Last updated: November 2025
At InCommon, we are committed to protecting and respecting your privacy. If you have any questions about the below, please email us at hello@incommon.org.uk.
You can download a full copy of the Data Privacy Policy here
InCommon is committed to protecting your personal data, including letting you know when and how we use it. We are also committed to supporting your data protection rights and meeting our obligations under data protection regulations.
InCommon in particular acknowledges how important protection of personal data is when working with individuals who may be at risk or with more sensitive data.
Definitions:
“Controller” this is the person or company that makes decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.
“Data Subject” the individual about whom the personal data relates
“Personal data” is any information about a living individual which allows them to be identified. directly or indirectly.
“Processor” these act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.
As part of being accountable for how we process your personal data, InCommon has appointed a data protection officer and nominated a Trustee with particular responsibility for data protection.
Data protection officer: Hannah Kayi Mason
Trustee Data Lead: Hector Smethurst
To contact InCommon about the data we hold about you or for any other questions about this policy, please email hello@incommon.org.uk.
Data protection in the UK is regulated by the Information Commissioner’s Office (ICO). You can contact them via phone on 0303 123 1113 or via email or via post to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
At InCommon we collect and process the personal data of different stakeholders.
To make it easier to find the information that is relevant to you, we have divided the policy into the stakeholder group sections below.
Each of these sections answer the questions:
What data we collect about you
What we use it for and what legal basis we are processing it under
Under data law we need to have a legal basis for processing your data and know what that is for different pieces of data.
Stakeholder groups:
Programme participants (older)
Programme participants (under 18s)
Users of our digital platform
Team, volunteers, freelancers and role applicants
Supporters
Other stakeholders not covered above
There are some parts of our policy that are relevant to everyone whose data we handle. The following sections apply to everyone:
How we process and store your data
Your rights as a data subject
Programme participants (older adults)
Name and contact details (e.g. telephone number, address and email address)
We collect the first name and last name of programme participants in order to deliver our programme effectively and keep an accurate record of participant attendance. These aggregated figures are also shared with funders, but no personal information is shared with them.
We collect contact information for participants to invite them to events, for welfare calls or as part of programme activities. We use addresses to send post to the participant, e.g. InCommon magazine and to knock on their door to invite them to events taking place in the communal lounge
What is the legal basis?
Legitimate interest (until the registration form is completed) and consent thereafter
Photographs, audio recording and video recording
We take photos and recordings in workshops to promote the impact of the programme, e.g. via our website/social media, in the form of case studies to funders, etc.
What is the legal basis?
Consent (registration form)
Equality monitoring information including gender, sexuality and ethnicity
We collect this information to report to funders about the reach of programmes. Longer term this will enable us to learn whether our programmes are reaching people from different demographics equally, and potentially explore barriers for, or target recruitment towards, underrepresented groups
What is the legal basis?
Explicit Consent (optional questions on registration form)
Demographic and personal details including age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants
We collect this information if it is relevant to our programme. We may process demographic information and personal details, e.g. for our equality monitoring and reporting to funders.
What is the legal basis?
Explicit Consent (registration form)
Safeguarding or welfare notes from communication with older participants
Notes are recorded for the safety of participants. We take these to ensure there is an accurate record of what we observe or are told and so we can act responsibly to safeguard participants and promote their welfare.
Sometimes older participants may share sensitive details for example health issues, difficulties with finances which might be used to make a referral for further support.
What is the legal basis?
Explicit Consent (specified on registration form)
If a sensitive disclosure is made, the individual should be reminded that we may have a duty to widen confidentiality, and where possible offer the individual control over how this happens.
If necessary and consent is not given, legal obligation (e.g. duty to safeguard an adult at risk). Please see our Safeguarding Policy for more details.
Programme participants (under 18)
Name
We collect the first and last name of participants in order to deliver our programme effectively and keep an accurate record of participant attendance. These figures are also shared with funders.
