SHECOMMERCE LTD
Privacy Policy
Last updated: May 2025
1. Who We Are
SHECOMMERCE LTD ('SheCommerce', 'we', 'us', 'our') is a company registered in England and Wales. Our registered office is at BusinessLodge Widnes, Widnes, England.
We operate the SheCommerce mentorship programme and associated digital products and community, accessible at shecom.co.uk and through the Thinkific platform.
For all data protection enquiries, please contact us at:
Email: [email protected]
We are the data controller for personal data processed under this policy. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
You have the right to make a complaint to the Information Commissioner's Office (ICO) at www.ico.org.uk. We would appreciate the opportunity to address your concerns first — please contact us at [email protected] before approaching the ICO.
2. What This Policy Covers
This policy explains how we collect, use, store and share your personal data when you:
- visit or use shecom.co.uk or our Thinkific-hosted pages
- purchase or subscribe to a SheCommerce membership tier (Start, Grow, or Scale)
- create an account and access course content, modules, or materials
- participate in our community, including posting, messaging, or engaging in Thinkific Communities
- complete an application form via Typeform
- book a call via Calendly
- participate in a sales, onboarding, or coaching call
- receive communications from us via email or our email marketing platform (Kit)
- interact with us on social media or via ManyChat automations
- contact us directly by email or through any of our business channels
This policy should be read alongside our Terms and Conditions, Membership Agreement, and any specific notices provided at the point of data collection.
3. The Data We Collect About You
We collect and process the following categories of personal data:
3.1 Identity and Contact Data
- Full name, username, or display name
- Email address
- Billing address and postcode
- Business name (where provided)
3.2 Account and Membership Data
- Account login credentials (managed via Thinkific)
- Membership tier and subscription status
- Course progress, lesson completions, and learning activity
- Community posts, comments, replies, and direct messages within Thinkific Communities
- Application form responses submitted via Typeform
- Call booking details submitted via Calendly
3.3 Financial and Transaction Data
- Payment card details (processed and held securely by Stripe / Thinkific Payments — we do not store raw card data)
- Subscription payment history, amounts, and dates
- Billing address associated with payment
- Records of upgrades, cancellations, refund requests, and disputes
3.4 Technical and Usage Data
- IP address and geolocation data
- Device type, browser type and version, operating system
- Login timestamps and session activity
- Pages visited, content accessed, and time spent on platform
- Referring URLs and traffic source data
- Cookies and tracking technology data (see Section 9)
3.5 Communications Data
- Emails sent to and from us
- Email engagement data (opens, clicks, unsubscribes) recorded in Kit
- ManyChat DM interactions via Instagram
- Call recordings and notes from onboarding, sales, or coaching calls
3.6 Marketing and Preferences Data
- Email marketing preferences and consent status
- Communication opt-in/opt-out records
- Survey or feedback responses
3.7 Data We Do Not Collect
We do not knowingly collect Special Category data (including health, race, religion, sexual orientation, biometric or genetic data) or data relating to criminal convictions, unless you choose to provide such information voluntarily in open-text fields.
We do not collect phone numbers as standard. If you choose to provide a phone number in any form or communication, it will be treated as personal data under this policy.
4. How We Collect Your Data
4.1 Direct Interactions
You provide data directly when you:
- register for a SheCommerce membership
- complete checkout or subscribe to a membership tier
- complete a Typeform application for the Scale tier
- book a call via Calendly
- enrol in or access a course or module
- post, comment or message in Thinkific Communities
- contact us by email
- respond to surveys, feedback requests, or competitions
4.2 Automated Technologies
When you interact with our website and platform, we automatically collect Technical and Usage Data through cookies, server logs, session tracking, and similar technologies.
4.3 Third-Party Sources
We may receive data from:
- Stripe and Thinkific Payments (payment and transaction data)
- Thinkific (account activity, course progress, community data)
- Kit (email engagement data)
- Calendly (call booking and scheduling data)
- Typeform (application form responses)
- Meta (Facebook/Instagram) ad platforms and pixel data, where applicable
- Google Analytics and similar analytics providers
- ManyChat (Instagram DM automation interactions)
5. How We Use Your Personal Data
We use your personal data only where we have a lawful basis to do so under UK GDPR. The primary lawful bases we rely on are:
- Performance of a contract — to provide and manage your membership, course access, and community participation
- Legitimate interests — to operate, protect, and improve our business, prevent fraud, defend legal claims, and communicate relevant information
- Legal obligation — to comply with applicable law, tax obligations, and regulatory requirements
- Consent — for direct marketing communications, where required
Specifically, we use your data to:
- create, manage, and maintain your account and membership
- process subscription payments and manage billing
- provide access to course content, community features, and member resources
- send onboarding, membership, and service-related communications
- send marketing emails and updates (where you have consented or are an existing member and have not opted out)
- schedule and conduct calls (including onboarding, sales, and coaching calls)
- record calls for quality assurance, training, dispute resolution, and fraud prevention purposes
- review, assess, and process Scale tier applications
- track member progress, engagement, and retention
- respond to support enquiries and complaints
- analyse usage data to improve course content, platform experience, and marketing effectiveness
- run advertising and retargeting campaigns via Meta, Google, and similar platforms
- detect, investigate and prevent fraudulent activity, chargebacks, and abuse
- retain evidence of terms acceptance, payment authorisation, and consent for dispute and legal defence purposes
- comply with legal, tax, and regulatory obligations
- enforce our Terms and Conditions and Membership Agreement
6. Call Recordings
Where calls are conducted in connection with SheCommerce — including but not limited to pre-screening calls, onboarding calls, coaching calls, and sales consultations — calls may be recorded.
