Privacy policy

Privacy Policy – UK 

Purpose
This Privacy Policy describes how EduSpots  (“we” or “us”) collects, processes and shares personal information about you, how we protect this information, and your rights in relation to this information. 

This Privacy Policy applies to all personal information we collect or process about you acting as a data controller. Personal information is information, or a combination of pieces of information, that could directly or indirectly identify you. 

We process personal information in accordance with applicable legislation, including the UK General Data Protection Regulation, and this Privacy Policy. All personal information will be processed securely and used only as described in this Privacy Policy.

Our contact details 

Organisation name: EduSpots

Charity number: 1166734

Registered address: Flat 3, 20 Atlingworth Street, Brighton, BN2 1PL. 

Contact email: info@eduspots.org

What information we collect, use, and why

Job applicants: 

• Contact details (e.g. name, address, telephone number or personal email address)
• CV or other document listing your competence, education, work history and any other information provided in such document by you including any links to external sources of personal information, such as a LinkedIn profile
• Names and contact information of references
• Any other personal information voluntarily submitted by you during the application process

We collect information from job applicants so we can manage the recruitment process fairly and lawfully. This includes assessing your suitability for the role, verifying qualifications and right-to-work status, communicating with you throughout the process, making informed hiring decisions, preventing fraud, ensuring the security of our systems, and maintaining records needed for equal opportunities monitoring and business planning.

Employees & Contractors: 

• Contact details (e.g. name, address, telephone number or personal email address)
• Date of birth
• National Insurance number
• Gender

• Copies of passports or other photo ID
• Copies of proof of address documents (e.g. bank statements or bills)
• Next of kin or emergency contact details
• Employment history (e.g. job application, employment references or secondary employment)
• Education history (e.g. qualifications)
• Right to work information
• Performance records (e.g. reviews, disciplinary records, complaints or disciplinary action)
• Training history and development needs
• Job role and employment contract (e.g. start and leave dates, salary, changes to employment contract or working patterns)
• Expense, overtime or other payments claimed
• Leave (e.g. sick leave, holidays or special leave)
• Maternity, paternity, shared parental and adoption leave and pay
• Pension details
• Bank account details
• Payroll records
• Tax status

We collect employee and contractor information so we can run our employment relationship properly and legally. This includes confirming your right to work, paying you, administering your contract and any applicable benefits, managing performance, supporting training and development, ensuring health, safety and security, handling disputes or disciplinary matters, protecting our systems, and carrying out essential business planning and analytics.

Funders: 

• Contact details (e.g. name, address, telephone number or personal email address)
• Employer organisation
• Donation history

We collect funder information to acknowledge support, for relationship management, to conduct due diligence, to maintain accurate financial records, and keep you updated on relevant activity.

Individual supporters: 

• Contact details (e.g. name, address, telephone number or personal email address)
• Information about donations

We collect information from individual supporters to process and acknowledge donations, keep accurate records, to conduct due diligence and for relationship management.

Users of the website and marketing contacts: 

• Contact details (e.g. name, address, telephone number or personal email address)
• Employer organisation and your role in the organisation
• IP address
• Other personal information submitted by you

We collect information from website users and marketing contacts to communicate with you, understand how our site is used, and respond to enquiries.

 

Additionally we may collect information from you using cookies and other device identifying technologies. Please see our Cookie Policy to learn more and to manage your consent choices.

Our lawful bases for the collection and use of your information

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. Which lawful basis we rely on may affect your data protection rights which are listed under section ‘Your rights over your personal information’ of this Policy.

Our lawful bases for collecting or using job applicants personal information are:

• Legitimate interest –  to evaluate your suitability for the position(s) you have applied for and to defend against potential legal claims for discrimination. 
• Contract – we have to collect or use the information so we can prepare to enter into a contract with you.

Our lawful bases for collecting or using employee and contractors personal information are: 

• Contract – we have to collect or use the information so we can enter into or carry out a contract with you.
• Legal obligation – we have to collect or use your information so we can comply with the law.

