Privacy Policy
Your privacy matters. This policy explains what information we collect when you visit yarrowleadership.com or enroll in our courses, how we use it, the legal basis for that use, and what choices you have. We do not sell your personal information to anyone. This policy applies to visitors and customers worldwide, including those in the European Union and United Kingdom.
Who We Are
Yarrow Leadership operates yarrowleadership.com and offers online courses, free resources, and related educational content. When this policy says "we," "us," or "our," it refers to Yarrow Leadership. When it says "you," it refers to you as a visitor or customer.
For the purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, Yarrow Leadership is the data controller responsible for your personal data.
If you have questions about this policy or wish to exercise your rights, contact us at: sara@yarrowleadership.com
What Information We Collect
Information you give us directly:
Name and email address when you purchase a course or download a free resource
Payment information when you enroll in a paid course (processed securely through Stripe — we do not store your full card details)
Any messages you send us through our contact form or by email
Information collected automatically:
Pages you visit on our site, time spent on those pages, and links you click
Your general location (country/region — not your precise address)
Device type, browser, and operating system
How you arrived at our site (for example, from a search engine or a link)
Automatic data is collected through cookies and similar technologies via Squarespace (our website platform) and its built-in analytics. See the Cookies section below for more detail.
Our Lawful Basis for Processing Your Data
Under GDPR and UK GDPR, we are required to identify a lawful basis for each way we process your personal data. The table below sets out what we do with your data and why we are legally permitted to do it.
How We Share Your Information
We do not sell your personal information. We share it only in these limited circumstances:
Squarespace: Our website and course platform. Squarespace processes data on our behalf as a data processor under a Data Processing Agreement. Learn more at squarespace.com/privacy.
Stripe: Our payment processor. Stripe processes your payment information under its own privacy policy. Learn more at stripe.com/privacy.
Email delivery services: If we use a third-party email platform to send course communications or newsletters, your email address is shared with that provider solely for the purpose of sending those messages.
Legal requirements: We may disclose information if required to do so by law or in response to valid legal process from a competent authority.
Business transfers: If Yarrow Leadership is acquired or merges with another organisation, your information may be transferred as part of that transaction. We will notify you before that happens and give you the opportunity to delete your account if you wish.
International Data Transfers
Yarrow Leadership is based in the United States. If you are located in the European Union or United Kingdom, your personal data will be transferred to and processed in the United States, which is outside the European Economic Area (EEA) and UK.
We rely on the following safeguards for these transfers:
EU-US Data Privacy Framework: Squarespace and Stripe participate in the EU-US Data Privacy Framework, which provides an approved mechanism for transferring personal data from the EU to the US.
Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on the European Commission's Standard Contractual Clauses incorporated into our agreements with service providers.
UK International Data Transfer Agreements (IDTAs): For transfers from the United Kingdom, we rely on the UK's International Data Transfer Agreements or UK Addendum to SCCs as appropriate.
You may request a copy of the relevant transfer safeguards by contacting us at sara@yarrowleadership.com.
Cookies
Cookies are small text files stored on your device when you visit a website. We use cookies for the following purposes:
Strictly necessary cookies: Required for the website to function — for example, keeping you logged in to your course account. These cookies do not require your consent.
Analytics cookies: Help us understand how visitors interact with our site so we can improve it. We use Squarespace Analytics for this purpose. For visitors in the EU and UK, these cookies are only set after you give consent through our cookie banner.
Marketing cookies: We do not currently use third-party advertising or tracking cookies.
When you first visit our site, you will be shown a cookie consent banner. You can accept or decline non-essential cookies at that point, or change your preferences at any time by clearing your cookies and revisiting the site.
You can also control cookies through your browser settings. Disabling certain cookies may affect how some parts of the site function.
Data Retention
We retain your personal data for only as long as necessary for the purposes described in this policy:
Account and course access data: Retained for the duration of your account and for up to 3 years after your last interaction with us, to support any queries or disputes.
Purchase and financial records: Retained for 7 years to meet tax and accounting obligations.
Marketing preferences and consent records: Retained until you unsubscribe or withdraw consent, plus 1 year as a record of your preference.
Analytics data: Aggregated and anonymised; not retained in identifiable form beyond 26 months.
You may request deletion of your personal data at any time, subject to our legal obligations to retain certain records (see Your Rights below).
Your Rights
Depending on where you are located, you have the following rights regarding your personal data. EU and UK residents have all of these rights under GDPR and UK GDPR. US residents may have rights under applicable state law (including the California Consumer Privacy Act).
Right of access: You can ask us to confirm whether we process your data and request a copy of it.
Right to rectification: You can ask us to correct inaccurate or incomplete information.
Right to erasure ("right to be forgotten"): You can ask us to delete your personal data. We will comply unless we are required to retain it by law (for example, financial records).
Right to restrict processing: You can ask us to pause processing of your data while a dispute is resolved.
Right to data portability: You can request your data in a structured, machine-readable format so you can transfer it to another provider.
Right to object: You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent: Where processing is based on consent (for example, marketing emails), you can withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
Rights related to automated decision-making: We do not make decisions about you using solely automated processing that produce legal or similarly significant effects.
To exercise any of these rights, email us at sara@yarrowleadership.com with the subject line "Data Rights Request." We will acknowledge your request within 5 business days and respond in full within 30 days (or 3 months for complex requests, with notice to you).
We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act.
If you are located in the European Union, you have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.
Children's Privacy
Our courses are designed for professional adults. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected information from a minor, we will delete it promptly. If you believe we may have collected information about a child, please contact us at sara@yarrowleadership.com.
Security
We take reasonable technical and organisational measures to protect your personal information from unauthorised access, loss, or misuse — including using HTTPS encryption for data in transit and access controls for data at rest. Payment transactions are processed using industry-standard encryption via Stripe. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.
Links to Other Websites
Our site may contain links to third-party websites. We are not responsible for the privacy practices of those sites and this policy does not apply to them. We encourage you to read their privacy policies before providing any personal information.
Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email at least 14 days before the changes take effect. We encourage you to review this policy periodically.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
Yarrow Leadership
Email: sara@yarrowleadership.com
Website: yarrowleadership.com
We aim to resolve all privacy concerns directly. If you are not satisfied with our response, you have the right to escalate to your local data protection authority as described in the Your Rights section above.