Privacy Policy – Circl Learning Limited
Last Updated: February 2026
Effective From: February 2021
About This Policy
This Data Privacy Policy outlines how Circl Learning Limited (“Circl”, “the Company”, “we”, “us”, or “our”) ensures compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It sets out the principles, responsibilities, and procedures governing the collection, use, and protection of personal data within the organisation.
Circl is committed to fostering a transparent, responsible, and supportive culture focused on data protection and privacy. We aim to ensure that all employees, contractors, and stakeholders are informed, self-aware, and thoughtful in how they collect, handle, store, and process personal data. This policy applies to all personal data processed by Circl, regardless of format (electronic, paper, audio, or visual) and regardless of where the data is stored or processed, provided that Circl determines the purpose and means of that processing.
This policy is owned by Circl Learning Limited’s Data Protection Officer (DPO), Charlie Stainforth. It is reviewed annually, or earlier if there are significant changes to legislation, our business operations, or the way we process personal data.
Controller Statement
Circl Learning Limited is incorporated and registered in England and Wales under company number 11557194, with its registered office at C/O MCA Shepherd Smail Ltd, Unit 5 Priory Court, Priory Estate, Poulton, Cirencester, Gloucestershire, United Kingdom, GL7 2NX.
Circl Learning Limited is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR). This means we are responsible for determining the purposes for which, and the manner in which, personal data is processed.
As a coaching and training provider, Circl processes personal data — including limited sensitive or “special category” data — relating to our participants, clients, employees, and other stakeholders. We are committed to ensuring that all personal data is handled lawfully, securely, and transparently, in line with data protection legislation and recognised best practice standards.
Scope
This policy applies to all personal data processed by Circl Learning Limited and must be followed by:
Circl employees at all levels.
Volunteers, contractors and temporary staff who handle personal data on Circl’s behalf.
Third-party partners or service providers who process personal data under contract with Circl.
Compliance with this policy is mandatory and forms part of Circl’s broader commitment to privacy, transparency, and ethical data management.
Data Protection Principles
Circl Learning Limited is committed to processing all personal data in accordance with the principles set out in Article 5 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
All employees, contractors, and partners handling personal data on behalf of Circl must adhere to the following principles:
1. Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Individuals must be informed about how their data is used through clear and accessible privacy information.
2. Purpose Limitation: Personal data shall be collected only for specified, explicit, and legitimate purposes, and not further processed in any manner incompatible with those purposes.
3. Data Minimisation: Personal data collected must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate or incomplete data is rectified or erased without delay.
5. Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was collected. Circl applies defined retention periods consistent with its Data Retention Schedule.
6. Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, using appropriate technical and organisational measures.
7. Accountability: Circl is responsible for, and must be able to demonstrate, compliance with all of the above principles. This includes maintaining appropriate records, policies, and procedures; providing staff training; and embedding data protection by design and by default in all activities.
Who We Collect Data From (Data Subjects)
Circl collects and processes personal data from a range of stakeholders, including:
Business Clients: Individuals representing prospective or current corporate partners.
Course Participants: Individuals enrolled in Circl coaching or leadership programmes.
Alumni: Individuals who have completed Circl programmes.
Youth Partner Organisations: Individuals representing schools, charities, or community partners working with Circl.
Website Users: Visitors to Circl’s website or online platforms.
Notifying Data Subjects (Transparency)
When we collect personal data directly from data subjects, we will provide them with access to our Privacy Policy to ensure they are fully informed about:
The purpose(s) for which we intend to process their personal data.
How their personal data will be processed in accordance with UK GDPR.
The types of personal data we will collect.
Any third parties with whom their data may be shared or disclosed.
Whether their personal data will be transferred outside the UK or EU jurisdictions.
The legal basis for processing their personal data.
We will also inform data subjects that Circl Learning Limited is the data controller responsible for their personal data.
