DATA & PRIVACY
Privacy Notice
How we collect, use, and protect your personal data, and your rights under UK GDPR.
This Privacy Notice explains how Aice Limited, trading as GoZtartUp, handles your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We have written it in plain language. If anything is unclear, email us at info@goztartup.com and we will explain.
1. Who we are
GoZtartUp is the trading name of Aice Limited, a company registered in England and Wales (Company No. 14726496), with its registered office at 335 Manchester Road East, Little Hulton, Manchester M38 9AR. We are a done-for-you business launch consultancy that helps healthcare and childcare professionals in the UK move from employment to owning a regulator-ready business. We build and submit CQC or Ofsted applications within a structured 16-week delivery window.
For the purposes of UK data protection law, Aice Limited is the data controller of your personal data. This means we decide how and why your personal data is processed.
- Data Controller: Aice Limited trading as GoZtartUp
- Company Number: 14726496
- Registered Office: 335 Manchester Road East, Little Hulton, Manchester M38 9AR
- Data Protection Lead: Akinlolu Adeojo (Sole Director / Data Protection Lead)
- Contact Email: info@goztartup.com
- ICO Registration: 808634
We have not appointed a statutory Data Protection Officer, as we are not required to under UK GDPR Article 37. The Director acts as our internal Data Protection Lead. Direct any data protection queries to info@goztartup.com.
2. What this notice covers
This Privacy Notice explains how we collect, use, store, share, and protect your personal data when you:
- Visit our website.
- Make an enquiry, book a discovery call, or join our online community.
- Enter into a Service Agreement with us for our regulated care or childcare business launch service.
- Provide us with personal documents (identification, proof of address, DBS information, qualifications) as part of your regulatory application.
- Make payments through our payment providers (Stripe, Klarna, or direct debit).
- Receive marketing communications from us.
- Interact with our Partnership Programme as a referral source or prospect.
This notice is provided under UK GDPR Articles 13 and 14, which require us to give you clear information about how we process your personal data.
We have written this notice in plain language so you can understand what we do with your personal data. If anything is unclear, please contact us at info@goztartup.com and we will be happy to explain.
3. What personal data we collect
The personal data we collect depends on how you interact with us. The table below sets out the categories of personal data we may collect.
| Category | Examples | When we collect it |
|---|---|---|
| Identity data | Full name, date of birth, nationality, copies of your passport or driving licence, photograph. | When you sign up for our service or book a discovery call. |
| Contact data | Postal address, email address, telephone number, messaging number. | When you enquire, sign up, or communicate with us. |
| Professional data | Qualifications, employment history, professional registrations (for example NMC, HCPC), training records. | During onboarding for your regulatory application. |
| Financial data | Payment card details (processed by Stripe/Klarna, we do not see or store your full card number), bank details (for refunds), instalment payment records. | When you make a payment or set up an instalment plan. |
| Application data | Business model details, premises information, staffing plans, governance documents, policies and procedures, all content created for or included in your CQC or Ofsted application. | Throughout the 16-week delivery process. |
| DBS data | DBS certificate reference number, type of check (Basic/Standard/Enhanced), outcome summary. We do not retain your full DBS certificate. | When you provide DBS information for your regulatory application. |
| Health data (limited) | Only where you voluntarily disclose health information relevant to your fitness as a registered manager. We do not routinely request health data. | Only if you choose to disclose it during the application process. |
| Marketing data | Your name, email address or phone number, how you heard about us, your consent preferences, communication history. | When you engage with our content, complete a form, or provide your details. |
| Technical data | IP address, browser type and version, device type, pages visited, time spent on pages, referring URL. | Automatically when you visit our website (subject to your cookie preferences). |
We only collect the personal data necessary for the purpose for which it is collected. We do not collect personal data “just in case” it might be useful later.
4. How we collect your personal data
We collect your personal data through the following methods.
