Privacy Policy

Emma Heptonstall Ltd, trading as The Divorce Alchemist

Last updated: June 2026

About this policy

This policy explains how I collect, use, and protect your personal data when you visit my website, contact me, work with me, or join my community. I have written it in plain language so you can understand exactly what happens to your information and what your rights are.

I take data protection seriously. I have built my coaching practice on integrity and clear communication. That extends to how I handle your data.

If anything in this policy is unclear, or if you want to exercise any of the rights described below, please email me at emma@emmaheptonstall.com.

Who I am

Emma Heptonstall Ltd is the data controller and is responsible for your personal data. References to “I”, “me”, or “my” in this policy mean Emma Heptonstall Ltd.

Registered office: 71-75 Shelton Street, London, WC2H 9JQ

Contact email: emma@emmaheptonstall.com

I am registered with the Information Commissioner’s Office (ICO) as a data controller. My ICO registration number is ZA221680.

This policy applies to personal data collected through my website emmaheptonstall.com, my services, my community, and any other interaction we have.

What personal data I collect and why

I collect different types of personal data depending on how you interact with me.

Contact and enquiry data

Name, email address, phone number where provided, and the content of your message. I collect this when you fill in a contact form, email me, message me on social media, or otherwise get in touch. I use this data to respond to you and to keep a record of our communication.

Lawful basis: legitimate interests (responding to enquiries and keeping appropriate business records).

Client data

For people who become coaching or consultation clients, I also collect billing information, booking details, and the content of our correspondence by email, message, and voice note. I use this data to deliver the services you have engaged me for.

Lawful basis: performance of a contract.

Sensitive personal data (special category data)

Clients often share information about their physical and mental health, the health effects of their relationship or divorce, and sometimes their sex life or sexual orientation as relevant to their situation. This is special category data under Article 9 UK GDPR and requires an additional lawful condition.

Lawful condition: your explicit consent, given when you engage my services.

Criminal offence data

Clients sometimes share information about domestic abuse, coercive control, police involvement, non-molestation orders, occupation orders, or related proceedings. This is criminal offence data under Article 10 UK GDPR.

Lawful condition: your explicit consent, given when you engage my services.

I receive this information only from you, the client. I do not seek out, verify, or record criminal offence information about anyone else.

Important note on session notes: I do not create or retain written notes of coaching or consultation sessions. Any notes I scribble during a call are anonymous and destroyed immediately. The only record of our work together is the correspondence we exchange. I do not record our sessions or use an AI note-taker.

Marketing data

If you subscribe to my newsletter or other communications, I hold your name, email address, your preferences, and a record of how you have engaged with my emails.

Lawful basis: your consent, which you can withdraw at any time.

Payment data

I do not store payment card details. Payments are processed by Stripe, PayPal, ThriveCart, and Xero, who handle this information under their own privacy policies and security standards.

Website usage data

I collect technical information about how you use my website, including your IP address, browser type, pages visited, and length of visit. This is collected through cookies and analytics tools.

Lawful basis: legitimate interests (running and improving my website and business). For non-essential cookies, your consent.

See my Cookie Policy for full details.

A note on safeguarding

Confidentiality is not absolute. If you share information that indicates a risk of serious harm to a child or vulnerable adult, I may need to pass that information to the appropriate authorities. I will discuss this with you first wherever possible, but I cannot guarantee complete confidentiality in those circumstances.

Who I share your data with

I keep your data confidential and only share it with the following categories of recipients.

My processors

These are the platforms and people who help me run my business. Each of them processes your data on my behalf, under a written agreement and appropriate security arrangements:

  • 123 Reg (GoDaddy) — business email hosting (incoming email is delivered to Google Workspace)
  • Google (Gmail, Google Drive) — emails, documents, file storage
  • ActiveCampaign (via Campaign Builder Pro, UK) — email marketing
  • ThriveCart — checkout and order processing
  • Stripe, PayPal — payment processing
  • Xero — invoicing and accounting
  • Dropbox and Dropbox Sign — document storage and signing
  • Acuity Scheduling (Squarespace) — appointment booking
  • TidyCal — appointment booking
  • MemberVault — course delivery
  • Skool — community platform (She Can Divorce)
  • WhatsApp, Voxer — direct client communication where applicable
  • WP Engine — website hosting
  • An Online Business Manager — a contracted business support professional who may access my email and systems to help administer client correspondence. She works under a written data processing agreement with confidentiality, security, and data deletion obligations.

