Privacy Policy
Effective date: 1 April 2026
- Who I am
- What this policy covers
- What personal data I collect
- Contact & Enquiry Data
- How I collect your data
- Why I use your data (and legal bases)
- Sensitive and special category data
- How long I keep your data
- When I share your data
- How I protect your data
- Your data protection rights
- Cookies
- Links to other sites
- Changes to this policy
I run STERBAVA Virtual Assistant and administrative support services.
- Business trading name: STERBAVA.online
- Website: https://sterbava.online and associated domains: sterbava.co.uk, sterbava.com
- Email: tom@sterbava.online
- Contact name: Thomas Sterba
For UK data protection law (UK GDPR and the Data Protection Act 2018), I am the data controller for the personal data collected through this website and when I work with you as a client.
If you have any questions about this policy or your data, you can contact me at tom@sterbava.online.
This policy explains how I collect, use, store, share and protect your personal data when you:
- Visit or use my website.
- Contact me by email, contact form, social media, or other channels.
- Work with me as a client, prospective client, collaborator or supplier.
It also explains your rights under UK GDPR and how you can use them.
Information you provide
When you interact with me, you may give me:
- Identity details: your name, title, business name and role.
- Contact details: email address, phone number, postal/billing address, website, social media handles.
- Business and project information: details about your business, services, systems and operations, plus any instructions, notes and materials I need to do the work.
- Billing details: invoicing contact, business name and address, purchase order numbers or payment references. I do not store your payment card details myself; those are handled by payment providers where needed.
Depending on the work we do together, I may sometimes be able to see or access sensitive information, for example health‑related or clinically sensitive material where you work in mental health or healthcare.
Information collected automatically
When you use my website or interact with some emails, certain data may be collected automatically, such as:
- Technical data: IP address, browser type and version, device type, operating system and similar details.
- Usage data: pages you visit, how long you spend on them, navigation paths and how you move around the site.
- Cookies and similar technologies: small files placed on your device to make the site work properly and help me understand how it is used.
What I collect
When you submit an enquiry through my website, I collect the information you choose to share with me. This usually includes your name, email address, business website if you have one, what best describes you, what you need help with, how urgent the support is, and any other details you include in your message, including anything sensitive you think I should be aware of.
Why I collect it
I use this information only to review your enquiry, reply to you, and decide whether I am the right fit to support you. If we go on to discuss working together, I may also use it to clarify the scope, urgency, and context of the support you need.
Lawful basis
I process this information because I have a legitimate interest in responding to genuine enquiries about my services. Where you choose to submit information through my enquiry form after agreeing to my privacy wording, I also rely on your consent for the information you choose to provide.
How long I keep it
If we do not go ahead, I keep enquiry information only for as long as needed to manage the conversation and any reasonable follow-up, after which it is securely deleted. If we do work together, I keep relevant information in line with my business record-keeping and contractual requirements.
Your rights
You can ask to access, correct, or request deletion of your personal information at any time, subject to any legal or contractual reasons for keeping it. You can contact me directly using the details on this website.
I collect personal data in a few ways:
- Directly from you: when you email me, use a contact form, book a call, sign a contract, or send me information to complete tasks.
- Automatically: via cookies, analytics and similar technologies when you browse my website.
- From third parties: where you or a referrer share your details with me, or where you give me access to tools (such as email, calendars or project systems) so I can do my work.
I only use your personal data when I have a lawful reason to do so.
| Purpose | What this involves | Legal basis |
|---|---|---|
| Responding to enquiries | Answering emails, contact forms and messages, scheduling calls | Legitimate interests (to respond and grow my business); steps needed before entering a contract |
| Providing services | Planning and carrying out virtual assistant work, communicating about tasks and deadlines | Performance of a contract; legitimate interests (to run my services) |
| Managing our relationship | Invoicing, account/admin messages, service updates and feedback | Performance of a contract; legal obligations; legitimate interests |
| Business operations | Accounting, tax, record‑keeping, legal or insurance purposes | Legal obligations; legitimate interests (business management, audits) |
| Website performance and security | Monitoring usage patterns, troubleshooting, security checks | Legitimate interests (site security and improvement) |
| Light‑touch marketing | Occasionally letting you know about relevant services or content you might reasonably expect to hear about as a client or enquirer | Legitimate interests (developing my business), or consent where required |
Where I rely on consent (for example, certain types of email marketing), you can withdraw it at any time by contacting me or using an unsubscribe option if provided.