Information We Collect
This section provides a summary of the types of data Circl may collect from all individuals involved in our programmes, including course participants, alumni, clients and youth partner organisations. Circl collects and processes personal data to administer programmes, support learning, ensure safety, and monitor diversity and impact. We may collect, but are not limited to, the following types of data:
Personal and Contact Information: Name, email, phone number, age and/or date of birth, city/country, and gender.
Communications data: Emails, messages, survey responses.
ID Verification Documents: Documents submitted to verify identity and age, to confirm eligibility, and to ensure programme safety. Stored securely for up to one year and deleted thereafter.
Background, Education & Employment: Current employment or education status, career interests, and relevant experience.
Programme Participation & Motivation: Motivations, goals, learning objectives, attendance records, session participation, programme assignment results, self-reflections, and feedback responses.
Technical and website data: IP address, device/browser information, cookies, and analytics.
Aggregated/Anonymised Data: Data derived from personal information but processed so that individuals cannot be identified. May be used indefinitely for research, evaluation, and statistical purposes.
Session Recordings and Media: Group session recordings (for learning and catch-up purposes), and images/videos for internal or promotional use (with explicit consent).
Client Data: Information about organisations that purchase or participate in Circl programmes, including organisation name, sector, size, and other details needed to manage programme delivery. Any personal data of representatives (e.g., names, email addresses) is processed in accordance with GDPR.
Publicly Available Data: Information about organisations or individuals that is publicly accessible, such as staff numbers, job titles, or professional profiles.
Other Data You May Provide: Any additional information you submit through forms, optional extras, or other means, including reasonable adjustments, support needs, or details for tailored programme offerings.
Demographics, Circumstances & Special Categories (Optional/Consent-Based): Information to assess eligibility for underrepresented groups, ensure inclusion, and monitor impact. This may include first-generation university student status, school type (state or private), care-leaver/provider status, ethnic background, first- or second-generation immigrant status, household income, disability, and LGBTQIA+ identity. All information is optional and collected with consent.
Not all categories apply to everyone, and you will be clearly informed when specific information is required. If we ask you for your personal information, we will:
Clearly explain why we need it and how it will be used.
Only collect information for legitimate and relevant purposes.
Ensure that only authorised individuals have access to it.
Store your information securely and protect it from unauthorised access or misuse.
Inform you if your information will be shared with any third parties, and explain why.
Keep your information only for as long as necessary to fulfil the purpose it was collected for or to meet legal obligations.
How We Use Your Information
The work carried out at Circl involves processing personal data only for specific, lawful purposes, and in a manner consistent with the UK General Data Protection Regulation (GDPR). We may use your information to:
Administer and manage programmes: Including application and onboarding processes, matching participants (which may involve sharing contact details), delivering programme activities, and issuing certificates.
Communicate updates and materials: Sharing programme information, resources, reminders, and follow-up correspondence.
Support participant learning, engagement, and development: Tracking progress, monitoring attendance, providing feedback, and tailoring delivery and support where needed.
Process diversity and inclusion data and produce anonymised reports: Monitoring equality, representation, and accessibility, assessing impact and supporting research and programme improvement. Data is aggregated or anonymised in reporting so individuals cannot be identified.
Monitor, evaluate, and improve programme quality and impact: Analysing outcomes and feedback to enhance programme delivery.
Alumni engagement and communications (with consent): Supporting ongoing learning, networking, and professional development, and sharing updates about Circl programmes, events, and opportunities for those who have opted in.
Compliance and record management: Ensuring that Circl meets legal, safeguarding, and contractual obligations and maintains accurate records. This also supports secure and effective communication and collaboration with clients, participants, and partners.
When processing special category data (such as demographic or background information), we do so to promote equality, monitor diversity, and evaluate impact.
○ This processing is based on the legal ground of substantial public interest (Equality of Opportunity or Treatment) and conducted with strict measures, limited access, and defined retention periods. Providing this information is voluntary and collected with explicit consent.
