Privacy Policy

Last Updated
This document last updated: 20 February 2026.
1.Purpose

This privacy policy explains how and why we collect, use, store and share personal data, the lawful bases we rely on, and the rights available to individuals under UK data protection law.

It should be read alongside any other privacy notices we may provide at the point we collect personal data.

2.Scope

This policy applies to personal data we process in connection with:

visitors to our website
customers and prospective customers
suppliers and business contacts
job applicants and candidates
current and former colleagues
any other individuals whose personal data are provided to us

It covers processing carried out through our website, our products and services, our marketing activities, our recruitment processes, and our internal business operations.

This policy does not form part of any contract of employment or contract for services.

3.Who We Are and How to Contact Us

Train-a-Lift Ltd (we, us, our) is a company registered in England and Wales with company number 01298366 and registered office at 11 Highdown Road, Leamington Spa, Warwickshire, CV31 1XT.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

we act as a controller for personal data processed in connection with our website, marketing and general business activities
we act as a processor where we process personal data on behalf of our customers in accordance with their instructions
Privacy contact

Email: privacy@tal.uk.net Postal address: TAL Centre, Curriers Close, Charter Avenue Industrial Estate, Coventry, CV4 8AF

If you contact us about privacy, please include enough information for us to identify you and understand your request.

4.Personal Data We Collect

We collect and process personal data in connection with delivering training services, managing bookings, operating our website, administering our internal systems, and conducting marketing and recruitment activities. The personal data we collect depends on how you interact with us and whether training is arranged directly with you or through an employer.

Identity data

This may include:

name
title
date of birth
photograph (where you choose to provide one)

If you provide a photograph, we use it for identification and certification purposes.

Contact data

This may include:

postal address
email address
telephone number
home address
employer name and business address

Where training is delivered on behalf of an employer, we may receive delegate details directly from that employer.

Government identifier data

This may include:

National Insurance number
Employment and training data

This may include:

job title and employer details
training history
assessment outcomes
certification records
attendance records
candidate identification numbers
Booking and administrative data

We operate an internal booking and administration system known as Train-a-Lift Intelligent Administration (TALIA). Personal data processed within this system may include identity data, contact data, employment and training data, and booking information.

Financial data

This may include billing information and transaction records where required for invoicing and accounting purposes. We do not currently process payments through our website.

Technical data

When you visit our website, we may automatically collect:

IP address
browser type and version
device type
operating system
log data and technical identifiers
Usage data

We may collect information about how our website is used, including:

pages viewed
time spent on pages
navigation paths
referring websites
Marketing and communications data

This may include:

your marketing preferences
records of consent (where we rely on consent)
records of communications with us
engagement data for marketing emails and other communications (for example opens, clicks, bounces and unsubscribe events)
Special category data

We do not routinely process special category data. In limited circumstances, we may process health information where it is relevant to training delivery, assessment, reasonable adjustments, or safety.

Children’s data

We may process personal data relating to trainees who are under the age of 18, including where a trainee books training directly with us.

5.How We Collect Personal Data
Data you provide to us

We collect personal data directly from you where you:

enquire about our training services
make a booking
attend a training course
complete assessment documentation
contact us by email, telephone or post
subscribe to marketing communications
apply for a role with us
deliver training for us on a sub-contract basis

Data are typically provided through website forms, email correspondence, telephone conversations, paper forms, or in person at training venues.

Where training is arranged by an employer, trainee details may be submitted to us by that employer on your behalf.

Data collected automatically

When you visit our website, certain technical and usage data are collected automatically through server logs and similar technologies.

Our approach to the use of cookies is detailed in our cookie policy.

Data obtained from third parties

We may receive personal data from third parties in limited circumstances, including:

employers and other organisations who book training on behalf of trainees
public authorities or government bodies who arrange training
intermediaries or managed service providers acting on behalf of employers
professional advisers
organisations to whom we sub-contract training
publicly available sources such as Companies House or business websites
6.Purposes and Lawful Bases

We process personal data only where we have a lawful basis under UK GDPR. Where we rely on legitimate interests, we consider the impact on individuals and aim to use personal data in ways people would reasonably expect in the context of our relationship with them.

Delivery of training services

Purpose To administer bookings, deliver training, conduct assessments, issue certificates, and maintain training records.

Categories of personal data Identity data, contact data, employment and training data, booking and administrative data.

Lawful basis

performance of a contract where training is provided directly to an individual
legitimate interests where training is arranged by an employer, namely delivering and certifying training efficiently, maintaining accurate training records and enabling verification of certification where required
Customer and account management

Purpose To manage customer relationships, respond to enquiries, provide quotes, administer contracts, and maintain internal records.

Categories of personal data Identity data, contact data, booking and administrative data, financial data, and marketing and communications data.

Lawful basis

performance of a contract
legitimate interests, namely operating and developing our business, providing appropriate customer service, and maintaining business records
Website operation, security and improvement

Purpose To operate, secure and improve our website, analyse usage, and diagnose technical issues.

