Data Protection Officer
Insight House, Riverside Business Park, Stoney Common Road, Stansted Mountfitchet, Essex, CM24 8PL
Who are nurtureuk?
We are the UK's leading charity that specialises in the practice of nurture. We also own and operate the Boxall Profile® Online tool.
Our registered charity number in England and Wales is 1115972. In Scotland, our registered charity number is SC042703.
We are registered with the Information Commissioner's Office (reference ZA229888).
We are ISO27001:2013 certified for information security management (certificate number: 188274). To achieve this certification, we successfully completed a detailed two-stage audit with an external auditor looking at every aspect of managing systems, protecting data, and continuously improving how information is managed securely.
The types of information we collect through this website
When you engage with us – for example, by ordering our services or products, applying to work with us, or getting involved in our campaigns – we may collect and process information about you, or about other people who you are working on behalf of (“your personal information”). Depending on the activity, this may include name, email address, postal and billing address, telephone number, and name of employer. If you are submitting the personal information of another person, on their behalf or as part of the work of your organisation, you must have their consent or a valid reason/legal basis for doing so.
We’ll also ask for information when you report a problem with our website, and if you contact us, we may keep a record of that correspondence.
Sometimes, we may ask you to complete surveys that we use for research purposes, but you’re under no obligation to respond to them.
We may also collect details of your visits to our website, including traffic data, location data, weblogs and other communication data, as well as the resources that you use.
Please note that if you are submitting personal information on behalf of another person, you agree that you either have their consent to do so, or are sharing the information with us for another lawful reason.
How we use your personal information
- We may use your personal details to generate helpful pre-filled forms or invoices on our website.
- We may send you information about products or services you’ve ordered, including related fundraising or campaigning activities.
- We may send you more details about roles you've applied for, or about the charity, and we may store your information on our systems so we can continue to provide a service or continue our contact with you to perform an important business task.
- We analyse the way people use our website, to make it as efficient and user-friendly as possible.
- We use IP addresses to establish your approximate location, prevent disruptive use of our website, and to see how many visits we receive from different countries or areas.
- We use personal data to understand our customers better, to make our direct marketing more targeted, and to provide our customers with the most relevant information.
All of this data will be securely stored on our servers, or as specified in the sections of this policy headed ‘Where we store information related to your use of this website’ and ‘How we store and process your data, and sub-processors we use’.
If you no longer want us to store or use your information, you can request that we delete your data (see the section headed ‘How to access or delete your personal information’).
How we’ll contact you
If we contact you by phone or letter, we won’t do so again if you ask us not to. You can contact us to change your contact preferences by logging into your account on the nurtureuk website, or – if you don’t have an account – by emailing our team on [email protected] or calling +44 (0)203 475 8980.
We will never contact you to send you information about how you can support nurtureuk by email or text, unless you’ve given us permission to do so.
How we handle your personal information
We use SSL encryption on our website to encrypt any information you give us. This ensures that the data is collected and stored securely.
Once your data has been collected, we use reasonable and appropriate measures to ensure its security, including strict controls over who can access and process your data. We explain what we do in more detail in the 'How we store and process your data, and sub-processors we use' section of this policy.
nurtureuk will never rent or sell your personal information to any other organisation, for use in their own direct marketing activities. Except as specified in the section headed ‘Where we store and process information related to your use of nurtureuk services’, we will only disclose or share your personal information to third parties if:
- We are legally obliged to do so
- To protect the rights, property or safety of nurtureuk, our donors or others. This includes sharing information for the purposes of fraud detection and protection.
How we handle direct debit or credit card information
We always make sure that sensitive information, like debit cards, credit cards or personal information is collected and stored securely. Both we and our partners always use SSL encryption to encrypt data sent between us and our customers.
nurtureuk is Payment Card Industry (PCI) compliant and we use external PCI compliant providers to collect this data on our behalf. We do not store PCI data on our own systems.
To protect yourself when sending us sensitive information, please ensure that you’re using devices running supported operating systems and regularly updated browsers that offer some form of malware protection. Only ever connect your devices to networks that you trust.
How we use recurring payment methods
For some of our services, we allow individual customers to pay using recurring monthly or annual 0% interest instalments.
For some events, you can pay using a 0% monthly instalments payment system, over 6 or 8 months – depending on your preference.