Because of my background working with Mental Health Act and clinical information, I am used to handling highly confidential material.
If our work means I may see or handle special category data (such as health information):
- I only access and use it where it is genuinely necessary for the agreed tasks, and under your clear written instructions.
- I apply strong confidentiality and security measures, and restrict access to what is strictly needed.
- Where required, I rely on your organisation’s lawful basis and safeguards under UK GDPR Article 9 (for example if you are a clinical provider).
If this applies to your project, I will set out more detail and responsibilities in our service agreement or any data processing schedule we put in place.
I keep your data only for as long as I reasonably need it for the purposes stated in this policy, including meeting legal, accounting or reporting requirements.
In general:
- Enquiries from people who don’t become clients are usually kept for up to 12–24 months after our last contact.
- Client records and project information are kept while we are working together and then usually for at least 6 years afterwards, to meet UK tax and accounting rules.
- Technical and analytics data is kept according to my analytics providers’ standard retention settings, which I review periodically.
When data is no longer needed, I will delete it securely or anonymise it.
I do not sell your data.
I may share it with:
- Service providers (processors): such as website hosting, email and calendar services, cloud storage, project management tools, document creation tools, accounting software and payment processors, who help me deliver my services.
- Professional advisers: such as accountants, legal advisers or insurers, where needed for advice, insurance or to establish or defend legal claims.
- Authorities or regulators: if I am legally required to do so (for example HMRC, law enforcement or the ICO).
Where someone processes data on my behalf, they only act on my instructions, must keep it confidential, and must protect it appropriately.
If you want to know which key third‑party tools I currently use with client data, you can email me at tom@sterbava.online and I will share an up‑to‑date list.
I take a clinical‑grade approach to confidentiality and information security, drawing on my experience handling sensitive records under regulatory standards.
Measures include:
- Using reputable, security‑conscious software and cloud services.
- Limiting access to client information and using strong passwords and (where available) multi‑factor authentication.
- Keeping systems and tools under regular review.
- Being registered with the UK Information Commissioner’s Office (ICO) as a data controller, as required for many small businesses.
No system is completely secure, and I cannot guarantee absolute security of information transmitted over the internet, but I work to minimise risks in a practical, proportionate way.
Under UK GDPR, you have several rights in relation to your personal data.
You can:
- Ask for access to the personal data I hold about you.
- Ask me to correct inaccurate or incomplete data.
- Ask me to delete your data in certain circumstances (the “right to be forgotten”).
- Ask me to restrict how I use your data in certain situations.
- Object to some types of processing, for example where I use “legitimate interests” or for direct marketing.
- Ask for a copy of your data in a usable format or for it to be transferred to another organisation, where technically possible (data portability).
- Withdraw consent where I rely on your consent to process your data.
If you want to exercise any of these rights, email me at tom@sterbava.online and I will respond in line with legal requirements.
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how I handle your personal data.
You can find their contact details at https://ico.org.uk.
My website uses cookies and similar technologies to:
- Make sure the site works properly.
- Remember some of your preferences.
- Help me understand how people use the site so I can improve it.
Cookies are small data files that are stored on your device and help this website run smoothly and securely. Some cookies are strictly necessary so the site can function at all – things like loading pages, keeping you logged in, or making forms work properly. These essential cookies are always on and do not require your consent.
With your permission, I can also use optional cookies to personalise content, understand how the site is used, and gently improve your experience over time. This may include privacy‑respecting analytics and, in some cases, tools that connect with social media or marketing platforms. Where this happens, those partners may combine limited information from this site with other details you have shared with them or that they collected when you used their services.
By law, I can only set the strictly necessary cookies without your say‑so, and I need your consent for everything else. You can give, change, or withdraw that consent at any time using these settings, and your choices will update immediately.
My website may contain links to other websites or social media platforms.
Those sites have their own privacy policies. I am not responsible for how they handle your data, so I recommend reading their privacy information when you visit them.
I may update this privacy policy from time to time, for example if the law or my services change.
When I do, I will update the “Effective date” at the top of this page and, where it makes sense, I may also highlight changes on the site or by email.