Categories of personal data Technical data and usage data.

Lawful basis

legitimate interests, namely maintaining the security, performance and effectiveness of our website and preventing misuse
consent where required under the Privacy and Electronic Communications Regulations for non-essential cookies or similar technologies
Marketing communications

Purpose To send information about our training services, updates, and related offerings.

Categories of personal data Identity data, contact data, marketing and communications data, and engagement data relating to marketing communications.

Lawful basis

consent where required for electronic marketing
legitimate interests where we rely on the soft opt-in under the Privacy and Electronic Communications Regulations, namely promoting and developing our services to existing customers or enquirers in circumstances where individuals would reasonably expect to hear from us about similar services

You can withdraw consent at any time. You can also object to direct marketing at any time.

Compliance with legal obligations

Purpose To comply with applicable legal and regulatory requirements, including accounting and tax obligations.

Categories of personal data Identity data, contact data, financial data, and training and certification records where relevant.

Lawful basis

compliance with a legal obligation
Protecting rights and business interests

Purpose To establish, exercise or defend legal claims, prevent fraud, and protect our business, colleagues and trainees.

Categories of personal data Any relevant category depending on the circumstances.

Lawful basis

legitimate interests, namely protecting our legal rights, preventing fraud and ensuring the safety and integrity of our operations
compliance with a legal obligation where applicable

We do not normally rely on vital interests or public task as a lawful basis for our processing.

7.Direct Marketing: How We Use Your Data
What we send

We send marketing communications about our training services, such as course availability, refresher training, and service updates.

Marketing emails may be sent to people who have previously enquired about, or purchased, training from us, and people who sign up to our newsletter via our website.

What data we use

For email marketing we use contact data (such as name and email address) and booking and administrative data (such as enquiry and purchase history).

How we send marketing emails and manage suppression

We use TALIA to hold contact details and enquiry and purchase history. We export relevant mailing lists from TALIA and send communications using email delivery providers such as Mailchimp or MailerSend.

These providers provide email delivery and engagement information (such as delivery, opens, clicks, bounces and unsubscribe events). We use this information to measure the effectiveness of our communications and to maintain suppression lists so we can respect opt-outs.

How to opt out

Every marketing email we send includes an unsubscribe link. You can also opt out by contacting us using the details in the section “Who we are and how to contact us”.

If you opt out of marketing, we may still send service messages where needed, such as messages about bookings, training delivery, certification, and important operational notices.

8.Automated Decision-making and Profiling

We do not make decisions about individuals that are based solely on automated processing, including profiling, where the decision produces legal effects or similarly significant effects.

We use limited automation to support administration, for example scheduling follow-up emails after a quote has been sent and no response has been received.

9.Who We Share Personal Data With

We share personal data with third parties where this is necessary to deliver our services, operate our business, meet accreditation requirements, and obtain independent assurance. Depending on the context, these third parties act as independent controllers or as our processors.

Accrediting and awarding bodies

We share trainee identity and training data with accrediting and awarding bodies where required to register candidates, issue certificates, verify outcomes, and maintain recognised training records.

External auditors and certification bodies

We share relevant records and evidence with external auditors and certification bodies to support audits, assessments, and ongoing assurance activities. We limit the data shared to what is necessary for the audit scope.

Service providers and software developers

We use third-party service providers and software developers to support our operations and systems, including hosting and cloud infrastructure providers (for example AWS or Azure), and business systems such as Xero. Where these providers process personal data on our behalf, they act as our processors and we require appropriate contractual protections.

Subcontract trainers

We may use subcontract trainers (including self-employed trainers and trainers operating through limited companies) to deliver training on our behalf. They may collect and return trainee identity, contact and training data to us for administration, assessment, certification and record-keeping. Where subcontract trainers process personal data on our behalf, they do so under written terms intended to meet Article 28 UK GDPR requirements.

Professional advisers and public authorities

We may share personal data with professional advisers (such as legal, insurance and accountancy advisers) and with public authorities or regulators where required by law.

10.International Transfers

Some of our suppliers may process personal data outside the UK. This includes email delivery and marketing platforms, MailerSend and Mailchimp, which may transfer and process personal data in the United States and in other countries where they or their sub-processors operate.

Where an international transfer is restricted under UK GDPR, we aim to ensure it is protected by appropriate safeguards, which may include:

the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as appropriate for the supplier arrangements
an adequacy regulation, where applicable
where applicable, the UK Extension to the EU-U.S. Data Privacy Framework (if the relevant supplier is certified)

You can contact us using the details in the section “Who we are and how to contact us” if you would like more information about the safeguards for a particular transfer.

11.How Long We Keep Your Personal Data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, accreditation and reporting requirements, and to establish or defend legal claims.

We apply the retention periods below unless a longer period is required by law or is necessary in connection with a complaint, dispute, audit or investigation.