If you pay for an annual membership subscription, you’ll be asked to agree to recurring annual payments before signing up. We will always notify you before your subscription is due to renew.
You can cancel a recurring payment to nurtureuk at any time. However, if you still owe us a payment, we’ll send you an invoice and reminders until the balance is settled. We’ll also explain the different ways you can pay this balance. To cancel a recurring payment, please email: [email protected].
Securing your passwords
If you’ve chosen or been given a password to access certain parts of our website, you’re responsible for keeping that password confidential and not sharing it with anyone else.
Where we store information related to your use of this website
nurtureuk uses internet service providers and servers located in the UK or the European Economic Area (EEA). We’ll ensure that your personal information related to your use of this website is held by those internet service providers, in compliance with UK data protection regulations, including the Data Protection Act 2018 and the UK GDPR.
How we store and process your data, and sub-processors we use
Depending on the nurtureuk services you use, buy, or sign up for on this website, your personal information, or the personal information of others you are working on behalf of, may be transferred, stored or processed in other systems, by other data processors, and in other locations. If you express an interest in a product, service or campaign, ask for information on the charity, or apply for a job or role with the charity, your personal information may also be transferred, stored or processed in other systems, by other data processors, and in other locations.
When we use the services of other data processors, we do so to fulfil our obligations under the terms and conditions of the services we provide, and in the legitimate interests of developing our charity, and improving your use of our products and services.
To manage contact data and our relationships with customers, members and partners, we use Salesforce CRM, a customer relationship management tool. The data we collect may include personal details including your name and email address, your relationship to an organisation, your job title, details of your use of nurtureuk products and services, including bookings for training courses and sessions.
This data is processed and stored within cloud-based Salesforce CRM servers based in the EEA. Data is stored encrypted (at rest when stored on the servers, in the database, in search index files, and in the file system).
We use Zendesk, a customer support tool, to provide support on the use of this website and nurtureuk’s products and services, and if you email one of our email addresses through this website. The data we collect and process in this way may include your name and email address, your relationship to an organisation, the content of your original enquiry or customer service query, along with any replies to resolve your query, which may include additional data you choose to share (for example, any additional information within your email signature). This data is processed and stored safely in encrypted form in the UK or EEA.
When you sign up for some of our services, including membership, and opt in to be contacted by us, we may use Mailchimp, an e-mail marketing tool, to manage mailing lists and to send emails to you. The data that is held on Mailchimp servers may include your name, your email address, the identity of your employer or another organisation you are connected to. This data may be processed and stored safely in encrypted form outside the UK or EEA. Our data processing agreement with Mailchimp includes the EU Standard Contractual Clauses and International Data Transfer Addendum approved by the Information Commissioner’s Office, which offer essentially equivalent protection as under the UK GDPR.
As part of our administration of the site, or if you opt in to be contacted by us for marketing emails, we use Salesforce Account Engagement, an e-mail tool, to manage mailing lists and to send emails to you. This data is processed and stored within cloud-based Salesforce CRM servers. This data may be processed and stored safely in encrypted form outside the UK or EEA. Our data processing agreement with Salesforce includes the EU Standard Contractual Clauses and International Data Transfer Addendum approved by the Information Commissioner’s Office, which offer essentially equivalent protection as under the UK GDPR. Data is stored encrypted (at rest when stored on the servers, in the database, in search index files, and in the file system).
We use Google Cloud and Google Workspace services to store and process some information related to your use of nurtureuk services, and to store emails you may send to us through this website, and some forms you may complete within the website. This data may be stored on Google cloud-based servers within the UK or EEA, encrypted at rest.
We use Zapier, an automation tool, to transfer some personal data between our systems. This data may include your name, email address, organisation name, and sign-ups or purchases of our between our systems. Your data may be retained for a period in line with our retention policy after a transfer has been made, and is stored safely on cloud-based servers before being automatically deleted. While this data may be processed and stored safely in encrypted form outside the UK or EEA, our data processing agreement with Zapier includes the EU Standard Contractual Clauses and International Data Transfer Addendum approved by the Information Commissioner’s Office, giving you essentially equivalent protection as under the UK GDPR.
