CREATIVE ENTREPRENEURS CLUB - PRIVACY POLICY
creativeentrepreneursclub.co.uk
Version 1.0 | Effective Date: May 15, 2026 | Last Reviewed: May 15, 2026
1. WHO WE ARE AND HOW TO CONTACT US
1.1 Creative Entrepreneurs Club ("CEC", "we", "us", "our") is a people-powered membership network connecting, upskilling, and empowering creative freelancers and businesses. We operate through our website at creativeentrepreneursclub.co.uk and associated platforms.
1.2 For the purposes of applicable data protection law, CEC is the data controller of your personal data. This means we determine the purposes for which, and the manner in which, your personal data is processed.
1.3 Our contact details for all privacy and data protection matters are:
Creative Entrepreneurs Club
[Registered Address]
Email: [email protected]
Website: creativeentrepreneursclub.co.uk
1.4 If you have any questions about this Privacy Policy or how we handle your data, please contact us at the address above. We aim to respond to all privacy enquiries within 30 days.
2. THE LEGAL FRAMEWORK
2.1 This Privacy Policy is governed by and prepared in accordance with:
The UK General Data Protection Regulation (UK GDPR), as retained in UK law by the European Union (Withdrawal) Act 2018
The Data Protection Act 2018
The Privacy and Electronic Communications Regulations 2003 (PECR)
2.2 This policy applies to all personal data we collect from you as a website visitor, free member, paid member, course purchaser, event attendee, or in any other capacity in connection with our Services.
2.3 We are based in Scotland. These Terms are governed by the laws of Scotland, and any disputes relating to your personal data shall be subject to the jurisdiction of the Scottish courts.
3. WHAT PERSONAL DATA WE COLLECT
3.1 Data you give us directly
When you register for an account, purchase a membership or course, attend an event, or contact us, we may collect:
Identity data: first name, last name, username or display name
Contact data: email address, phone number, and postal address (where provided)
Business data: business name, job title, industry sector, social media handles, website URL, and professional biography
Payment data: billing address and payment card details (note: we do not store full card details — these are processed directly by our payment processor)
Profile data: your membership tier, course enrolments, community posts, direct messages, and any content you share within our platforms
Communications data: the content of any messages, enquiries, or feedback you send us
Preferences and consent data: your marketing consent preferences and communication preferences
3.2 Data collected automatically
When you use our website and platforms, we may automatically collect:
Technical data: IP address, browser type and version, device type, operating system, time zone, and referring URLs
Usage data: pages visited, links clicked, content viewed, session duration, course progress, quiz scores, and survey responses
Cookie data: as described in our Cookie Policy (see Section 12)
3.3 Data from third parties
We may receive data about you from:
Our platform providers (Thinkific), where you interact with our hosted courses or community
Social media platforms, where you connect with us or engage with our content
Zoho CRM, where data may be entered by our team following contact with you
4. HOW WE USE YOUR PERSONAL DATA AND OUR LEGAL BASES
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we process your data and the legal basis we rely on in each case.
Purpose: Creating and managing your CEC account | Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR)
Purpose: Processing membership payments and issuing receipts | Legal basis: Performance of a contract (Article 6(1)(b))
Purpose: Providing access to courses, community spaces, meetups, and events | Legal basis: Performance of a contract (Article 6(1)(b))
Purpose: Sending transactional emails (account confirmations, receipts, booking confirmations) | Legal basis: Performance of a contract (Article 6(1)(b))
Purpose: Sending marketing emails, newsletters, and promotional communications | Legal basis: Consent (Article 6(1)(a)) — you may withdraw this consent at any time
Purpose: Managing our CRM records and member relationship data | Legal basis: Legitimate interests (Article 6(1)(f)) — to manage our business and member relationships effectively
Purpose: Hosting and facilitating online meetings, masterclasses, and events via Zoom | Legal basis: Legitimate interests (Article 6(1)(f)) — to deliver our Services to you
Purpose: Automating workflows between our platforms (via Zapier) | Legal basis: Legitimate interests (Article 6(1)(f)) — to operate our Services efficiently
Purpose: Analysing how our website and platforms are used, to improve our Services | Legal basis: Legitimate interests (Article 6(1)(f)) — to develop and improve our offerings
Purpose: Complying with legal obligations (e.g. financial record-keeping, responding to regulatory requests) | Legal basis: Legal obligation (Article 6(1)(c))
Purpose: Establishing, exercising, or defending legal claims | Legal basis: Legitimate interests (Article 6(1)(f))
4.1 Where we rely on legitimate interests as our legal basis, we have assessed that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 10.
