Cookie Policy

Last updated: 9 September 2025
Company: Care Leaders Consultancy Ltd (Company No. 16675181)
Website: www.careleadersconsultancy.co.uk

This Cookie Policy explains how we use cookies and similar technologies on our website (the “Site”) and how you can control them.

1) What are cookies?

Cookies are small text files stored on your device by your browser. They help websites work, keep you logged in, remember preferences and measure performance.

2) Who sets cookies on this Site?

  • First‑party (Squarespace) – our website platform places essential and (if enabled) analytics cookies.

  • Third‑party – services we integrate (e.g., Google Analytics, email or scheduling) may set their own cookies.

Squarespace documents the cookies their platform sets and how to restrict non‑essential cookies. Squarespace Help+1

3) Your choices (consent)

On your first visit you’ll see our cookie banner. You can Accept all, Decline non‑essential, or Manage preferences (enable only the categories you want). You can change your choice at any time via the Cookie settings link in our footer or by reopening the banner. When “restrict non‑essential cookies” is enabled in Squarespace, analytics/performance cookies aren’t placed until you consent. Squarespace Help

4) Types of cookies we use

  • Strictly necessary (always on): required for core site functions and security (e.g., CSRF protection, remembering you closed a banner).

  • Performance/analytics (optional): help us understand traffic and improve content.

  • Functionality (optional): remember choices like language or region.

  • Advertising (optional): not used by default; if we enable any, they’ll be off unless you consent.

5) Cookies you’ll commonly see on a Squarespace site

Cookie names and lifetimes can vary depending on which features you use; the list below reflects Squarespace’s own documentation and typical defaults. Squarespace Help

A. Squarespace – Strictly necessary

NamePurposeDurationCrumbPrevents cross‑site request forgery (security)SessionRecentRedirectPrevents redirect loops (site stability)30 minutesss_performancecookiesAllowedRemembers your choice about performance cookies30 daysss_marketingcookiesAllowedRemembers your choice about marketing cookies30 days

(Other necessary cookies may appear if you use features like customer accounts, commerce or Scheduling; Squarespace lists these in their help article.) Squarespace Help

B. Squarespace – Analytics & performance (optional)

NamePurposeDurationss_cidIdentifies unique visitors and tracks sessions2 yearsss_cpvisitIdentifies unique visitors and tracks sessions2 yearsss_cvisitIdentifies visits/sessions30 minutesss_cvrIdentifies unique visitors and tracks sessions2 yearsss_cvtIdentifies visits/sessions30 minutes

These are switched off until you consent when the banner is set to restrict non‑essential cookies. Squarespace Help

C. Scheduling (Acuity) – Necessary

If you book a consultation via Squarespace Scheduling (Acuity), it may set essential cookies to run the booking flow (e.g., remembering login or time‑zone preferences). These are necessary and not restricted by the banner. Squarespace Help

D. Google Analytics 4 (optional)

If we enable GA4, it may set cookies such as _ga and _ga_<container> (used to distinguish users and sessions; typical lifetime ~2 years). These won’t run unless you consent via the banner. (See Google’s own documentation for the current list.)

6) Managing cookies

You can change or withdraw consent at any time via Cookie settings in our footer, and you can clear or block cookies in your browser settings. If you block essential cookies, parts of the Site may not work.

7) Changes to this Policy

We may update this Policy; the latest version will always be on this page.

8) Contact

Questions about cookies? Email [insert privacy email] or write to Care Leaders Consultancy Ltd, [insert postal address].

Data Processing Addendum (UK GDPR) — One‑page template

Purpose. This DPA forms part of the agreement between the parties named below and governs the processing of personal data for consultancy services. It reflects the UK GDPR and the Data Protection Act 2018. Replace the bracketed fields and attach Annex A when you sign with a client.
This template is not legal advice; please have a solicitor review for your particular use.

Parties
Controller (Client): [Legal name, company number/address]
Processor: Care Leaders Consultancy Ltd (Company No. 16675181), [address], privacy contact: [email].

