Privacy Policy – The Eye Care Advocate
Last Updated: 25 October 2025
1. Introduction & Who We Are
Welcome to The Eye Care Advocate. This Privacy Policy applies to our public-facing website (www.theeyecareadvocate.co.uk), referred to as the “Website,” and our private subscription service, “The Eye Care Advocate Community,” referred to as the “Community.”
We are committed to protecting your personal data and respecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and what your rights are.
Who is the Data Controller?
For the purpose of UK data protection law (including the UK General Data Protection Regulation or “UK GDPR”), the Data Controller is:
- Entity: The Eye Care Advocate
- Data Protection Lead: Jason Searle
- Email: jason@theeyecareadvocate.co.uk
- Address: 7 Regent Street, Kingswood, Bristol BS15 8JX
As the Data Controller, we are responsible for deciding how and why your personal data is processed. If you have any questions about this policy or your data protection rights, please contact us at the email above.
2. The Data We Collect & Our Lawful Basis
We process different data depending on how you interact with us. We have broken this down into two clear sections. Under UK GDPR, we must have a “lawful basis” for processing your data.
A) Visitors to our Website (The Free Blog)
| What Data We Collect | Why We Collect It (Purpose) | Our Lawful Basis (GDPR) |
|---|---|---|
| Contact Form Data (Name, Email, Message) | To respond to your direct enquiries. | Legitimate Interest (to respond to your query) |
| Comment Data (Name, Email, Website, IP Address) | To display your comment and prevent spam. | Legitimate Interest (to enable discussion and prevent abuse) |
| Newsletter Sign-up (Email Address) | To send you our newsletter, articles, and marketing communications. | Consent (We will only send you marketing emails where you have explicitly opted in, e.g., by ticking a box that is unticked by default) |
| Analytics Data (Anonymised IP, device type, pages visited) | To understand how visitors use our Website so we can improve it. | Consent (This data is only collected if you “Accept” analytics cookies on our cookie banner) |
| Advertising Data (Cookie IDs, browsing behaviour) | To show you relevant advertising. | Consent (This data is only collected if you “Accept” advertising cookies on our cookie banner) |
| Embedded Content Data (e.g., from YouTube) | To display rich content like videos. These providers may collect data as if you visited their site. | Consent (This content and its trackers are only loaded if you “Accept” functional/advertising cookies) |
B) Members of our Community (The Paid Service)
When you subscribe to the Community, we process the data above plus the following:
| What Data We Collect | Why We Collect It (Purpose) | Our Lawful Basis (GDPR) |
|---|---|---|
| Account Data (Name, Email Address, Password) | To create and manage your account and provide the core service. | Contractual Necessity (We need this to fulfil the service you paid for) |
| Payment Data (Billing Address, transaction details) | To process your subscription payments. (Note: We do not store your full card details; this is handled by our payment processor). | Contractual Necessity (To take payment for the service) |
| Profile Data (e.g., GOC Number, Career Stage, Interests) | To verify professional status, tailor your Community experience, and allow networking. | Legitimate Interest (To build a verified, professional community and enhance your member experience) |
| User-Generated Content (UGC) (Your posts, comments, messages) | To provide the core function of the Community (discussion and learning). | Contractual Necessity (This is the service you are paying for) |
| Special Category Data (Health Data) | Your UGC may include discussions about clinical cases. Even where a case has been anonymised by the author, this can amount to “data concerning health,” which is special category data. We process it to facilitate peer-to-peer professional learning. | Article 6: Contractual Necessity AND Article 9: Explicit Consent (You must give separate, explicit consent for us to process this sensitive data when you join. You can withdraw this consent at any time, but you would then lose access to the clinical discussion areas). |
| Content Interaction Data (e.g., H5P/xAPI scores) | To provide you with feedback on your learning and to improve our educational content. | Contractual Necessity (This is a core part of the educational service) |
3. Special Category Data & DPIA
Processing “data concerning health” requires the highest level of protection. This applies even to clinical cases you believe you have anonymised, because case details can still allow a patient to be identified. We only process this data on the basis of your explicit consent, which you give during sign-up, and we have moderation and security measures in place to protect it.