Legal Basis for Processing
All processing of personal data carried out by Circl is based on one or more of the following lawful grounds under the UK GDPR:
Contractual Necessity: To fulfil our contractual obligations in delivering programmes and services. This includes administration, reporting, and support related to programme participation, as well as obligations to clients or funding bodies.
Consent: Where processing is based on consent, it is freely given, specific, informed, and can be withdrawn at any time. Examples include marketing communications, testimonials, use of media or session recordings, and the collection of diversity and equality data.
Legitimate Interests: We may process personal data for our legitimate interests, provided these are not overridden by your rights and freedoms. This includes evaluating programme effectiveness, improving programme delivery, and engaging with alumni to maintain professional networks and opportunities.
Legal Obligation: We may process personal data to comply with statutory or regulatory requirements, including safeguarding, record-keeping, and reporting to clients, regulators, or funding bodies.
Substantial Public Interest: Some processing is carried out in the public interest, for example, to monitor social impact, diversity, and inclusion, ensure equal access to education and training, and evaluate participation of underrepresented groups. This typically applies to special category data (e.g., demographics or protected characteristics).
Data Sharing
We may share personal data only when necessary and for legitimate purposes, including:
Employers/Clients: For programme administration and communication about participation.
Matched Participants/Peer Contact: Contact details may be shared with other participants to facilitate 1-2-1 matching or group activities, with prior notice.
Contractors (including Programme Facilitators): To support tailored delivery, execute programme activities, provide feedback, and promote accessibility.
Service Providers: IT systems, cloud storage, survey tools, and communications platforms, all GDPR-compliant.
Regulatory Authorities: Where required by law, for example safeguarding, fraud prevention, or other statutory obligations.
Safeguarding & Mandatory Disclosures: Certain personal data may be shared for safeguarding or legal reasons. Participants will be informed of circumstances where confidentiality may be overridden.
Anonymised/Aggregated Data: Data that cannot identify individuals may be shared for research, evaluation, or reporting purposes.
We never sell your personal data.
International Data Transfers
Circl Learning Limited ensures that all personal data is managed and transferred in full compliance with the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU GDPR.
While Circl primarily processes and stores personal data within the United Kingdom, some of our trusted service providers may transfer or access data from outside the UK or European Economic Area (EEA) – for example, where cloud services or collaboration tools are hosted internationally.
To ensure that personal data remains protected to the same high standards wherever it is processed, Circl applies the following safeguards:
Data Processing Agreements (DPAs): We maintain written agreements with all key subcontractors and service providers to ensure they handle personal data securely and only in accordance with our documented instructions.
Standard Contractual Clauses (SCCs) with UK Addendum: Where personal data is transferred outside the UK or EEA (for example, to the United States), we use the UK-approved SCCs and Addendum as lawful transfer mechanisms that provide enforceable rights and effective legal remedies.
Transfer Impact Assessments (TIAs): We conduct or rely on published TIAs from our providers to verify that transferred data continues to receive an adequate level of protection consistent with UK GDPR standards.
Circl regularly reviews its international data transfer arrangements to ensure continued compliance, transparency, and protection of individuals’ rights.
International Participants
Circl typically delivers its programmes online from the United Kingdom. All personal data is primarily processed and stored in the UK in accordance with UK GDPR.
Some programme activities involve using third-party platforms (e.g., Salesforce, survey tools, communications platforms) which may process or store your personal data outside the UK. These providers are GDPR-compliant and use appropriate security measures to protect your information.
Your rights under UK GDPR, and where applicable EU GDPR, continue to apply.
Data Security
Circl Learning Limited is committed to protecting all personal data from unauthorised access, loss, misuse, or disclosure. We apply appropriate technical and organisational measures, in line with Article 32 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, to ensure that personal data is processed securely and with integrity.
Technical Measures
We use a range of safeguards to maintain the confidentiality and security of information, including:
Secure servers and cloud environments protected by firewalls and access controls.
Encryption of data in transit and at rest, using industry-standard technologies.
Multi-factor authentication (MFA) and strong password requirements for system access.
Role-based access controls to ensure only authorised personnel can view or process personal data.
Regular updates, security patches and system monitoring to prevent vulnerabilities.
Secure backup, recovery and continuity processes to maintain data availability and integrity.
Organisational Measures
We also implement internal policies and procedures designed to reduce the risk of data breaches or misuse, including:
Mandatory staff training on data protection, confidentiality, and information security.
Confidentiality obligations for employees, contractors, and third-party partners, formalised through contracts and/or agreements.
“Clean desk” and secure disposal practices for both physical (shredding) and digital (secure deletion) information.
Regular internal reviews and audits to ensure ongoing compliance with our data protection standards.
Third-Party Security
Where Circl engages third-party service providers (such as cloud, survey, or communication platforms) to process personal data on our behalf, we ensure that:
Formal Data Processing Agreements (DPAs) are in place.
Providers meet appropriate security and compliance standards (e.g., UK GDPR, ISO 27001, Cyber Essentials, or equivalent).
Regular due diligence is carried out to assess their data protection practices.
Data Breach Management
Circl maintains a documented Data Breach Response Procedure. Any suspected or confirmed personal data breach is promptly investigated and, where necessary, reported to the Information Commissioner’s Office (ICO) within 72 hours, in accordance with UK GDPR Articles 33 and 34. Affected individuals will be notified if there is a high risk to their rights or freedoms. Post-incident reviews are conducted to update procedures and prevent recurrence.
Data Retention
Any personal data collected is retained only for as long as necessary to fulfil the purposes for which it was collected. After this point, it is securely deleted, or anonymised, in line with Circl’s Data Retention Schedule. Retention periods may vary depending on the type of data.
Personal & Participation Data: Retained for up to 7 years for reference, reporting, and programme evaluation. After this period, data may be anonymised so it can no longer be linked to an individual, while still allowing us to analyse overall participation and cohort trends.
Session Recordings & Participant Evaluation/Feedback: This includes observation notes and any associated video or audio recordings. Retained for up to 1 year to allow review, evaluation, and so that participants can access their own learning sessions if needed.
Proof of ID/Eligibility Documents: Retained for up to 1 year after verification. Documents are stored in a secure, password-protected system accessible to authorised staff and once no longer needed, these documents are securely deleted.
Other Data: In addition to the data categories listed above, we may process other personal data in connection with our programmes. Any such data is likewise retained only for as long as necessary to fulfil the purposes for which it was collected and is securely deleted or anonymised once no longer required.
Your Rights: You can ask us what personal data we hold about you, how long it is retained, or request deletion/anonymisation where applicable. Requests can be made via the contact details provided in this policy.
Cookies and Tracking
We use cookies and similar tracking technologies to enhance your browsing experience, understand engagement with our website, and support the delivery, evaluation, and continuous improvement of our programmes.
Types of Cookies We Use
Necessary Cookies: Essential for core site functionality (e.g., security, page navigation). These are processed under our legitimate interests.
Functional Cookies: Improve your experience by remembering preferences. These are used only with your consent.
Analytics Cookies: Help us understand how visitors engage with our website so we can improve usability, accessibility, and programme-related content. These are used only with your consent.
Third-party tools: We may use services such as Google Analytics and Zoom. We may use third-party services — such as analytics platforms, embedded media tools, and CRM integrations — that set their own cookies. These providers may process data outside the UK or EEA, but all are GDPR-compliant and use appropriate safeguards.
Purpose: Cookies and tracking data help us monitor website use, evaluate programme engagement, and enhance user experience.
Cookie Retention: Each cookie has a defined duration. Session cookies expire when you close your browser. Longer-term cookies (e.g., analytics) may last up to two years.
External Websites: Our website may contain links to external sites. We are not responsible for the cookie policies or data practices of those websites, and we encourage you to review their privacy information.
Photography, Media and Session Recordings
As part of our programmes, we may collect photographs, videos, and session recordings. These materials are used to support programme delivery, internal evaluation, and, where consent has been given, programme promotion.