4.2 Where we rely on consent as our legal basis (in particular for marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, click the unsubscribe link in any marketing email or contact us at [email protected].
5. OUR THIRD-PARTY PLATFORMS AND DATA PROCESSORS
5.1 We use a number of trusted third-party technology platforms to deliver our Services. Where these platforms process personal data on our behalf, they act as data processors and are subject to contractual obligations to handle your data securely and in accordance with UK GDPR.
5.2 The following is a description of each platform we use, the data they process, and where relevant, the international transfer safeguards in place.
Thinkific Labs Inc.
Role: Data processor
Purpose: Hosting our website, online courses, CEC Social community platform, and sending transactional emails (account confirmations, enrolment notifications, receipts).
Data processed: Name, email address, account data, course progress, community posts, payment transaction data, and usage data.
Location: Canada and USA (AWS infrastructure). Thinkific has entered into a Data Processing Addendum (DPA) incorporating the Standard Contractual Clauses approved by the ICO for international transfers. Thinkific is certified as GDPR-compliant and operates under its own DPA with CEC.
Further information: thinkific.com/privacy-policy and thinkific.com/dpa
Zoom Video Communications, Inc.
Role: Data processor
Purpose: Hosting our online meetups, masterclasses, training sessions, 1-2-1 advisory sessions, and other live virtual events.
Data processed: Name, email address, IP address, device information, video and audio data during meetings, and chat messages where used. Meeting recordings (where made) may also contain personal data.
Location: USA. Zoom relies on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (incorporating the UK Addendum issued by the ICO under s.119A(1) of the Data Protection Act 2018) as the basis for international data transfers.
Important: Where CEC records a meeting, we will notify all participants in advance and obtain consent where required. Recordings will be stored securely and access limited to those with a legitimate need.
Further information: zoom.com/en/trust/privacy
Google Workspace (Google LLC)
Role: Data processor
Purpose: Internal CEC communications (Gmail), document storage and collaboration (Google Drive, Google Docs), scheduling, and file management. Google Workspace is used by CEC staff and is not directly accessed by members.
Data processed: Internal communications, documents, and files which may contain member data (e.g. contact details or correspondence).
Location: USA and other Google data centres globally. Google LLC participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses for UK transfers.
Further information: workspace.google.com/terms/dpa_terms.html
Zoho Corporation (Zoho One suite)
Role: Data processor
Purpose: Marketing email communications (Zoho Campaigns), customer relationship management and member records (Zoho CRM), and related business operations.
Data processed: Name, email address, membership status, communication history, marketing consent records, and CRM activity data.
Location: USA and EU data centres. Zoho offers a GDPR-compliant Data Processing Addendum based on EU Commission Model Contractual Clauses, adopted by the ICO for UK transfers. Zoho holds ISO/IEC 27001, 27701, 27017, and 27018 certifications.
Further information: zoho.com/en-uk/privacy.html and zoho.com/gdpr.html
Zapier Inc.
Role: Data processor
Purpose: Automated workflows connecting our platforms (for example, syncing member data between Thinkific, Zoho CRM, and other tools, or triggering automated emails or tasks based on member activity).
Data processed: Data passed between our connected platforms as part of automated workflows — typically name, email address, membership status, and event trigger data. We design our Zapier automations to transfer only the minimum data necessary.