Directly from you
When you complete our onboarding questionnaire or provide documents for your application; when you book a discovery or eligibility call; when you sign a Service Agreement; when you communicate with us by email, phone, or messaging; when you make a payment via Stripe, Klarna, or direct debit; when you join our online community or engage with our social media content.
Automatically from your devices
When you visit our website, we may collect technical data using cookies and similar technologies (subject to your consent for non-essential cookies). See Section 14.
From third parties
Referral partners in our Partnership Programme may provide us with your name and contact details (with your knowledge) so we can contact you about our services. Where your contact details are obtained from publicly available professional directories, we will tell you how we obtained them when we first contact you.
Where we obtain your personal data from a source other than you, we will tell you within a reasonable period and no later than one month, or at the point of first communication, whichever is earlier (UK GDPR Article 14).
5. Why we process your personal data and our lawful bases
We only process your personal data where we have a lawful reason to do so. UK GDPR Article 6 sets out six lawful bases. The table below explains what we use your data for, and which lawful basis applies. You have different rights depending on which lawful basis we rely on.
| What we use your data for | Lawful basis | More detail |
|---|---|---|
| Delivering the 16-week build-and-submit service | Contract (Art.6(1)(b)) | Processing is necessary to perform the Service Agreement you have entered into with us. |
| Collecting your identity documents and onboarding information | Contract (Art.6(1)(b)) | We need this to prepare your regulatory application. |
| Preparing and submitting your CQC or Ofsted application | Contract (Art.6(1)(b)) | This is the core service we are contracted to provide. |
| Processing your DBS information | Contract (Art.6(1)(b)) + DPA 2018 Sch.1 Pt.1 Para.1 | Necessary for your application. DBS data has extra legal protection, see Section 6. |
| Taking your payments and managing instalment plans | Contract (Art.6(1)(b)) | Necessary to collect fees under your Service Agreement. Payments are processed by Stripe and Klarna, see Section 8. |
| Providing post-registration launch support | Contract (Art.6(1)(b)) | Included in your Service Agreement for 4 to 8 weeks after registration. |
| Handling complaints and resolving disputes | Legitimate interests (Art.6(1)(f)) | Our interest: investigating and resolving complaints fairly. Your interest: having your complaint properly addressed. |
| Defending or pursuing legal claims | Legitimate interests (Art.6(1)(f)) | Our interest: establishing, exercising, or defending legal claims, including professional indemnity insurance notifications. |
| Sending you marketing communications | Consent (Art.6(1)(a)) or legitimate interests with soft opt-in | For new prospects we rely on your consent. For existing clients we may rely on the PECR soft opt-in to market similar services, provided you had a clear opportunity to opt out. See Section 13. |
| Website analytics and improving our website | Consent (Art.6(1)(a)) for non-essential cookies | Non-essential cookies are only placed with your prior consent. Essential cookies do not require consent. See Section 14. |
| Keeping financial and accounting records | Legal obligation (Art.6(1)(c)) | Required under the Companies Act 2006 (ss.386 to 389) and for HMRC tax purposes. |
| Reporting to the ICO if a data breach occurs | Legal obligation (Art.6(1)(c)) | We are legally required to report certain personal data breaches to the ICO under UK GDPR Article 33. |
Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. We have documented these assessments. You have the right to object to processing based on legitimate interests at any time, see Section 11.
6. Special category and criminal offence data
Some types of personal data have extra legal protection because they are more sensitive. These include health information and criminal record data (such as DBS checks).
6.1 DBS (criminal record) data
If you are applying for CQC or Ofsted registration, you may need to provide DBS check information. We process this under Article 6(1)(b) (contract performance) and the additional condition in DPA 2018, Schedule 1, Part 1, Paragraph 1 (processing necessary for employment, health, and social care purposes).
We only record the DBS certificate reference number, the type of check, and the outcome summary. We do not retain your full DBS certificate. Once your regulatory application has been submitted, any copy of your DBS certificate in our possession is securely destroyed within six months, in line with the DBS Code of Practice.