1. Roles & scope. Processor will process personal data only on documented instructions from Controller, including as set out in Annex A (Processing Details) and any Statement of Work.

2. Confidentiality. Processor ensures personnel are bound by confidentiality obligations and receive appropriate data protection training.

3. Security. Processor implements suitable technical and organisational measures (see Annex A – Security Measures).

4. Sub‑processors. Controller authorises Processor to use the sub‑processors listed in Annex B and others reasonably required for the Services, subject to a written contract imposing data protection terms no less protective than this DPA. Processor will notify Controller of changes and allow objection on reasonable, documented grounds.

5. International transfers. Processor will not transfer personal data outside the UK (or permit onward transfer) unless required for the Services and then only with appropriate safeguards, such as the UK IDTA or the EU SCCs with UK Addendum or an adequacy decision (including the UK‑US Data Bridge where applicable).

6. Assistance. Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organisational measures to: (a) respond to data subject requests; (b) meet security, breach notification, DPIA and prior‑consultation obligations.

7. Personal data breaches. Processor will notify Controller without undue delay and within 48 hours after becoming aware of a personal data breach, describing the nature, likely consequences, measures taken, and contact point.

8. Records & audit. Processor will keep records of processing and make them available to Controller on request. Upon reasonable prior written notice (no less than 10 working days) and not more than once per 12 months, Controller may audit Processor’s compliance (policy review, security summaries, and where necessary an on‑site visit). Audits will minimise disruption and protect confidentiality; each party bears its own costs unless non‑compliance is found.

9. Deletion/return. At the end of Services or upon Controller’s written request, Processor will delete or return personal data (at Controller’s choice) and delete existing copies within 30 days, unless law requires storage.

10. Liability & order of precedence. Each party’s liability under this DPA is limited as set out in the main agreement. If there’s a conflict, this DPA prevails to the extent of the conflict on data protection matters.

11. Governing law. England and Wales.
Signatures.
Controller: ____________________ Name/Title: __________ Date: ____
Processor (Care Leaders Consultancy Ltd): ____________________ Name/Title: __________ Date: ____

Annex A – Processing Details (complete and attach)

A1. Subject matter & purpose
[Consultancy services for care providers, e.g., quality audits, compliance support, training, bid support.]

A2. Duration & retention
[From effective date until termination/expiry of Services; retention as per Controller’s instructions.]

A3. Nature of processing
[Collection, viewing, recording, organising, storage, analysis, reporting, and secure deletion.]

A4. Categories of data subjects
[Client organisation staff; contractors; candidates; in some projects, service users and family representatives (only where necessary and instructed).]

A5. Categories of personal data
[Identification and contact data; employment details; training and supervision records; audit notes; in some projects, health and care information contained in care plans and incident reports.]

A6. Special category data
[Health and social care data only where required and instructed by Controller. Controller confirms a lawful basis, an applicable Schedule 1 condition and an Appropriate Policy Document where required.]

A7. Security measures (summary)

  • Encryption in transit (TLS) and, where supported by the tool, encryption at rest

  • Role‑based access; least privilege; MFA for admin accounts

  • Secure file sharing; no use of personal devices without encryption and lock

  • Audit trail for access to shared folders; regular access reviews

  • Staff confidentiality undertakings and onboarding/offboarding controls

  • Vulnerability patching and vendor risk review for SaaS tools

  • Incident response plan and breach notification process

Annex B – Approved sub‑processors (example list; tailor per client)

  • Squarespace, Inc. – website hosting & forms (USA)

  • Squarespace Scheduling (Acuity) – appointment booking (USA)

  • Google Workspace (if used) – business email & file storage (EU/USA)

  • Mailchimp (if used) – newsletters (USA/EU)

  • Microsoft 365 / OneDrive (if used) – document storage (EU/UK data centres where applicable)

International transfers for these services are protected by adequacy decisions and/or approved transfer mechanisms (e.g., SCCs with UK Addendum or the UK‑US Data Bridge). Confirm the current mechanism in your vendor list at the time of signing.