How we take care of your data

We control some personal data, but mostly we process data on behalf of our customers.

Our ICO Registration number is Z5416763.

Out of the Hat Ltd is registered in England, company number 4041890.
You can find our company registration details here.

Please visit the 'Contact Us' page for contact details.


Out of the Hat Ltd provides most of our services to businesses, schools and other organisations: they are responsible for controlling their data, and we process it on their behalf.  This is most of the personal data we hold. In a few cases we provide services to private individuals or Sole Traders, and in these cases we are the controller of the data we hold about you.

By accessing our services you establish a contract with us, which entitles us to process your data for the purposes of fulfilling the contract.

To see our other contractual terms, please refer to our Terms and Conditions.

Your Rights

Your rights can be summarised as follows:

  • The right to be informed - this page informs you of the data we collect and how we use it
  • The right of access - you may request a copy of the personal data we hold about you
  • The right of rectification - you can correct your data through the online services we provide you, or you may ask us to do it for you
  • The right to erasure - you can ask us to remove your data - please see below for details.
  • The right to restrict processing - you can ask us to keep your data but not use it
  • The right to data portability - you can ask us to provide your personal data in a form that can be readily used by other organisations
  • The right to object - you may object to your data being processed for official use, direct marketing or research/statistical analysis.
  • Rights in relation to automated decision making and profiling - we do not use these processes

For more information about each of these rights, please consult the Information Commissioner's website.

If you wish to exercise any of these rights or have any doubts about how to do so in respect of the data we hold about you, please use the 'About my data' option on the 'Contact Us' page.

You may withdraw your consent for us to hold your data at any time.  This may result in us no longer being able to fulfil our obligations under our contract, so some services may become unavailable to you.  We may refuse to delete data only under circumstances allowed in legislation (e.g. the data is required to fulfil other legal obligations such as accounting records).

Please read the details below for further information.

If you have any complaint about our handling of your data, please raise it with us using the 'About my data' option on the 'Contact Us' page.  If you remain unsatisfied with our handling of your issue, you have the right to raise the matter with the Information Commissioner.

Reporting a Data Breach

If you suspect that our company has suffered a data breach, please contact us as soon as possible using the 'Contact Us' page.

Website and Email Services

We provide internet services as our customers' Data Processor, including domain name registration, website hosting and email services.

When providing website services we use WordPress and provide you with Administrator access to your site.  You are able to inspect, add, edit and delete client data via this access.  We sometimes use third-party plugins and services to provide functionality on your site: where these are in use we will inform you of the personal data that is collected, how it is used, and how it can be maintained or deleted.

Our hosting service provides SSL certificates, regular backups, a firewall, and login/brute-force attack protection.  We also recommend that you use two-factor authentication for all Administrator logins and ensure that all themes and plugins remain up-to-date.  We can manage this on your behalf if you ask us to.

We sometimes provide email boxes as part of our hosting services.  We help you connect your mail programs to the mailboxes, and you can manage all of the data contained in them.  Our administrative access is carefully controlled internally.  We can delete mailboxes on request.

Technical elements of the service (provision of domain name registration, hosting and email services) are contracted to third party suppliers, whose operations are based in the UK and who have contractual commitments to us on Data Protection.

Microsoft 365 Services

As a Microsoft Partner we sometimes provide Microsoft 365 Services to our customers as Data Processor.  In order to provide the service we use Microsoft who are GDPR compliant (details here).  As part of the registration service you accept Microsoft's terms of service which establish a contract between you and Microsoft, and include Microsoft's contractual obligations to you as a Data Processor.  You have administrative access to your 365 account and can manage all data therein.

When requested, we sometimes have administrative access to your 365 account.  This access is restricted within our organisation, and we undertake to use this access only for the purposes of administering your Microsoft 365 Services in accordance with your instructions.

We make use of Microsoft's content delivery network to provide you with information on this website about the services we offer.  Microsoft or their partners may collect usage data for the purposes of online advertising and may monitor website activity, including use of cookies, web beacons, and other technologies to compile and use anonymous statistics about you and your interaction with this content.  Standard Microsoft 365 terms state that Microsoft retain ownership of all data and information collected or obtained by them from users through your use of the information they deliver to our website.

Training Services

We provide a variety of training services, both online and onsite.

Onsite training courses are delivered business-to-business, and delegates' details are collected for purposes of course administration and support.  We communicate by email with delegates both before and after the course, and retain your details in order to provide support services related to the course.  We use this data only for the purpose described, and delete you from our contact database when requested to do so.  We may retain emails as evidence of support work undertaken, to form part of our knowledge base.

Where private individuals and Sole Traders purchase our training courses we are the Data Controller.  We manage your data via our website: please see 'About Our Website' below for details of how your data is managed.

We sometimes provide training services on subcontract from third parties.  In this case we receive information about delegates' names and business contact details.  These are destroyed after each training course.

About Our Website

Our own website is hosted in the UK.  Where we subcontract this service, we ensure contractual commitments to appropriate data protection measures.

We use cookies on our website (small data packets that are stored in your browser) to enhance your experience on our site, for example when you log in.  You can change your browser settings to prevent cookies being downloaded, but this may affect your usage of some of our services.

When someone visits we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.  Find out about Google's Data Protection policies here.

We sometimes show you embedded media - this can be a YouTube or Vimeo video, Facebook, Twitter or Google Maps service.  When you view media served from these services, the service collects data about you.  We have provided privacy messages that enable you to choose whether or not to view the media and therefore share your data with the service in question.

We sometimes link to external websites which are not under our control.  We collect anonymised data about the links you follow on our website, using the Google Analytics service mentioned above, and in some cases third-party services CJ Affiliate and Partnerize.  Click the links to read their privacy policies.

The website uses an SSL certificate, server firewall and login/brute-force attack prevention measures.

You can create an account on the website with your name and email address, and are able to view, edit and delete the information we hold about you when logged into that account.  If you have any problems doing so, please contact us via the 'Contact Us' page and we will undertake your requested changes.

In the event that your account is deleted, we may retain your comments, communications and support conversations to inform us and other customers about our service, but these will be attached to an anonymous account.

When you place an order via our website, we retain your billing data (products, name, address, email address and optionally telephone number(s)) for audit purposes in accordance with HMRC requirements.  You receive a website login through which you can manage your account data - you can request deletion of your account at any time.  Ordering is managed through WooCommerce provided by Automattic Inc (GDPR compliance information here), with your order details being retained on our website for order management and audit purposes in accordance with HMRC requirements.  Payment is managed by Stripe Payments Europe Limited (GDPR compliance information here), who retain your credit card details for future orders if you choose to store them.  If you have chosen to allow Stripe to retain your credit card details and wish to have them deleted, please contact us using the 'About my data' option on the 'Contact us' page and we will arrange for the deletion to occur.

Email Communications

When you interact with us via our website, you might receive:

  • Email confirmation of a communication
  • A copy of your enquiry submitted via our contact form
  • Order status emails
  • Subscription reminders

We will retain copies of these communications as business records.  If you wish your communications to be deleted from our records, please use the 'About my data' option on the 'Contact Us' page.

Where we offer the option to be kept informed of news and offers by email (our mailing list), we use the MailChimp service (GDPR compliance information here).  As part of this service your data may be transferred outside the EU under the auspices of MailChimp's EU-US Privacy Shield Certification.  The MailChimp service allows you at any time to edit or remove your details from our mailing list, via links at the bottom of every email sent to you.

Changes to this Privacy Notice

We keep our privacy notice under regular review.  This privacy notice was last updated on 23rd June 2020.

If you wish to adjust the permission settings for embedded media you can do so here: