Compliance Guide

Last updated: 13th March 2026

This guide is designed to help you — as a Lead IT Lab Business Hub user — understand your compliance responsibilities and take the right steps to protect your clients' data.

If you're a therapist, counsellor, coach, or wellness practitioner, much of this will be directly relevant to how you collect and handle client information through the platform.

This is a practical companion to our Terms & Conditions and Privacy Policy, which contain the full legal detail. This page tells you what you need to do.

1. Your Role: Data Controller

When you use the Lead IT Lab Business Hub to collect or store your clients' personal data, or to communicate with them using it, you are the data controller under UK GDPR. That means you decide what data to collect, why you're collecting it, and how it's used.

In practice, this means:

  • You are legally responsible for how your clients' data is handled.
  • You must have a lawful basis for collecting and processing that data.
  • You must respond to data subject rights requests from your clients.
  • You must report certain data breaches to the ICO within 72 hours of becoming aware of them.
  • You need your own privacy policy that explains to your clients how their data is used.
Action: Make sure you have a privacy policy on your own website or booking page that tells your clients what data you collect, why, and how they can exercise their rights. The platform alone does not cover this — you need your own.

2. Our Role: Data Processor

Lead IT Lab Ltd acts as your data processor. We provide the platform and infrastructure, but we only process your clients' data on your instructions. We do not decide how to use it, we do not sell it, and we do not access it unless you request support or we need to for billing purposes.

Our technology partner, Go High Level LLC, acts as a sub-processor under our direction.

The formal Data Processing Agreement between you and Lead IT Lab Ltd is set out in Section 9 of our Terms & Conditions. This covers the scope of processing, security measures, sub-processors, breach notification (within 48 hours), and your audit rights.

3. Handling Health & Sensitive Data

This is particularly important if you are a therapist, counsellor, wellness practitioner, or coach. If your clients share any health-related information through the platform — via forms, chat, booking notes, or conversations — this is classified as special category data under UK GDPR and requires additional protections.

What counts as special category data?

  • Physical or mental health information.
  • Details about treatments, conditions, symptoms, or medications.
  • Counselling or therapy session notes.
  • Dietary requirements related to health conditions.
  • Racial or ethnic origin, religious beliefs, sexual orientation, biometric or genetic data.

What you need to do

  • Identify a lawful basis under Article 6 (usually contract performance or legitimate interests) AND a separate condition under Article 9. For most coaches and wellness practitioners that condition will be explicit consent; regulated health professionals may instead be able to rely on the health or social care condition in Article 9(2)(h), so check with your professional body which applies to you.
  • If you rely on explicit consent, collect it from your clients before processing their health data. It must be freely given, specific, informed, and recorded, and the client must be able to withdraw it as easily as they gave it.
  • Only collect the minimum data necessary to provide your service.
  • Never use health data for marketing unless you have separate, specific consent for that purpose.
  • Consider whether you need a Data Protection Impact Assessment (see Section 10).
  • Check your professional body's code of conduct (e.g., BACP, UKCP, NMC, AfSFH, CNHC) for sector-specific data handling requirements.
Tip: If you use intake forms or assessment questionnaires on the platform, add a clear consent statement at the top explaining what data you're collecting and why. The platform's form builder supports consent checkboxes — use them.

4. AI Agent Compliance

If you use an AI agent (included in the Platform + AI Agent plan, or configured separately), there are specific compliance steps you need to take.

How data flows through AI features

When a visitor or client interacts with your AI agent, the conversation data — including any personal information they share — is processed by third-party AI providers (currently OpenAI and/or Anthropic) to generate responses. This data is:

  • Processed solely to generate the AI response.
  • Not used to train AI models. Both OpenAI and Anthropic operate under enterprise API terms that exclude customer data from model training.
  • Subject to the data protection agreements in place between Go High Level LLC and these providers.

What you need to do

  • Disclose AI usage — inform your clients that they may be communicating with an AI agent, not a human. This can be a short statement in the chat widget or on your website (e.g., "This chat is powered by AI. A member of our team will follow up if needed.").
  • Review AI responses — while the AI is trained on your business information, you are responsible for ensuring its responses are accurate, appropriate, and compliant with your professional obligations.
  • Keep training data current — if your services, pricing, or availability change, update the AI's knowledge base promptly.
  • Don't let AI collect sensitive data unsupervised — if there's a risk that clients may share health or sensitive information via chat, configure your AI to redirect those conversations to a human or to avoid collecting that data.
  • Update your privacy policy — your own client-facing privacy policy should mention that AI-powered tools may be used in communications and that conversation data may be processed by third-party AI providers.
For therapists and counsellors: Be particularly careful about AI interactions. If a client discloses mental health information to your AI agent, that data becomes special category data. Consider adding a message to your chat widget clarifying that the AI is for general enquiries and appointment booking only, and that clinical information should be shared directly with you.
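One way to implement the "redirect to a human" step described above is to screen every inbound chat message before it is forwarded to the model provider, and to answer with a handoff message instead when it looks like health or other special-category information. The block below is an added example and is not the platform's AI configuration or code. `sendToModel`, `handoffToHuman` and `log` are hypothetical callbacks you would wire to your own chat backend, and the pattern list is a constructed starting point, not a complete classifier; the point it shows is that a flagged message is never sent to the third-party model and its text is never written to the log.

```javascript
// Disclosure gate in front of an AI chat agent.
// Added example, not the platform's own code. The patterns are a constructed
// starting point; "therapy"/"session" are deliberately absent because booking
// a session is the normal, non-clinical use of the chat.

const SENSITIVE_PATTERNS = [
  { label: 'mental-health', re: /\b(anxi(ety|ous)|depress(ed|ion)|panic attacks?|self[- ]harm|suicid\w*|ptsd|trauma)\b/i },
  { label: 'clinical',      re: /\b(diagnos\w*|medication|prescri\w*|symptom\w*|my (gp|doctor|psychiatrist))\b/i },
  { label: 'other-special', re: /\b(religio\w*|ethnic\w*|sexual(ity| orientation))\b/i },
];

const HANDOFF_REPLY =
  'Thanks for getting in touch. This chat is an AI assistant for general enquiries ' +
  'and booking only; anything about your health or wellbeing should be shared ' +
  'directly with your practitioner. A member of the team will follow up with you.';

// Return the category labels a message appears to touch ([] if none).
function screenMessage(text) {
  const hits = [];
  for (const p of SENSITIVE_PATTERNS) {
    if (p.re.test(String(text))) hits.push(p.label);
  }
  return hits;
}

// Route one inbound message. `deps` supplies the side effects (hypothetical
// callbacks) so the routing logic itself runs offline:
//   sendToModel(text)                       -> Promise<string> (forwards to the AI provider)
//   handoffToHuman(conversationId, labels)  -> void  (opens a ticket; receives no message body)
//   log(record)                             -> void  (your audit trail; receives no message body)
async function routeMessage(conversationId, text, deps) {
  const labels = screenMessage(text);
  const at = new Date().toISOString();
  if (labels.length > 0) {
    // Fail closed: the text never leaves for the model provider, and the log
    // records only that a handoff happened and which categories triggered it.
    deps.handoffToHuman(conversationId, labels);
    deps.log({ conversationId, route: 'human', labels, at });
    return { route: 'human', reply: HANDOFF_REPLY, labels };
  }
  const reply = await deps.sendToModel(text);
  deps.log({ conversationId, route: 'model', labels: [], at });
  return { route: 'model', reply, labels: [] };
}
```

Keyword screening will miss some disclosures and flag some innocent messages, so treat it as a last line of defence behind the widget notice recommended above, and review the flagged-category counts in your log to tune the list. Because the handoff path receives only a conversation id and labels, the person picking it up reads the message inside the platform, where it is covered by your existing controls, rather than from a copy in a ticket or log.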

5. Email Marketing Compliance

Email marketing in the UK is governed by both UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Here's what you need to know:

When you need consent

Scenario | Consent required?
Marketing emails to someone who has never been a client | Yes. You need explicit opt-in consent before sending.
Marketing emails to an existing client about similar services | Soft opt-in may apply. If they gave you their email during a sale or negotiation, you can email about your own similar services, provided you gave them a clear opt-out at the time and in every message.
Service/transactional emails (e.g., booking confirmations, appointment reminders) | No marketing consent needed, but these must be genuinely transactional, not disguised marketing.
Emails to business contacts at their work address | PECR's consent rules apply to individual subscribers, so they are more relaxed for corporate email addresses. Sole traders and some partnerships still count as individuals, and UK GDPR still requires a lawful basis for processing the person's data.

What you need to do

  • Use the platform's consent checkboxes on all forms where you collect email addresses for marketing.
  • Enable double opt-in where possible — it provides stronger proof of consent.
  • Include a clear, working unsubscribe link in every marketing email. The platform adds this automatically, but check it's visible.
  • Keep a record of consent — when it was given, how, and what the person was told. The platform's contact records can help with this.
  • Never buy or rent email lists. Every contact on your list should have been collected by you with proper consent.
  • Honour unsubscribe requests promptly — PECR requires this without delay.

6. SMS & Phone Compliance

SMS marketing

Marketing text messages count as "electronic mail" under PECR, so the same rules apply as for email: you need the recipient's prior consent unless the soft opt-in applies (you collected the number during a sale or negotiation, the message is about your own similar services, and you offered a clear opt-out at the time and in every message). Because texts are more intrusive than email and consent should be specific to the channel, the safest approach is to collect explicit, separate consent for SMS marketing rather than rely on the soft opt-in, whether or not the person is an existing client.

Transactional SMS

Appointment reminders, booking confirmations, and other genuinely transactional messages do not require marketing consent, but you still need a lawful basis under UK GDPR for processing the person's phone number (usually contract performance).

Phone calls and recordings

If you use the platform's calling features or record calls, you must:

  • Inform the other party that the call is being recorded at the start of the call.
  • Have a lawful basis for recording (usually legitimate interests or consent).
  • Store recordings securely and delete them when no longer needed.

What you need to do

  • Collect explicit consent before sending any marketing SMS — a form checkbox is the simplest way.
  • Keep consent separate from other permissions — don't bundle SMS consent into a general T&C acceptance.
  • Include clear opt-out instructions in every marketing SMS (e.g., "Reply STOP to unsubscribe").
  • If recording calls, add a note to your privacy policy and inform callers at the start.
UK numbers only? If you or your clients message US phone numbers, additional registration requirements apply (A2P 10DLC). Contact us if you need guidance on this.

7. Consent: Getting It Right

Consent is one of the most commonly misunderstood areas of UK GDPR. Here's a quick reference:

What makes consent valid?

Requirement | What this means in practice
Freely given | The person must have a genuine choice. If the processing is necessary to deliver the service, rely on contract as your lawful basis rather than consent: consent that is made a condition of service is not freely given.
Specific | Consent must be granular. Separate consent for email marketing, SMS marketing, and data processing; don't bundle them into one checkbox.
Informed | Tell people exactly what they're consenting to, who will process their data, and how to withdraw consent.
Unambiguous | Requires a clear affirmative action: a ticked checkbox, a signed form, a written reply. Pre-ticked boxes and silence do not count.
Recorded | You must be able to demonstrate that consent was given: when, how, and what the person was told at the time.
Withdrawable | People can withdraw consent at any time. It must be as easy to withdraw as it was to give. You must act on withdrawal promptly.
Action: Review every form on your funnels, landing pages, and website. Does each one have a clear, unticked consent checkbox with specific wording? If not, update it now — the platform's form builder makes this straightforward.

8. Cookies & Your Website Pages

If you build websites, funnels, or landing pages using the platform, those pages may set cookies on your visitors' devices. Under PECR and UK GDPR, you are responsible for:

  • Displaying a cookie consent banner that allows visitors to accept or reject non-essential cookies before they are set.
  • Explaining what cookies are used and why — either on the banner itself or via a link to a cookie policy.
  • Not setting analytics or marketing cookies until the visitor has given consent.

The platform provides tools to add cookie consent banners to your pages. If you embed third-party scripts (e.g., Facebook Pixel, Google Analytics, Hotjar), these will set their own cookies and you must disclose them.

What you need to do

  • Add a cookie consent banner to every client-facing page you publish through the platform.
  • List all cookies and third-party scripts in your cookie notice.
  • Don't fire tracking scripts until the visitor has consented.
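The gating rule in the last bullet is the one most often broken in practice, because tags are pasted into the page header and run on every load. The block below is an added example of gating third-party scripts behind a consent decision; it is not the platform's cookie banner or code. It assumes a hypothetical first-party cookie named `cookie_consent` holding a JSON object of category decisions (e.g. `{"analytics":true,"marketing":false}`), that your banner calls `recordConsent()` with the visitor's choices, and that nothing else in the page adds the tags directly. The script list is a constructed sample with placeholder URLs.

```javascript
// Consent-gated loading of third-party tracking scripts.
// Added example, not the platform's own cookie banner or code. Cookie name,
// script list and URLs are hypothetical placeholders.

const CONSENT_COOKIE = 'cookie_consent';

const SCRIPTS = [
  { id: 'ga4',        category: 'analytics', src: 'https://analytics.example/tag.js?id=PLACEHOLDER' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
  { id: 'hotjar',     category: 'analytics', src: 'https://heatmaps.example/hj.js' },
];

// Parse the consent cookie out of a document.cookie string. Anything missing,
// malformed or not an object is treated as "no consent", so the gate fails closed.
function parseConsent(cookieString) {
  const prefix = CONSENT_COOKIE + '=';
  const part = String(cookieString || '')
    .split(';')
    .map(s => s.trim())
    .find(s => s.startsWith(prefix));
  if (!part) return {};
  try {
    const parsed = JSON.parse(decodeURIComponent(part.slice(prefix.length)));
    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
  } catch {
    return {};
  }
}

// Only scripts whose category was explicitly set to true may load. Strict
// equality means a string "true", a 1, or a missing key never counts as consent.
function allowedScripts(consent, scripts = SCRIPTS) {
  return scripts.filter(s => s.category === 'essential' || consent[s.category] === true);
}

// Inject the permitted tags. Idempotent: a tag already present (by element id)
// is skipped, so this can run on every page load and again after the banner is
// answered. Returns the ids injected on this call.
function loadConsentedScripts(doc, scripts = SCRIPTS) {
  const consent = parseConsent(doc.cookie);
  const loaded = [];
  for (const s of allowedScripts(consent, scripts)) {
    const elementId = 'consent-script-' + s.id;
    if (doc.getElementById(elementId)) continue;
    const el = doc.createElement('script');
    el.id = elementId;
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(s.id);
  }
  return loaded;
}

// Called by the banner with the visitor's choices. Stores the decision with a
// timestamp (your evidence of when consent was given), then loads only what was
// allowed. Secure + SameSite=Lax keeps the cookie first-party and HTTPS-only.
function recordConsent(doc, choices, days = 180) {
  const record = { ...choices, given_at: new Date().toISOString() };
  const value = encodeURIComponent(JSON.stringify(record));
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
  return loadConsentedScripts(doc);
}

// In a browser, re-apply the stored decision on every page load. A script that
// has already run cannot be unloaded, so on withdrawal clear the cookie and
// reload the page rather than relying on this function alone.
if (typeof document !== 'undefined') {
  loadConsentedScripts(document);
}
```

Two checks worth doing after wiring this in: open the page in a fresh private window and confirm in the browser's network panel that none of the listed hosts are contacted before the banner is answered, and confirm that tags added through the platform's own tracking settings are not also being injected outside this gate, because anything pasted into the page header directly will bypass it.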

9. Data Subject Rights Requests

Your clients have rights under UK GDPR. If someone contacts you asking to see, correct, or delete their data, that's a data subject rights request and you must handle it.

The rights your clients have

Right | What it means | Your deadline
Access | They can ask for a copy of all personal data you hold about them. | 1 month
Rectification | They can ask you to correct inaccurate or incomplete data. | 1 month
Erasure ("right to be forgotten") | They can ask you to delete their data, subject to certain exceptions. | 1 month
Restriction | They can ask you to limit processing while a dispute is resolved. | 1 month
Portability | They can request their data in a machine-readable format. | 1 month
Objection | They can object to processing based on legitimate interests or for direct marketing. | Without delay for marketing; 1 month otherwise

What you need to do

  • Respond to all requests within one calendar month. You can extend this by up to two further months for complex or numerous requests, but only if you tell the person within the first month and explain why.
  • Verify the identity of the person making the request before disclosing data.
  • Use the platform's contact search, export, and delete tools to fulfil requests.
  • If you need help locating or removing data, contact us at [email protected] — we'll assist as your data processor.
  • Keep a log of all requests received and how you responded.

10. Data Protection Impact Assessments (DPIAs)

A DPIA is a formal assessment of the risks associated with a particular type of data processing. Under UK GDPR, you must carry out a DPIA before starting any processing that is likely to result in a high risk to individuals' rights and freedoms.

When you probably need one

  • You're processing health or mental health data at scale (e.g., collecting intake forms from therapy clients).
  • You're using AI agents that interact with members of the public and collect personal data.
  • You're profiling or scoring individuals based on their behaviour on your website or in your CRM.
  • You're processing data about vulnerable individuals (which may include therapy and counselling clients).
  • You're using new technology in a way that hasn't been assessed before.

What a DPIA involves

  • Describe the processing — what data, why, and how.
  • Assess necessity and proportionality — do you really need all that data?
  • Identify risks to individuals — what could go wrong?
  • Describe mitigation measures — what are you doing to reduce those risks?
ICO guidance: The ICO provides a free DPIA template and screening checklist. You can find it at ico.org.uk — DPIAs.
Action: If you're a therapist, counsellor, or wellness practitioner collecting health data through the platform and using an AI agent that interacts with clients, you should seriously consider conducting a DPIA. If you're unsure, seek advice from a data protection professional.

11. Data Security: Your Part

We handle platform-level security (encryption, infrastructure, access controls — detailed in our Privacy Policy, Section 11). But you have responsibilities too:

  • Use a strong, unique password for your platform account.
  • Enable two-factor authentication (2FA) — this is available in your account settings and we strongly recommend it.
  • Don't share your login credentials with anyone. If team members need access, create separate user accounts with appropriate permissions.
  • Use role-based access controls — only give people access to the features and data they need.
  • Review your team members' access regularly and remove anyone who no longer needs it.
  • Be cautious with third-party integrations — only connect apps you trust, and review what data they can access.
  • Keep your own devices secure — use up-to-date software, anti-virus, and screen locks.

12. Data Breach: What to Do

A data breach is any incident where personal data is accidentally or unlawfully accessed, lost, altered, disclosed, or destroyed. This includes things like:

  • Sending a client's data to the wrong person.
  • Losing a device that's logged into the platform.
  • Unauthorised access to your account.
  • A platform or third-party service outage that results in data loss.

If something goes wrong on our side

Lead IT Lab Ltd will notify you within 48 hours of becoming aware of any breach affecting your data. We'll provide details of what happened, what data was affected, and what we're doing about it. This is covered in our Terms & Conditions (Section 9.6) and Privacy Policy (Section 12).

If something goes wrong on your side

  • Contain it — change passwords, revoke access, or take whatever immediate action is needed.
  • Assess the risk — what data was affected? How many people? What's the likely impact?
  • Report to the ICO within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. Report at ico.org.uk.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights.
  • Document everything — even if you decide not to report to the ICO, you must keep a record of the breach, your assessment, and your decision.
  • Contact us at [email protected] if you need help investigating or containing a breach on the platform.

13. Where Your Data Is Stored

The platform infrastructure is provided by Go High Level LLC, a US-based company. Personal data may be stored or processed on servers in the United States, hosted on Google Cloud Platform and Amazon Web Services.

To ensure lawful transfers from the UK, the following safeguards are in place:

  • EU-US Data Privacy Framework (with UK extension).
  • Standard Contractual Clauses (SCCs).
  • UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs.

Full details are in our Privacy Policy (Section 8).

14. Sub-Processors

The following third-party providers process data as part of delivering the platform:

Sub-processor | Purpose | Location
Go High Level LLC | Core platform infrastructure, CRM, automations | United States
Twilio Inc. | SMS and voice communications | United States
Mailgun Technologies Inc. | Email delivery | United States
Stripe Inc. | Payment processing | United States
LeadConnector | Usage billing, telephony, and email services | United States
OpenAI | AI-powered features (where enabled) | United States
Anthropic | AI agent capabilities (where enabled) | United States
Google Cloud Platform | Data hosting and infrastructure | United States
Amazon Web Services (AWS) | Data hosting and infrastructure | United States

We will notify you of any material changes to this list. Full details are in our Terms & Conditions (Section 9.5).

15. Record Keeping

Under UK GDPR, both controllers and processors must maintain records of processing activities. As your data processor, Lead IT Lab Ltd maintains our own records and can supply compliance documentation on request, including our DPA, security overview, and sub-processor list.

What you should keep records of

  • What personal data you collect and why.
  • Your lawful basis for each type of processing.
  • How and when consent was obtained (including the wording shown at the time).
  • Any data subject rights requests and how you responded.
  • Any data breaches (whether or not reported to the ICO).
  • Any DPIAs you've carried out.
Tip: You don't need a complex system for this. A simple spreadsheet or document that logs the above is sufficient for most small businesses. The important thing is that you can demonstrate compliance if asked.

16. GDPR Tools in the Platform

The Lead IT Lab Business Hub includes built-in tools to help you stay compliant:

Tool | What it does | Where to find it
Consent checkboxes | Add opt-in checkboxes to any form for email, SMS, or data processing consent. | Form builder → Add element → Checkbox
Double opt-in | Sends a confirmation email before adding the contact, providing stronger consent evidence. | Settings → Email Services
Unsubscribe links | Automatically included in marketing emails. Contacts can opt out with one click. | Automatic in email campaigns
Cookie consent banner | Add a cookie notice to your funnels and websites. | Funnel/Website settings → Tracking & Analytics
Contact deletion | Permanently delete a contact and their data to fulfil erasure requests. | Contacts → Select contact → Delete
Contact export | Export contacts and data in CSV format for portability requests. | Contacts → Export
DND (Do Not Disturb) | Block all outbound communications to specific contacts; useful for honouring opt-out requests across all channels. | Contact record → DND toggle
Audit logs | Track changes and actions within your account for accountability. | Settings → Audit Logs

17. Further Resources

Resource | Link
ICO — Guide to UK GDPR | ico.org.uk/for-organisations
ICO — Guide to PECR | ico.org.uk — PECR guide
ICO — DPIA guidance and template | ico.org.uk — DPIAs
ICO — Data breach reporting | ico.org.uk — Report a breach
Go High Level — GDPR compliance | GHL GDPR policy
Lead IT Lab — Terms & Conditions | leaditlab.co.uk/terms-and-conditions
Lead IT Lab — Privacy Policy | leaditlab.co.uk/privacy-policy
Lead IT Lab — Extra Costs | leaditlab.co.uk/extra-costs

18. Contact

If you have any questions about compliance, data protection, or your responsibilities as a platform user, get in touch:

📧 [email protected]
🏢 Lead IT Lab Ltd, 59 Woodland Avenue, Penryn, Cornwall, TR10 8PG, United Kingdom

If you have concerns about how your own data is being handled, you also have the right to contact the Information Commissioner's Office (ICO):

🌐 ico.org.uk/make-a-complaint
📞 0303 123 1113

Connect With Us

07700 138340

© 2026 Lead IT Lab Ltd. Based in Cornwall, working across the UK.