Version 2.0 | Effective Date: 7 May 2026
1. Introduction
View From Here Limited (“View From Here”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal data entrusted to us by our clients, the participants in our 360-degree feedback programmes, our website visitors, and our wider professional contacts.
This Privacy and Security Policy explains what personal data we collect, how we use it, how we keep it secure, the legal basis on which we process it, and the rights available to data subjects under applicable data protection laws – in particular the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and, where it applies, the EU General Data Protection Regulation (“EU GDPR”).
This policy supersedes our previous Privacy Policy dated July 2018.
2. Who We Are
View From Here Limited is a company registered in England and Wales, providing leadership development services, including the design and delivery of bespoke 360-degree feedback programmes through our online platform.
Registered office: Atkinson Ground, Coniston, Cumbria, LA21 8AE, United Kingdom.
Data protection contact: Jonathan Bowyer, Director.
Email: jfb@viewfromhere.co.uk or info@viewfromhere.co.uk
Website: www.viewfromhere.co.uk
For the purposes of UK GDPR and (where applicable) EU GDPR, View From Here Limited is the data controller for personal data described in Section 5.1 of this policy. Where we deliver 360-degree feedback programmes for client organisations, we typically act as a data processor on behalf of the client organisation, who is the data controller. The applicable role is set out in the Data Processing Agreement (DPA) we put in place with each client.
3. Scope of This Policy
This policy applies to personal data we process in connection with:
- our marketing website at www.viewfromhere.co.uk;
- our 360-degree feedback platform at 360feedback.viewfromhere.co.uk (the “Platform”);
- our email and direct communications with clients, prospective clients, programme participants and professional contacts; and
- any associated services we provide, such as coaching, workshops, and reporting.
4. Definitions
- “Personal data” means any information relating to an identified or identifiable living individual.
- “Data controller” means the entity that determines the purposes and means of the processing of personal data.
- “Data processor” means an entity that processes personal data on behalf of, and on the documented instructions of, a data controller.
- “Participant” means an individual who is the subject of a 360-degree feedback exercise (the person being given feedback).
- “Respondent” means an individual who is invited to provide feedback about a Participant.
- “Client” means the organisation that engages View From Here to deliver a feedback programme.
5. What Personal Data We Collect
5.1 Data we collect as a controller
Where we are acting as the data controller, we may collect and process the following categories of personal data:
- Identification data: name, professional title, employer.
- Contact data: business email address, business postal address, business telephone number.
- Marketing data: marketing preferences, mailing-list subscription status.
- Communications data: enquiries, correspondence, meeting notes.
- Technical data: IP address, browser type, device information, and pages visited on our marketing website (collected via essential and analytics cookies; see Section 11).
5.2 Data we process as a processor on behalf of Clients
Where we deliver a 360-degree feedback programme on behalf of a Client, we process personal data about Participants and Respondents on the Client’s behalf and on their documented instructions. This typically includes:
- Identification and contact data: name and business email address.
- Role context: job title, team, manager relationship, or other relationship to the Participant (e.g. peer, direct report).
- Feedback data: numeric ratings and free-text comments provided by Respondents about the Participant.
- Self-assessment data: ratings and comments provided by the Participant about themselves.
- System metadata: timestamps recording survey invitations, completion status, and report generation.
We do not knowingly collect special category data (such as data revealing health, ethnicity, religion, or trade union membership) through the Platform. Clients are responsible for ensuring that questionnaires and feedback questions they configure do not solicit such data, and Respondents are advised in invitation emails not to disclose it in free-text comments.
6. How We Use Personal Data and Our Lawful Basis
We process personal data only where we have a lawful basis to do so under UK GDPR and (where applicable) EU GDPR. The lawful basis depends on the purpose:
6.1 To deliver our services
Purpose: administering 360-degree feedback programmes; sending survey invitations and reminders; collecting and storing responses; generating reports for Participants and Clients.
Lawful basis: contractual necessity (with the Client) and our and the Client’s legitimate interests in supporting professional development. Where we act as processor, the Client is responsible for ensuring an appropriate lawful basis applies to the underlying data subjects.
6.2 To communicate with you
Purpose: responding to enquiries; sending information you have requested; account administration; service announcements about the Platform.
Lawful basis: legitimate interests; contractual necessity.
6.3 Contact form enquiries and marketing
Purpose: managing professional contacts who get in touch via the contact form on our marketing website, and sending occasional updates about our services to those who have asked to receive them.