6.2 Health data
We do not routinely collect health data. You may voluntarily disclose health information relevant to your fitness as a registered manager (for example, if the regulator requires a health declaration). Where you do, we process it under Article 9(2)(b) (employment and social protection obligations) combined with DPA 2018, Schedule 1, Part 1, Paragraph 1. We use this data only for your regulatory application and will not share it with anyone other than the regulator, unless required by law.
6.3 Consequences of not providing your data
You are not legally required to provide us with personal data. However, if you choose not to provide certain information (for example, your identity documents, DBS information, or qualifications), we may not be able to deliver our service or submit your regulatory application. We will always explain what information is essential and why before you provide it.
7. Who we share your personal data with
We do not sell your personal data to anyone. We only share your data where necessary to deliver our service, comply with the law, or protect our legitimate interests.
| Recipient | Why we share | Their role |
|---|---|---|
| CQC or Ofsted | To submit your regulatory application on your behalf. | Independent controller, they have their own privacy policies. |
| Companies House | Where we assist with company formation, director/PSC details are filed as required by law. | Public register (legal requirement). |
| Stripe | To process your card payments securely. | Processor under Art.28. PCI-DSS compliant. |
| Klarna | To process instalment payments where you choose this option. | Independent controller for creditworthiness assessment; processor for payment execution. |
| Our CRM provider | To manage your client record, communications, and delivery milestones. | Processor under Art.28. |
| Our booking provider | To manage your discovery/eligibility call booking. | Processor under Art.28. |
| Email / hosting provider | To send and receive email communications. | Processor (hosting provider). |
| Our automation provider | To send automated notifications and follow-ups. | Processor under Art.28. |
| Our web host | To host our website and process form submissions. | Processor under Art.28. |
| External accountant | To maintain our accounts and tax records. | Processor under Art.28. |
| Professional indemnity insurer | To notify circumstances or claims under our PII policy. | Independent controller for claims. |
| HMRC | To comply with tax obligations. | Public authority (independent controller). |
| ICO | To report personal data breaches where required. | Supervisory authority. |
Where we use processors (organisations that process your data on our behalf), we have written data processing agreements in place that require them to process your data only on our instructions, keep it confidential, and implement appropriate security measures, as required by UK GDPR Article 28.
8. Payment providers and instalment plans
We offer several payment methods. It is important you understand how your payment data is handled by each provider.
Stripe (card payments)
When you pay by card, your payment is processed by Stripe. We pass Stripe your name, email address, and transaction amount. Your card details are entered directly into Stripe’s PCI-DSS compliant environment. We do not see, store, or have access to your full card number. Stripe is certified under the EU-US Data Privacy Framework (including the UK extension) and uses the UK International Data Transfer Addendum for transfers outside the UK.
Klarna (instalment payments)
If you pay in instalments through Klarna, we pass Klarna your name, email address, and transaction amount. Klarna independently assesses your eligibility for the instalment plan. For this creditworthiness assessment, Klarna acts as an independent data controller with its own lawful basis and privacy policy. We do not receive the results of Klarna’s credit assessment and we do not see your full financial details.
Direct debit
Where you pay by direct debit, your bank details are processed by our direct debit provider. We retain a record of the mandate reference and payment schedule but do not store your full bank account details.
We do not assess your creditworthiness. We do not recommend or advise on financial products. We do not store your payment card details. We are not authorised or regulated by the Financial Conduct Authority. Instalment payment plans are provided entirely by our third-party payment partners, subject to their own terms and eligibility criteria.
9. International transfers
Your personal data is primarily stored and processed in the United Kingdom. However, some of our technology providers may store or process data outside the UK (for example, Stripe processes data in the United States).
Where your data is transferred outside the UK, we ensure that: the destination country benefits from a UK adequacy decision; or the transfer is covered by appropriate safeguards such as Standard Contractual Clauses or the UK International Data Transfer Agreement; or the recipient participates in the EU-US Data Privacy Framework (as extended to the UK).