If you request an invoice for a purchase of a product or service from within this website, we will use a third-party service provider to process this request. As part of this processing, your name, email address and relationship to an organisation may be collected and stored by our provider, to service these requests, and to meet requirements in law, such as retention of sales records for VAT purposes. Our provider may also contact you on our behalf to resolve any issues with payment or invoices, or to comply with audit requirements. To manage invoicing and customer data related to these requests, we use Iplicit, a cloud-based accounting system. If your data is held on this system, it is stored securely on servers within the UK or EEA.
If you sign up for one of our training sessions, consultancy sessions or webinars, we use Zoom, a meetings tool, to run the session. Our Zoom accounts are set up to process data in transit and store any recordings made within the EEA, and our meetings are secured, and not open to participants without invitations.
Zoom's standard privacy statement is here. For some of our programmes that use Zoom, a separate privacy statement will apply to your data, and we will provide a link to this from within the Zoom tool.
If you order a publication from us, or book on a course or event that includes physical materials, the order will be fulfilled by our publications partner organisation, and we will share limited personal data to allow this to happen. As part of this processing, your name, email address, details of the order, and your relationship to an organisation may be collected and stored by our provider, to service these requests, and to meet requirements in law, such as retention of sales records for VAT purposes.
If you submit evidence to back up an application for our awards schemes, we may store this evidence in Google Workspace and in Salesforce CRM for the purposes of assessment against the standards of the award and to retain evidence of standards being met. We will retain this evidence for the period of the award and will delete it once the period of the awards' validity is complete. We will delete any evidence submitted in support of an award application on request from the organisation that submitted it.
When you join as a member, sign up for any of our services, make an order or contact us, we will store your data on the systems mentioned above. In some cases, we may also share this data with our public affairs partner organisation, who may contact you on our behalf in the legitimate interest of developing our charity. Any processing by this partner is undertaken in line with a specific data processing agreement that does not permit the partner organisation to use your data in any way other than on our behalf and for the specific purposes we have directed, and requires the partner organisation to remove the data from its systems once it has been used for this specific purpose.
How long we will store your data
We will ordinarily store the information we hold related to your use of this website, and related to use of products and services for a period in line with our data retention policy. To determine the appropriate period to retain data, we consider the nature and sensitivity of the data, the potential for harm, whether we can achieve our purposes through other means, as well as any applicable legal or contractual requirements.
How to access or delete your personal information
You can request that we delete your personal information that we hold. To request this, contact our Data Protection Officer and your data will be deleted from the website, our servers and any additional systems we use, with the exceptions noted below. If we delete your data on your request, you’ll no longer be able to access your account, the information it contains, or to access or use any of our services that you have previously signed up for or purchased, or been entitled to use.
Please note that we’re legally required to hold some personal information to fulfil our statutory obligations – for example, when we collect Gift Aid or process an invoice. We may also be required to hold some data to meet other legal or contractual requirements, and in some cases where a separate data processing agreement (for example, with your employer, or with an organisation that has commissioned services on your behalf) covers the use of all or some of your data. In these cases, we may tell you to direct your access request to another organisation.
You have a right to know if nurtureuk is storing any of your personal data, and a right to be provided with that information (with some exceptions, as specified under the UK GDPR).
To ask us for your personal data, you can email [email protected] or write to:
Data Protection Officer
nurtureuk, Insight House, Riverside Business Park, Stoney Common Road, Stansted, Essex, United Kingdom, CM24 8PL.
We do not make a charge for this. It'll help us to find your information if you can tell us something about the nature of your contact with us.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
A cookie is a small file that’s sent to your computer or mobile phone, containing information that tells us you’ve used our website before. Cookies are safe and secure, and are commonly used on websites.
A cookie typically contains:
- The name of the server the cookie was sent from
- The lifetime of the cookie
- A unique identifier (usually a number).
How cookies work
When you visit our website, cookies are downloaded to your device. Your browser and our web server exchange the cookie, and we use this number to recognise you when you return to our site or browse from page to page. Only the server that sends a cookie can read and use it.
This file is stored on your computer's drive or phone's storage. All websites can send a cookie to your browser if allowed by your browser settings. Many websites do this to track the flow of online traffic.
Types of cookies
Cookies can be categorised by their life span:
Session or temporary cookies
These cookies expire when you close your browser or when the session times out.
Persistent or permanent cookies
These cookies are usually stored on your hard disk, survive across multiple sessions, and last longer.
We may also share information about your use of our site with our trusted social media, advertising and analytics partners.
