Our privacy policy

Last updated 26 April 2023

What does this policy cover?

This Privacy Policy describes how Impact Operations Limited (“Impact Ops”) collects, uses, and shares your personal information when you:

  • visit any websites operated by us, including https://impact-ops.org and any other sites or applications containing a link to this Privacy Policy (collectively “Websites”); or
  • interact with us offline (such as when you apply for a role within our organization).

It also provides additional details regarding how we process the personal information of individuals in the United Kingdom (“UK”), including a description of rights you may have over your personal information under applicable UK law.

If you provide us with personal information of anyone other than yourself (such as a colleague), you’re responsible for complying with all applicable privacy and data protection laws prior to providing that information to Impact Ops (including obtaining consent, if required).

If you have any questions, contact us using the details in the Who we are and how you can get in touch section below.

What personal information do we collect?

When we refer to “personal information,” we mean information that can be used to identify a person or can be linked directly to an individual. We may collect and process your personal information:

  • directly from you (including through online forms or in conversation with staff during the course of service delivery),
  • from the device(s) you use to access the Websites,
  • from third parties, and
  • from public sources (such as LinkedIn).

Personal information we collect from you directly

  • Identity and Contact Data such as your name, profession, and email address.
  • Account Data including username and password.
  • Transaction Data including billing address, bank, and payment card information when used to make a payment.
  • Marketing Preferences including any consents you have given us.
  • The content of your Communications or any other personal information you provide to us directly, such as information provided voluntarily in relation to your profession.
  • Demographic Information such as country of residence, gender, and age.
  • Service Engagement with Impact Ops such as your activities on the Websites.

Where we need your information to open an account and to review you for some service, we won’t be able to do so if you don’t provide us with it.

Personal information we collect from your device(s)

We may collect information from the device(s) you use to access the Websites such as your Internet Protocol (IP) address; device type; dates and times you visit and use the Websites; activity on the Websites and referring websites or applications; Uniform Resource Locators, or URLs (i.e. website addresses) visited prior to arriving and after leaving our Websites; and approximate geolocation. We typically collect this information through the use of cookies and similar technologies. For more information on how we use cookies, see our Cookie Policy.

Personal information we collect from third parties

We may collect your personal information from third parties. We work closely with organizations and industry experts, who may pass on data to us about individuals they interact with such as job applicants or employees so that we can assess them as potential recipients of our services, provide services to them, or consider them for a role.

We may also ask trusted informal advisors for advice in their relevant areas, such as formal or informal references in recruiting.

Publicly available sources

We may collect personal information about you from publicly available sources, including social media sites (such as LinkedIn) or news articles. Such information may include (as relevant) your education, employment history, and credentials. We may do this, for example, when you apply for a role within our organization.

How do we use your personal information?

We use your personal information for the following purposes:

  • to assess your suitability for services, collaborations, roles, or other opportunities at Impact Ops, and to suggest you for, or contact you about, any of these things;
  • to assess the impact of our work, and to promote our work through, for example, case studies and blog posts;
  • to create any accounts you request and maintain or moderate platforms we run;
  • to communicate with you, including to notify you about changes to our terms and asking you to undertake surveys and give feedback, process your concerns and queries, and provide you with information we think may be useful to you;
  • to use data analytics to improve our Websites, services, marketing efforts, and user experience;
  • to administer and protect Impact Ops, our initiatives, our people, and our Websites; and
  • to generally protect our legal rights and comply with law and regulation.

GDPR

The UK General Data Protection Regulation (“UK GDPR”) requires us to provide additional information about how we handle the personal information of individuals subject to those laws. If you’re a UK resident, or are otherwise within the scope of the UK GDPR, the following sections apply to our processing of your personal information.

Our role

For the purposes of the UK GDPR, Impact Ops is a “controller” of your personal information as it is described in this Privacy Policy. This means we make decisions about how and why your information is used, and have a responsibility to make sure that your rights are protected when we do so.

Legal bases for processing your personal information

We’ll process your personal information only where we have a legal basis for doing so, including:

  • when we need it to perform a contract we’re about to enter into or have entered into with you;
  • when it’s necessary for our “legitimate interests” (or those of a third party) and your interests and rights don’t override our interests;
  • when you’ve given us your consent; and
  • when we need to comply with the law.

When we refer to our “legitimate interests,” we mean:

  • to improve our services;
  • to keep our records updated and to study how our Websites and other services are used;
  • to administer and protect the organization and web presence (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting);
  • to inform our marketing strategies.

Sensitive information

Certain types of personal information may be considered “sensitive” under the UK GDPR, such as information about your race or ethnic origins. We may collect sensitive information in certain circumstances. For example, we may collect information about ethnicity for the purposes of diversity monitoring.

