P R I V A C Y N O T I C E

Exceptional Leadership Technology Ltd (“ELT”)

Version 2.0  |  Last updated: April 2026

About this notice

This privacy notice explains how Exceptional Leadership Technology Ltd (“ELT”, “we”, “us”, or “our”) collects, uses, stores, and protects personal information, and tells you about the rights available to you under UK data protection law, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

ELT is a leadership intelligence company. Depending on the nature of our relationship with you, we may process your personal data in one of two distinct roles:

“Data Controller”: where we determine the purposes and means of processing (for example, when managing our client relationships, communicating with prospects or suppliers, or operating our internal business).

“Data Processor”: where we process personal data on behalf of a client organisation that has engaged us to deliver assessment, coaching, facilitation, leadership development or related services and/or software provision. In that context, the client organisation is the Data Controller and ELT acts on their instructions.

Part A of this notice covers our processing as a Data Controller and sets out your full rights under Art 13 and Art 14 UK GDPR. Part B is a transparency statement about our processing as a Data Processor.

Who we are

  • Organisation: Exceptional Leadership Technology Ltd.

  • Trading name: Exceptional Leadership

  • Email: tzuki@exceptionalleadership.co.uk

  • Data privacy contact: Tzuki Stewart

  • ICO registration: ZB914080

Where this notice refers to “ICO”, this means the Information Commissioner’s Office, which is the UK’s independent supervisory authority for data protection. ELT is registered with the ICO as a Data Controller.

PART A | ELT as Data Controller

The sections below apply when ELT is the Data Controller; where we decide why and how your personal data is processed. This covers our relationships with client contacts, business prospects, supplier contacts, website visitors, and our own employees and contractors.

A1.  Client and prospect relationship management

This covers named contacts at client organisations, prospective clients, and attendees at networking or business events.

What data we collect:

  • Name, job title, and employing organisation

  • Work email address and telephone number

  • Meeting notes, proposal records, and commercial correspondence

  • Information you share during business conversations about your organisation’s needs

We process this data to manage and develop our commercial relationships, respond to enquiries, prepare and deliver proposals, and manage ongoing client engagements.

Legal basis: Article 6(1)(f) UK GDPR — Legitimate interests. ELT has a legitimate interest in maintaining and developing its commercial relationships with client organisations and prospects. We have assessed this interest against your rights and do not consider it to be overridden by your interests or fundamental rights, given that we process only professional contact information in a business-to-business context. You have the right to object to this processing (see Section A6).

Where we store this data:

  • Microsoft 365: Microsoft Corporation acts as our processor under a UK IDTA-compliant arrangement

  • Notion: Notion Labs Inc. (USA) acts as our processor; data is transferred to the USA under Standard Contractual Clauses / UK IDTA

  • Slack: Slack Technologies (USA); data is transferred to the USA under Standard Contractual Clauses / UK IDTA

We keep it for the duration of the relationship, plus three years from the end of the relationship. If you ask us to delete your data, we will do so unless we have a legal obligation to retain it.

A2.  Supplier and third-party management

This covers named contacts at our technology suppliers and professional service partners.

What data we collect:

  • Name, job title, and organisation

  • Work email address and telephone number

  • Contract terms and correspondence

Why we process it and our legal basis: Article 6(1)(b) UK GDPR — Necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract.

Where we store this data:

  • Microsoft 365

  • Notion

  • Dropbox

We keep it for the duration of the contract, plus six years after termination (consistent with the Limitation Act 1980).

A3.  Business communications

This covers any individual with whom ELT staff correspond by email or direct message in the course of conducting ELT’s own business (as distinct from processing client data on a client’s behalf).

What data we collect:

  • Names and email addresses

  • Content of emails and messages

Why we process it and our legal basis: Article 6(1)(b) — Contract performance; and Article 6(1)(f) — Legitimate interests in conducting normal business communications.

Where we store this data:

  • Microsoft 365

  • Slack (data transferred to USA under SCCs / UK IDTA)

  • Notion

We keep it for up to three years since last contact.

A4.  Website and cookies

ELT does not currently collect cookies.

A5.  Employees and contractors

This covers individuals employed by or engaged as contractors to ELT.

What data we collect:

  • Full name, home address, date of birth, National Insurance number

  • Bank details, salary, and contract terms

  • Right-to-work documents and employment history

  • Performance and appraisal records

  • System access rights, device identifiers, and authentication logs

  • Security training completion records

Why we process it and our legal basis: Article 6(1)(b) — Necessary for the performance of the employment or engagement contract; Article 6(1)(c) — Legal obligations under employment law and HMRC requirements.

