Privacy Policy


1. Introductions

This privacy policy sets out when and how Step Change Design Ltd. obtains, uses and protects any information that you give when you use this website or in our wider off-line work. Step Change Design Ltd. is committed to ensuring that your privacy is protected. Should we ask you to provide personal information, by which you can be identified, then you can be assured that it will only be used in accordance with this privacy statement.

The processing of personal data, such as your name, address, e-mail address, or telephone number shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to Step Change Design Ltd.

For existing customers and those who have provided personal data to us prior to 16th April 2018 we will ensure this information is used in line with the GDPR regulations by the required deadline of the 25th May 2018 at the latest. Prior to this we will continue to work in line with the current data protection legislation on which our original privacy arrangements were based.

For new customers from the 16th April 2018 all personal data will be used in accordance with GDPR from the outset.

As the controller, Step Change Design Ltd. has implemented both technical and organisational measures to ensure the protection of your personal data that is processed in relation to our work. While measures are in place it should be noted that Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, you are free to arrange with us the transfer of any personal data to us via alternative means, e.g. by telephone.

This privacy policy shares our approach to all aspects of Step Change Design Ltd.’s functions with regard to personal data and is based on the General Data Protection Regulation (GDPR). Further information of this can be found at including a full glossary of terms. Where the GDPR would refer to the ‘Data subject’, i.e. the person whose data we may obtain, we have mostly used the term ‘You’ so it is easier to read. Where you are entering information on behalf of another you are responsible for obtaining their consent.


2. Name and Address of the controller

Controller for the GDPR and other data protection laws is:
Step Change Design Ltd.
Correspondence Address:
104 Newtown Road
SO19 9HQ
United Kingdom
Phone: 02380 685193 or 01766 530824


3. Contact regarding our Privacy Policy or Personal Data

Any questions and suggestions concerning data protection may be sent directly to either the Controller on the details shown or via the website contact form.

Legal Basis & your rights

4. Legal basis for the processing

The table below provides a summary of all the areas within our work where we may, only if required, obtain personal data and how this is used. This clearly states the legal basis for processing this information, any special categories that apply to sensitive data, and our review and retention periods for each.

Ref. No.Where Data obtained & main purposeStep Change Design Ltd.’s reason & method of processingLegal basis/ Special CategoriesReview periodRetention period
1Website – via the ‘Subscribe’ button on the home pageCompleted by you (the Data Subject) when visiting our website to subscribe to our Newsletter for updates on our work and future events. Email address is stored on our mailchimp mailing list.Consent2 yearlyIndefinite
2Keep in Touch form (paper version) – used at public events and workshops and presentationsCompleted by you at a workshop or other face to face event. This form captures your name, phone number and email contact details and the type of activity you wish to be kept up to date about. We then transfer this data to the mailchimp mailing list and destroy the paper copy.Consent2 yearlyIndefinite
3Photo Consent Form – photographs taken during on-site visits – for marketing purposes & sharing best practice

Photographs taken as part of the other work, for which permissions were obtained, to illustrate examples of care culture practices and evidence of implementation of changes for the new use of marketing or sharing best practice publicly.

Specific consent will be obtained from you prior to any photographs being used via a photo consent form. Permissions retained & noted on properties of electronically stored photograph.


Special category – a

3 yearlyIndefinite
4Website – ‘Contact Us’ button and online Contact FormCompleted by you after pressing the ‘Contact Us’ button at the lower toolbar on our website. This form captures a request for specific support, service or information and enables us (the Data Controllers) to provide the services requested.Legitimate interestYearlyUntil enquiry or requested service has been completed or as required by law or periods of liability
5Handwritten form –  Initial enquiry by phone

This form is completed by us to capture information by you and enables us to record the key aspects of the enquiry during the phone call.

This information will be transferred to an electronic document if the enquiry becomes a request for a service or support from us. The handwritten copy is destroyed.

