Privacy Policy

Enactus UK respects your privacy and is committed to protecting your personal information. The EU General Data Protection Regulation (GDPR) came into force in the EU, including the UK, on 25th May 2018. This privacy policy will inform you how we collect and look after your personal information in accordance with GDPR and tell you about your privacy rights.

Updated: September 2025

1. Introduction

This policy explains how Enactus UK & Ireland and its NextGenLeaders programme (collectively referred to as "we," "us," or "our") collect, use, and protect your personal information. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (GDPR) and other applicable data protection laws. This policy applies to all participants, partners, and stakeholders of both Enactus UK and the NextGenLeaders programme.

2. Controller

Enactus UK is the data controller responsible for your personal data. This means we determine how and why your data is collected, stored, and used.

3. Contact Details

If you have any questions about this Privacy Policy or wish to exercise your rights, you can contact our Executive Director:

• Amy Brereton

• Email: abrereton@enactus.org

4. Changes to This Privacy Policy

We regularly review our Privacy Policy to ensure it remains accurate and up-to-date. This version was last updated in September 2025. We encourage you to check our website at www.enactusuk.org/privacy-policy for the most current version.

5. The Personal Data We Collect and Why

Personal data is any information that can identify an individual. We collect your data to effectively manage our programmes and provide our services. We collect your personal data when you:

• Interact with us in person, by phone, email, or via our website.

• Join the Enactus UK or NextGenLeaders community as a student, university or school lead, partner, or volunteer.

• Register for one of our events or sign up for our mailing list.

The types of data we collect and our reasons for doing so are:

• Contact Information: Name, email address, phone number, and address. We use this to communicate with you about your membership, events, and other relevant programme information.

• Special Categories of Data: For events, we may collect information related to dietary requirements, accessibility needs, or other health data to ensure your safety and full participation. This is done only with your explicit consent.

• Third-Party Data: We use a range of trusted third-party service providers to manage our operations. These include:

  • Events: We typically use Fillout or Google Forms to manage event registrations. Your personal information is collected through their platform.

  • Mailing Lists: We typically use Brevo to send out our newsletters and marketing communications.

  • Programme Management: We use Google Workspace (Google Forms, Docs, Sheets), Notion, and Fillout for surveys, data collection, and programme management.

  • Digital Signatures: We use DocuSign for any necessary digital agreements.

  • File Sharing: We may use secure file transfer providers for large documents such as WeTransfer.

We ensure that all our service providers are contractually obligated to protect your data in line with GDPR.

6. Data Processing and Legal Basis

Under GDPR, we must have a legal basis to process your personal data. We rely on the following:

• Legitimate Interests: We process your data when it is necessary for our legitimate interests as a charitable organisation and does not override your rights. This includes:

  • Administering our programmes and ensuring effective communication between members.

  • Monitoring and evaluating programme impact and creating anonymised statistics (e.g., student demographics) for reporting to funders or regulators like the Charity Commission.

• Consent: We will process your data where you have given us clear and explicit consent. For example, when you sign up for our newsletter. You have the right to withdraw this consent at any time.

7. Children and Young People

We work with young people under the age of 18 through the NextGenLeaders programme. When a participant is under 18, we will seek parental or guardian consent before collecting or using their personal data. We handle the information of young people with additional care in line with safeguarding best practices.

8. Sharing and International Transfers

We will not sell, rent, or share your personal information with any third-party organisations.

However, we may share anonymised data with our partner organisations, both inside and outside of the UK and EU (including in the USA and Australia). This data is aggregated and does not contain any personal information that could identify you. The purpose of this sharing is purely to support and make improvements to the programme, such as reporting on our impact or providing our partners with general insights into our community. We ensure that any such data transfer is made in a way that provides an adequate level of protection, consistent with UK and EU law.

9. Data Retention and Security

We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. Our data retention policy ensures that we delete or anonymise data when it is no longer needed. For example:

• Contact information and event data for participants and members will be retained for 2 years after their last interaction with us to support ongoing relationships and for impact analysis.

• Financial records related to donations or expenses are retained for a minimum of 6 years to comply with UK accounting and tax laws.

• Records of unsuccessful job applicants or volunteers are kept for 1 year after the hiring process is complete.

We have put in place appropriate security measures to prevent your data from being accidentally lost, used, or accessed in an unauthorised way.

10. Data Breach Notification

In the unlikely event of a personal data breach, we have a clear procedure in place to respond swiftly. If a breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also inform you directly without undue delay.

11. Your Rights

You have several rights under GDPR concerning your personal data. You can exercise these rights at any time by contacting us using the details provided above. These rights include:

• The right to access your personal data.

• The right to request correction of any inaccurate data.

• The right to request erasure of your data (the "right to be forgotten").

• The right to object to the processing of your data, particularly for direct marketing purposes.

• The right to data portability, which allows you to receive your data in a structured, machine-readable format and transmit it to another controller.

• The right to withdraw consent at any time.

We may need to ask for specific information from you to confirm your identity before we can respond to your request. We will aim to respond to all legitimate requests within one month.

12. Cookies

Our website uses cookies to collect technical and usage data to improve your browsing experience and analyse website traffic. You can manage your cookie preferences through your browser settings. For more information on the types of cookies we use and why, please see our Cookie Policy.

13. Complaints

If you have a complaint or are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can find more information on their website: www.ico.org.uk.