Special category data: Where health or sickness data arises, we rely on Article 9(2)(b) UK GDPR and Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018 (employment, social security, and social protection).

Where we store this data:

  • Microsoft 365

  • FreeAgent (payroll / accounting platform)

  • Notion

  • Dropbox

  • Vanta Inc. (USA) for compliance monitoring — data transferred under SCCs / UK IDTA

We keep it for the duration of employment or engagement, plus six years from termination (employment records) or three years (security and access records).

PART B | Transparency Statement | ELT as Data Processor

When a client organisation engages ELT to deliver psychometric assessments, coaching programmes, leadership workshops or related services, that client organisation is the Data Controller. They determine why your personal data is collected and what it is used for. ELT is the Data Processor: we handle your data only to the extent necessary to deliver the services the client has commissioned.

B2.  What we do with your data in our role as Data Processor

Depending on the services commissioned by your employer or relevant organisation, ELT may handle your personal data for one or more of the following purposes:

a) Psychometric assessment facilitation

  • We send you login credentials and instructions so you can complete a psychometric questionnaire on Hogan Assessment Systems Inc.’s own platform.

  • We receive your completed assessment report from Hogan and store it for use in the services for which we have been commissioned by the client organisation.

  • Alternatively, if you have recently taken the Hogan Assessment (within the past three years) and your employer or relevant organisation already has the results of that previous assessment, they may instead provide these to us in lieu of you repeating the assessment.

  • We may share your psychometric assessment data and our analysis with your employer or relevant decision-makers as instructed by the client organisation.

Assessment reports may contain information that constitutes or is derived from psychometric data. Hogan data is used for insight and decision support purposes only; it does not constitute automated decision-making within the meaning of Article 22 UK GDPR.

b) The Exceptional Insights platform

Exceptional Insights is a proprietary SaaS platform developed by ELT. It is used to store, process, and visualise Hogan psychometric assessment data in support of the leadership lifecycle, from hiring and team effectiveness to leadership development and succession planning.

The platform is used in two ways:

  1. Internal delivery. ELT’s own consultants and coaches use the platform to review assessment data, generate reports, and prepare analysis and recommendations on behalf of client organisations. In this context ELT processes your data as a Data Processor, acting on the instructions of the client organisation that commissioned the work.

  2. Client SaaS access. Client organisations that employ Hogan-accredited professionals in-house may purchase login accounts or administrator seats to access the platform directly. In this case, the client organisation’s staff use the platform to view and work with assessment data relating to their own participants. ELT provides and operates the platform; the client organisation retains its role as Data Controller and is responsible for how its staff access and use the data within the platform. 

In both cases, the following applies to how your data is handled on the platform:

  • Following completion of a psychometric questionnaire, the results are uploaded and stored in the platform’s cloud infrastructure, hosted by AWS.

  • Data is used for insight, reporting, and decision support purposes only. It does not constitute or support automated decision-making within the meaning of Article 22 UK GDPR.

  • Access to your data within the platform is restricted to authorised users: ELT delivery staff and, where the client has purchased SaaS access, designated personnel at the client organisation with a legitimate need to access it.

  • ELT’s software development and infrastructure sub-processor holds administrative access to the production platform. This access is operationally necessary and is governed by a Data Processing Agreement requiring documented access controls, audit logging, confidentiality obligations, and least-privilege principles.

  • Your data is not shared with any other client organisation or used for any purpose beyond the delivery of the services commissioned in your case.

c) Executive coaching

  • We hold notes from coaching sessions and personal development goals where we deliver executive coaching on behalf of a client organisation.

  • These records are held and used solely for the purpose of delivering your coaching programme and supporting continuity between sessions.

d) Leadership offsites

  • Where assessment summaries or results are shared or discussed in the course of a workshop or offsite facilitated by ELT, we may hold a record of those discussions.

  • Such records are used exclusively for session delivery and follow-up reporting to the client organisation.

e) Business communications in a processor context

When delivering services on a client’s behalf, ELT may correspond with you by email; for example, to send you assessment login details, deliver reports, or schedule debrief or coaching sessions. In these communications ELT is acting as an agent of the client organisation, not as an independent Data Controller in relation to your personal data.

B3.  Sub-processors and international transfers

As a Data Processor, ELT uses a limited number of technology sub-processors based in the EU and USA to deliver its services. Each sub-processor is bound by a contract that restricts how they may use your data and requires them to maintain appropriate security measures.