Purpose and Use
Internal Use: Facilitator review, learning capture, quality assurance, training materials, and internal programme reporting.
External Use: Website, social media, brochures, case studies, promotional campaigns, and client presentations; where necessary, explicit consent will be requested.
Consent: Participants must give explicit consent before any recordings, photos, or videos are taken or used externally.
Access: Raw media is accessible only to programme staff and authorised partners. Any media used for promotional purposes will only be shared externally if participants have provided explicit consent.
Usage: Media may be used in internal reports, training materials, marketing communications, and public promotional channels, always in line with the consent provided.
Marketing Communications
We communicate with participants for marketing purposes only if explicit consent has been provided:
Consent-based Opt-in: Marketing messages are sent only to those who have chosen to receive them.
Unsubscribe Option: You can opt out of marketing communications at any time using the unsubscribe link or by contacting us directly.
CRM/marketing platform forms that clearly explain what content you will receive. Consent is never assumed or pre-ticked.
Separation from Programme Data: Marketing data is stored and processed separately from operational programme data and used solely for marketing purposes.
Data Protection: Any third-party platforms we use for marketing communications comply with UK GDPR and maintain appropriate security measures.
Your Rights: You can request access to, correction of, or deletion of your marketing information at any time.
What Counts as Marketing
Marketing communications may include:
Programme updates and leadership insights
Event invitations and webinars
Alumni opportunities and professional development resources
News about Circl, its impact, or new programmes
These communications are optional and separate from operational programme emails.
Your Rights
Under the UK General Data Protection Regulation (UK GDPR), you have a number of rights regarding how your personal data is used and protected. These include:
● Right of Access – You can ask for confirmation of whether we process your personal data and request a copy of the data we hold about you.
● Right to Rectification – You can ask us to correct or update any inaccurate or incomplete personal data.
● Right to Erasure (“Right to be Forgotten”) – You can request that we delete your personal data where there is no legal or contractual reason to keep it.
● Right to Restrict or Object to Processing – You can ask us to stop or limit how we process your personal data in certain situations.
● Right to Withdraw Consent – Where we rely on your consent to process data, you may withdraw it at any time. Please note that doing so may affect your ability to take part in some programmes or services.
● Right to Data Portability – You can request to receive your personal data in a structured, commonly used, and machine-readable format, and have it transferred to another organisation where technically possible.
● Right to Complain – If you are unhappy with how we have handled your personal data, you have the right to raise a complaint with the UK’s data protection authority, the Information Commissioner’s Office (ICO).
Exercising Your Rights
To exercise any of these rights, please contact Circl’s Data Protection Officer (DPO) or designated privacy contact. We may ask for information to verify your identity before processing your request. All requests must be submitted in writing to:
DPO Email: charlie@circl.org
Alternative group inbox: privacy@circl.org
We aim to respond to all requests within 30 calendar days.
Changes to This Policy
Circl Learning Limited keeps this policy under regular review and may update it from time to time to reflect changes in legislation, business practices, or regulatory requirements.
Any significant updates to this policy will be communicated to relevant stakeholders through appropriate channels, such as email notifications or publication on our website.
This policy is intended to comply with applicable UK data protection laws. It does not override any national data privacy laws or regulations in other countries in which Circl operates.
A version history, including the date of the most recent update, will be maintained and clearly indicated in this document.
Contacting Us
If you have any questions, comments, or concerns about this Privacy Policy or how we handle your personal data, please contact us at:
DPO Email: charlie@circl.org
Alternative group inbox: privacy@circl.org
If you remain unhappy after contacting us, you can raise your concern directly with the Information Commissioner’s Office (ICO) at:
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
Appendix
Definitions
Data: Information stored electronically, on paper, or in any other format, including personal data and sensitive personal data.