Professional advisers

My accountant, and if required my legal and insurance advisers.

Authorities

If I am legally required to share information, or if safeguarding concerns arise as described above.

I do not sell your personal data. I do not share it for any other organisation’s marketing purposes.

International transfers

Several of my processors are based outside the United Kingdom, primarily in the United States. Where this is the case, I rely on one of the following safeguards to protect your data:

  • The UK Extension to the EU-US Data Privacy Framework, for processors certified under that scheme
  • The UK’s International Data Transfer Agreement (IDTA), or Standard Contractual Clauses with the UK Addendum
  • A UK adequacy decision, where one applies (for example Switzerland)

My Online Business Manager accesses my systems from Turkey, which does not have a UK adequacy decision. This transfer is covered by an IDTA between us.

How long I keep your data

Data and retention period:

  • Client emails and correspondence: 6 years from the end of our working relationship
  • Engagement terms and signed agreements: 6 years from the end of the contract
  • Invoices and financial records: 6 years from the end of the relevant accounting period
  • Enquiries that did not become clients: 12 months from last contact
  • Marketing contacts: while your consent remains valid, reviewed every 2 years

I count the end of the working relationship as the earlier of a clear ending or six months with no substantive contact. After these periods, data is securely deleted or anonymised.

You have the right to ask me to delete your data sooner. See “Your rights” below.

How I keep your data secure

I have appropriate technical and organisational measures in place, including:

  • Two-factor authentication on all business accounts
  • Strong unique passwords stored in an encrypted password manager
  • Passcode protection on all devices
  • A written data processing agreement with my Online Business Manager
  • No client data stored on shared or unsecured devices
  • A documented breach response procedure

If a personal data breach occurs that is likely to affect you, I will notify you and the ICO within the timeframes required by law.

Automated decision-making

I do not carry out solely automated decision-making, including profiling, that produces legal or similarly significant effects on you. If this changes, I will update this policy and let you know.

Your rights

Under UK GDPR you have the following rights:

  • Access — to receive a copy of the personal data I hold about you
  • Rectification — to have inaccurate data corrected
  • Erasure — to have your data deleted, subject to any legal obligation I have to retain it
  • Restriction — to restrict how I process your data
  • Portability — to receive your data in a portable format
  • Objection — to object to processing based on legitimate interests
  • Withdrawal of consent — where I rely on consent, you can withdraw it at any time

To exercise any of these rights, please email me at emma@emmaheptonstall.com.

I will respond within one month. If your request is complex I may extend this by a further two months, in which case I will tell you why. I may need to verify your identity before responding.

There is no fee unless your request is manifestly unfounded or excessive.

How to complain about how I handle your personal data

If you are unhappy with how I have handled your personal data, I encourage you to come to me first — though you have the right to go directly to the ICO at any time without doing so.

To complain to me directly

Email me at emma@emmaheptonstall.com with:

  • Your name and contact details
  • A description of what you believe went wrong
  • Any relevant dates or context
  • The outcome you are looking for, if you have one in mind

I will acknowledge your complaint within 30 days, investigate it properly, and aim to provide a full response within three months. If exceptional circumstances mean I need longer, I will tell you and explain why.

If you are not satisfied

If you remain dissatisfied with my response, or if I have not resolved your complaint within three months, you have the right to escalate to the Information Commissioner’s Office. You also retain this right from the outset — there is no requirement to come to me first.

  • Website: ico.org.uk/make-a-complaint
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You also retain the right to apply to a court for a remedy under UK GDPR.

Children

My services are aimed at adults. I do not knowingly collect personal data from anyone under 18. If you believe a child has provided me with personal data, please contact me and I will delete it.

Cookies

My website uses cookies for essential functions, analytics, and to remember your preferences. See my Cookie Policy for full details and to manage your preferences.

Changes to this policy

I review this policy annually and update it when the law changes or when my business changes how it handles data. The version date at the top tells you when it was last updated. Material changes will be flagged on my website.

Contact

For any questions about this policy or about how I handle your personal data, please email me at emma@emmaheptonstall.com.