Training delivery, assessment, and certification records

Trigger: latest trainee active date Retention: 6 years End action: delete or anonymise, except items retained in the certificate verification register

Certificate verification register

Trigger: course commencement date Retention: 40 years End action: delete

Minimum fields only:

trainee name
course type
course commencement date
certificate unique ID
outcome
trainer identifier

Access control:

restricted access to colleagues who handle verification
separated from wider CRM and marketing use
Enquiries and quotes

Trigger: last interaction date Retention: 6 years End action: delete or anonymise

Booking Confirmations

Trigger: course commencement date Retention: 6 years End action: delete or anonymise

Customer account management (B2B relationship records)

Trigger: last transaction date Retention: 6 years End action: delete or anonymise

Marketing list and engagement history

Trigger: last meaningful engagement date (or last marketing communication date if engagement is not measurable) Retention: 3 years End action: delete or anonymise

Suppression list (opt-outs)

Trigger: opt-out date Retention: for as long as we continue direct marketing, to ensure we respect your opt-out End action: delete when direct marketing ends

Finance, invoicing, and tax

Trigger: end of the financial year Retention: 6 years End action: delete or anonymise

Website security logs

Trigger: log date Retention: 12 months End action: delete or anonymise

Website analytics data

Trigger: collection date Retention: 14 months End action: delete or anonymise

Recruitment (unsuccessful candidates)

Trigger: decision date Retention: 12 months End action: delete or anonymise

Colleague HR records

Trigger: employment end date Retention: 6 years End action: delete or anonymise

Supplier and business contacts

Trigger: end of relationship or last transaction date Retention: 6 years End action: delete or anonymise

12.Data Security

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures include:

encryption in transit for our website and web applications using TLS, and disk-level encryption for customer data held in TALIA
role-based access controls and least-privilege access to systems such as TALIA and Xero
multi-factor authentication for Microsoft Entra sign-in and for TALIA authentication
device management through Microsoft Intune for organisation-owned laptops, and controls for colleague BYOD access to organisational email and file systems where Intune is used
anti-malware controls on organisation-owned devices
logging to support security monitoring and investigation, including web server logs and identity and device-management logging within Microsoft Entra and Intune
patching and updates for laptops and servers, and application updates on a planned cadence
backups for TALIA and Microsoft Entra
supplier contractual controls where suppliers process personal data on our behalf
incident handling processes to assess, contain and remediate suspected incidents, and to make notifications to the ICO and affected individuals where required
13.Your Rights

You have rights under UK GDPR in relation to your personal data. These include:

access, to request a copy of the personal data we hold about you
rectification, to ask us to correct inaccurate or incomplete personal data
erasure, to ask us to delete personal data in certain circumstances
restriction, to ask us to limit how we use personal data in certain circumstances
data portability, to receive certain personal data in a structured, commonly used format, or to have it transferred to another organisation where this applies
objection, to object to processing based on legitimate interests, and to object to direct marketing at any time
withdrawal of consent, where we rely on consent, without affecting the lawfulness of processing before withdrawal
rights relating to automated decision-making, where applicable, to not be subject to a decision based solely on automated processing that produces legal or similarly significant effects
How to exercise your rights

To exercise your rights, contact us using the details in the section “Who we are and how to contact us”. We may ask for information to confirm your identity and to help us locate the relevant data.

Fees and time limits

We do not usually charge a fee for handling rights requests. Where permitted, we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.

We aim to respond within one month. If a request is complex or we receive a high volume of requests, we may extend the deadline in accordance with UK GDPR and will tell you if that applies.

14.Complaints

If you have concerns about how we handle your personal data, you can contact us using the details in the section “Who we are and how to contact us”. We encourage you to raise concerns with us first so we can investigate and respond.

You also have the right to complain to the Information Commissioner’s Office (ICO). You can find details of how to complain on the ICO website: https://ico.org.uk/make-a-complaint/.

15.When You Need to Provide Personal Data

In some cases, personal data are required so we can provide training services, administer bookings, and meet legal and accreditation requirements.

Mandatory or contractual data

You may need to provide personal data where:

you (or your employer) are entering into a contract with us for training services, including making and managing a booking
we need to identify trainees for course delivery, assessment, certification, and training records
we must meet requirements set by awarding bodies, accreditation organisations, or audit and certification standards that apply to our services
we must comply with legal obligations, such as accounting and tax requirements
Optional data

Providing personal data is usually optional where:

you contact us with a general enquiry and choose how much information to share
you choose to subscribe to marketing communications or set markfeting preferences
you provide optional information (for example, a photograph for identification and certification purposes)
If you do not provide personal data

If required personal data are not provided, we may be unable to:

process an enquiry into a booking, deliver training, complete assessments, issue certificates, or maintain training records that support verification
invoice or otherwise manage payments and meet accounting and tax requirements
respond effectively to your request where we cannot identify you or locate the relevant records
16.Changes to This Privacy Policy

We may update this privacy policy from time to time. The current version is published on our website and the “Last updated” date at the top of the page shows when it was most recently changed. We keep archived copies of previous versions for our records.