We carry out transfer risk assessments for each international transfer. The EU renewed the UK’s adequacy status through to December 2031, confirming that data flows between the EU and UK remain protected. You can contact us at info@goztartup.com for further details about the safeguards in place for any specific transfer.
10. How long we keep your personal data
We keep your personal data only for as long as we need it, or as required by law. We do not keep data indefinitely.
| Data category | Retention period | Reason |
|---|---|---|
| Client files (active engagement) | Duration of engagement + 6 years | Limitation Act 1980 (6-year period for contract and tort claims); professional indemnity insurance run-off obligations. |
| Completed client files | 6 years from date of completion | Limitation Act 1980; PII run-off; defence of legal claims. |
| DBS reference records | Destroyed within 6 months of application submission | DBS Code of Practice; data minimisation. Full certificates are never retained. |
| Marketing / prospect data | 24 months from last engagement, or until you withdraw consent | If you do not engage with us for 24 months, we delete your marketing data. You can opt out at any time. |
| Financial and accounting records | 6 years from end of the relevant financial year | Companies Act 2006 ss.386 to 389; HMRC requirements. |
| Website analytics data | Up to 26 months | Aligned with analytics provider settings. You can clear cookies at any time. |
| Complaints and dispute records | 6 years from date of resolution | Defence of legal claims under the Limitation Act 1980. |
When the retention period expires, we securely delete or anonymise your personal data. Electronic data is permanently erased. Physical documents are cross-cut shredded.
11. Your rights under UK GDPR
You have the following rights over your personal data. These rights are not absolute, there are situations where we may lawfully decline a request (for example, if we need to keep data to comply with a legal obligation or to defend a legal claim). Where we decline, we will explain why.
| Your right | What it means | How it applies |
|---|---|---|
| Right to be informed | You have the right to know how we use your data. | This Privacy Notice fulfils this right. |
| Right of access (DSAR) | You can ask for a copy of all the personal data we hold about you. | We respond within 1 calendar month. Free of charge. |
| Right to rectification | You can ask us to correct inaccurate or incomplete data. | Contact us and we will correct your records without delay. |
| Right to erasure | You can ask us to delete your data in certain circumstances. | We may not be able to erase data needed for legal claims or statutory records. |
| Right to restrict processing | You can ask us to temporarily stop processing your data. | For example, while we verify accuracy of your data. |
| Right to data portability | You can ask for your data in a portable format. | Applies where processing is based on consent or contract and carried out by automated means. |
| Right to object | You can object to processing based on legitimate interests. | We will stop unless we have compelling grounds. You can always object to direct marketing, and we will stop immediately. |
| Right to withdraw consent | Where we rely on consent, you can withdraw it at any time. | Withdrawal does not affect the lawfulness of processing before withdrawal. |
12. How to exercise your rights
You can exercise any of your rights by contacting us. You do not need to fill in a special form. Your request can be made by email, letter, or verbally.
- Email: info@goztartup.com
- Post: Aice Limited, 335 Manchester Road East, Little Hulton, Manchester M38 9AR
- Suggested subject line: Data Protection Request, [Your Name]
We may need to verify your identity before responding, which protects your data from being disclosed to someone else. We will respond within one calendar month. If your request is complex, we may extend this by up to two further months, but we will tell you within the first month. There is no charge for exercising your data rights.
13. Marketing communications and your choices
We may send you information about our services, including educational content about regulatory compliance and business ownership. We only send marketing where we have a lawful basis.
When we need your consent
Under the Privacy and Electronic Communications Regulations 2003 (PECR), we need your consent to send you electronic marketing (email, SMS, messaging) unless the soft opt-in exception applies. We will always clearly ask for your consent before adding you to our marketing list, tell you what you will receive, make it as easy to unsubscribe as to subscribe, and never use pre-ticked boxes.