We will inform you at the start of any recorded call. Recordings are retained for the purposes of:
- quality assurance and training
- membership onboarding and programme delivery
- verifying customer consent, understanding, and acceptance
- resolving disputes and complaints
- defending against fraudulent chargeback claims or legal proceedings
- enforcing our contractual terms
The lawful basis for this processing is our legitimate interests in maintaining accurate records, delivering our programme effectively, and protecting our business from fraudulent or unfounded claims.
Recordings are stored securely and are not shared externally except where required by law or as part of a legitimate dispute or legal process.
7. Fraud Prevention, Payment Verification and Legal Defence
We process and retain certain data specifically to protect our business and our legitimate members from fraud, abuse, and unfounded payment disputes. This includes:
- IP addresses and login timestamps associated with account access and purchases
- device and browser fingerprint data at the point of payment and account creation
- records of terms and conditions acceptance, including the date, time, and IP address at the point of clickwrap acceptance
- payment authorisation records and subscription confirmation data from Stripe and Thinkific Payments
- records of course access, content consumption, and community activity following payment
- call recordings and written records of pre-sale and onboarding communications
- email correspondence and marketing engagement data
This data may be used in connection with:
- investigating and contesting chargeback or payment dispute claims
- reporting suspected fraud to payment processors, banks, or law enforcement
- establishing or defending legal claims
- verifying the identity of account holders and payment authorisers
The lawful basis for this processing is our legitimate interests in preventing fraud, recovering debts lawfully owed, and defending our legal position. Where required by law, we will also rely on legal obligation as a lawful basis.
8. Who We Share Your Data With
We do not sell your personal data. We may share it with the following categories of recipients, strictly for the purposes described in this policy:
8.1 Platform and Technology Providers
- Thinkific — course hosting, membership management, community, account administration
- Stripe / Thinkific Payments — payment processing and subscription billing
- Kit (formerly ConvertKit) — email marketing and automation
- Calendly — call scheduling and booking
- Typeform — application form collection
- ManyChat — Instagram DM automation
- Zapier — workflow automation and data routing between platforms
- Google (Analytics, Workspace) — website analytics and business operations
- Meta (Facebook/Instagram) — advertising, pixel tracking, and retargeting (where applicable)
8.2 Professional Advisers
- Legal advisers, accountants, auditors, and insurers — where necessary for compliance, dispute resolution, or professional advice
8.3 Payment and Fraud Bodies
- Banks, card schemes, and payment processors — in connection with payment processing, fraud prevention, and chargeback proceedings
- Law enforcement or regulatory bodies — where required by law or court order
8.4 Business Succession
If SheCommerce LTD is acquired, merged, or undergoes a business restructure, your data may be transferred to the relevant successor entity. You will be notified of any material changes to how your data is processed as a result.
All third parties are required to handle your data in accordance with UK GDPR and our data processing requirements. We do not permit third parties to use your data for their own purposes beyond the scope of services provided to us.
9. Cookies and Tracking Technologies
Our website (shecom.co.uk) and the Thinkific platform use cookies and similar tracking technologies. These may include:
- Essential / functional cookies — required for the website and platform to operate correctly (account login, session management, checkout)
- Analytics cookies — used to understand how visitors use our website and platform (e.g. Google Analytics)
- Advertising and remarketing cookies — used to deliver relevant advertising and measure ad performance across platforms including Meta/Facebook and Google, where applicable
- Third-party cookies — set by embedded services such as Thinkific, Stripe, Meta, and Google
We do not currently operate a cookie consent banner. Where we rely on legitimate interests for non-essential tracking, you have the right to object to that processing (see Section 11). If a cookie consent mechanism is introduced, this policy will be updated accordingly.
You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the platform.
10. International Data Transfers
Some of our service providers are based outside the United Kingdom, including in the United States and Canada. As a result, your personal data may be transferred to and processed in countries outside the UK.
Providers that may process your data outside the UK include:
- Thinkific — Canada
- Stripe — United States
- Kit (ConvertKit) — United States
- Calendly — United States
- Typeform — United States / European Union
- Meta (Facebook/Instagram) — United States
- Google (Analytics, Workspace) — United States
- ManyChat — United States
Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR. These safeguards include, where applicable:
- Standard Contractual Clauses (SCCs) approved for UK transfers
- Adequacy decisions made by the UK Secretary of State
- The International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
If you require further information about the specific safeguards in place for any particular transfer, please contact us at [email protected].
