Privacy, data protection and GDPR

We take your privacy seriously at ACM Training. So on this page you'll find a whole heap of stuff concerning our approach to the information about you that we collect, hold and - when asked - delete. There's also guidance on how we store and process your data. You'll see that word process crop up quite a few times below. Put simply it's a technical term for use. We hope this guide is written so that it makes sense to people (ourselves included) who aren't legally trained or experts in initials like GDPR, ICO and 3HZ (I made that last one up)!

What information we collect online

If you're an existing customer we hold your name and email address, the name of your organisation, it's postal address and a telephone number. We may, depending on who pays your invoice, also hold information about your accounts department. You, or the person making the booking for you, gave us these at the time of booking so that we could remind you where and when the course was taking place and send other documentation like invoices, post course material and feedback requests.

Please note ACM Training does NOT collect, process or store any credit card or sensitive financial information about you or your organisation. Transactions are handled by a fully compliant third party, Secure Trading.

If you're a potential customer and you've chosen to join one of our mailing lists, entered your details on our contacts page or filled in other webforms on our site, we collect your name and email address as a minimum. Depending on the form, we also collect your organisation, your position in that organisation and a telephone number plus any other details you choose to add like the course you are interested in.

With both existing and potential customers we log and store certain technical information like the IP address your device uses to connect to the Internet, the time you place a booking or make another action on our site and aggregated demographic information collected on our behalf by Google Analytics.

What information we collect offline

If you phone us we keep a note of your name and number and any other information you volunteer during the call. We offer telephone coaching so for training puposes we occasionally record calls although only with your permission. If we meet you face-to-face at one of our training courses or at an event we may make a note of our meeting which will probably include your name and contact details. We also collect information from others sources including publicy available websites and online searches. And we sparingly use marketing list providers for email, social media, print and other campaigns.

Why we collect this information

In short, we collect and process this information as part of the day-to-day running of our business. We use it to find new clients and manage existing ones. We use it to make sure that if you book a place on one of our workshops you know where it is, when it is and really important details like when it starts and finishes and how to get there. We use it to collect money when it's due and pay money when it's owed. And we keep contact details to enable us to send you marketing information for as long as we have your consent or (if we're relying on legitimate interests) for as long as our legitimate interests allow.

How long we keep the information

In most cases we keep it for up to seven years after which we burn it, shred it or otherwise securely (and environmentally sensitively) destroy it. You have the right, as what's called a Data Subject, to ask us to delete the information we hold on you before this time although, that said, we're obliged, by HMRC for example, to keep certain things like invoices with your organisation's name on for the full period - delete request or not. See more under the heading your rights.

Who we might share this information with

We don't routinely share your personal information with third parties. But there might be reasons where we do or have to. For example, with analytics and search engine providers to optimise our site. Or with customer survey providers to collect feedback to improve what we do. In the event that we sell the business or are taken over we will share your data. And, of course, if we're compelled to do so by law we will disclose information to investigators.

How we keep this information safe and secure

One of the many things that GDPR and other legislation demands of firms trading in the EU is that the data they store is held securely. Unlike a doctor's surgery or a bank, we don't hold any really sensisitve data about you. But we still take security seriously. Databases are secured and protected physically including by CCTV and keycode access as well as digitally by, for example, encryption. On the subject of CCTV it's worth pointing out that we may record images of you if you visit our premises and this information about you is treated in the same way as all the other data sources we've mentioned here.

Your rights, consent versus legitimate interest and how you can access the information we have about you

At any time you can ask to see what information we hold on you, put it right if it's wrong, limit what we do with it and even delete it - fully or partially. If, for example, you're happy for us to keep your details but want to opt out of future marketing offers you can do this by clicking on the update profile link at the bottom of your email or sending an email to

There are a couple of caveats (aren't there always)? If we're processing your data based on your consent - in other words you've given us your explicit permission to use it in a particular way, including for marketing - you can withdraw that consent, no ifs, no buts. But if we're processing your data without your consent based on what, under GDPR, is called a legitimate interest we will only act on your request providing there are no compelling business or legal reasons for that processing. So what is a legitmate interest? Good question. To which, we're afraid, there is no easy answer. Like much of law the concept is open to interpretation and will only become clearer as it's tested in the courts. That said it would clearly be a legitimate interest of a company to issue an invoice to a customer and, as a result, to refuse a delete request from that customer before the invoice has been paid. What is less clear is whether marketing and, in particular, sending an unsolicited email, constitutes a legitimate business interest and, in effect, trumps an individual's right to privacy.

You can exercise these rights by email to by post to FAO DPR, ACM Training, Crosshands, Coreley, Ludlow, Shropshire UK SY8 3AR, or by phoning 07831 354026 and asking for the DPR.