Legitimate interestYearlyUntil enquiry or requested service complete or as required by law or periods of liability

Website or phone contact – For purchases



On-line shop purchases and over the phone payments to enable supply of goods and services. Information taken to fulfil legal financial record keeping.Legitimate interestYearlyLegal financial record periods (6 years)
7Website / Email contact – Web shop discount code set upWe may set up a discretionary purchase discount code at our web shop linked to a specific email address to enable them to receive a discount on an on-line purchase.Legitimate interest6 monthlyUntil discount code expires
8Booking Forms for workshop events and services – by email & PhoneEvent administration: booking forms (contract), attendee lists. To enable provision of service/event requested. Personal contact details for attendees are retained until completed event, separate consent is sought to retain beyond this.Legitimate interestYearlyUntil event complete or as required by law or periods of liability
9Observation Notes & Site Information – written during site visits for designs & consultations – to provide site specific advice & supportObservations captured where these are transposed to electronic formats from on-site visits to fulfil project aims as part of design or consultancy. Observations captured may include ref to individual’s health, organisational location and practices at the locations. This is used by us to inform the care culture practices and corresponding location on our Map tool and to provide appropriate and relevant advice and wider support.

Legitimate interest

Special category –  h

YearlyRetain only if special category data informed advice given. Then retain until requested service complete or as required by law or periods of liability
10Photographs during site visits for designs & Consultations – to provide site specific advice & support

Photographs taken on-site during a project to support design or consultancy. Used to support advice and illustrate examples of care cultural practices. This informs the provision of appropriate and relevant support and provides evidence of the effectiveness of the implemented support. Permissions will be sought as part of the contract for the provision of the service.


Legitimate interest

Special category –  h

YearlyRetain only if special category photos informed advice given. Then until requested service complete or as required by law or periods of liability
11Website / Email contact/ Electronic & 3rd party records – from web shop purchases and financial transactions related to services received or providedFinancial records captured during processing of services: Invoices, PayPal records, Web shop records, Banking information, details of refunds or queries on transactions to fulfil obligations to provide or pay for services and any legal record keeping requirements.Legal obligationYearlyLegal financial record periods (6 years)

Throughout we have adhered to the principles set out in the GDPR regulation which are summarised below where they apply to each legal status.:

  • a) The right to be informed
  • b) The right of access
  • c) The right to rectification
  • d) The right to erasure
  • e) The right to restrict processing
  • f) The right to data portability
  • g) The right to object
  • h) Rights in relation to automated decision making and profiling.

More detail about each of these rights can be found at
A summary of the main areas that are likely to apply to our work are given below:


5. Rights to be informed, have access, amend or erase data

You have the right to enquire as to any personal data we hold on you, to have access to this and where there are errors to provide the correct information so we can put this right.

Where you have given consent to receive our Newsletter, updates on our work or future events you have the right to withdraw this consent at any time. If you withdraw consent we will erase your details from our MailChimp database.

For all other areas, where we have obtained personal data, you have the right to have your data erased with the exception of where there is an on-going and overriding legitimate or legal reason to continue to retain the information. We will make the reason clear to you if this is the case.

In order to exercise the right to have access, amend or erase your personal data you can contact Step Change Design Ltd. at any time via the website contact form or the details shown for the Controller above. We will endeavour to act on your requests in a prompt way, and at least within a month, and to provide any required information in an easily understood form.


6. Provision of personal data due to a legal or contractual requirement

Sometimes it may be necessary to request and obtain personal data as part of a contract that you enter into with us or that we are required to provide for legal reasons or associated with other regulatory requirements and liability. Non-provision could mean that the contract with you may not be able to be provided. This is likely to apply to: financial records for tax purposes and information obtained related to advice or services provided where the law of liability may apply.

Purchases for products & services

7. Payment & Card details

Step Change Design Ltd. do not record or retain any details of your payment details within their website, internal documentation, either handwritten or electronic. All payments via debit or credit cards are processed via PayPal as set out below.