Location: USA. Zapier provides Standard Contractual Clauses and a GDPR-compliant DPA for international transfers.
Further information: zapier.com/privacy
Social Media Platforms
Role: Independent data controllers (in most cases)
Purpose: We maintain a presence on the social media platforms linked in the footer of our website (which may include, but are not limited to, Facebook, Instagram, LinkedIn, X/Twitter, and YouTube). We use these platforms to share content, engage with our community, and promote our Services.
Data processed: When you interact with us on social media, the relevant platform processes your data in accordance with its own privacy policy. Where we use social media advertising or analytics tools (such as Meta Pixel or LinkedIn Insight Tag), this may involve the processing of data about your visit to our website. This is subject to your cookie preferences — see Section 12.
Important: We are a co-controller with these platforms in respect of data processed through our social media pages (e.g. page analytics). You should consult each platform's own privacy policy for full details of their data practices.
5.3 We review our data processor relationships regularly and maintain data processing agreements with each provider as required by UK GDPR.
6. INTERNATIONAL DATA TRANSFERS
6.1 Several of our data processors are based outside the UK, including in the USA. Under UK GDPR, transfers of personal data to countries not deemed to provide an adequate level of data protection must be carried out with appropriate safeguards in place.
6.2 For all international transfers of your personal data, we rely on one or more of the following safeguards:
UK adequacy regulations: transfers to countries the UK government has deemed to provide adequate protection.
UK International Data Transfer Agreements (IDTAs): the UK equivalent of Standard Contractual Clauses, issued by the ICO under s.119A(1) of the Data Protection Act 2018.
UK Addendum to EU Standard Contractual Clauses: for transfers where the processor operates under the EU SCCs with a UK addendum.
Data Privacy Framework (DPF): where a US processor is certified under the EU-US Data Privacy Framework (which the UK recognises as providing adequate protection for UK-US transfers under the UK Extension to the DPF).
6.3 Details of the specific transfer mechanism used by each processor are set out in Section 5. You can request a copy of the relevant transfer agreements by contacting us at [email protected].
7. HOW LONG WE KEEP YOUR DATA
7.1 We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our general retention periods are as follows:
Account and membership data: Retained for the duration of your membership and for up to 6 years after your account is closed or your membership ends, to comply with contractual and financial record-keeping obligations.
Course enrolment and progress data: Retained for the duration of your enrolment and for up to 6 years thereafter, in line with our contractual records obligations.
Financial and transaction records: Retained for 7 years from the date of the transaction, as required by HMRC and applicable accounting legislation.
Marketing consent records: Retained for as long as you remain subscribed, plus a reasonable period thereafter to demonstrate compliance with PECR.
Event attendance records: Retained for up to 3 years after the event, for legitimate business record-keeping purposes.
Community posts and User Content: Content you post in our community spaces will remain visible until you delete it or close your account. If you close your account, your public posts may remain in the platform for a period before deletion; we will endeavour to action deletion requests promptly.
Communications (emails, support queries): Retained for up to 3 years from the last communication.
7.2 Where data is retained beyond the active membership period for legal compliance purposes, access to that data will be restricted to those with a legitimate operational need.
7.3 We will securely delete or anonymise personal data once the applicable retention period has expired.
8. HOW WE PROTECT YOUR DATA
8.1 We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. These include:
Access controls limiting access to personal data to authorised personnel only
Use of reputable, security-certified third-party platforms (see Section 5)
Encrypted data transmission (HTTPS/SSL) across our website and platforms
Payment processing via PCI-DSS compliant processors — we do not store full payment card details
Regular review of our data handling practices and processor arrangements
8.2 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and will notify you directly where required.
8.3 If you suspect any unauthorised access to your account or a breach of your personal data, please notify us immediately at [email protected].
9. CHILDREN'S DATA
9.1 Our Services are intended for individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly. If you believe we have collected data relating to a child, please contact us at [email protected].
10. YOUR DATA PROTECTION RIGHTS
10.1 Under UK GDPR, you have the following rights in relation to your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.
