Privacy Policy

Last Updated: 06 July 2026
Next Review: July 2027

1. Who We Are

Layercake CX Ltd is a UK‑based consultancy specialising in strategy, analytics, and digital delivery for membership organisations.
We operate as:
  • Data Controller when processing personal data for our own operations, marketing, and website analytics.
  • Data Processor when processing personal data on behalf of our clients within their systems.
We comply with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Data (Use and Access) Act 2025 and, where applicable, the EU GDPR.

Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ 
Company Number: 14529453 
Data Protection Lead: Damian Watson
Website:
www.layercake-cx.biz

2. Acting as a Data Processor (Client Work)

When providing analytics, strategy, or digital delivery services, we typically access personal data hosted in client-owned systems.
The client remains the Data Controller.
  • We only process personal data based on the client’s documented instructions.
  • We only access data necessary for delivery of the services.
  • We do not store, copy, extract, or re‑use client data for our own purposes.
  • We do not transfer client data to our own systems unless explicitly required and authorised.
For questions about personal data handled by a Layercake client, please contact that organisation directly.

3. Personal Data We Collect as a Controller

When you interact with us directly (email, meetings, workshops, events, website), we may collect:
  • Name, job title and organisation
  • Business email address
  • Business telephone number
  • Billing and invoicing information
  • Communications you send us
  • Website usage data collected through cookies and similar technologies (see our Cookie Policy)
  • Information relating to your interactions with our marketing communications, such as email opens, link clicks and subscription preferences, where permitted by applicable law.
We do not intentionally collect special category personal data. If such information is provided to us inadvertently, we will process it only where necessary and in accordance with applicable law.

4. How We Use Your Personal Data 

We use personal data for:

Business communications 

Managing enquiries, responding to requests, maintaining relationships.

Contract delivery

Managing proposals, agreements, invoicing, and service delivery. 

Marketing (B2B)

Sending newsletters, insight reports, event invitations, product updates, workshops, research findings and information about services that we believe are relevant to membership organisations and associated professionals.

Marketing analytics

Understanding how recipients engage with our marketing communications, including measuring email opens, link clicks and subscription preferences where permitted by applicable law, in order to improve future communications and better understand the interests of our audience.

Website analytics 

Understanding how our website is used, improving content and usability.

Legal obligations

Accounting, tax records, preventing fraud, record keeping.

5. Lawful Basis for Processing

Under the UK GDPR, the Data (Use and Access) Act 2025 and, where applicable, the EU GDPR, we rely on the following lawful bases for processing:
  • Performance of a contract – service delivery, invoicing. 
  • Legitimate interests – maintaining business relationships, providing services, improving our website and conducting proportionate B2B marketing activities. 
  • Legal obligation – tax, accounting, compliance. 
  • Consent – where required for marketing communications, non-essential cookies, or email engagement tracking in accordance with applicable law.
We only use non‑essential cookies with your consent. 

6. Marketing Communications 

We may send marketing communications where:
  • you have requested information from us;  
  • you have subscribed to receive updates; 
  • you have attended one of our events, webinars or workshops; 
  • we reasonably believe our services are relevant to your professional role, in accordance with applicable electronic marketing legislation; or  
  • you have provided consent where required. 
Our marketing communications may include:
  • Insight Reports 
  • event invitations 
  • research and benchmarking 
  • newsletters 
  • product and service updates 
  • customer experience resources 
  • industry news and thought leadership. 

Email Engagement Tracking

Where permitted by applicable law, we may use technology provided by our marketing platform (currently HubSpot) to understand how recipients interact with our communications. This may include measuring:
  • whether an email has been opened; 
  • which links have been clicked; 
  • subscription preferences; and 
  • overall campaign performance. 
This information helps us:
  • improve the relevance of our communications; 
  • understand which topics are of greatest interest; 
  • measure campaign effectiveness; and 
  • enhance our services. 
Where applicable law requires consent before email engagement tracking takes place, we will obtain that consent before enabling such tracking.
You can unsubscribe at any time using the link in our emails or by sending us a message through our Contact Us form.