8. Use of PayPal as a payment processor

Our website has an integrated component with PayPal. PayPal enables us to process online payment for the purchase of products or services via the web shop. All payments are processed directly in PayPal, and we act as joint controllers of your data. This is processed via virtual private or business PayPal accounts and it also enables the processing of payments through credit and debit cards when a user does not have a PayPal account. PayPal makes it possible to trigger online payments to third parties or to receive payments. PayPal also accepts trustee functions and offers buyer protection services.

When you choose “PayPal” to make payment in the online shop during the ordering process, we automatically transmit the required data to PayPal. By selecting this payment option, you agree to the transfer of personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data necessary for payment processing. The processing of the purchase contract also requires such personal data, which are in connection with the respective order.

The transmission of the data is aimed at payment processing and fraud prevention. PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfil contractual obligations or for data to be processed in the order.

If you would rather not process your payment via PayPal then contact us via the Contact details on our contact page or by the telephone number shown there to discuss alternative arrangements. Further details about PayPal and how it uses your information can be found on their home website privacy policy.


9. Purchased by Credit or Debit card via Phone

We can process payments by debit or credit card by telephone. This is carried out using PayPal virtual terminal with all required personal data entered directly into PayPal’s site. We act as joint controllers in processing your data. This information is used in the same way as for Web shop sales described above but with a record retained on PayPal about the sales only and none held on our web site.


10. Purchased via Invoicing

Where an invoice is raised to request payment for a product or service it is possible to pay via PayPal virtual terminal for card payments over the phone as described above or alternatively by cheque and BACs (Bank Transfer). Any personal details within the Invoice will only be retained to process the sale plus any period required by law as part of our financial record keeping. No details from cheques are retained beyond it being present to the bank for payment.


11. Financial records

Any personal data captured as part of the payment process, not card details, will only be retained until the product or service is provided and any period required by law for financial record keeping or liability. All data will be held securely.


12. Existence of automated decision-making

We do not use automated decision-making or profiling on our website.


13. Collection of cookies and IP addresses

Step Change Design Ltd.’s website collects a series of general data and information when you, or an automated system such as your browser, calls up the website. We use this information to measure visits to our website in order to improve its usability and security. The data we collect may contain personal information (most likely your IP address and/or cookies). We do not link IP addresses to individuals. Cookies issued by us only contain a unique number and therefore contain no personal data. We do not link cookies to individuals other than to recognise repeat visits.

You may, at any time, prevent the setting of new cookies and delete old cookies by means of the appropriate settings within your Internet browser used to deny the setting of these cookies. If you deactivate the setting of cookies some functions of our website may not operate.

(IP address definition – An IP address is a series of numbers that identify computers on the internet. IP addresses can theoretically be linked to an individual. Such linking requires additional information (particularly from the internet provider who issued the IP address or from the visitor themselves). For that reason IP addresses are considered personal data.)

(Cookie definition – A cookie is a small file that is stored on the computer of a visitor when they visit a website. If they visit the website again, the cookie shows that it is a repeat visit. Because the visitor is recognised through the cookie, cookies are considered personal data. In addition, cookies may contain personal data themselves.)

This website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website.

Cookies are small text files that can be used by websites to make a user’s experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

You can at any time change or withdraw your consent from the Cookie Declaration on our website.

Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy.

Your consent applies to the following domains:


Your current state: Allow all cookies (Necessary, Preferences, Statistics).

Cookie declaration last updated on 21/05/2018.