Lawful basis: legitimate interests for responding to enquiries and follow-up communications; consent for any direct marketing emails. You may withdraw consent at any time using the unsubscribe link in any marketing email or by emailing us.
6.4 To meet legal and regulatory obligations
Purpose: retaining accounting records; responding to lawful requests from regulators or law enforcement.
Lawful basis: legal obligation.
7. Where Your Data Is Stored and How We Keep It Secure
7.1 UK-based hosting
Both the 360-degree feedback Platform and our marketing website at www.viewfromhere.co.uk are hosted on infrastructure provided by Krystal Hosting Ltd, a UK company, with servers physically located in the United Kingdom. This means feedback data and Participant/Respondent personal data processed through the Platform, along with any data submitted via our marketing website, is stored in the UK at rest.
7.2 Storage architecture
The Platform uses a flat-file storage architecture rather than a shared database. Each Client’s programme data is stored within dedicated files and folders, segregated at the file-system level. The web server has read/write access only to the specific files required for it to operate; other files in the application are read-only at the operating-system level. No personal data is stored in URLs, query strings, or browser cookies.
7.3 Technical and organisational security measures
We have implemented appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including:
- Encryption in transit: all connections to the Platform are protected with TLS (HTTPS) encryption using industry-standard certificates.
- Access controls: access to the Platform’s administrative interface is restricted to authenticated users with role-based permissions; passwords are stored using salted cryptographic hashes.
- Server hardening: hosting infrastructure is patched and maintained by our hosting provider; server-side firewalls and intrusion-prevention systems are in place; web application files are read-only to the web-server process other than where write access is required for normal operation.
- Backups: the Platform is backed up regularly by the hosting provider, with backups stored in the UK and retained on a rolling schedule.
- Principle of least privilege: only View From Here personnel who need access to deliver a programme are granted access to that programme’s data.
- Code review and testing: changes to the Platform’s source code are reviewed before deployment; the application is designed to limit the surface area available to the public web.
- Secure email delivery: outbound emails sent from the Platform (such as survey invitations, reminders and notifications) are transmitted to our transactional email provider over authenticated, TLS-encrypted connections. The sending domain is protected by SPF, DKIM and DMARC records to authenticate messages and resist spoofing. API credentials used to connect the Platform to the email provider are stored outside the public web root, scoped to the minimum permissions required, and rotated periodically.
- Secrets management: API keys, passwords and other credentials used by the Platform are held in configuration files located outside the public web root, are not committed to version control, and are restricted to the minimum file-system permissions required for the application to read them.
- Confidentiality: all View From Here personnel and contractors are bound by written confidentiality obligations.
No system is perfectly secure, but we continuously review our measures and adopt improvements where appropriate.
7.4 Sub-processors
We use a small number of carefully selected sub-processors to deliver our services. Each is bound by a written contract that requires it to provide the same level of data protection as we provide. Our current sub-processors are:
- Krystal Hosting Ltd (UK) – hosting and storage of the 360-degree feedback Platform and our marketing website.
- HubSpot, Inc. (USA) – customer relationship management. Used solely to receive and manage enquiries submitted via the contact form on our marketing website, and to manage our list of professional contacts.
- Postmark (operated by ActiveCampaign, LLC, USA) – transactional email delivery for survey invitations, reminders and notifications sent from the 360-degree feedback Platform. Emails are submitted to Postmark over authenticated, TLS-encrypted API calls, with the sending domain authenticated via SPF, DKIM and DMARC. Email content and recipient logs retained by Postmark are configured to the shortest practical retention period.
- Google Analytics (operated by Google LLC, USA) – anonymised website analytics on our marketing website. Not deployed on the Platform.
We will give Clients reasonable advance notice of any change to our sub-processors that will materially affect the processing of their data.
8. International Data Transfers
Where we transfer personal data outside the United Kingdom or, in the case of EU clients, outside the European Economic Area (“EEA”), we put in place safeguards required by UK GDPR and EU GDPR.
In particular:
- Personal data processed through the 360-degree feedback Platform is held on servers in the United Kingdom. The European Commission has adopted an adequacy decision in respect of the United Kingdom, which permits transfers of personal data from the EEA to the UK without additional safeguards.
- Where any sub-processor is located outside the UK or the EEA (for example, HubSpot, Postmark and Google in the United States), the transfer is protected either by the UK Extension to the EU–US Data Privacy Framework (where the recipient is certified) or by the UK International Data Transfer Agreement and EU Standard Contractual Clauses, supplemented by additional measures where required.