11. Data Retention
We retain your personal data only for as long as is necessary for the purposes for which it was collected, and in accordance with applicable legal, regulatory, and business requirements.
Our standard retention periods are as follows:
- Active membership data — retained for the duration of your membership and for 6 years following the end of your membership, in accordance with HMRC and tax record-keeping obligations
- Financial and transaction records — retained for a minimum of 6 years from the date of the last transaction, as required by law
- Dispute and chargeback records (including IP logs, timestamps, call recordings, and acceptance records) — retained for up to 6 years from the date of the relevant transaction or dispute, to support legal claims and fraud prevention
- Email marketing data — retained while your consent remains active or while you remain an active or recent member; removed upon request or following a reasonable period of inactivity
- Application form data (Typeform) — retained for the duration of membership and for a reasonable period thereafter in case of dispute
- Call recordings — retained for up to 3 years from the date of the call, unless required for longer in connection with a dispute or legal claim
- Community posts and messages — retained in accordance with Thinkific's platform data policies; may persist unless deleted by the user or removed by our moderation team
In certain circumstances, we may anonymise your personal data for analytical or research purposes, in which case it may be retained indefinitely in anonymised form.
To request deletion of your data, see Section 12 below.
12. Your Rights Under UK GDPR
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access — to request a copy of the personal data we hold about you
- Right to rectification — to request correction of inaccurate or incomplete data
- Right to erasure — to request deletion of your data where we no longer have a lawful basis to retain it
- Right to restriction — to request that we limit processing of your data in certain circumstances
- Right to data portability — to receive your data in a structured, machine-readable format where processing is based on consent or contract
- Right to object — to object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time; this does not affect the lawfulness of prior processing
Please note that some rights are subject to exemptions. For example, we may retain certain data notwithstanding a deletion request where we have a legal obligation or legitimate interest in retention (e.g. for dispute defence or tax compliance).
To exercise any of your rights, please contact us at:
Email: [email protected]
We will respond to all legitimate requests within one calendar month. Where a request is complex or numerous, we may extend this period by a further two months, in which case we will notify you.
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests; however, we reserve the right to charge a reasonable fee or refuse manifestly unfounded, excessive, or repetitive requests.
13. Children and Minors
SheCommerce is a general-audience platform. We do not knowingly collect personal data from children under the age of 13 without verifiable parental consent. If you are under 13, please do not use our platform or submit any personal data.
Where persons under the age of 18 use our platform, we encourage parental or guardian awareness. If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will take steps to delete that data promptly.
If you believe we have inadvertently collected data from a child, please contact us at [email protected].
14. Data Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, alteration, disclosure, or destruction. These include:
- access controls limiting data access to authorised personnel only
- use of reputable, compliant third-party platforms with their own security certifications (Thinkific, Stripe, Kit, Google)
- use of HTTPS/SSL encryption across our web platform
- login and session security managed via Thinkific's platform
No data transmission over the internet is completely secure. While we work to protect your data, we cannot guarantee absolute security. In the event of a data breach, we will notify affected individuals and the ICO in accordance with our legal obligations.
15. Third-Party Links and Platforms
Our website and communications may contain links to third-party websites, tools, or platforms (including social media platforms such as Instagram and TikTok). We are not responsible for the privacy practices of those third parties, and their use of your data is governed by their own privacy policies.
We encourage you to review the privacy policy of any third-party site you visit.
16. Changes to This Privacy Policy
We review this policy regularly and will update it as our business, technology, or legal obligations change. The date at the top of this document reflects the most recent revision.
Where changes are material, we will notify active members via email or a platform notice. Continued use of SheCommerce following notification of an updated policy constitutes acceptance of the revised terms.
We recommend you review this policy periodically.
17. Contact Us
For all privacy-related queries, data subject requests, or concerns regarding this policy, please contact:
SHECOMMERCE LTD
Email: [email protected]
Website: shecom.co.uk
Registered office: BusinessLodge Widnes, Widnes, England
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
Glossary
UK GDPR
The UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018, supplemented by the Data Protection Act 2018.
Data Controller
The entity that determines the purposes and means of processing personal data. SHECOMMERCE LTD is the data controller for data processed under this policy.
Data Processor
A third party that processes personal data on behalf of the data controller (e.g. Thinkific, Stripe, Kit).
Legitimate Interests
A lawful basis under UK GDPR permitting processing that is necessary for the genuine and proportionate interests of the data controller, provided those interests are not overridden by the rights and interests of the data subject.
Clickwrap
A method of obtaining consent or acceptance of terms through an active user action (such as checking a box or clicking a button confirming agreement), typically accompanied by a timestamp and IP address log for evidential purposes.
Chargeback
A reversal of a payment transaction initiated by a cardholder through their bank or card provider, typically following a dispute. We may retain relevant data to contest chargebacks where they are unfounded.