Privacy Policy


Thank you for reading this.

On this page you will find a general privacy statement and some specific references to this website as well as glossary of terms relating to data privacy rules.

In a book called Valuing Your Customers, the founder of Stepping Stones, Angus Jenkinson wrote a prescient chapter in 1995 about the need to respect customers and their privacy. It includes the statement:

While there will always be a tension between those whose aims and values are driven solely by the desire to generate business – on the real basis that businesses need business to survive – and those who stand for a moral or environmental lobby, both these positions must be seen against reality. While many are very happy to have sweepstakes, discounts and lurid promises of a better life, many others are increasingly cynical and disenchanted, a trend which is increasing. Consumers (business or private) will always want value, but when they come to believe that the promises of companies can’t be trusted or that their activities are crossing boundaries of privacy, good taste or ethics then the result is trouble: legal claims, lost sales, bad PR.

Stepping Stones is the legal name of the company trading as Thinking.  This is a context for our privacy policy.

Stepping Stones Consultancy Ltd Privacy Statement

This Stepping Stones Consultancy Ltd (“Stepping Stones”) Privacy Statement sets out your rights and the measures the company will take to protect your personal data. Stepping Stones also trades as “Thinking” and as “The Centre for Thinking Futures” and the same principles apply to any. If anything is not clear please let us know.

We have always and always will regarded your personal information as privileged and that we should treat it with respect.  We only collect and use information for normal legitimate purposes: you are a friend, colleague, trading partner, client, a person interested in our services or working in a company that is. We use the information primarily of rpractical reasons and sometimes to keep in touch. Stepping Stones is a Data Controller as defined under data privacy legislation.

Stepping Stones will review and amend this privacy statement from time to time. You can always find the most up to date version on our website Any terms with a specific definition used in this statement, are highlighted in italics and are explained in the Glossary section.

What follows is a more formal explanation.

What is personal data? 

Personal data means any information relating to an individual who can be directly or indirectly identified by reference to the information. Individuals are referred to as Data Subjects under data privacy legislation. A wide range of information constitutes personal data including names, contact information, identification numbers such as National Insurance numbers, and online identifiers often referred to as ‘cookies‘ for example. This applies to both digital and paper-based information included within filing systems, or which is intended to be placed within a filing system.

What does processing mean?

The processing of personal data means any interaction with the information including viewing, collecting, sharing, storing, transferring or analysing it for instance. This can be by both a Data Controller, or a Data Processor.

Who holds your personal data? 

Your personal data will be held by Stepping Stones in the UK. You can find information on how to contact us as well as further information on what Stepping Stones does, on our website. Thinking has appointed a Data Privacy Officer (DPO) and any data privacy queries which cannot be resolved through the information provided on our website can be directed to them.

The use of your personal data is covered by our registration with the UK Information Commissioner’s Office; registration number ZA159212.

Why is your personal data required? 

When you request our services or information you may need to provide certain personal data to enable us to provide the service you want on an on-going basis. We may also hold personal data about you throughout our relationship with you; the requests you make or how you use our website for instance.

How will Stepping Stones use your personal data? 

The General Data Protection Regulation (GDPR) legislation which applies across Europe only allows the processing of personal data if one or more conditions are met; this is known as a lawful basis for processing. There are six lawful bases provided under GDPR, which are included in the Glossary section. We will only process your personal data for the reasons it was provided for, and only where there is a lawful and friendly professional basis for allowing this.

What personal data will or may Stepping Stones use? 

We use different types of personal data and have grouped them into the following categories:

Contact information

 How to contact you including your business address, sometimes where you live, your telephone number(s) and your email address (where relevant).

Personal details 

Personal information such as your gender, sometimes date of birth, occupation and/or role.

Special categories of personal data

 GDPR categorises certain sensitive personal information as ‘special category’ personal data; this includes information about your health, political opinions, or sexual orientation for instance. Stepping Stones will not collect and use these types of data, unless there is a legal obligation to do so, or it is required to provide (or continue to provide) a service to you in accordance with legal or regulatory requirements.

Financial information

 Financial information such as your bank account number and transaction history when this is necessary for payments to or from you.

Contractual information

 Details about the products or services we provide you personally, where relevant.

Administrative information

 When relevant.

Transactional information 

Notes of requirements and relevant operational information: this is routinely business-related information.


Where will your personal data be obtained from? 