We use Google Analytics to better understand how our visitors are using this site and to improve their online experience. Using cookies and other technologies, Google Analytics gathers fully anonymised data about how you and other visitors use this website, which is then stored securely. The data gathered may include:
- IP address (which is stored in a de-identified form)
- The type and screen size of your device
- Your approximate geographic location
- Your domain name
- Your browser type, version and plug-ins
- Your operating system and platform
- Your settings or preferences
- Your use of the different pages of the site, or other content within the website, and your completion of defined pathways through the website or tasks within the website
- The language you use to display our website.
We use Hotjar to better understand our customers' needs and to improve their online experience. Hotjar is a technology service that tells us about people’s behaviour on our website: how much time they spend on which pages, which links they click, what they do and don’t like etc. Using cookies and other technologies, Hotjar gathers the following information about each visitor to our site:
- Their IP address (which is stored in a de-identified form)
- The type and screen size of their device (with unique device identifiers)
- Their geographic location (just the country)
- The language they use to display our website.
Hotjar stores this information for us in a pseudonymised user profile. Hotjar is contractually forbidden to sell any data collected on our behalf. For further information, please see the 'about Hotjar' section of Hotjar’s support site.
We use Facebook Pixel to serve you information or ads on your social media based on your browsing behavior. This allows your behavior to be tracked after you have been redirected to our website by clicking on the Facebook ad. The Facebook Pixel stores a cookie on your device to enable us to measure the effectiveness of Facebook ads for statistical and market research purposes. We do not have access to the information collected through the Facebook Pixel. However, the information collected via the Facebook Pixel, on this website as well as other websites on which Facebook Pixel is installed, is also stored and processed by Facebook. Facebook may link this information to your Facebook account and also use it for its own promotional purposes in accordance with Facebook’s Data Usage Policy. The Facebook Pixel also allows Facebook and its partners to show you advertisements on and outside of Facebook. You can opt-out of displaying Facebook ads by visiting your Facebook Ad Settings, and you can clear and control the information third parties share with Facebook in your Off-Facebook Activity page.
Controlling or deleting cookies
You can control and disable cookies through your browser settings. To find out more, visit the website allaboutcookies.
Data Processing Agreement
This data processing agreement (DPA) applies to use of nurtureuk services by any organisation that is a data controller. In some cases, this DPA will be replaced or supplemented by an additional DPA agreed with or on behalf of an organisation. In the case of any conflict between this agreement and an additional DPA, the additional DPA applies.
Definitions and Interpretation
Unless otherwise defined herein, capitalised terms and expressions used in this DPA shall have the following meaning:
- “The Charity” or “nurtureuk” means The Nurture Group Network Limited
- “Organisation” means any organisation that enquires about or uses nurtureuk products and services.
- “Organisation Personal Data” means any Personal Data Processed on behalf of an Organisation in connection with nurtureuk products and services;
- “Data Protection Laws” means the laws in force in the United Kingdom from time to time that relate to data protection, the processing of personal data, privacy and/or electronic communications;
- “EEA” means the European Economic Area;
- “UK GDPR” means the UK General Data Protection Regulation (as defined in the Data Protection Act 2018);
- “Restricted Transfer” means a transfer of Organisation Personal Data which is undergoing Processing or which is intended to be Processed after transfer, to a country or territory to which such transfer would be prohibited or subject to a requirement to take additional steps to adequately protect the Organisation Personal Data for the transfer to be lawful under Data Protection Laws;
- “Services” means the use of nurtureuk products and services within the limits of the terms and conditions that apply to them;
- “Subprocessor” means any person appointed by or on behalf of the Charity to process Personal Data on behalf of the Organisation in connection with this DPA;
- The terms, “controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “processor” and “Supervisory Authority” shall have the same meaning as in the UK GDPR, and their cognate terms shall be construed accordingly.
Processing of Organisation Personal Data
The Parties acknowledge and agree that, save where otherwise stated below, in the provision of the Services, the Organisation is a controller and the Charity is a processor.
The Parties acknowledge and agree that the Charity may aggregate, anonymise and/or pseudonymise Organisation Personal Data for research purposes (“Aggregated Data”) as a separate independent controller.
The Charity shall not Process Organisation Personal Data other than on the relevant Organisation’s documented instructions. For the purpose of this section, the terms and conditions that appear on the nurtureuk website are documented instructions.
Where acting as controllers, the Parties shall comply with all applicable Data Protection Laws.
