Privacy Policy
Effective date: 1 June 2026 | Last reviewed: 1 June 2026
1. Introduction
Penguin & Elephant Consulting (“we”, “us”, or “our”) is an HR consulting business operated by Theresa Siek. We are committed to protecting your personal data and to being transparent about how we collect, use, and store it.
This Privacy Policy applies to personal data we collect through our website (www.penguinelephantconsulting.com), when you book or use our services, attend our events, or otherwise interact with us. It is designed to comply with:
- the EU General Data Protection Regulation (GDPR);
- the UK General Data Protection Regulation and Data Protection Act 2018 (UK GDPR);
- the Swiss Federal Act on Data Protection as revised in 2023 (nDSG / revDSG);
- applicable US state privacy laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) where relevant.
Please read this policy carefully. If you have questions, contact us at: theresa@penguinelephantconsulting.com.
2. Who We Are (Data Controller)
For the purposes of EU/UK GDPR and Swiss nDSG, the data controller is:
Business name: Penguin & Elephant Consulting, LLC
Operated by: Theresa Siek
Email: theresa@penguinelephantconsulting.com
Telephone: +44 7401 222681
We do not currently have a legal obligation to appoint a Data Protection Officer (DPO), but you may direct any privacy-related enquiries to the contact above.
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Data you provide directly
- Identity data: full name, job title, company name.
- Contact data: email address, telephone number, postal address.
- Booking and enquiry data: service requirements, scheduling preferences, messages you send us.
- Payment data: invoicing details (we do not store full payment card numbers; payments are processed by authorised third-party processors).
- Professional data: HR-related information you share in the course of a consulting engagement, which may include employment records or workforce data.
3.2 Data collected automatically
- Technical data: IP address, browser type and version, device type, time zone, operating system.
- Usage data: pages visited, links clicked, referral source, session duration.
- Cookie data: see Section 9 (Cookies) below.
3.3 Data received from third parties
- Calendly: scheduling and appointment data when you book a call.
- Wix: website analytics and form submission data hosted on the Wix platform.
- Referrals: contact details shared by clients or partners who refer you to us.
4. Lawful Basis for Processing (EU/UK GDPR & Swiss nDSG)
We only process your personal data where we have a valid lawful basis. The bases we rely on are:
- Contract performance: to provide consulting services you have engaged us for, and to manage bookings and billing.
- Legitimate interests: to operate and improve our website, respond to enquiries, conduct marketing to business contacts, and protect our business — provided these interests are not overridden by your rights.
- Legal obligation: to comply with applicable laws (e.g. tax, employment, or accounting regulations).
- Consent: where we rely on consent (e.g. for certain marketing emails or non-essential cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
Under Swiss nDSG, processing must be proportionate and conducted in good faith. We apply the same standards as GDPR where processing involves cross-border data transfers to or from Switzerland.
5. How We Use Your Personal Data
We use personal data for the following purposes:
- Providing and managing HR consulting services.
- Communicating with you about bookings, proposals, and project work.
- Sending service-related notifications and invoices.
- Sending marketing communications (where you have opted in, or where we have a legitimate interest in doing so for B2B contacts).
- Organising and administering events.
- Improving our website and understanding how visitors use it.
- Complying with legal and regulatory obligations.
- Defending or pursuing legal claims if necessary.
We will not use your personal data for automated decision-making that produces legal or similarly significant effects without your knowledge and an opportunity to object.
6. Sharing Your Personal Data
We do not sell your personal data. We may share it with:
- Service providers acting as data processors on our behalf (e.g. Wix for website hosting, Calendly for scheduling, accounting software, email providers) — who are bound by data processing agreements.
- Professional advisers including lawyers, accountants, and insurers, under duties of confidentiality.
- Regulatory authorities, law enforcement, or courts where required by law or to protect our legal rights.
- Potential buyers or investors in the event of a business sale or restructure, subject to confidentiality obligations.
We do not share your personal data with third parties for their own marketing purposes.
7. International Data Transfers
Our services involve clients and operations in the EU/EEA, United Kingdom, Switzerland, and the United States. Where personal data is transferred across borders, we ensure appropriate safeguards are in place:
- EU to UK / UK to EU: we rely on adequacy decisions or Standard Contractual Clauses (SCCs) as applicable.