Our approach to collecting information is human not machine. Stepping Stones collects personal data that you provide when interacting with us. Sometimes we collect from social media when useful and allowed, but not by automated means, except if you have given us consent to do so through agreeing with any cookie statement on our website (if we use them), registration of your online activities, or requests for communication.  Personal data that we have collected from you will include data you have provided when you:

  • Request or discuss services;
  • Talk to us on the phone or in person;
  • Use our websites;
  • Subscribe to a newsletter or other marketing messages;
  • Send us e-mails or letters.

We may also obtain your personal data from third partieswe deal with if there is a lawful basis to do so, in which case you will be notified of how and why we will use them. This could include the following:

  • Companies that introduce you to us or engage us as subcontractors or partners in their work with you.
  • Public information sources;
  • Agents working on your behalf;
  • Companies who work for us on projects for you and collect information related to the project.


After you have given us consent we may collect legally allowed data from your personal electronic devices to register your online and mobile activities. We may monitor data sessions to register your visits or use cookiesto enable required functionality, increase the quality of our website or mobile services, optimise your personal experience or support promotional and direct marketing activities. We do not do this as standard.

Who do we share your personal data with?

Members of our team including any third parties such as subcontractors or agents when it is relevant to the work they are doing.

We do not sell information about you.

How will personal data be shared? 

Stepping Stones will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential and in accordance with data privacy legislation (even when you are no longer a customer). Information we hold about you will not be disclosed to anyone unless:

  • we are legally required to disclose the information. This includes sharing your information with tax authorities and law enforcement agencies such as HMRC or the police for example;
  • we need to disclose the information for the purposes of or in connection with any legal proceedings, or for the purposes of obtaining legal advice, or the disclosure is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  • disclosure is required to protect our legitimate interests, or someone else’s legitimate interests (for example, to prevent fraud);
  • the disclosure is made with your consent; and
  • disclosure is to a third party for the purposes of providing administrative or processing services on behalf of Stepping Stones. If this is required, we will ensure that the third party protects your personal data in the same way that we do.

Why is your personal data shared? 

We may need to share your personal data with other third party organisations to provide you with the service offering you have chosen or are asking us to propose.

The use of your personal data by third parties

When a third party Processorprocesses your personal data on our behalf, we ensure that they follow our instructions to process and protect your personal data. Third parties are required to sign agreements in which they commit themselves to safeguard your personal data, agree to only use the data to provide services to us specifically outlined in the agreement, and follow our instructions.

Your personal data will be shared with the following categories of third parties for the purposes described:

Administrative and professional services

Contact information, personal details, business requirements / contractual / transactional information

To provide you with the service you require

Market research and marketing communications companies 

Contact information, socio-demographic information, personal details, financial information

To ensure that you receive the right marketing communication messages from us, at the right time and in areas that you are interested in.

Does Stepping Stones share your data outside of the European Economic Area? 

Stepping Stones’ default position is that we will not disclose or transfer personal data to organisations outside of the European Economic Area (‘EEA’). However, where this is required we will inform you and confirm why we need to do this. When we do transfer personal data outside of the EEA, we will make sure that it is protected at the same level as within the EEA by using one of these safeguards:

  • Transfer data to organisations in non-EEA countries (or states or provinces of these countries) with privacy laws in place providing the same level of data privacy protection as within the EEA;
  • Transfer data to organisations that are part of Privacy Shield which is an international framework that sets privacy standards at a similar level as those of the EEA; or
  • Put a contract in place with the recipient ensuring that they will process the data with the same level of data protection as within the EEA.

How we use your information to make automated decisions

We do not, except for website management, see below.

If you choose not to provide your personal data

Where personal data has been collected using your consent as the lawful basis for processing, you are free to withdraw your consent at any time and without any contractual or service delivery consequences other than the services you choose not to make use of.

Marketing communications  

From time to time we will send you information about our ideas, offerings, and the projects we do. We are careful to be sensible and legitimate in this and to respect your wishes.

If you are not yet a customer of Stepping Stones and want to receive marketing communications from us, you can request this. We will not give your personal data to anyone else for marketing purposes (other than those described above in ‘The use of your personal data by third parties’ and any lawful tool such as Eventbrite) without informing you and obtaining your consent.

We routinely use your business information for communication. The main exception is when you provide your personal contact details as a preferred alternative of yours.

A legitimate interest in a marketing context means that we will only send you marketing communications that may be of interest to you based on what we already know about you. We may use some form of market segmentsto assist this.  Our legitimate interests will always be balanced with your interests, and you can ask us at any time to stop sending you marketing communications.

How long does Stepping Stones keep your personal data for? 