We’ll generally ask for your consent for this sensitive information, but we may also rely on other legal bases to collect and use it, for example when we need to do so for safeguarding purposes, to protect your vital interests, to obtain legal advice, or because we’re subject to a legal obligation.

Your personal information rights

Under the UK GDPR, you may have the right to ask us for a copy of your personal information; to correct, delete, or restrict (stop any active) use of your personal information; and in certain cases to obtain the personal information you provide to us in a “structured, machine readable format.” You can also object to the use of your personal information in some circumstances (in particular, when we don’t have to use the data to meet a contractual or other legal requirement, or when we’re using the data to send you marketing emails).

Where you’ve given us your consent to use your personal information, you can take back that consent at any time. If you do, we’ll stop using your personal information immediately, unless we collected it for a different purpose (for example, the information is necessary to comply with a legal obligation). If you decide to take back your consent, this won’t affect the lawfulness of our actions before you made that decision. This means that our use of your personal information before you took back your consent remains legal.

These rights may be limited, for example, if answering your request would reveal personal information about another person or if you ask us to delete information which we’re required by law to keep or have important legitimate interests to keep.

You also have the right to complain to a data protection authority about how we process your personal information. In the UK, the supervisory authority is the Information Commissioner’s Office. To exercise any of these rights, or to make a complaint to us, you can get in touch using the details set out in the Who we are and how you can get in touch section below.

Cross-border transfer of your personal information

Impact Ops generally stores your personal information within the UK and the US. Sometimes we use service providers who access your personal data in other countries.

When we need to share your personal information with people or organizations outside the UK, including in the United States, it might be subject to data protection laws that offer less protection than under the UK GDPR. Where this is the case, we take steps to ensure your personal information is protected, including by entering into contracts that have been approved by the relevant authorities (such as “standard contractual clauses” or an “international data transfer agreement”). If you want to learn more about this, or to get a copy of the transfer mechanism that we use, reach out using the details given in the Who we are and how you can get in touch section below.

How do we share your personal information?

In exceptional circumstances, we reserve the right to pass on your personal information when there’s a legal or “duty of care” imperative (for example if we need to safeguard other individuals).

We may share your personal information with our affiliate companies and organizations for the purposes set out in this Privacy Policy.

We may also share your personal information with third-party service providers, who will process it on our behalf for the purposes identified above. We use third-party providers of certain services such as but not exclusively website hosting, website analytics, behavioural remarketing services, marketing automation, payment processing, and IT maintenance. We also pass information to our payment processing partner when you make a payment; we don’t generally store your card details when doing so.

Other than that, we may share your personal information:

  • with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required to protect our legitimate interests (e.g. with HMRC for tax regulation purposes in the UK);
  • with funders and investors to help our organization grow;
  • if all or part of our organization is closed, combined with another organization, or becomes its own organization, we’ll share your personal information with external advisors (such as lawyers, accountants, or financial advisors) who are helping us with this process and the owners of the new organization; and
  • in connection with any legal process or potential legal process.

How do we secure your personal information?

We put in place organizational and technical measures to protect your personal information. These measures include taking all steps reasonably necessary to ensure our IT systems are secure and putting in place procedures to deal with suspected data breaches. In the unlikely event of a data breach, we’ll take steps to minimize the loss or destruction of data and, if required by law, we’ll notify you. We’ve implemented data security policies and procedures, and relevant staff receive data security training.

Our security measures include:

  • sending the most sensitive information over encrypted channels (SSL/TLS);
  • using slow password hashing algorithms (such as Bcrypt);
  • taking reasonable steps towards the physical security of where we host our data (such as using reasonable third-party providers); and
  • using PCI Compliant payment processors to avoid storing your payment details (e.g. credit card numbers).

Where we’ve given you (or where you’ve chosen) a password that enables you to access certain parts of our Websites, you’re responsible for keeping this password confidential. Don’t share a password with anyone.

Although we use reasonable security measures once we’ve received your personal data, the transmission of data over the internet (including by email) is never completely secure. We work to protect personal information, but we can’t guarantee the security of information transmitted to or by us.

How long do we keep your personal information?

We’ll only keep your personal information for as long as we need it to achieve the purposes for which we collected it, to comply with our legal and regulatory obligations, to exercise our legal rights, and to protect ourselves from legal claims.

If we no longer need this personal information for the purposes set out in this Privacy Policy, we’ll delete it or anonymize it so that nobody can identify you from the information.

Updates to this Privacy Policy

We reserve the right to change this Privacy Policy from time to time. We’ll alert you when changes have been made by indicating the date this Privacy Policy was last updated or as otherwise may be required by law. We recommend that you periodically revisit this Privacy Policy to learn of any changes.

Who we are and how you can get in touch

Impact Ops is a company limited by guarantee, the registration number of which is 14627777. Impact Ops’ registered office is at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. If you have questions in relation to this Privacy Policy or on how we use your personal information, contact us at hello@impact-ops.org.