
Privacy Policy

Last updated: April 2026  ·  Lewin Paro Ltd  ·  Company No. 16993210

This Privacy Policy explains how Lewin Paro Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website at lewinparo.com or any of our services. We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy should be read alongside our Terms & Conditions and Cookie Policy.

Part 1 Who We Are & What We Collect

Who We Are

Lewin Paro Ltd is a corporate psychology and professional wellbeing service registered in England and Wales (Company No. 16993210). Registered address: 20 Sandown Park, Tunbridge Wells, England, TN2 4RJ.

For any data-related queries: info@lewinparo.com

What Data We Collect

We may collect the following categories of personal data when you use our website or services:

  • Identity data — your name
  • Contact data — email address, phone number
  • Account data — login credentials for your member account on Kajabi
  • Transaction data — subscription plan, billing history, and payment records (payment processing is handled by Stripe; we do not store full card details)
  • Assessment data — your responses to the Lewin Paro burnout and wellbeing assessment (this is special category health data under UK GDPR Article 9 — see Part 3)
  • Session data — notes, progress records, and recordings from practitioner-led sessions (treated as strictly confidential sensitive data)
  • Consent records — timestamped records of the consents you have provided, including Article 9 health data consent
  • Technical data — IP address, browser type, device information, and usage analytics collected via cookies
  • Marketing data — your preferences regarding communications

How We Collect Your Data

  • Directly from you — when you complete the burnout assessment form, create a Kajabi account, subscribe to a plan, book a session, or contact us by email
  • Automatically — via cookies and analytics tools when you visit our website
  • From third-party processors — subscription and payment data from Kajabi and Stripe; assessment submission data from Formspree
Part 2 How & Why We Use Your Data

Lawful Bases for Processing

We use your personal data only where we have a valid lawful basis to do so under UK GDPR:

  • Contract — processing necessary to provide the Service you have subscribed to (account management, session delivery, billing)
  • Legitimate interests — improving our platform, ensuring security, and sending service-related communications
  • Legal obligation — retaining financial records and complying with applicable law
  • Explicit consent (Article 9) — processing your burnout assessment responses, which constitute special category health data. You may withdraw this consent at any time — see Part 3.
  • Consent — sending marketing emails where you have opted in

Purposes of Processing

  • Providing our services (contract) — to create and manage your account and deliver sessions
  • Processing payments (contract) — to manage subscriptions and billing via Stripe
  • Delivering assessment results (explicit consent) — to send your burnout assessment results to your email address via Gmail
  • Service communications (contract / legitimate interests) — session confirmations, reminders, and support updates
  • Improving our service (legitimate interests) — to analyse usage and improve the platform
  • Marketing (consent) — newsletters or promotional emails where you have opted in; you can withdraw consent at any time
  • Legal compliance (legal obligation) — to meet our obligations under applicable law
  • Safeguarding (vital interests / legal obligation) — where we have a duty to act to prevent serious harm

Confidentiality of Session Data

Session notes, recordings, and psychological support records are treated as strictly confidential. This information is never shared with your employer, insurer, or any third party without your explicit consent, except where we are legally compelled to do so (e.g. a court order) or where there is an immediate and credible risk of harm to you or another person.

Part 3 Special Category Health Data & Assessment Processing

Your Burnout Assessment & Health Data

⚕ UK GDPR Article 9 — Sensitive Health Data

Your burnout assessment responses are classified as special category data under UK GDPR Article 9 because they relate to your mental and emotional health. This data receives the highest level of legal protection and is processed only with your explicit consent, given via a dedicated consent checkbox on the assessment form.

How your assessment data flows

When you submit the Lewin Paro burnout assessment, your data moves through the following sequence of processors:

  1. You: Submit assessment
  2. Formspree: Captures & stores responses
  3. Gmail / Google: Delivers results to your email
  4. Kajabi: Account & subscription only

  • Formspree receives your name, email, all assessment responses, and a timestamped record of your Article 9 consent. Formspree acts solely as a data processor on our instructions and does not use your data for its own purposes. A Data Processing Agreement (DPA) is in place.
  • Google (Gmail/Workspace) is used to deliver your results email. Your name, email address, and result level (e.g. "Moderate Risk") pass through Google's mail infrastructure. This is covered by Google's Workspace Data Processing Amendment incorporating UK Standard Contractual Clauses.
  • Kajabi holds your name, email, subscription status, and session history only. Your assessment responses are not transferred to Kajabi and remain within Formspree's systems exclusively.

Consent and your right to withdraw

Your assessment data is processed solely on the basis of your explicit Article 9 consent. A timestamped record of this consent is retained for 6 years for compliance purposes. You may withdraw consent and request permanent deletion of your assessment data at any time by emailing info@lewinparo.com. Withdrawal does not affect the lawfulness of any processing already carried out.