Where data is transferred outside the UK, we rely on the UK’s International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as appropriate. If you would like further information about the specific transfer mechanisms in place, please contact us using the details below.

B4.  How to exercise your rights in relation to processor activities

Because ELT is a Data Processor in these contexts, we do not independently control how your personal data is used. Your primary point of contact for data subject rights requests is the organisation that commissioned your assessment, coaching, workshop programme or other participation (your employer, or the organisation that invited you to participate).

If you contact ELT directly with a rights request relating to data we hold as a processor, we will acknowledge your request and promptly notify the relevant client organisation so that they can respond to you in accordance with their legal obligations. We will cooperate fully with them to facilitate your request. 

How we keep your data secure

ELT maintains an Information Security Management System (ISMS) aligned to ISO 27001, with full certification expected by 31 July 2026. Our technical and organisational security measures include:

  • Microsoft 365 with multi-factor authentication (MFA) and conditional access controls

  • Encryption of data at rest and in transit across all primary platforms

  • Role-based access controls (RBAC), applying the principle of least privilege

  • Continuous compliance monitoring through Vanta

  • Managed IT services provided by Umbrella Cyber (UK)

  • A documented incident response plan, with regulatory notification procedures in place

  • Regular security awareness training for all staff

  • Article 28 Data Processing Agreements in place with all sub-processors

How long we keep your data

Retention periods vary by the type of data and our processing purpose. Our standard approach is:

  • Client and prospect contact data: Duration of relationship + 3 years, or deleted on request

  • Supplier and contract records: Duration of contract + 6 years (Limitation Act 1980)

  • Business communications: Up to 3 years since last contact

  • Employee / contractor records: Duration of employment + 6 years

  • Security and access logs: Duration of employment / engagement + 3 years

  • ISMS and incident records: 3 years from the date of the record

  • Processor / assessment data: As instructed by the relevant client organisation (Data Controller)  

When data is no longer needed, it is deleted or anonymised in accordance with our Data Management Policy. If you would like to know more about how long we retain specific data about you, please contact us.

Your rights (controller processing)

Where ELT is the Data Controller (Part A above), you have the following rights under UK data protection law. These rights apply to you personally and free of charge.

  • Right of access (Article 15) — you can ask for a copy of the personal data we hold about you.

  • Right to rectification (Article 16) — you can ask us to correct inaccurate data or complete incomplete data.

  • Right to erasure (Article 17) — you can ask us to delete your personal data where there is no compelling reason for us to continue processing it.

  • Right to restriction (Article 18) — you can ask us to limit how we use your data in certain circumstances.

  • Right to data portability (Article 20) — you can ask for your data in a structured, commonly-used, machine-readable format to transfer to another organisation, where processing is based on consent or contract and carried out by automated means.

  • Right to object (Article 21) — where we rely on legitimate interests (Article 6(1)(f)) as our lawful basis, you have the right to object at any time. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for legal claims.

  • Right to withdraw consent (Article 7(3)) — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. 

To exercise any of these rights, please contact us at tzuki@exceptionalleadership.co.uk. We will respond within one calendar month of receiving your request. If a request is particularly complex, we may extend this period by a further two months, in which case we will let you know. We may need to verify your identity before we can respond to your request.

Automated decision-making and profiling

ELT does not use automated decision-making or profiling that produces legal or similarly significant effects about any individual in its activities as a Data Controller.

In our processor role, assessment data generated by the Hogan Assessment is used for insight and decision support only. It does not constitute automated decision-making within the meaning of Article 22 UK GDPR.

How to contact us

If you have any questions about this privacy notice, wish to exercise your rights, or have a concern about how we handle your data, please contact:

Tzuki Stewart (Data Privacy Contact)

Exceptional Leadership Technology Ltd

Email: tzuki@exceptionalleadership.co.uk

How to make a complaint

If you are not satisfied with how we have handled your personal data, you have the right to make a complaint to the Information Commissioner’s Office (ICO), which is the UK’s data protection supervisory authority.

Information Commissioner’s Office (ICO)

Website: www.ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 We would, however, appreciate the chance to address your concerns before you approach the ICO, so please do contact us in the first instance.

Changes to this notice

We may update this privacy notice from time to time, for example to reflect changes in our processing activities, legal requirements, or best practice. Any updates will be published on our website, and where the changes are significant we will take reasonable steps to draw them to your attention.

The “Last updated” date at the top of this notice tells you when it was most recently reviewed.