Our lawful bases for collecting or using funders personal information are: 

• Legitimate interests – to collect and process donations, to manage communications and administration of donor management.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you.
• Legal obligation – we have to collect or use your information so we can comply with the law.

Our lawful bases for collection or using individual supporters personal information are: 

• Legitimate interests – to manage communications and administration of donor management.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you.
• Legal obligation – we have to collect or use your information so we can comply with the law.

Our lawful bases for collection or using the personal information of users of the website and marketing contacts are: 

• Legitimate interests – for basic supporter management, communications, registration of events and responding to requests 
• Consent – where consent is required for marketing activities 

Where we collect your information

The personal information we collect is primarily collected directly from you. We may on occasion collect ‘Know Your Donor’ due diligence information about you from publicly available sources. 

Your rights over your personal information 

Under UK data protection law you have certain rights regarding your personal information. These include the following rights: 

• Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
• Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
• Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.
• Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
• Your right to object to processing – You have the right to object to the processing of your personal information. Read more about the right to object to processing.
• Your right to information portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to information portability.
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this Privacy Policy.

We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate. We will contact you if we need additional information from you in order to process your request. 

How long we keep your information for

We only process personal information for as long as is necessary to fulfil the purpose for which it was collected and/or where we have a legal basis for continuing to do so. Reasons we may continue to hold your information include to: 

• Maintain donation records for analysis and/or audit purposes 
• Comply with record retention requirements under the law 

• Defend or bring any existing or potential legal claims 
• Deal with any complaints 

We will delete your personal information when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the information. 

Information Sharing

We may share your personal information with third parties under the following circumstances: 

• Service providers and business partners. We may share your personal information with our service providers and business partners that perform marketing services and other business operations for us. 
• Social media. With your consent, we may publish your details (including name, photo, quotes, etc) on our social media accounts, but we will never share your contact details or other personal information. 
• Law enforcement agency, court, regulator, government authority or other third party. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party. 

The recipients referred to above may be located outside the UK. See the section on “International data Transfer” below for more information. 

We will only share or exchange information with third parties with the protection of a written agreement and the ability to oversee their activities, unless information is required for legal or regulatory reasons.

Where we have relationships with other organisations that process your information on our behalf, we take care to ensure they have high information security standards. We will not allow these organisations to use your personal information for unauthorised purposes.

Information security & storage

We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once it is received. Depending on the nature of your relationship with us, and what we hold your information for, we may use third party applications to store and process your information, for example Google Drive.

Protection of personal information and information security is of utmost importance to us. All personal information is handled with a high level of security and confidentiality. Personal information can only be accessed by individuals who require such access while performing their tasks or duties. All personal information is stored and reliably secured using appropriate technical and organisational measures. All service providers involved in processing personal information have signed appropriate information protection agreements and other relevant documents with us. 

International data transfer

Your personal information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal information under UK data protection law (including adequacy regulations). 

Where this is the case, we take all reasonably necessary steps to ensure that your information is treated securely, in accordance with this Privacy Policy and the requirements of applicable law.  Such measures may include, as applicable, entering into data processing agreements, standard contractual clauses or International Data Transfer Agreements and monitoring such protections to ensure the continued adequacy of such measures. 

Complaints 

If you have questions or concerns regarding the way in which your personal information has been used, please contact us using the contact details at the start of this Policy. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the Information Commissioner’s Office. 

Changes to the Policy

You may request a copy of this Privacy Policy from us using the contact details set out at the start of this Policy. We may modify or update this Privacy Policy from time to time. 

Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g. to object to the processing). 

Review and amendments

 

We are committed to reviewing this Policy annually in line with current legislation & best practice guidance, or sooner in light of any changes in legislation or guidance. 

 

This Policy came into force on: 1st July 2018	The Policy and any accompanying procedures were last reviewed on:  4th November 2025
Signed:	Name: Cat Davison Position: CEO