Privacy Policy

Last updated: May 2026

This privacy policy explains how Larocca Consulting Ltd collects, uses, and protects your personal information when you visit drdaveheath.com, book a conversation, sign up to receive content, or otherwise interact with this Website.

By using this Website you are agreeing to the terms set out here. If you have any questions, you can contact me directly at dave@drdaveheath.com.

Who I am

The data controller for this Website is Larocca Consulting Ltd, the consulting business of Dr Dave Heath. The company is registered in Scotland under company number SC727238, with registered office at Pavilion 2, Finnieston Business Park, Minerva Way, Glasgow G3 8AU.

Throughout this policy, "I" refers to the practice and "you" refers to you, the visitor or contact. The best way to reach me on any data protection matter is dave@drdaveheath.com.

What data I collect

Enquiry and contact data. When you book a conversation, fill in a contact form, or email me directly, I collect your name, email address, and any information you choose to share in your message.

Newsletter and content data. If you sign up to receive content, updates, or communications from me, I collect your name and email address, plus a record of when you signed up, what you signed up to receive, and how you have engaged with what I send.

Client data. If you engage me as a client, I collect the additional information needed to deliver the work and run the business relationship, including billing details, project documents you share with me, and any information that arises in the course of the engagement.

Booking and scheduling data. If you book a call through a scheduling tool linked from this site, that tool, currently Cal.com, collects the information you provide directly to them under their own privacy policy. I receive the booking details from them.

Automatically collected data. When you visit this Website, standard technical data is collected by the hosting platform and analytics tools. This may include your IP address, device and browser type, pages visited, time on site, and referring URLs. Some of this data can identify you indirectly. IP addresses, for example, are treated as personal data under UK GDPR. See the Cookie Policy for more on what is set and how to control it.

I do not knowingly collect special category data, for example data revealing health, race, religion, or political views, through this Website. I do not collect or store payment card information directly.

How I use your data

I use your personal data only for the following purposes: to respond to your enquiry or booking request; to send you the content, updates, or communications you have signed up to receive; to deliver consultancy or coaching work where you have engaged me as a client; to issue invoices, keep accounting records, and meet legal and tax obligations; to understand how this Website is being used so I can improve it; and to keep the Website and my systems secure.

I do not sell, rent, or trade your personal data with third parties for their marketing purposes. I do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

Legal basis for processing

Under UK GDPR I rely on the following legal bases. Consent, where you have actively signed up to receive marketing or content from me, and which you can withdraw at any time using the unsubscribe link in any email or by contacting me directly. Contract, where processing is necessary to fulfil an engagement or take steps at your request before entering one. Legal obligation, where I am required to retain information for tax, accounting, or other statutory reasons. Legitimate interests, where I have a genuine business interest such as responding to an enquiry, running the Website securely, or analysing how visitors use the site, and that interest does not override your rights and freedoms.

Marketing and communications

I send marketing emails only to people who have actively signed up to receive them. Every marketing email contains a one-click unsubscribe link. Unsubscribe requests are processed promptly, and your details are removed from the active list shortly afterwards.

If you have engaged me as a client, I may send you communications that relate directly to that engagement on the basis of our contract rather than consent.

Data retention

I keep your data only for as long as is necessary for the purpose it was collected. Enquiry and contact data is retained for up to two years from our last contact, then deleted unless there is a reason to keep it longer. Newsletter subscriber data is held for as long as you remain subscribed, and if you do not engage with my emails for an extended period your record may be reviewed and removed. Client records are retained for six years after the engagement ends, to meet HMRC, accounting, and limitation period requirements. Some records, for example signed contracts, may be retained longer where there is a continuing reason to do so. Website analytics data is retained according to the policies of the analytics provider, currently Google Analytics. The default retention period for that service is 14 months unless reconfigured.

Cookies

This Website uses cookies and similar technologies. For full details of what is set, why, and how to control it, see the Cookie Policy.

Third-party services

I use a small number of trusted service providers to run the Website and the practice. Each one acts as a data processor or, where appropriate, a separate data controller, and each has its own privacy policy. Webflow hosts this Website. Cal.com powers scheduling and booking links. MailerLite is used for email and newsletter delivery. Google Analytics is used for website analytics. If the providers I rely on change materially, I will update this list. Each provider has been chosen with UK GDPR compliance in mind, and I have data processing agreements in place where required.

International transfers

Some of the providers above are based outside the UK, including in the United States. Where personal data is transferred outside the UK, I rely on the safeguards required under UK GDPR. These typically take the form of the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions that the UK government has formally recognised as providing adequate protection. You can request more information about the safeguards in place for any specific transfer by contacting me at dave@drdaveheath.com.

Security

I take reasonable and appropriate technical and organisational measures to protect personal data against loss, misuse, and unauthorised access. This includes using reputable providers, applying access controls and strong authentication, and keeping software up to date. No internet service can be guaranteed entirely secure, but I treat the security of personal data as a serious responsibility.

Your rights

Under UK data protection law you have the right to access the personal data I hold about you, have inaccurate data corrected, have your data deleted in certain circumstances, restrict or object to how your data is used, request portability of your data in certain cases, and withdraw consent where consent is the basis for processing.

To exercise any of these rights, contact me at dave@drdaveheath.com. I will respond within one month, which is the timeframe set by UK GDPR. There is no charge for exercising your rights in normal circumstances.

Children

This Website is not directed at children, and I do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data through this site, please contact me and I will take steps to delete it.

Changes to this policy

I may update this privacy policy from time to time. The date at the top of this page reflects when it was last revised. Significant changes will be communicated directly where appropriate, for example by email to newsletter subscribers.

Complaints

If you are not satisfied with how I have handled your data or responded to a request, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. I would encourage you to contact me first so I have an opportunity to put things right.

Contact

For any questions about this policy or how I handle your data: dave@drdaveheath.com / drdaveheath.com