Right to rectification: You have the right to request that we correct inaccurate or incomplete personal data we hold about you.
Right to erasure ("right to be forgotten"): You have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent.
Right to restrict processing: You have the right to ask us to restrict our processing of your personal data in certain circumstances, for example while we investigate a dispute about accuracy.
Right to data portability: Where we process your data on the basis of consent or contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will always honour this. Where you object to processing based on legitimate interests, we will consider your objection and cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights relating to automated decision-making and profiling: We do not currently carry out solely automated decision-making that produces legal or similarly significant effects on you.
10.2 To exercise any of the above rights, please contact us at [email protected]. We will respond within one calendar month of receipt of your request. We may need to verify your identity before processing your request.
10.3 There is no charge for exercising your rights in most circumstances. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act on it, in which case we will explain our reasons.
11. RIGHT TO COMPLAIN
11.1 If you are unhappy with how we have handled your personal data, we encourage you to contact us first at [email protected] so that we can attempt to resolve your concern.
11.2 You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
11.3 Making a complaint to the ICO does not affect your right to seek legal redress through the courts.
12. COOKIES
12.1 We use cookies and similar tracking technologies on our website. Cookies are small text files placed on your device when you visit a website. They help us to operate our site, understand how it is used, and serve relevant content.
12.2 We use the following categories of cookies:
Strictly necessary cookies: Essential for the website to function. These cannot be disabled.
Functional cookies: These enable enhanced functionality and personalisation, such as remembering your preferences or login status.
Analytical/performance cookies: These help us understand how visitors interact with our website, allowing us to improve its performance. Data collected is aggregated and anonymised where possible.
Marketing/targeting cookies: These may be set by our social media partners and advertising tools to build a profile of your interests and show you relevant content on other sites. These are only set with your consent.
12.3 When you first visit our website, you will be presented with a cookie consent banner. You can choose to accept all cookies, reject non-essential cookies, or customise your preferences. You can update your preferences at any time via the "Cookie Settings" link on our website.
12.4 Please note that some of our third-party platform providers (including Thinkific and Zoho) also use cookies when you access their platforms. Please refer to their respective privacy and cookie policies for further information.
13. LINKS TO THIRD-PARTY WEBSITES
13.1 Our website and community spaces may contain links to third-party websites, including our social media profiles. Once you follow a link to another website, we are not responsible for that website's privacy practices. We encourage you to read the privacy policy of any external site you visit.
14. MARKETING COMMUNICATIONS
14.1 We send marketing emails and newsletters using Zoho Campaigns. We will only send you marketing communications where you have opted in to receive them, or where we have a legitimate basis to do so under PECR (for example, where you are an existing member and we are promoting our own similar services).
14.2 Every marketing email we send will include a clear and easy unsubscribe link. You can also opt out at any time by contacting us at [email protected].
14.3 Opting out of marketing communications will not affect your receipt of transactional or service-related emails (such as receipts, booking confirmations, and account notifications).
15. CHANGES TO THIS PRIVACY POLICY
15.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, our Services, or applicable law. We will notify you of material changes by email or by posting a prominent notice on our website, giving you at least 14 days' notice before changes take effect where practicable.
15.2 The date of the most recent version is shown at the top of this document. We recommend that you review this policy periodically.
16. GLOSSARY
Data controller: The organisation that determines the purposes and means of processing personal data — in this case, CEC.
Data processor: A third party that processes personal data on behalf of the data controller, subject to a data processing agreement.
Personal data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
UK GDPR: The UK version of the General Data Protection Regulation, as retained in UK law following Brexit.
ICO: The Information Commissioner's Office — the UK's independent data protection authority.
Standard Contractual Clauses (SCCs) / IDTA: Legal mechanisms used to ensure adequate protection for personal data transferred outside the UK.
Special category data: Particularly sensitive personal data, such as health data, racial or ethnic origin, religious beliefs, sexual orientation, and biometric data. CEC does not intentionally collect special category data.