Necessary (1)

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

NameProviderPurposeExpiryType the user’s cookie consent state for the current domain1 yearHTTP Cookie

Preferences (2)

Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

NameProviderPurposeExpiryType Cookie Cookie

Statistics (3)

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

NameProviderPurposeExpiryType a unique ID that is used to generate statistical data on how the visitor uses the website.2 yearsHTTP Cookie by Google Analytics to throttle request rateSessionHTTP Cookie a unique ID that is used to generate statistical data on how the visitor uses the website.SessionHTTP Cookie

Marketing (2)

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

collectgoogle-analytics.comUsed to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor across devices and marketing channels.SessionPixel Tracker
impression.php/#facebook.comUsed by Facebook to register impressions on pages with the Facebook login button.SessionPixel Tracker


14. Subscription to our newsletters, updates on our work and future events

Step Change Design Ltd.’s website offers users the opportunity to subscribe to our newsletter and to be kept informed of updates on our work and future events. The personal data collected will only be used to inform you of these via the newsletter or email. This information is stored on Mailchimp and held solely for this purpose.

Our newsletter contains tracking pixels, which are a miniature graphic embedded in the e-mails, to enable recording and analysis. This is collected and used only to enable statistical analysis of the success or failure of our newsletter and assists us in optimising our content of future updates.

The consent to the storage of personal data given for this purpose may be revoked at any time by selecting unsubscribe from the website, or by contacting us via the Contact details on our contact page.


15. Registration on our website

During a purchase in our Webshop, you have the possibility to register on the website with the inclusion of personal data. Your registration is intended to enable Step Change Design Ltd. to offer you the services offered to registered users. It enables us to remember you for future visits and you are free to change the personal data specified or to have them completely deleted at any time by contacting Step Change Design Ltd. via any of the contact details listed on our Contact page or via the routes listed above for the Data Controller or Data Protections Officer.

The data is collected and stored exclusively for internal use by the controller, and specific processors (e.g. a parcel service), and will only be used for the purposes they were requested.

It is possible to process a sale without registering by selecting to check out as a ‘Guest’.


16. Contact via the website ‘Contact form’

If you use our Contact form to send an e-mail to us the personal data transmitted is automatically stored on our 3rd party Cymru 1 until downloaded to Step Change Design Ltd Directors’ devices or deleted from the server. This information will only be stored and used for the purpose of processing or contacting you in regards to your enquiry. This information is retained until completion of the enquiry or the requested support has been provided plus any period required by law or in regards to the law of liability.

3rd Parties and Social media

17. 3rd parties

We do not pass any personal data shared with us with any 3rd parties except for those required by us to fulfil our services to you. All parties we use have either a contract with us stating we are joint controllers, or clearly controller and processor, and that all data is handled in line with GDPR and only for the purpose for which we stated it was to be used with you.

Where a formal contract is not in place, possibly for the ad-hoc use of a supplier, we will put in place appropriate confidentiality agreements or ensure that the organisation is GDPR compliant to the best of our knowledge.

The following organisations may assist us in our work in providing our services to you and operate within the criteria above:

OrganisationProcessing role
TSO HostWebsite hosting site
PayPalWeb & phone sales, payment processing
MailChimpNewsletter database storage & processing
FootprintWebsite build & maintenance, Design Plan printers
Cymru 1Email server & maintenance
DropboxOnline document storage
Barbara Marsh Virtual Office ServicesAdministration support


18. Social Media Networks – Facebook & Twitter

Our website has integrated components with Facebook and Twitter social media networks. Their company details and privacy policies can be obtained via their home websites. Our Facebook and Twitter buttons create a link between our website and these organisations. This system enables them to be made aware of what specific sub-site of our website was visited by you. If you have an account with these organisations and visit our website with these logged in at the same time they can detect what was visited on our website by you and can associate it to your data held by you within their organisation.

You may, at any time, prevent this transfer of data by logging out of their sites prior to visiting our website and by adjusting your privacy settings within the accounts with these organisations.


19. Use of Google Analytics

On this website, we have integrated the component of Google Analytics (with the anonymizer function). Google Analytics is a web analytics service that collects and analyses data about the behaviour of visitors to our website. This information is only used to optimise our website in order to carry out our services more effectively and to ensure any marketing is appropriate. Google Analytics company details can be obtained via their home website

For the web analytics through Google Analytics we use the application “_gat. _anonymizeIp”. This ensures your IP address is abridged by Google and anonymised when accessing our websites. Google Analytics places a cookie on your system which enables Google to analyse your use of our website during which it may gain knowledge of personal information, such as your IP address, which serves Google to understand the origin of visitors and clicks, and subsequently create information to inform our analysis of our websites and adapt if for the future.

