Privacy Policy

This policy explains who we are, the information we collect, how and why we use it, how we store it, the partners we work with, and your rights regarding any information you share with us.

Last updated 06 May 2026.

Our Commitment to Data Privacy

Kate Fitzgerald Consulting Limited (“we”, “us”, “our”) is committed to protecting the privacy of our clients, suppliers, associates and sector contacts. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations (PECR).

We operate exclusively as a business‑to‑business consultancy supporting arts, cultural and heritage organisations. We do not provide services directly to individual consumers, and we do not maintain consumer‑facing accounts or marketing lists.

Who We Are

Kate Fitzgerald Consulting Limited is a private limited company (CRN 13195832) registered at The Copper Room, Deva Centre, Trinity Way, Manchester, M3 7BG.

Kate Fitzgerald Consulting Limited (ICO ZB370708) is the registered Data Controller.

Contact Us

Please contact us you have any questions about how we use or retain your personal data, if you want to exercise any of your individual rights, or if you wish to be removed from communications or data processing. You can also contact us to raise a concern or complaint about our handling of your information.

Individuals who remain dissatisfied have the right to complain to the Information Commissioner’s Office (ICO).

Our Privacy Principles

We believe in clear, responsible and proportionate use of personal data. Our approach is guided by the following principles:

  • Transparency: We provide honest, accessible information about how and why we use personal data.
  • Purposeful Use: We only process personal data when it is necessary to deliver our services or when a client has explicitly asked us to do so.
  • Data Minimisation: We avoid collecting or retaining personal data that we do not need.
  • Security and Accountability: We take active steps to protect personal data and ensure it is deleted when no longer required.
  • Shared Responsibility: We work with clients, suppliers and associates to uphold these principles in practice.

We only collect the information needed to manage our business relationships and to deliver the services you have requested. We do not carry out direct marketing to prospective or existing clients.

What Data We Collect And Why

Type of DataPurposeLawful Basis
Contact details of client staffProject delivery, invoicing, updatesPerformance of a contract
Email correspondenceProject tracking, record-keepingLegitimate interests
Website usage data (via cookies)Site improvement and analyticsConsent
Social media engagementSector updates and communicationLegitimate interests
Survey responses (via SurveyMonkey)Audience research and evaluationLegitimate interests
Prize draw entries (via SurveyMonkey)Administer prize drawConsent
Third-party data (e.g., donors, visitors, staff)Client-requested processingPerformance of a contract

Surveys and Audience Research

We conduct surveys on behalf of clients using SurveyMonkey. Our approach prioritises anonymity, data minimisation, and proportionate collection.

Most surveys are fully anonymous. We do not collect IP addresses or any other identifiers, and we design each survey with the client to ensure that every question is necessary and proportionate.

Where a survey includes an option to join a client’s mailing list or enter a prize draw, we only collect the personal data required for that purpose. We provide clear information about how that data will be used, and we set deletion deadlines from the outset.

When personal data is collected for mailing list sign-ups of prize draws, we:

  • Securely transfer the data to the client. Data is encrypted, and the password is shared separately.
  • Delete all copies held by us, including removing responses from SurveyMonkey and deleting any downloaded file. The client holds the only retained copy.
  • Remind clients of their obligations. For mailing list sign-ups, clients must contact individuals within 30 days to confirm they are processing their data, share their privacy policy, and provide a clear way to opt out.

Special Category Data and Information About Children

We recognise that some types of personal data require additional care and protection. This includes information about disability or medical need, religion, political views, sexuality or ethnicity. Under UK GDPR, this is known as special category data. Although information about children is not classed as special category data, we treat it with the same level of care.

We only collect special category data when it is strictly necessary for our work and the purpose has been clearly agreed with the client. All surveys include a “Prefer not to say” option for any sensitive question.

For surveys that include demographic questions, the age question is presented first. If a respondent indicates they are under 16, the survey ends automatically and we do not collect any further demographic information. We also encourage clients to provide privacy information that is clear, accessible and suitable for children.

When collecting special category data, we apply the following safeguards:

  • It is collected only with a clear and lawful basis.
  • Enhanced security measures are used to protect it from unauthorised access or misuse.
  • It is used solely for the agreed purpose and is securely deleted once no longer required.

We will never link sensitive survey responses to identifiable contact information unless the respondent has given explicit, informed consent.

How We Keep Data Safe

We store personal data on secure systems with up‑to‑date technology, encryption and appropriate access controls. Access is limited to those who need it for legitimate business purposes. We use strong, unique passwords for all systems and enable multi‑factor authentication wherever it is available.

We regularly review the data we hold and delete information that is no longer needed. We maintain secure backups to protect against data loss.

When we collect personal data through client surveys, for example, mailing list sign‑ups or prize draw entries, the data is encrypted before being shared with the client, and any password is provided separately. Once the data has been transferred, we delete all copies held by us, including removing responses from SurveyMonkey and deleting any downloaded files. The client holds the only retained copy.

We do not share personal data with third parties unless we are legally required to do so, or where sharing is necessary to deliver our services and appropriate safeguards are in place.

How Long We Keep Your Data

  • We keep invoices, remittance advices, and other financial information for 7 years.
  • After completing a project, we archive the project contract, letter of agreement, final files, and client testimonial and logo indefinitely. All other files are deleted.
  • We retain all project-related emails for up to two years after the completion of a project, after which point they are deleted.

Your Individual Rights

Under data protection law, you have the following rights:

  • Your right of access: you have the right to ask us for copies of your personal information.
  • Your right to rectification: you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: you have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing: you have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability: you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • Your right related to automated decision-making including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.