As long as you are a customer, potential customer, network connection, partner, or potential partner (e.g. contractor) of Stepping Stones we will process your personal data to maintain contact. After you end any contract with Stepping Stones we may retain some or all of your personal data for up to 12 years (depending on the products or services you took out) for one or more of these reasons:

  • To respond to any questions or complaints;
  • To show that we treated you fairly; or
  • To meet our ongoing legal and regulatory requirements.

We may keep your personal data for longer than 12 years if we cannot delete it for legal, regulatory or technical reasons. Personal data will be retained with the utmost care and security measures will be applied to ensure your privacy and security are maintained.

What are your rights? 

GDPR entitles you to several rights in relation to your personal data, you can contact us using information on our websites.

The right to be informed

Individuals or data subjectsas they are referred to under data privacy legislation, have the right to be informed about the collection, use and sharing of their personal data. This Privacy Statement provides you with the information you are entitled to and we are required to give you.

The right to access your data 

You have the right to access your data to establish what it is being used for and verify the lawfulness of any processing. Before providing access to your personal data we will ask you to verify your identity to protect you from identity theft and financial crime. We may also need to ask you some questions to ensure we have understood your request correctly.

The right to rectification (correcting mistakes and inaccuracies)

We believe it is important so far as possible that any personal data we use is accurate, up to date, and relevant. To ensure that your data is correct you have the right to access, correct and/or update your personal data at any time. If you think your data is incorrect or incomplete and you wish to correct your data or privacy settings, please contact us.

The right to erasure (the deletion of your personal data) 

You have right to request that we delete your personal data if:

a) your personal data is no longer needed in relation to the purposes for which was collected;

b) you withdraw your consent and there are no other legal bases to process your personal data;

c) you object to us processing your personal data for direct marketing purposes;

d) you object to us processing your personal data for the legitimate interests of Stepping Stones;

e) you feel that your personal data is not being processed lawfully; and

f) your personal data needs to be deleted to comply with legal requirements.

As a financial services provider operating in the UK, Stepping Stones needs to keep your personal data for a certain period of time to provide you with our financial products and services, and to remain compliant with legal and regulatory requirements.

The right to restrict processing

You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Stepping Stones is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Stepping Stones has the right to store your personal data while your query is investigated.

The right to data portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format. We are looking at the best way to achieve this for our customers and will provide more information when it is available.

The right to object to processing

You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. If you wish to exercise this right, please get in touch and we will consider your request. Stepping Stones is legally allowed to continue to process your data if one of the following can be demonstrated:

a) compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or

b) processing is required for the establishment, exercise or defence of legal claims.

Rights related to automated decision making, including profiling

Stepping Stones does not undertake any processing which includes decisions made by solely automated means, including profiling.

How to Complain

Please contact us in the first instance if you have any concerns with how we have processed your personal data. Details on how to do this are included in our website. You also have the right to lodge a complaint directly with the ICO; please visit their website ( for further details on how to do this.

See Glossary below

What is this Website Privacy Policy for?

This privacy policy is for this website and served by Thinking, a brand trading name of Stepping Stones Consultancy Ltd. It governs the privacy of its users who choose to use it. It is an extension of the governing Privacy policy of the company.
The policy sets out the different areas where user privacy is concerned and outlines the obligations & requirements of the users, the website and website owners. Furthermore, the way this website processes, stores and protects user data and information will also be detailed within this policy.

The Website

This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies to all UK national laws and requirements for user privacy.

Use of Cookies

This website uses cookies to better the users experience while visiting the website. Where applicable this website uses a cookie control system allowing the user on their first visit to the website to allow or disallow the use of cookies on their computer /device. This complies with recent legislation requirements for websites to obtain explicit consent from users before leaving behind or reading files such as cookies on a user’s computer / device.
Cookies are small files saved to the user’s computers hard drive that track, save and store information about the user’s interactions and usage of the website. This allows the website, through its server to provide the user s with a tailored experience within this website. Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browsers security settings to block all cookies from this website and its external serving vendors.
This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computers hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information [].
Other cookies may be stored to your computers hard drive by external vendors when this website uses referral programs, sponsored link s or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer. No personal information is stored, saved or collected.

Contact & Communication

Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998. Every effort has been made to ensure a safe and secure form to email submission process but advise users using such form to email processes that they do so at their own risk.
This website and its owners use any information submitted to provide you with further information about the products / services they offer or to assist you in answering any questions or queries you may have submitted. This includes using your details to subscribe you to any email newsletter program the website operates but only if this was made clear to you and your express permission was granted when submitting any form to email process. Or whereby you the consumer have previously purchased from or enquired about purchasing from the company a product or service that the email newsletter relates to. This is by no means an entire list of your user rights in regard to receiving email marketing material. Your details are not passed onto any third parties.