This data is stored by Google in the United States of America. Google may pass this personal data collected through the technical procedure to third parties. You may, as stated in ‘Website, Cookies’ (make a link), prevent and delete the setting of cookies through our website at any time by means of the settings in your web browser used.

Other Personal data obtained & held

20. General

Where we collect data about you, or those you support, both personal data (i.e. name, address, contact information) and also in some rare cases sensitive data (i.e. health related), will only be taken where it is absolutely necessary for the purpose entered into between you and Step Change Design Ltd. The personal data and sensitive personal data will be stored, processed and used in the following ways:

  • Providing and administering our services to you
  • Monitoring the quality of services provided
  • To answer your questions and enquiries
  • To meet any legal or liability needs beyond the service provided.

21. Sensitive data

In some rare cases sensitive data (i.e. likely to be health related) may be obtained as part of providing our services. This is only obtained where it is necessary for the purpose entered into between you, or those you support, and Step Change Design Ltd. This is most likely to occur during observational work as part of our consultations within a project location and may include photographic material. This data will only be retained until the service is complete plus any required period by law or for liability. In any instances where this sensitive data does not go on to inform any part of the service provided, or advice given, this data will be destroyed.


22. Direct email contact with us

If you contact us directly using e-mail the personal data transmitted is automatically stored on our 3rd party Cymru 1 until downloaded to Step Change Design Ltd Directors’ devices or deleted from the server. This information will only be stored and used for the purpose of processing or contacting you in regards to your enquiry. This information is retained until completion of the enquiry or the requested support has been provided plus any period required by law or in regards to the law of liability.


23. Electronic Documentation

Electronic copies of personal data may include: contact information provided to enable providing a purchase or other service, details to enable contact for an event and document of attendance to a workshop or other event, processing payment via invoicing, within contractual documents to agree provision of a service, including on design plans, and photographic form related to an agreed service.

Where we create electronic documents, including photographic and design plans, we hold copies of this on a cloud-based system called Dropbox. This also allows local copies of these files to be saved on devices where the operator has Login access to Step Change Design Ltd Dropbox account to enable its use when not connected on-line. Only the Directors of Step Change Design Ltd. have access to this information and we do not share this with 3rd parties except where it is essential in providing the services you have entered into with us and as per that described in ‘3rd parties & Social media’ (make a link).

Paper copies may be produced from these documents where they are required to meet legal or liability reasons e.g. financial archived record keeping.
During consultation site visits a paper copy of some personal data, such as contact information, may be needed when working away from electronic access. Following the visit, and after any appropriate updating of on-line electronic copies, the paper copy will be destroyed.


24. Use of data for marketing or sharing of best practice

Step Change Design Ltd. will not use any photographs of you, or those you support, for marketing or as part of sharing best practice in the fields we work in without obtaining express permission from you, and any other appropriate people shown in the image.

We will obtain permissions via a photographic consent form and permissions, where given, will be retained electronically and also added to the properties section on the photograph data file itself.


25. Handwritten Documentation

Handwritten notes containing your personal data may be taken as a result of: phone enquiry, phone payments, our ‘Stay in touch’ forms following an event and on consultation field notes.

Where handwritten notes are made these will be used only for the purpose entered into with Step Change Design Ltd. All information is held securely at Step Change Design offices in Southampton and North Wales until completion of the enquiry or service is provided plus any required period in law or for liability. Periods beyond the service provision will see the documents centrally archived at the address shown for the Data Controller in Southampton.

If handwritten notes are transcribed to an electronic form for any reason the handwritten copy will be destroyed unless this document represents the ‘consent’ document. This is the case of the ‘Stay in touch form’ completed by you at a face-to-face event.