Privacy policy.
Last updated: 07 March 2026
GrowBright HR (“we”, “us”, “our”) is operated by Sofie Howard, sole trader. We are committed to protecting your personal data and being transparent about how we use it.
This Privacy Policy explains how we collect, use, share, and protect your personal information when you interact with us — including as a client, website visitor, candidate, or supplier.
Data Controller:
Sofie Howard, trading as GrowBright HR
Email: hello@growbrighthr.co.uk
Business Location: Pontypridd, South Wales, UK
ICO Registration:
UK‑only business — no EU representative required.
1) What data we collect
We may collect and process:
Identity & Contact Data
Name, email address, phone number, job title, employer, postal address.
HR & Professional Data
CVs, job applications, work history, qualifications, interview notes, employee relations information (where working with clients), HR documentation.
Special Category Data
Only where strictly necessary and lawful (e.g., health data for reasonable adjustments).
Financial & Transaction Data
Invoices, payments, receipts, bank details (for suppliers/contractors).
Website & Technical Data
IP address, browser type, device information, and analytics cookies. UK guidance states websites using cookies must inform users and obtain consent where cookies are not strictly necessary.
Marketing Preferences
Email preferences and opt-ins.
2) How we collect your data
Directly from you via email, forms, or consultation
From clients (as part of HR services)
From candidates applying for roles
From public sources (e.g., LinkedIn)
Automatically through website cookies and analytics
3) How we use your data (purposes & lawful bases)
We use your data to:
Deliver HR services (legitimate interests/contract)
Providing HR consultancy, employee relations support, document creation, and training.
Recruitment activities (contract/legitimate interests)
Handling job applications, shortlisting, screening, and sharing profiles with clients.
Communications (legitimate interests)
Responding to enquiries, providing updates about services.
Marketing (consent or legitimate interests)
Sending optional newsletters or insights.
Compliance (legal obligation)
Financial record keeping, ICO compliance, tax obligations.
Website operation (legitimate interests/consent)
Using cookies to operate and improve our website; consent required for non-essential cookies.
4) When we act as a processor
Where a client engages GrowBright HR to process employee/candidate data on their behalf, the client is the data controller and we act as their processor, following their instructions.
5) Sharing your data
We may share your data with:
Clients (where relevant to services/candidate submissions)
IT and cloud service providers
Email/CRM systems
Accountants, legal advisers
Regulators where required
Website hosting and analytics tools (as applicable)
All providers are required to meet appropriate security standards.
6) International transfers
If any provider stores data outside the UK, we ensure appropriate safeguards, such as Standard Contractual Clauses (SCCs).
7) Data retention
Client records: 6–7 years (legal requirement for HMRC purposes)
Candidate data: 12 months unless consented to remain on file longer
Financial records: 6 years
Marketing data: until you unsubscribe
Cookie data: per cookie expiry (see Cookie Policy)
8) Your rights
You can request to:
Access your data
Correct inaccurate data
Request erasure (where applicable)
Restrict processing
Object to processing
Withdraw consent
Make a complaint to the ICO
You can contact the ICO at www.ico.org.uk. A privacy notice is legally required when processing personal data.
9) Security
We apply reasonable technical and organisational measures, including:
Password protections
Secure cloud storage
Limited access controls
Multi-factor authentication
10) Changes to this policy
We may update this Privacy Policy occasionally. The latest version will always be available on our website.
11) Contact
If you have any questions:
Email: hello@growbrighthr.co.uk