Security of health data

All assessment data is transmitted over encrypted HTTPS connections. Formspree stores your data at rest using AES-256 encryption. Your assessment responses are never transmitted in plain text at any point in the data flow.

Part 4 Third-Party Processors & International Transfers

Our Data Processors

The following third-party service providers act as data processors on our behalf. Each is bound by a Data Processing Agreement (DPA) in accordance with UK GDPR Article 28. We do not sell your personal data to any third party.

| Processor | Role | Data Processed | Location | Transfer Basis |
|---|---|---|---|---|
| Kajabi | Platform hosting, membership management, video sessions, checkout | Name, email, subscription data, session recordings, account activity | USA | UK SCCs (Art. 46 UK GDPR) |
| Stripe | Payment processing | Payment method details, billing address, transaction records | USA / Ireland | UK SCCs (Art. 46 UK GDPR) |
| Formspree | Burnout assessment form submission and data capture | Name, email, assessment responses (special category health data), consent timestamps | USA | UK SCCs (Art. 46 UK GDPR) |
| Google (Gmail / Workspace) | Email delivery of assessment results and service communications | Name, email address, assessment result level | USA / EEA | UK SCCs (Art. 46 UK GDPR) |
| Google Analytics | Anonymous website analytics | Anonymised browsing data, session duration, device type | USA | UK SCCs (Art. 46 UK GDPR) |

International Data Transfers

Formspree, Kajabi, Stripe, and Google are based in the United States of America, which does not benefit from a UK adequacy decision under UK GDPR. All transfers of personal data to these processors are therefore made under UK Standard Contractual Clauses (UK SCCs) pursuant to UK GDPR Article 46(2)(c) and the UK International Data Transfer Agreement (IDTA) framework.

Transfer Risk Assessments (TRAs): Before transferring data internationally, Lewin Paro has conducted a Transfer Risk Assessment for each processor in accordance with ICO guidance. We are satisfied that the contractual, technical, and organisational safeguards in place provide an essentially equivalent level of protection to that afforded under UK law. You may request a copy of these safeguards by emailing info@lewinparo.com.
Part 5 Cookies, Retention & Security

Cookies

Our website uses cookies to improve your experience and analyse traffic. These include:

  • Essential cookies — required for the website and your account to function correctly
  • Analytics cookies — to understand how visitors use our site (Google Analytics, anonymised data only)
  • Marketing cookies — only set with your explicit consent

You can manage or withdraw cookie consent at any time through your browser settings or via our Cookie Policy.

How Long We Keep Your Data

| Data Type | Retention Period | Reason |
|---|---|---|
| Account & contact data | Duration of membership + 2 years | Service delivery and support |
| Assessment responses (health data) | 6 years from submission | Article 9 consent compliance records |
| Session records & recordings | 5 years from your last session | Professional practice standards and safeguarding |
| Transaction & billing data | 7 years | Financial and legal compliance (HMRC) |
| Consent records | 6 years | UK GDPR accountability obligations |
| Analytics data | 26 months (Google Analytics default) | Service improvement |

How We Protect Your Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:

  • Encrypted connections (SSL/TLS) across all data transmissions
  • AES-256 encryption at rest for assessment data held by Formspree
  • Access controls limiting who can view sensitive data internally
  • Data Processing Agreements with all third-party processors
  • Regular security reviews of our platform and supplier relationships
Part 6 Your Rights & How to Exercise Them

Your UK GDPR Rights

You have the following rights in relation to all personal data held about you across our processor systems (Formspree, Gmail, Kajabi, Stripe). These rights apply to both standard personal data and special category health data.

Right of Access

Request a copy of all personal data we hold about you (Subject Access Request)

Right to Rectification

Ask us to correct any inaccurate or incomplete data we hold

Right to Erasure

Request deletion of your personal data from all our systems, including Formspree and Kajabi

Right to Withdraw Consent

Withdraw Article 9 health data consent or marketing consent at any time

Right to Restrict Processing

Ask us to pause or limit how we process your data in certain circumstances

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on our legitimate interests or for direct marketing

Rights re: International Transfers

Request details of the safeguards in place for any international transfer of your data

To exercise any of these rights, email us at info@lewinparo.com. We will respond within 30 days. For complex or multiple requests, we may extend this by a further 60 days and will inform you accordingly. We will not charge a fee for reasonable requests.

Part 7 Changes, Complaints & Contact

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Any significant changes will be communicated to you by email or via a notice on our website at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent version.

Complaints

If you have concerns about how we handle your data, please contact us first at info@lewinparo.com and we will endeavour to resolve the matter promptly.

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's independent data protection authority:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Contact Us

For all privacy-related questions, data rights requests, or to withdraw consent:

Lewin Paro Ltd

📧 Data & privacy: info@lewinparo.com

📧 General: info@lewinparo.com

🌐 lewinparo.com