UK GDPR: Refers to the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of UK law under section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
Data Subjects: Any living individuals whose personal data Circl holds or processes. A data subject does not need to be a UK national or resident. All data subjects have legal rights concerning their personal data.
Data Controller: An individual or organisation that determines the purposes and means of processing personal data. Circl Learning Limited is the data controller for all personal data it processes.
Data Processor: Any individual or organisation that processes personal data on behalf of Circl, in accordance with our documented instructions. Data processors must handle personal data securely and in compliance with this policy, contractual obligations, and applicable data protection laws.
Data Protection Officer (DPO): The individual responsible for overseeing Circl’s compliance with data protection laws, advising on obligations, and acting as a point of contact for individuals and regulatory authorities.
Personal Data: Any information relating to an identified or identifiable living individual. This includes factual data (such as a name, address, or date of birth) and opinions about that person, their actions, or behaviour.
Special Category Data (Sensitive Personal Data): Information revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation, or similar sensitive matters. Processing special category data requires both a lawful basis under Article 6 and an additional lawful condition under Article 9 of the UK GDPR.
Processing: Any operation performed on personal data, including collection, recording, organisation, storage, retrieval, alteration, disclosure, erasure, or destruction. Processing also includes transferring personal data to third parties.
Personal Data Breach: Any act or omission that compromises the security, confidentiality, integrity, or availability of personal data. This includes unauthorised access, disclosure, loss, or destruction of personal data.
Anonymisation and Pseudonymisation: Anonymisation refers to the process of altering personal data so that individuals can no longer be identified. Pseudonymisation refers to processing personal data in such a way that it cannot be attributed to a specific individual without the use of additional information kept separately and securely.
ROPA (Register of Processing Activities): Circl’s formal record of data processing activities, outlining what data is collected, how it is used, where it is stored, and with whom it is shared. The ROPA demonstrates Circl’s compliance with UK data protection laws.
Data Processing Agreements (DPAs): Formal written agreements between Circl Learning Limited and any subcontractors or service providers who process personal data on Circl’s behalf. DPAs ensure that personal data is handled securely, lawfully, and only in accordance with Circl’s documented instructions and data protection obligations.
Standard Contractual Clauses (SCCs) with UK Addendum: Legally approved data transfer mechanisms issued by the European Commission and adopted by the UK Information Commissioner’s Office (ICO). Circl uses SCCs, together with the UK Addendum, to safeguard personal data transferred outside the UK or European Economic Area (EEA), ensuring enforceable rights and effective legal remedies for individuals.
Transfer Impact Assessments (TIAs): Assessments carried out by Circl or relied upon from service providers to evaluate the legal and practical risks of transferring personal data to a third country. TIAs confirm that the level of protection for personal data remains consistent with UK GDPR standards.
Document Owned by: Rosa Cerron-Reina, Evie Walter
Data Protection Officer: Charlie Stainforth
How UK GDPR Principles are Reflected in Our Privacy Policy
Legal Basis for Processing; Notifying Data Subjects (Transparency); Circl Data Privacy Policy: Ensures data subjects are informed and that Circl always has a lawful and fair reason to process data.
How We Use Your Information; Information We Collect: Ensures personal data is only collected and used for clearly specified, legitimate purposes.
Information We Collect; Special Categories of Data: Ensures only the minimum necessary data is collected and processed, reducing unnecessary risk.
Data Subjects’ Rights (access, correction, deletion); How We Use Your Information: Ensures data is accurate and up to date, supporting reliable programme delivery and protecting individuals’ rights.
International Data Transfers; Data Retention Schedule: Ensures personal data is kept only as long as needed and securely deleted when no longer required.
International Data Transfers; How We Use Your Information; Special Categories of Data: Ensures personal data is protected against unauthorised access, loss, or misuse, both internally and externally.
Controller Statement; Scope Definitions (DPO, ROPA, DPAs, SCCs, TIAs); How We Use Your Information & International Data Transfers: Demonstrates Circl’s responsibility for data protection, with clear roles, procedures, records, and oversight.