following categories of personal data when you join or interact with The Good Shepherd Covenant of Care:

  • Identity Data: Name, title, job role, and organization name.

  • Contact Data: Email address, telephone number, and postal address (for billing/correspondence).

  • Financial Data: Payment information (processed securely via a third-party payment processor; we do not store full payment card details).

  • Membership Data: Membership tier (Flock, Shepherd, Guardian), sign-up date, and status.

  • Usage Data: Records of which policy updates, webinars, or services you have accessed or purchased.

3. How We Use Your Data (Purpose)

We use your personal data for the following essential purposes:

  • Membership Administration: To manage your membership, deliver the contracted benefits (e.g., policy discounts, 1-to-1 support access), and process renewals.

  • Service Communication: To send essential, non-marketing communications related to your service (e.g., billing invoices, service notifications, login credentials).

  • Statutory Compliance: To communicate required, relevant changes to legislation and best practice guides as part of your membership benefit (via the regular newsletter).

  • Marketing (Consent-Based): To send promotional emails, newsletters, and information about new services only if you have provided explicit consent (opt-in).

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:

  • Contractual Necessity: Processing is necessary for the performance of the contract (the membership agreement) we have with you (e.g., providing access to discounted services).

  • Legitimate Interests: Processing is necessary for our legitimate interests (e.g., securing our IT systems, analysing service usage to improve offerings), provided your interests and fundamental rights do not override those interests.

  • Consent: We rely on your explicit opt-in consent for sending direct marketing communications and promotional materials. You may withdraw this consent at any time via the unsubscribe link in the email or by contacting us.

5. Data Storage, Security, and Third Parties

  • Data Processor (CRM): All operational membership data (Identity, Contact, and Membership Data) is securely stored and managed within Monday CRM. Monday CRM acts as a Data Processor on behalf of The Good Shepherd Solutions (the Data Controller). This tool is essential for the administration of your Covenant of Care membership, including tracking policy usage and managing billing records.

  • Legal Agreement: We maintain a contractual agreement (Data Processing Addendum) with Monday CRM to ensure they process your data lawfully and adhere to strict GDPR technical and organizational security standards.

  • Security Measures: The Good Shepherd Solutions implements appropriate technical and organizational measures to protect your data against accidental loss, unauthorized access, and unlawful processing, including encryption and controlled access within our systems.

6. Your Rights (Subject Access Requests)

Under GDPR, you have strong rights regarding your personal data. To exercise any of these rights, please contact the Data Controller using the contact details in Section 1.

  • Right of Access (Subject Access Request - SAR): You have the right to request a copy of the personal data we hold about you. While the term "Freedom of Information" is sometimes used for data requests, the correct legal mechanism for requesting your personal data from us is a Subject Access Request (SAR). We will respond to all valid SARs within one month of receipt.

  • Right to Rectification: You can request that inaccurate or incomplete data we hold about you is corrected.

  • Right to Erasure ('Right to be Forgotten'): You can ask us to delete your personal data where there is no good reason for us to continue processing it.

  • Right to Withdraw Consent: You may withdraw your consent for direct marketing at any time.

7. Data Retention

We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements.

We generally retain membership data for a period of seven years after the termination of your membership to comply with tax and legal regulations. Data used solely for marketing purposes is retained until you opt out or request erasure.

8. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Policy on our website and, where appropriate, notifying you via email.