Referrals Privacy Policy

This privacy policy was last reviewed on 27 November 2025.

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that is provided by a 3rd party agency who refers potential participants to us.

Personal Information. The personal information we collect may include the following:

  • Direct identifiers:  Name, home address, email address, telephone number
  • Location data: Geographic location information
  • Health data: Information about a person’s physical or mental health
  • Other information: Info that when combined can be used to identify a person. This includes Age, Gender and Employment Status.

Sensitive Information.

  • Genetic, biometric, and health data

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

2. HOW DO WE PROCESS THIS INFORMATION?

In Short: We process this information to provide, improve, and administer our Services, communicate with the referrer and the participant, for security and fraud prevention, and to comply with law. We may also process this information for other purposes with consent.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process personal information when we believe it is necessary and we have a valid legal reason (i.e. legal basis) to do so under applicable law, like with consent, to comply with laws, to provide the participant with services to enter into or fulfil our contractual obligations, to protect personal rights, or to fulfil our legitimate business interests.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process any personal information. As such, we may rely on the following legal bases to process any personal information:

  • Consent. We may process personal information if you have given us permission (i.e. consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Click here to learn more.
  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

Data is shared with the relevant partner organisation that is responsible for delivering digital support. We may also need to share your personal information, if we are required to do so by law.

5. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep any personal information for as long as necessary to fulfil the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us keeping any personal information for longer than 1 year.

When we have no ongoing legitimate business need to process any personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because personal information has been stored in backup archives), then we will securely store any personal information and isolate it from any further processing until deletion is possible.

6. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect any personal information through a system of organisational and technical security measures.

We take the security of personal information very seriously. We have set up security measures, policies, and procedures such as:

  • Ensuring only legitimate users can access the data
  • Training all staff in data and security protection
  • Monitoring our platform to keep personal information secure
  • Having security and confidentiality policies in place across the organisation, to which staff must agree before they’re given access to personal information
  • Restricting access to personal information to only those staff who need access to perform their role

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect any personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

7. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In the United Kingdom (UK) you have rights that allow you greater access to and control over your personal information.

We respect your rights to access and control the personal data that we hold about a participant, as required by data protection legislation. This includes:

  • right to be informed
  • right to get access to it
  • right to rectify or change it
  • right to restrict or stop processing it

If a participant wishes to know what personal data we hold about them, or to rectify or change this data, or to restrict or stop processing this data, they should contact us at hello@glosdigi.org.uk

Following receipt of a request the relevant team will respond in accordance with applicable data protection laws.

If a participant wishes to make a complaint about how we have managed their data, contacts for the Regulator are provided below:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, WSK9 5AF.

If a participant believes we are unlawfully processing their personal information, they also have the right to complain to their local data protection supervisory authority. Contact details can be found here:

https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Withdrawing consent: If we are relying on consent to process any personal information, a participant has the right to withdraw their consent at any time. They can withdraw their consent at any time by contacting us by using the contact details hello@glosdigi.org.uk

However, please note that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of any personal information conducted in reliance on lawful processing grounds other than consent.

8. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at hello@glosdigi.org.uk or by post to XXXX.