Privacy Policy: Karron Lifestyle CIC (trading as Pathways to Progress)
Transparent, Secure, and Compliant Data Protection for Our Community
1. Introduction
Karron Lifestyle CIC (trading as Pathways to Progress) ("we", "our", "us") is a Community Interest Company registered in England and Wales (Company No 16630551) and is committed to protecting and respecting your privacy. This policy explains how we, as the data controller, collect, use, and protect personal information in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable privacy laws.
Transparency and security are the cornerstones of our relationship with potential funders, partners, and the carers and individuals we serve. We are committed to not only meeting but exceeding our legal obligations, aligning our practices with best practice guidelines from the National Cyber Security Centre (NCSC) and working towards certifications such as Cyber Essentials.
2. Information We Collect
We may collect and process the following data about you:
2.1. Information You Provide Voluntarily
- Funding Applications: Contact details, organisational information, financial and project proposal details.
- Service Enquiries & Delivery: Name, contact details, and relevant personal circumstances when you enquire about or use our services.
- Donations: Payment information, gift aid declarations, and contact preferences.
- Correspondence: Information contained in emails, letters, phone calls, or other communications.
2.2. Information Collected Automatically
- Technical Data: IP address, browser type and version, operating system, and device type.
- Usage Data: Pages visited, time spent on pages, navigation paths, and referral sources.
- Cookies: Small data files stored on your device (see our dedicated Cookie Policy for full details).
2.3. Information from Third Parties
We may receive information about you from:
- Publicly available sources (e.g., Companies House, charity registers).
- Referral partners (where you have provided your consent to them).
- Social media platforms (where you interact with our content).
2.4. Special Category (Sensitive) Data
In providing direct support, we may need to process sensitive data as defined by UK GDPR Article 9. This may include information about an individual's physical or mental health, racial or ethnic origin, or religious beliefs.
We will only ever process this data under one of the following specific legal conditions:
- Explicit Consent: We have obtained the individual's clear and explicit consent for one or more specified purposes.
- Substantial Public Interest: The processing is necessary for reasons of substantial public interest, is proportionate to the aim pursued, and is in line with our CIC objectives to safeguard the rights of vulnerable individuals.
Enhanced Security: Advanced encryption and strict role-based access controls are applied to all special category data.
3. How We Use Your Information & Our Legal Basis
We will only use your personal data when the law allows us to. We have set out below the specific lawful bases we rely on for each processing purpose.
| Purpose of Processing | Type of Data | Lawful Basis for Processing |
|---|---|---|
| To process grant applications and manage funding relationships | Contact, Organisational, Proposal Details | Necessary for Contract / Legitimate Interests |
| To provide information, support, and services to carers | Contact, Circumstances, Special Category | Explicit Consent / Substantial Public Interest |
| To administer donations and process Gift Aid | Payment, Contact Details | Necessary for Contract / Legal Obligation |
| To send marketing communications and impact reports | Contact Details, Preferences | Consent |
| To improve our website, services, and user experience | Technical, Usage Data | Legitimate Interests |
| To comply with legal, regulatory, and accounting requirements | Any Relevant Data | Legal Obligation |
| To evaluate programme effectiveness and report to funders | Anonymised/Aggregated Data | Legitimate Interests |
4. Data Sharing and International Transfers
4.1. Data Sharing
We will not sell or rent your information to third parties. We may share your information with:
- Service Providers: Carefully selected partners who provide services on our behalf (e.g., cloud hosting, payment processing, IT support, professional advisors). All third-party processors are subject to a rigorous due diligence process and are bound by a UK GDPR-compliant Data Processing Agreement (DPA) that stipulates their confidentiality, security, and data handling obligations.
- Regulatory Bodies: Where required by law or to comply with our regulatory obligations (e.g., HMRC for Gift Aid, the CIC Regulator).
- Collaborative Partners: With your explicit consent, when collaborating on joint initiatives with other organisations.
We maintain a central register of all processors, which is reviewed quarterly by our Data Protection Officer.
4.2. International Transfers
We do not routinely transfer personal data outside the UK. If such transfers become necessary (e.g., using a cloud service with servers in the US), we will implement appropriate safeguards as required by UK law, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
5. Data Security: Our Technical & Organisational Measures
We implement a defence-in-depth strategy to secure your personal data. Our measures include:
- Encryption: End-to-end encryption (TLS 1.3+) for all data in transit and AES-256 encryption for sensitive data at rest.
- Access Control: Strict principle of least privilege enforced through role-based access controls (RBAC). Multi-factor authentication (MFA) is required for all system access. All access is logged and audited.
- Resilience: Regular, encrypted backups of our systems are maintained and tested for integrity.
- Testing & Assurance: We undertake annual penetration testing conducted by CREST-approved cybersecurity firms, supplemented by ongoing internal vulnerability scanning.
- Culture: Mandatory, quarterly data protection and cybersecurity training for all staff and contractors.
We have robust procedures to deal with any suspected personal data breach and will notify you and the ICO of a breach where we are legally required to do so.
6. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the processing purposes, and applicable legal requirements.
Detailed retention schedules for different data types are available in our internal Data Retention Policy, which you can request a summary of by contacting us.
7. Your Legal Rights
Under data protection law, you have rights including:
- Right of Access: To request copies of your personal data.
- Right to Rectification: To request correction of inaccurate or incomplete data.
- Right to Erasure ('Right to be Forgotten'): To request deletion of your personal data.
- Right to Restrict Processing: To request limitation of how we use your data.
- Right to Data Portability: To request the transfer of your data to another organisation.
- Right to Object: To object to the processing of your personal data.
- Right to Withdraw Consent: To withdraw consent at any time where we rely on consent to process your data.
We are committed to responding to all legitimate requests within one calendar month. There is no charge for exercising your rights.
To exercise any of these rights, please contact us using the details below. We may need to request specific information from you to confirm your identity.
8. Data Protection Officer (DPO)
As an organisation processing data on a large scale, including sensitive data, we have appointed an external Data Protection Officer to provide independent expert oversight.
Our DPO is responsible for monitoring compliance, advising on our data protection obligations, and conducting Data Protection Impact Assessments (DPIAs).
You can contact our DPO directly at:
Email: dpo@pathwaystoprogress.org.uk
Post: The Grange, Neasden Lane, London NW10 1QB marked for the attention of 'The Data Protection Officer'.
9. Complaints
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us or our DPO in the first instance.
10. Changes to This Policy
We may update this policy from time to time. Any changes will be posted on this page with an updated revision date. We will notify you of significant changes where appropriate via email or a prominent notice on our website.
Have Questions?
For any questions about this privacy policy or our data practices, please contact us at:
Karron Lifestyle CIC (trading as Pathways to Progress)
Registered Office: The Grange, Neasden Lane, London NW10 1QB
Email: info@pathwaystoprogress.org.uk