PRIVACY POLICY
1. About this policy
This Privacy Policy explains how the Institute for Advanced Learning and Metacognition (IALM, “we” or “us”) collects and uses personal data, and the rights you have in relation to your data. It is provided in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
IALM is the data controller for the personal data described here. We are a charity registered in England and Wales (registered charity number 1189445), with our registered office at 23 Old Oak Gardens, Walton Le Dale, Preston, PR5 4BF. We are registered with the Information Commissioner's Office (registration number ZC173366). Questions about this policy, or about your data, can be sent to our Data Protection Lead at [email protected].
This is our public-facing notice; it is supported by our internal Data Protection (GDPR) Policy. We may update this policy from time to time, and will post any changes on our website.
2. The personal data we collect
The personal data we hold depends on your relationship with us. It may include:
- members and subscribers — name, contact details, date of birth, professional details, membership grade and history, and payment information;
- event and training participants — name, contact details, and any access or dietary requirements you tell us;
- donors and supporters — name, contact details, donation history, and Gift Aid status;
- job, trustee and volunteer applicants — the information in your application, references and, where relevant to the role, eligibility and background-check information;
- website users — technical data collected through cookies and similar technologies (see our Cookie Notice); and
- enquirers — the contact details and information you provide when you get in touch.
3. How we collect your data
We collect personal data directly from you (for example, when you apply for membership, book an event, make a donation, or contact us); automatically when you use our website (through cookies and similar technologies); and occasionally from third parties (for example, a referee, or a partner organisation delivering a project with us).
4. Why we use your data, and our lawful bases
We only process personal data where we have a lawful basis to do so under the UK GDPR:
- Contract — to administer your membership or deliver a service you have requested, such as a course or event;
- Legitimate interests — to run our charitable activities, keep records, and send you relevant professional information, where this does not override your rights;
- Legal obligation — to meet legal and regulatory duties, such as Gift Aid and tax reporting, safeguarding, and responding to lawful requests;
- Consent — for activities such as marketing communications, optional participation in research, or the use of case studies; and
- Vital interests — in rare cases, to protect someone's life in an emergency.
5. Special category data
Some data — such as data about health, ethnicity, religion or sexual orientation — is “special category” data requiring extra protection. We process it only where a condition under Article 9 of the UK GDPR applies, for example with your explicit consent, to meet employment or safeguarding obligations, or for equality and diversity monitoring on an anonymised basis.
6. Children's data
Because our work includes children and young people, we may process their personal data. Where we do, we apply appropriate safeguards and, where required by law, obtain the consent of a parent or guardian. We handle children's data in accordance with this policy and our Safeguarding Children Policy.
7. Marketing
We will only send you marketing communications where you have agreed to receive them, or where we are otherwise permitted to do so by law. You can ask us to stop at any time, by using the unsubscribe link in our emails or by contacting us. Stopping marketing will not affect communications we need to send you to administer your membership.
8. Who we share your data with
We do not sell your personal data. We share it only where necessary:
- with service providers who process data on our behalf (for example, IT, hosting, payment and email providers), under contracts that require them to protect it;
- with our professional advisers, where necessary; and
- with regulators, authorities or other third parties where we are required to do so by law, or to protect someone's safety.
9. International transfers
Where any personal data is transferred outside the UK — for example, because a service provider is based abroad — we will ensure that appropriate safeguards are in place to protect it, as required by data protection law.
10. How long we keep your data
We keep personal data only for as long as necessary for the purposes for which it was collected, and to meet our legal and regulatory obligations. For example, membership records are typically kept for the duration of membership plus six years. Further detail is set out in our Records Retention Schedule and our internal Data Protection (GDPR) Policy.
11. How we protect your data
We use appropriate technical and organisational measures to keep personal data secure, including access controls, secure storage, and training for those who handle data. If you are concerned that your information may have been put at risk, please contact us immediately.
12. Your rights
Under the UK GDPR, you have the right to:
- be informed about how we use your data (through this notice);
- request access to a copy of your data;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict or object to certain processing;
- data portability; and
- withdraw consent at any time, where we rely on consent.
To exercise any of these rights, please contact our Data Protection Lead. We will respond within the statutory period (usually one month), and there is normally no charge.
13. Cookies
Our website uses cookies and similar technologies. How we use them, and how you can manage your choices, is explained in our Cookie Notice.
14. How to contact us, and how to complain
If you have any questions, or wish to exercise your rights, please contact our Data Protection Lead at [email protected], or write to us at our registered office.
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, at ico.org.uk or on 0303 123 1113. We would, however, appreciate the chance to address your concerns before you approach the ICO, so please do consider contacting us first.
15. Review of this policy
This policy will be reviewed by the Board of Trustees at least every two years, or sooner if required by changes in law or our practices.
Approved by the Board of Trustees on 24th June 2026.