The Organisation warrants to the Processor that:
- It has all necessary rights to authorise the Charity to Process Organisation Personal Data in accordance with this DPA and the Data Protection Laws;
- Its instructions to the Charity relating to Processing of Organisation Personal Data will not put the Charity in breach of Data Protection Laws, including with regard to Restricted Transfers;
- It has a lawful basis for Processing the Organisation Personal Data for the Services in accordance with the Data Protection Laws; and
- Where the relevant lawful basis relied upon is the consent of the Data Subject, it has obtained the Data Subject’s consent in accordance with the Data Protection Laws and maintains a record of such consent.
The Charity shall take reasonable steps to ensure the reliability of any employee, agent, consultant or contractor of any Subprocessor who may have access to the Organisation Personal Data, ensuring in each case that such individuals comply with the DPA and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Charity shall in relation to the Organisation Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, Charity shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
The Organisation authorises the Charity to engage Subprocessors. The Charity will inform the Customer of any intended changes concerning the addition or replacement of Subprocessors through an update to this DPA or to the Data, Privacy and Cookies policy that applies to the Services, and will give the Organisation ten working days to object to such changes.
If the Charity appoints any Subprocessor, the Charity will ensure that a written contract is concluded between the Charity and the Subprocessor that specifies the Subprocessor’s Processing activities and imposes on the Subprocessor similar terms to those in this DPA. The Charity will remain liable to the Organisation for performance of the Subprocessor’s obligations.
Data Subject Rights
Taking into account the nature of the Processing, the Charity shall provide reasonable assistance to the Organisation by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Organisation’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
The Charity shall:
- Promptly notify the Organisation if it receives a request from a Data Subject under any Data Protection Law in respect of Organisation Personal Data; and
- Ensure that it does not respond to that request except on the documented instructions of Organisation unless required to do so by Applicable Laws to which the Charity is subject, in which case the Charity shall to the extent permitted by Applicable Laws inform Organisation of that legal requirement before the Charity responds to the request.
Personal Data Breach
The Charity shall notify the Organisation without undue delay upon Charity becoming aware of a Personal Data Breach affecting Organisation Personal Data.
The Charity shall co-operate with the Organisation and take reasonable commercial steps as are directed by Organisation to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
The Charity shall provide reasonable assistance to the Organisation with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, in each case solely in relation to Processing of Organisation Personal Data by, and taking into account the nature of the Processing and information available to, the Charity.
Deletion or return of Organisation Personal Data
At the option of the Organisation, the Charity will delete or return to the Organisation all Organisation Personal Data.
The Charity will be entitled to retain the Aggregated Personal Data and any Organisation Personal Data which it has to keep to comply with any applicable law or which it is required to retain for insurance, accounting, taxation or record keeping purposes. Any Organisation Personal Data retained in accordance with this section will be kept by the Charity as a Controller.
Subject to this section, the Charity shall make available to the Organisation on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Organisation or an auditor mandated by the Organisation in relation to the Processing of the Organisation Personal Data.
Information and audit rights of the Organisation only arise under the previous section to the extent that the Organisation cannot itself access the information via the Boxall Profile Online website.
The Charity may make or authorise a Restricted Transfer if it demonstrates or implements an appropriate safeguard for that Restricted Transfer in accordance with Data Protection Laws. Such appropriate safeguards may include the standard contractual clauses for the transfer of personal data which have been approved by the European Commission or such alternative body in the United Kingdom, in which case the Organisation will execute any documents relating to that Restricted Transfer which the relevant Charity requires it to execute from time to time.
Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- (a) disclosure is required by law;
- (b) the relevant information is already in the public domain.
Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out below or such other address as notified from time to time by the Parties changing address.
The Charity’s details:
[email protected] or by post to:
Data Protection Officer
Nurtureuk, Insight House, Riverside Business Park, Stoney Common Road, Stansted, Essex, United Kingdom, CM24 8PL.
Nurtureuk is ISO27001:2013 certified for information security management (certificate number: 188274).
To achieve certification, nurtureuk successfully completed a detailed two-stage audit with an external auditor looking at every aspect of managing systems, protecting data, and continuously improving how information is managed securely.
Achieving the ISO standard shows the effectiveness of nurtureuk’s approach to handling information, from recruiting and developing team members, to managing access to systems, and making sure data is backed up regularly.