Privacy Policy
Effective date: 16 April 2026 · Last updated: 16 April 2026
Action required before publishing
As a data controller processing special category (health) data, you are legally required to register with the Information Commissioner's Office (ICO). Annual fee is £40 for micro-organisations. Register at ico.org.uk/registration and insert your registration number in the placeholder below before this policy goes live.
Who We Are
Circadex Performance is operated by Jon Goodbourn, trading as Circadex Performance, 5 Jackson's Row, Manchester M2 5WD, United Kingdom.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Jon Goodbourn is the data controller in respect of any personal data we hold about you.
Email: circadexperformance@gmail.com
Phone: +44 7386 221027
Post: 5 Jackson's Row, Manchester M2 5WD
What Data We Collect and Why
We collect personal data in the following contexts. For each, we identify the data collected, the purpose, and our lawful basis under UK GDPR.
2.1 Website enquiries and contact form
- Data collected: Name, email address, roster type (if provided), message content
- Purpose: To respond to your enquiry and, where applicable, to take steps prior to entering into a contract for services
- Lawful basis: Article 6(1)(b) UK GDPR — necessary for pre-contractual steps at your request; or Article 6(1)(f) — our legitimate interest in responding to business enquiries
2.2 Lead magnet — The 3 AM Protocol
- Data collected: Email address
- Purpose: To deliver the requested resource and to send you information about Circadex Performance, including tips, updates, and service offerings
- Lawful basis: Article 6(1)(a) UK GDPR — your consent, given when you submit your email address
2.3 Coaching clients — general data
- Data collected: Name, contact details, employment and roster information, goals, session notes, progress records
- Purpose: To deliver coaching services and manage the client relationship
- Lawful basis: Article 6(1)(b) UK GDPR — performance of a contract with you
2.4 Coaching clients — health and performance data
- Data collected: Health metrics (including Heart Rate Variability data), health history relevant to your programme, physical performance data, and information about medical conditions or symptoms where voluntarily disclosed
- Purpose: To design and deliver a safe, effective, and personalised protocol tailored to your biology and shift pattern
- Lawful basis: Article 6(1)(b) UK GDPR (performance of contract) and Article 9(2)(a) UK GDPR — your explicit written consent for special category data
Special Category Data
Health information constitutes special category data under Article 9 of the UK GDPR. We will always seek your explicit written consent before recording health data. You may withdraw this consent at any time by contacting us; however, doing so may affect our ability to deliver your programme safely.
2.5 In-person sessions (Tactical Interventions)
For in-person sessions delivered in and around Manchester, we may record session notes including physical findings and any health information voluntarily disclosed during the session. The same lawful bases apply as in sections 2.3 and 2.4 above, depending on the nature of the information recorded.
How We Hold Your Data
Your data is held across the following systems. We have assessed each processor and rely on the transfer mechanisms described in Section 4 for processors based outside the UK.
| System | Data held | Location |
|---|---|---|
| Gmail (Google LLC) | Enquiry emails, client correspondence | US — UK-US Data Bridge |
| Kit.com | Email subscriber list (email address) | US — Standard Contractual Clauses |
| Google Sheets | Client records and administrative data | US — UK-US Data Bridge |
| Google Forms | Intake forms and questionnaire responses | US — UK-US Data Bridge |
| Apple Notes (iCloud) | Client session notes and progress records | US / EU — Apple SCCs / Data Bridge |
| Netlify, Inc. | Website hosting; contact form submissions in transit | US — Standard Contractual Clauses |
| Future Circadex Platform | All of the above, consolidated | TBC — policy will be updated on launch |
We do not use any automated decision-making or profiling systems.
International Data Transfers
Several of our processors are based in the United States. The UK has not issued a blanket adequacy decision for the US; however, we rely on the following lawful transfer mechanisms:
- Google LLC: UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). Google is a certified participant.
- Apple Inc.: UK-US Data Bridge certification and supplementary Standard Contractual Clauses where applicable.
- Kit.com (ConvertKit): Standard Contractual Clauses (SCCs) as approved under Article 46 UK GDPR.
- Netlify, Inc.: Standard Contractual Clauses for data transfers outside the UK.
You may request a copy of the relevant safeguards for any transfer by contacting us at circadexperformance@gmail.com.
How Long We Keep Your Data
| Data type | Retention period | Notes |
|---|---|---|
| Enquiries and contact form submissions | Up to 2 years | Unless an enquiry results in a contract, in which case the data is retained as a client record. |
| Email subscribers | Until you unsubscribe | Suppression records (to prevent re-adding unsubscribed addresses) are retained indefinitely. |
| Coaching client records — general | Duration of programme + 3 years | To support resolution of any queries or disputes and to meet professional record-keeping expectations. |
| Health and special category data | As per client record above | If you withdraw consent for health data processing, we will delete or anonymise that data within 30 days unless retention is required by law. |
| Financial and payment records | 6 years | As required by HMRC. |
Who We Share Your Data With
We do not sell, rent, or trade your personal data to any third party.
We share data only in the following circumstances:
- Service processors (Section 3 above) — as necessary to operate our website and deliver our services. Each processor is bound by a data processing agreement or equivalent contractual safeguard.
- Legal or regulatory authorities — where required to do so by law or in response to a valid legal request from a court or regulatory body.
- BASRaT or FHT — where required for a professional conduct investigation or to demonstrate compliance with our registration obligations.
- Emergency services — in the rare event that information disclosed to us indicates a serious, immediate risk to your health or the health of another person.
Your Rights Under UK GDPR
You have the following rights in relation to the personal data we hold about you. To exercise any of these rights, contact us at circadexperformance@gmail.com. We will respond within one calendar month.
Withdrawing Consent
Where we rely on consent as our lawful basis — for the email subscriber list and for special category health data — you may withdraw that consent at any time:
- Email marketing: click "unsubscribe" in any email, or contact us directly.
- Health data: contact us at circadexperformance@gmail.com. We will confirm receipt and action deletion or anonymisation within 30 days.
Withdrawal of consent does not affect the lawfulness of any processing carried out before withdrawal. Where health data is deleted, this may affect our ability to safely continue delivering your programme.
Under-18s
Our services are primarily directed at adults. Where we work with individuals under the age of 18, we require explicit written consent from a parent or legal guardian before processing that individual's personal data, including for coaching enrolment and any health data.
We do not knowingly collect personal data from individuals under 13 via our website. If you believe we have inadvertently done so, please contact us immediately at circadexperformance@gmail.com and we will delete that data without delay.
Cookies
Our website uses only technically necessary cookies required for the site to function correctly. We do not currently use tracking, analytics, advertising, or third-party cookies.
If we introduce analytics or marketing cookies in the future, we will update this policy and display an appropriate cookie consent mechanism on the website before doing so.
Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:
- Password-protected access to all systems holding personal data
- Two-factor authentication on email and cloud storage accounts where available
- Encrypted connections (HTTPS) for all data transmitted via our website
- Restriction of data access to Jon Goodbourn only, except where processors require access for delivery of services
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
Your Right to Complain
If you have concerns about how we handle your personal data, please contact us first at circadexperformance@gmail.com and we will do our best to resolve the matter.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk · 0303 123 1113
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The current version will always be available at circadexperformance.com/privacy.
Material changes — particularly those affecting how we use your data or your rights — will be communicated to active clients and email subscribers by email before they take effect.