7. Sharing Your Data

We do not sell personal data.
We may share limited personal data with trusted service providers who assist us in operating our business, including:
  • accountants, auditors and legal advisers; 
  • IT service providers; 
  • cloud hosting providers; 
  • CRM and marketing platform providers (including HubSpot); 
  • project management and collaboration platforms; 
  • subcontractors supporting the delivery of client services. 
All third parties are contractually required to protect personal information and process it only in accordance with our instructions and applicable data protection legislation.
As a Data Processor, we only access or share client data in accordance with our client's documented instructions.

8. International Transfers

Some of our third-party service providers may process personal data outside the United Kingdom or European Economic Area.
Where this occurs, Layercake ensures appropriate safeguards are in place, including:
  • UK adequacy regulations; 
  • the UK International Data Transfer Agreement (IDTA); 
  • the UK Addendum to the EU Standard Contractual Clauses; or 
  • other legally recognised transfer mechanisms. 
Client data processed during consultancy engagements normally remains within client-controlled systems unless otherwise agreed.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, tax and reporting requirements. 

Typical retention periods are as follows:
Category of Personal Data  Retention Period 
Client contracts, proposals and project documentation  Duration of the relationship plus up to 6 years 
Financial and accounting records  6 years, or longer where required by law 
Business contact information used for marketing  Until you unsubscribe or up to 2 years after our last meaningful interaction 
General enquiries and correspondence  Up to 2 years 
Routine business emails  Retained in accordance with business needs and our email management practices
Website analytics data  In accordance with the retention settings of the relevant analytics provider 
Personal data processed on behalf of clients (where we act as a Data Processor)  Retained in accordance with the instructions of the relevant client 
Marketing engagement data (such as email subscription preferences and campaign interaction data) is retained only for as long as necessary to manage our communications and measure their effectiveness, or until consent is withdrawn where consent is the lawful basis for processing.
When personal data is no longer required, we will securely delete or anonymise it. 
Where legal, regulatory or contractual obligations require us to retain information for longer periods, we will do so in accordance with those requirements.

10. Security

We implement proportionate technical and organisational measures including:
  • access controls and least‑privilege permissions
  • secure devices (encrypted, password‑protected)
  • approved cloud systems
  • staff confidentiality and data protection training
  • incident response and breach management procedures
  • data minimisation and secure deletion practices
When working inside client systems, infrastructure security remains under client governance.

11. Your Rights

You have rights under data protection law, including:
  • access to your data;
  • correction;
  • deletion;
  • restriction;
  • objection;
  • portability (where applicable);
  • withdraw consent at any time;
  • lodge a complaint with the ICO;
  • not be subject to solely automated decision-making where applicable.
If your request is broad or unclear, we may request clarification.
Under the Data (Use and Access) Act 2025, where a request is unclear or broad, we may seek clarification and the applicable response period may be paused until clarification is received.
We will respond to requests relating to your personal information in accordance with applicable data protection legislation. Where permitted by law, we may request additional information to verify your identity before processing your request.

Complaints:

If you have concerns regarding how we process personal data, you may contact us using the details below.

We will: 
  • acknowledge receipt of your complaint within 30 days;
  • investigate the matter without undue delay;
  • keep you informed of the progress of our investigation where appropriate; and
    notify you of the outcome.
  • notify you of the outcome.
If you remain dissatisfied, you may lodge a complaint with:
  • United Kingdom: Information Commissioner's Office (ICO)
  • European Union: your local supervisory authority.

12. Contacting Details

For questions about this Privacy Notice or personal data processing:
Damian Watson
Data Protection Lead
Layercake CX Ltd
71–75 Shelton Street
Covent Garden, London, WC2H 9JQ 

Website: www.layercake-cx.biz

13. Automated Decision-Making

Layercake does not use personal data for solely automated decision-making or profiling that produces legal or similarly significant effects.
We may analyse website usage, marketing engagement and service interactions to better understand user interests, improve our communications and enhance our services. Such analysis is used only to support business decisions and does not result in automated decisions that significantly affect individuals.

14. Related Policies

This Privacy Notice forms part of Layercake's wider commitment to protecting your personal information. You may also find the following documents helpful:
  • Cookie Policy – explains how we use cookies and similar technologies on our website, including how you can manage your cookie preferences. 
  • Website Terms & Conditions – explains the terms governing your use of our website and services.

15. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our services, legal obligations, regulatory guidance or business practices. Any updates will be published on this page and the Last Updated date at the top of this notice will be amended accordingly.
We encourage you to review this Privacy Notice periodically to stay informed about how we protect your personal information.
Created with