What is the legal basis?
Legitimate Interest
Photographs, audio recording and video recording
We take photos and recordings in workshops to promote the impact of the programme, e.g. via our website/social media, in the form of case studies to funders, etc.
What is the legal basis?
Consent of parents (parent permission letter).
Children’s consent should also be respected, i.e., children should be aware that photos are being taken and able to request that they don’t want their photo taken.
Children’s/young people’s equality monitoring data (gender, ethnicity)
We collect this information on programmes where funders request this to report the reach among certain demographics.
What is the legal basis?
Consent (collected via an optional form)
Safeguarding notes from communication with children
Notes are recorded for the safety of participants. We take these to ensure an accurate record of what we observe or are told, so we can act responsibly to safeguard participants and promote their welfare. We would share relevant information with emergency services in situations where there is a real risk of harm.
Legally we can store and share information for safeguarding purposes, including sensitive and personal information and this information should be treated as 'special category personal data'. This includes allowing practitioners to share information, regarding 'safeguarding of children at risk', without consent if it is not possible or reasonable to gain consent
What is the legal basis?
Legal obligation (e.g. duty to safeguard a vulnerable child). Please see our Safeguarding Policy for more details.
Users of our digital platform
Free account holders: name and email address
We collect this information to track the engagement and use of the platform, and as a user identifier on the platform.
What is the legal basis?
Consent (on account creation)
All other account holders: name and email address (of account holder and alternative account holder), phone number and photo
We collect contact information to facilitate use of the platform and arrangement of visits. This information will be visible to some other platform users, in particular:
Linked users i.e. a school user will be able to see the contact details for their linked scheme and vice versa.
Relevant partner users i.e. a housing association commissioner can view the details from their scheme users.
We collect phone numbers and photos to facilitate relationship building and to support visits. These are optional.
What is the legal basis?
Consent (on account creation or onboarding call).
Legitimate interest for the alternative contact details to contact in emergency situations.
Team, volunteers, role applicants and network
Name and contact details
We collect the name and contact details of team members, volunteers and role applicants. We also collect the name and contact details of people in our wider professional network, such as advisors or sector partners.
What is the legal basis?
Contract
Application answers
We collect and store answers from volunteer and role applicants to help us make recruitment decisions.
What is the legal basis?
Legitimate Interest
Supporters, funders and donors
Name and contact details (e.g. telephone number, email address, address)
We collect this information to provide updates; support fundraising activity and process Gift Aid Claims.
We will only contact people that have not opted out of communications with us.
If you are a subscriber to our mailing list wish to no longer receive our emails, you can click unsubscribe. If you want us to remove your information completely from Mailchimp, please contact us at hello@incommon.org.uk
What is the legal basis?
Consent (mailing list sign up, via donor platform)
Legitimate interest (e.g. contact through staff)
Financial information and records of donations
Financial reporting, for example to HMRC and our accountants, and Gift Aid claims.
What is the legal basis?
Legitimate interest and legal / best practice requirements (e.g. ‘Know your donor’ anti-money laundering practices)
Our website uses cookies. A cookie is a small file of letters and numbers that is downloaded onto your computer when you visit a website. This is anonymous information which helps us track how people use our website and is stored on Squarespace and Google Analytics.
If you continue without changing your browser settings, we'll assume you are happy to receive all cookies on our site. You can find out more about managing cookies here.
We will obey the law when we process your data.
This means we will:
Keep it up to date
Store and destroy it securely
Not collect or retain excessive amounts of data
We store data on the following online systems. These organisations all have a privacy policy available to view on their websites, please contact us if you require further information on hello@incommon.org.uk.
Google (e.g. Google Drive, Gmail and Google Calendar)
Airtable
Lavarel
Mailchimp
JustGiving
We also store some personal data in hard copy in our offices. This is stored securely and destroyed securely when no longer needed.