- EU/UK to Switzerland: Switzerland has adequacy status under EU GDPR; UK SCCs apply for UK-to-Switzerland transfers where required.
- EU/UK/CH to United States: we use EU Standard Contractual Clauses (SCCs) or, where applicable, rely on the EU-US Data Privacy Framework (DPF) for transfers involving certified US entities.
You may request a copy of the safeguards we rely on by contacting us at: theresa@penguinelephantconsulting.com.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our general retention periods are:
- Client engagement records: 7 years after the end of an engagement (for tax and legal compliance).
- Enquiry and contact data (non-clients): up to 2 years from last contact.
- Event attendee data: up to 1 year after the event, unless you become a client.
- Website analytics data: in line with our cookie and analytics provider settings (typically 13–26 months).
- Marketing contact lists: until you unsubscribe or object, or 3 years of inactivity, whichever is sooner.
When data is no longer required, it is securely deleted or anonymised.
9. Cookies
Our website uses cookies and similar technologies. Cookies are small text files placed on your device that help the website function, analyse usage, and (where applicable) deliver relevant content.
9.1 Types of cookies we use
- Strictly necessary: required for the website to function (e.g. session management). These do not require consent.
- Analytics / performance: help us understand how visitors use the site (e.g. Wix Analytics). These require your consent in the EU/UK and Switzerland.
- Functional: remember your preferences to improve your experience.
- Third-party: set by Calendly or other embedded tools when you interact with them.
9.2 Managing cookies
You can manage or withdraw consent for non-essential cookies at any time via the cookie banner on our website, or by adjusting your browser settings. Note that disabling certain cookies may affect the functionality of the site.
10. Your Rights
Depending on your jurisdiction, you have the following rights in relation to your personal data:
10.1 Rights under EU/UK GDPR and Swiss nDSG
- Right of access: to obtain a copy of the personal data we hold about you.
- Right to rectification: to have inaccurate data corrected.
- Right to erasure (‘right to be forgotten’): to request deletion of your data, subject to legal retention requirements.
- Right to restriction: to limit how we process your data in certain circumstances.
- Right to data portability: to receive your data in a structured, machine-readable format.
- Right to object: to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: to not be subject to solely automated decisions with significant effects.
- Right to withdraw consent: at any time, without affecting prior processing.
To exercise any of these rights, contact us at theresa@penguinelephantconsulting.com. We will respond within one month (extendable to three months for complex requests). We may need to verify your identity.
10.2 California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, or sell.
- Delete personal information we hold about you (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell personal information.
- Non-discrimination for exercising your rights.
To submit a CCPA request, contact us at theresa@penguinelephantconsulting.com. We will respond within 45 days.
10.3 Swiss residents
Under the nDSG, you have the right to information, rectification, erasure, and restriction of processing. You also have the right to object to processing and to data portability for data processed by automated means. Contact us or the Federal Data Protection and Information Commissioner (FDPIC) if you have concerns.
11. How to Complain
If you have concerns about how we handle your personal data, please contact us first at theresa@penguinelephantconsulting.com. We take all complaints seriously and will work to resolve them promptly.
You also have the right to lodge a complaint with the relevant supervisory authority:
- EU: the data protection authority in your EU member state of residence.
- UK: the Information Commissioner’s Office (ICO) — ico.org.uk.
- Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.
- US: the Federal Trade Commission (FTC) or your state attorney general, as applicable.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Secure, password-protected access to systems containing personal data.
- Use of reputable, GDPR-compliant service providers with their own security certifications.
- Limiting access to personal data to those who need it to perform their role.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
13. Children’s Privacy
Our services are directed at businesses and business professionals. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it promptly.
14. Third-Party Links
Our website may contain links to third-party websites (including Calendly and LinkedIn). We are not responsible for the privacy practices of those sites and encourage you to review their policies separately.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will update the “Last reviewed” date at the top of this document. For material changes, we will take reasonable steps to notify you (e.g. by email or a notice on our website).
We encourage you to review this policy periodically.
16. Contact Us
For any questions, requests, or complaints relating to this Privacy Policy or how we handle your personal data, please contact:
Name: Theresa Siek
Business: Penguin & Elephant Consulting
Email: theresa@penguinelephantconsulting.com
Phone: +44 7401 222681
We aim to respond to all privacy-related queries within 5 business days.