When you visit our website (like you are right now) we collect cookies to make sure what's called the user experience is as smooth as possible. Cookies are small text files and the law allows us to store them on your device only if they're strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies on different pages and you get a chance to choose which ones you're happy to for us to store when you first visit those pages. You can review or change these settings at any time by magically reappearing the cookie preferences pop up.

Mailing lists

Like pretty much all businesses, we operate two basic types of mailing list here at ACM Training. One is for our existing customers and those who ask to join our mailing list via our website, blogs and social media pages. The other is for potential customers.

We mail people on both lists from time to time to try to get even more of their money or to win their business in the first place! But we know you're busy and get heaps of similar emails, so we aim to message you for marketing purposes at the very most once a week and usually only once a month. If you receive an email more often than this let us know and we'll dial back on the frequency. If we ignore your request and you want to leave the list or change your preference we can't say we'd blame you. You can leave our lists by clicking the unsubscribe button at the bottom of our marketing emails or by emailing from the adress you want removed. You can change your preferences by clicking the update profile button, again which appears at the bottom of our marketing emails.

How we got your name?

Good question. If you're an existing client or joined our mailing list you, or somebody on your behalf - for example, your training manager - will have given it to us. Or maybe a friend or colleague forwarded you one of our marketing emails. It happens. And yes, from time to time we carefully identify potential new clients and send them offers. So, for example, we work with a lot of universities and if a professor in Univesity A says "this is the best such and such training course I've ever been on" we believe other staff in other higher education institutions might like to hear from us. Now before you say "gotcha" and reach for the ICO's email address, bear in mind that, under GDPR, companies are still allowed to send unsolicited material. They can do so under what's called the "legitmate interest" dispensation (see above under your rights). A commercial interest is considered legitimate providing it's balanced against the receiver's rights or freedoms. We'd argue that receiving one or two unsolicited emails doesn't infringe those rights or freedoms in any significant way providing it's obvious who the email is from and includes clear and easy instructions on how to stop them.


One person's spam is another person's slightly annoying unsolicited email, is yet another person's legitimate marketing tool. Whatever your view, we certainly don't want to annoy our clients and potential clients. It's not good for business. But nor do we subscribe (pun intended) to the view that all unsolicited email is spam and that it's all bad. We like to be open to the world of possibilities and we think you probably do too. Which means sometimes buying something from somebody you've never heard of before. I'll swear that's how I ended up wearing the very comfortable yet stylish jeans I'm wearing right now! But we quite understand that if you're not the sort of person to buy trousers or training off the Internet then all you have to do is follow the remove request and you won't hear from us. Ever again. Unless you happen to have an alias or aliases pointed to the offending email address. In which case you might, so don't forget to remove those too.

Remove requests

Our remove requests are handled automatically by our third party provider (MailChimp) or by us. In both cases the procedure is, we believe, clear, easy and prominent on all our marketing material. Remove requests are usually processed immediately but in certain circumstances may take up to 48 hours to take effect. If you've received an email from us and the unsubscribe link is broken or not accessible from your browser you can always email from the email address you want removed and we'll make sure it's done for you manually.


If you're cheesed off in some way because you believe we've fallen short of these obligations and aspirations under privacy, data and GDPR then get in touch and we'll do our level best to sort things out. All we ask is that you keep things in proportion and don't resort to getting sweary or violent or both like this correspondent did!

If, ultimately, you're not satisfied with our response and you're in the UK you have the right to complain to the Information Commissioner’s Office (ICO).  The ICO’s contact details are available at


In common with a few, we like to think brave, companies we took the view that we already had proper permission in place from our existing clients to spare them yet another GDPR opt in email. That plus the fact we knew our request would be lost among all the others and we really didn't want to say goodbye for good. But that doesn't mean we don't take our GDPR responsibilities seriously. We do. Which is what all of the preceding paragraphs have been about. But all that said, there are one or two details which we're obliged and happy to include. (We're also happy to offer you discount* off your next booking as a reward for reading this far)! Call this the really small print...

For the purposes of the relevant legislation the designated data controller is Crosshands Limited (registered number 3136393) trading as ACM Training of Crosshands, Coreley, Ludlow, Shropshire SY8 3AR UK. Our Data Protection Representative is Richard Uridge (“DPR”). If you have any queries, complaints or requests please contact our DPR at or on 07831 354026.

Changes to this policy

This page is reviewed and updated regularly to make sure it complies with changes to the relevant laws and current best practice. Please come back and check it periodcally.

* To collect your diligent reader discount - and hurry because the offer is limited to the first five who claim it - simply add the word "diligentowl" (without the quote marks) in the promotional code box on our booking page.

What our clients say:

"An excellent training session, very well run and very engaging. I would go as far as to say probably the best training session I have ever been on."
07831 354026

ACM Training

ACM Training is a trading name of Crosshands Limited. Our registered office is at the above address and our registration number is 03136393.

The small print
   Safety and equality
   Terms and conditions

Free stuff
Special offers
ACM Training blog

Read the ACM blog  LinkedIn

© ACM Training