Due to this high-risk processing, we have conducted a Data Protection Impact Assessment (DPIA) as required by GDPR Article 35 to ensure your data and rights are protected.
4. Cookies and Trackers (PECR Compliance)
Our Website uses cookies. A cookie is a small file placed on your device. We divide them into two categories:
- Strictly Necessary Cookies: These are essential for the site to function (e.g., keeping you logged in, managing your cookie consent). They do not require your consent.
- Non-Essential Cookies: These include Analytics, Advertising, and Functional cookies. We will not set any of these cookies on your device unless you give us your explicit, affirmative consent by clicking “Accept All” or customising your choices on our cookie banner. You can change or withdraw your consent at any time via the banner.
5. Third-Party Sharing & Sub-Processors
We do not sell your personal data. We only share it with trusted third-party service providers (“sub-processors”) who help us operate our business. They are contractually bound to protect your data.
Our key sub-processors include:
- Community Platform: Mighty Networks (USA)
- Payment Processors: Stripe (USA/Ireland) and PayPal (USA)
- Email Marketing Provider: Jetpack (WordPress) (USA)
- Analytics Provider: Google Analytics (USA)
- Spam Prevention: Akismet (USA)
6. International Data Transfers
Some of our sub-processors (listed above) are based in the United States. This means your personal data may be transferred and stored outside the United Kingdom (UK).
We only transfer data where appropriate safeguards are in place that meet UK GDPR standards. We rely on:
- UK Adequacy Regulations: Specifically, the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”). We check that each US provider we rely on under this route holds a current certification, including the UK Extension, on the Data Privacy Framework list.
- Standard Contractual Clauses (SCCs): Where the framework does not apply, we have a Data Processing Agreement (DPA) in place that incorporates Standard Contractual Clauses approved for UK use (the EU SCCs with the ICO's UK Addendum, or the ICO's International Data Transfer Agreement), legally binding the provider to protect your data to a UK standard.
7. Data Security & Retention
Security: We have implemented appropriate technical and organisational security measures to protect your personal data from accidental loss and from unauthorised access, use, alteration or disclosure. These include encrypting data in transit with TLS (HTTPS), restricting access to personal data to those who need it, and the platform security controls provided by Mighty Networks.
Retention: We will only keep your data for as long as necessary to fulfil the purpose we collected it for, or to comply with legal, accounting, or reporting requirements.
- Community Data: We retain your profile and UGC for as long as you have an active membership. If you cancel your membership, your personal data will be deleted or anonymised within 90 days.
- Financial Records: We are legally required to keep payment and invoice data for 7 years (6 full financial years + 1 current year) for HMRC tax purposes.
- Contact Form Data: We retain enquiries for 12 months.
- Comment Data: We retain comments for the lifetime of the article to maintain context, but you can request erasure at any time.
8. Your Data Subject Rights (UK GDPR)
You have rights over your personal data. These include:
- The right to access: You can request a copy of the data we hold about you.
- The right to rectification: You can ask us to correct inaccurate or incomplete data.
- The right to erasure (“to be forgotten”): You can ask us to delete your data in certain circumstances.
- The right to restrict processing: You can ask us to temporarily halt processing your data.
- The right to data portability: You can ask us to provide you with your data in a machine-readable format.
- The right to object: You can object to us processing your data (e.g., for direct marketing).
- Rights related to automated decision-making: We do not make decisions about you based solely on automated processing (including profiling) that produce legal or similarly significant effects.
To exercise any of these rights, please contact our Data Protection Lead at jason@theeyecareadvocate.co.uk. We will respond within one month of receiving your request; if a request is complex, we may extend this by up to two further months, in which case we will tell you why within the first month.
9. Children’s Privacy
Our Website and Community are not intended for or directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18.
10. How to Complain
We hope to resolve any concerns you have directly. However, if you are not satisfied with our response, you have the right to lodge a complaint with the UK’s supervisory authority:
- Authority: Information Commissioner’s Office (ICO)
- Website: www.ico.org.uk
- Helpline: 0303 123 1113
11. Policy Updates
We may update this Privacy Policy from time to time. We will notify you of any significant changes and will update the “Last Updated” date at the top of this page.