Your personal data will be treated as strictly confidential. It will only be shared with third parties under specific circumstances:
Where it is necessary to protect harm to yourself or others
Where you give us consent to share it, for example as part of a named case study, or for a referral to a partner organisation
Where it is shared in such a way that an individual cannot be identified
Who we share your data with
Katapult.io – hosts and supports our website. Their privacy policy can be found here: https://katapult.io/privacy-policy/
MailChimp – we use MailChimp for our email marketing and newsletters. Their privacy policy can be found here: https://mailchimp.com/help/mailchimp-european-data-transfers/
We follow the general principle of keeping data only as long as is reasonable and necessary for our purposes. This length of time will vary depending on the nature of the data. Data will be deleted when it is no longer needed.
We will keep some records permanently if we are legally required to do so or it is legally advisable, for example we would keep records of the DBS status of volunteers permanently.
We may keep some other records for an extended period of time. For example, it is best practice to keep financial records for a minimum period of 7 years to support HMRC audits.
We generally keep personal information of participants while they are involved in a programme/activity and for up to three years afterwards, unless they ask for this to be deleted. This is primarily to help us re-engage past participants, for example if a project is refunded in their area after a short break.
Some data may be kept for longer. This includes:
Email correspondence, which will remain accessible in our email archive.
Photographs, which may remain published on our communications platforms, and we may keep the digital images and photo permission records that accompany them for longer than 3 years
Notes of safeguarding concerns, which may be kept for longer in case they are required at a later date.
Your data
You have the following rights with respect to your personal data. Not all of these rights apply all the time:
1. The right to access information we hold on you
At any point you can contact us to request the information we hold on you. We will also provide information about why we have it, who we share it with, and where we obtained it. Once we have received your request we will respond within one month, however, for complex or large volume requests we may need to take up to two additional months. However, this will be communicated with you well before the initial 30-day deadline.
There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.
The best way to do this is to email hello@incommon.org.uk
2. The right to correct, update and complete the information we hold about you
If the data we hold about you is out of date, incomplete or incorrect, you can inform us and your data will be updated, we may need to request verification in certain circumstances. The best way to do this is to email hello@incommon.org.uk
3. The right to have your information erased
If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold.
The best way to do this is to email hello@incommon.org.uk
When we receive your request, we will confirm whether the data has been deleted or the reason why it cannot be deleted.
4. The right to object to processing of your data
You have the right to request that we stop processing your data. Upon receiving the request, we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims. The best way to do this is to email hello@incommon.org.uk
5. The right to data portability
You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
This applies to any data we hold under the legal bases of consent or performance of a contract and for data in electronic form
The best way to request this is to email hello@incommon.org.uk
6. The right to object to the processing of personal data
You have the absolute right to object to the processing of personal data for direct marketing purposes
You can also object to the processing of personal data when it is being processed under the legal basis of legitimate interests, if we have and can demonstrate legitimate interest(s) that outweighs your objection we may be able to continue with the processing or if we require the data to establish, exercise or defend a legal claim.
7. The right to restrict the processing of your personal data
You have the right to restrict the processing of your personal data when:
You contest the accuracy of the personal data we hold about you; we will restrict the processing of your personal data while we investigate
You believe that we have processed your personal data illegally and you do not want us to delete it
We no longer need to use the personal data, but you want us to restrict the processing so that you can establish, exercise or defend a legal claim
In cases where you’ve objected to our processing of your personal data and we are reviewing the case
Where we are relying on Consent as our legal basis for processing, you have the right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
The best way to do this is to email hello@incommon.org.uk
8. The right to lodge a complaint with the Information Commissioner’s Office.
You can contact them via phone on 0303 123 1113 or via email or via post to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
We will not transfer your data abroad to any country which does not have the same standards of data protection as the UK.
We use cloud-based processing software that may use servers outside the UK where this can be done in compliance with GDPR. See ‘How we store your data’ for a list of our current processing software.
If we wish to use your personal data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.