The soft opt-in (existing clients)
If you are an existing client and we obtained your email address while providing our service, we may use the PECR soft opt-in to send you marketing about similar services. This only applies where we obtained your details in the context of a sale, we are marketing our own similar services, and we gave you a clear opportunity to opt out when we collected your details and in every message.
How to opt out
Click the unsubscribe link in any marketing email; reply “STOP” to any marketing message; or email info@goztartup.com with the subject line “Opt Out”. We will process your opt-out without delay. Opting out of marketing will not affect service-related communications needed to deliver your contracted service.
14. Cookies and website tracking
Our website uses cookies and similar technologies. Cookies are small text files placed on your device when you visit a website.
| Cookie type | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Essential for the website to function (for example, session management, security). | No, exempt under PECR Reg.6. |
| Analytics | Help us understand how visitors use our website (pages visited, traffic sources). | Yes, consent via cookie banner. |
| Marketing / advertising | Track visitors across websites to display relevant advertisements. | Yes, only placed with your prior consent. |
You can change your cookie preferences at any time through our cookie banner or by adjusting your browser settings. Refusing non-essential cookies will not prevent you from using our website. For full detail, see our Cookie & Tracking Policy.
15. Automated decision-making
UK GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects.
GoZtartUp does not use automated decision-making or profiling that produces legal or significant effects on you. All material decisions about your application, service delivery, and account are made by our team with human oversight. We do not use algorithms to determine your eligibility, pricing, or service outcomes.
16. Data security
We have implemented appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or damage. Our measures include role-based access controls, multi-factor authentication on critical systems, encryption in transit (HTTPS/TLS), full-disk encryption on devices, up-to-date anti-malware and operating systems, password management with minimum 12-character passwords, and secure disposal of data when retention periods expire. We do not input client personal data into AI tools unless the tool is approved and a data processing agreement is in place.
While we take all reasonable steps, no method of transmission or storage is completely secure. If you become aware of any security concern, please contact us immediately at info@goztartup.com.
17. Children’s data
Our services are designed for adults who are healthcare and childcare professionals. We do not knowingly collect or process personal data from children (individuals under the age of 18). If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly and securely.
18. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Where we make material changes, we will update the date on this notice, notify you directly (for example, by email) if the change significantly affects how we use your data, and publish the updated notice on our website. This notice was last updated in March 2026.
19. Limitation of liability
This Privacy Notice is provided for transparency and to meet our obligations under UK GDPR Articles 13 and 14. It does not create contractual rights beyond those in your Service Agreement.
- Our aggregate liability to any client for all claims (including data protection claims) arising from a Service Agreement shall not exceed the total fees paid or payable under that agreement.
- We exclude liability for indirect, consequential, and special losses, including loss of profits, revenue, or business opportunity, to the maximum extent permitted by law.
- Nothing in this notice or your Service Agreement limits or excludes liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be excluded by law.
- Under UK GDPR Article 82, you have the right to claim compensation for material or non-material damage caused by a breach of UK GDPR. This statutory right cannot be excluded by contract.
20. Governing law
This Privacy Notice, and any dispute or claim arising from or in connection with it, is governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction. Your data protection rights under UK GDPR are not affected by this clause. You always have the right to lodge a complaint with the ICO.
21. How to contact us
If you have any questions about this Privacy Notice or how we handle your personal data:
- Data Controller: Aice Limited trading as GoZtartUp
- Data Protection Lead: Akinlolu Adeojo
- Email: info@goztartup.com
- Post: 335 Manchester Road East, Little Hulton, Manchester M38 9AR
22. How to complain
If you are unhappy with how we have handled your personal data, we encourage you to contact us first so we can try to resolve the issue directly. You also have the right to complain to the Information Commissioner’s Office (ICO) at any time.
- ICO website: ico.org.uk
- ICO helpline: 0303 123 1113
- ICO address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
You may also have the right to seek a judicial remedy through the courts if you believe your data protection rights have been infringed.
Last updated: March 2026. Questions about this notice? Contact us at info@goztartup.com.