Email Newsletter

This website operates an email newsletter program, used to inform subscribers about products and services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.
Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the Data Protection Act 1998. No personal details are passed on to third parties nor shared with companies /people outside of the company that operates this website. Under the Data Protection Act 1998 you may request a copy of personal information held about you by this website’s email newsletter program. A small fee will be payable. If you would like a copy of the information held on you please write to the business address at the bottom of this policy.
Email marketing campaigns published by this website or its owners may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include; the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity [this is by no far a comprehensive list].
This information is used to refine future email campaigns and supply the user with more relevant content based around their activity. In compliance with UK Spam Laws and the Privacy and Electronic Communications Regulations 2003 subscribers are given the opportunity to un-subscribe at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable clear instructions on how to un-subscribe will by detailed instead.

External Links

Although this website only looks to include quality, safe and relevant external links, users are advised adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text / banner /image links to other websites, similar to or
The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.

Adverts and Sponsored Links

This website may contain sponsored links and adverts. If so, these will typically be served through our advertising partners, to whom may have detailed privacy policies relating directly to the adverts they serve.
Clicking on any such adverts will send you to the advertiser’s website through a referral program which may use cookies and will track the number of referrals sent from this website. This may include the use of cookies which may in turn be saved on your computers hard drive. Users should therefore note they click on sponsored external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.

Social Media Platforms

Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are custom to the terms and conditions as well as the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. This website nor its owners will ever ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.
This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.

Shortened Links in Social Media

This website and its owners through their social media platform accounts may share web links to relevant web pages. By default some social media platforms shortenlengthy URLs [web addresses] (this is an example:
Users are advised to take caution and good judgment before clicking any shortened URLs published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine URLs are published many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.
Resources & Further Information



A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened.
Cookies are used to identify users of webpages and to customise content where applicable.

Customer segments

Customer segmentation is the process of dividing customers into groups based on common characteristics, so organisations can market to each group effectively and appropriately.

Data controller

An individual or organisation which determines why personal data needs to be processed, and the manner it is processed in.

Data Privacy Officer

A position within an organisation responsible for ensuring that personal data is processed in accordance with UK data privacy requirements.

Data Processor

An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.

Data Subject

An individual who can be identified from the personal data i.e. the person the data is about.

European Economic Area (EEA) 

The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.

GDPR – General Data Protection Regulation

The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and comes into force across the EU on 25 May 2018.

 Information Commissioner’s Office (ICO) 

The independent UK authority set up to uphold data privacy rights in the public interest.

Lawful basis for processing

One of six allowable lawful bases for processing must be satisfied for Stepping Stones to process your personal data. The six lawful bases are:

  1. Consent – the individual has given clear consent
  2. Contract – processing is necessary for a contract to be provided
  3. Legal obligation – processing is necessary to comply with the law
  4. Protect life – processing is necessary to protect someone’s life
  5. Public interest – processing is necessary to perform a task in the public interest
  6. Legitimate interest – processing is necessary for Stepping Stones’ legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s data which overrides these legitimate interests.

Lead Supervisor 

Stepping Stones operates from the UK and follows UK data privacy requirements set by the UK government and the ICO.

Legitimate interests 

The business reason for Stepping Stones to use your information. It must not conflict unfairly with your rights and interests.

Personal Data 

Any information relating to an identified or identifiable natural person (an individual).

Special Categories of Personal Data  

Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation.
Additional protection is required for personal data falling into this category, and both a general and specific lawful basis for processing are required. This means that one of the six general GDPR lawful bases for processing is needed, as well as one of the following which relate specifically to special categories of personal data:

  1. explicit consent
  2. processing is necessary for meeting obligations under employment, social security and social protection law
  3. processing is necessary to protect the vital interests of someone who is unable to provide consent
  4. processing is carried out during legitimate activity by a Foundation, Association or other not-for-profit body with a political, philosophical, religious, or trade union-based aim and processing relates to current or former members of that organisation, and that personal data is not disclosed outside of that organisation
  5. processing relates to personal data which has been disclosed by the individual
  6. processing is necessary in connection with legal claims
  7. processing is necessary for substantial public interest
  8. processing is necessary for preventative or occupational health
  9. processing is necessary for public interest in the area of public health
  10. processing is necessary for archiving purposes in the public interest such as scientific, historic or statistical research

 Third parties 

Organisations external to Stepping Stones who undertake services and activity on our request such as our business partners, suppliers and affiliates.