We can provide further information about the specific transfer mechanisms used for any particular sub-processor on request.
9. How Long We Keep Your Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements.
9.1 360-degree feedback Platform data
Where we act as a processor for a Client, retention periods for Participant and Respondent data, and the schedule for deletion or return of that data at the end of the engagement, are agreed with the Client and recorded in the Data Processing Agreement. Our default position is to delete or return Client data within 90 days of the conclusion of a programme unless the Client instructs otherwise.
9.2 Other data
- Enquiry and correspondence data: retained for up to 2 years from last meaningful contact, after which it is deleted unless we have a continuing legal or contractual reason to keep it.
- Marketing list data: retained until you unsubscribe, or until 2 years have elapsed without engagement, whichever is sooner.
- Accounting and tax records: retained for at least 6 years to comply with HMRC requirements.
- Website analytics data: retained in line with the default settings of the analytics provider, in aggregated and pseudonymised form.
10. Your Rights
Under UK GDPR and (where applicable) EU GDPR, you have the following rights in relation to personal data we hold about you. Some of these rights are subject to conditions and exemptions in the legislation.
- Right of access – to obtain confirmation that we are processing your personal data and a copy of that data.
- Right to rectification – to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure – to have your personal data deleted in certain circumstances (sometimes called the “right to be forgotten”).
- Right to restrict processing – to ask us to suspend the processing of your personal data in certain circumstances.
- Right to data portability – to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible.
- Right to object – to object to processing carried out on the basis of legitimate interests, and to direct marketing at any time.
- Rights related to automated decision-making – we do not currently make decisions about you using solely automated processing that produces legal or similarly significant effects.
- Right to withdraw consent – where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
If you wish to exercise any of these rights, please contact us using the details in Section 14. Where we are processing your data as a processor on behalf of a Client, we will normally direct your request to the Client and assist them in responding.
We will respond to a valid rights request within one month of receipt. If your request is complex or you make multiple requests, we may extend this by up to two further months and will let you know.
11. Cookies and Website Analytics
Our marketing website uses cookies. Cookies are small text files placed on your device when you visit a website.
We use:
- Strictly necessary cookies – required for the website to function (for example, to remember your cookie preferences). These do not require your consent.
- Analytics cookies – set by Google Analytics with IP-anonymisation enabled, to help us understand how visitors use our website. We rely on your consent for these.
You can control or disable cookies through your browser settings. Disabling strictly necessary cookies may prevent some parts of the website from working correctly.
The 360-degree feedback Platform uses only the minimum cookies needed to keep you logged in during a session and to maintain security (e.g. a session identifier and a CSRF protection token). It does not use third-party tracking or advertising cookies.
12. Data Breaches
We have procedures in place to detect, investigate, and respond to suspected personal data breaches. Where we are required to do so by law, we will notify the UK Information Commissioner’s Office (“ICO”) and, where applicable, the relevant EU supervisory authority of a notifiable breach within 72 hours of becoming aware of it.
Where we act as a processor and a breach affects a Client’s data, we will notify the Client without undue delay so that they can comply with their notification obligations.
Where there is a high risk to data subjects, we will also notify affected individuals directly without undue delay.
13. Children
Our services are designed for use by professional adults in workplace settings. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data without an appropriate lawful basis, we will delete it promptly.
14. How to Contact Us and How to Complain
If you have any questions about this Privacy and Security Policy, or you wish to exercise any of the rights set out in Section 10, please contact:
View From Here Limited
Atkinson Ground
Coniston
Cumbria LA21 8AE
United Kingdom
Email: jfb@viewfromhere.co.uk
If you are unhappy with how we have handled your personal data, you have the right to complain to a data protection supervisory authority.
In the United Kingdom, the supervisory authority is the Information Commissioner’s Office (ICO): ico.org.uk.
In Germany, you may complain to your relevant State (Länder) data protection authority or to the Federal Commissioner for Data Protection and Freedom of Information (bfdi.bund.de).
In other EEA countries, you may complain to your national supervisory authority. We would, however, appreciate the opportunity to address your concerns before you approach the regulator, so please consider contacting us first.
15. Changes to This Policy
We review this policy regularly and will update it when our practices change or when required by law. The version number and effective date at the top of this document will be updated when we make material changes. Where required, we will notify you of significant changes directly.
This version (2.0, 7 May 2026) replaces the version dated July 2018 in full.