Privacy Notice & Use of Cookies

1. Purpose

upReach has prepared this Privacy Policy to outline our practices regarding the collection, use, disclosure, transfer and other processing of individually identifiable information about you (“Personal Information”) collected when you use upReach’s website. upReach will process any Personal Information fairly and lawfully, in accordance with this Privacy Policy and in accordance with the General Data Protection Regulation (“GDPR”).

In accordance with GDPR definitions, upReach CAN Mezzanine, 7 - 14 Great Dover Street, SE1 4YR is the Data Controller, with the CEO and Trustees therefore ultimately responsible for its implementation.  UpReach has designated Nicola Lewis, Operations Manager the person responsible for Data Protection matters at upReach. Her contact details can be found at the end of this document.

2. Information collection and use

While using our website, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to your name and contact details ("Personal Information").

A. Personal Information Collection

Subject to this Policy, upReach will treat as confidential the Personal Information that it collects about you. upReach may collect the following categories of Personal Information:

(1) For potential applicants: Your name, photo, home contact information (address and telephone number), date of birth, gender, family status, educational details (including the name of your school/college and previous school(s)/college(s), and A-level grades), details relating to any work experience or job that you may have had or will have (including salary information), personal interests and academic/career aspirations. We may also collect Sensitive Personal Data (as defined by the GDPR) from you. This includes information about your ethnic origin, family income and any disabilities or medical conditions you may have.

(2) For supporters, including employers, mentors, volunteers, donors and subscribers: Your name, contact information, employment information, information relating to your or your employees’ relationship with Associates and your bank or card details if applicable.

B. Purposes of Use of Personal Information

upReach may use the Personal Information listed above for the following purposes:

(1) For potential applicants: To process your application for a place as an Associate, various administrative purposes in connection with the operation of the programmes including your job applications, for statistical purposes, promotional purposes, programme evaluation purposes, job applications and outcomes and for the purposes of reviewing career progression. All Associate applications are processed on the basis of signed consent at the time of application. If you decide you no longer want to receive any such services or communications, you have the right to inform us and opt-out.

(2) For supporters, including employers and university partners, mentors, volunteers, donors and subscribers: For the purpose of processing your information as a mentor, volunteer or potential partnership, administrative purposes in connection with the operation of our programmes, programme evaluation purposes, fundraising purposes, for the purpose of keeping you up to date with our activity relating to our existing relationship.  You will only receive our stakeholder newsletter, updates and event invitations, if you have positively opted into receiving them. In all other cases your data is processed on the basis of Legitimate Interest. You can decide you no longer want to receive communications at any time, you have the right to inform us and opt-out.

3. Disclosure and international transfers of personal information

(1) For Associates: We may disclose your Personal Information or application progress to the employers at which you’ve applied, your university, your mentors and prospective supporters.

(2) For subscribers: For the purposes of sending you our newsletters your Personal Information will be stored on, the service we use to maintain our distribution lists.  We will only do this if you have given us permission to do so.

(3) For supporters, including employer and university partners, mentors, volunteers and donors: We will only disclose your information internally. Disclosure externally will only be with your prior agreement or your consent via an individual user agreement or contract.

The recipients of the Personal Information that upReach collects from you will be located in the United Kingdom or Europe, except in exceptional and temporary circumstances such as server maintenance. upReach has taken steps to establish appropriate data protection and information security requirements with such recipients to confirm that Personal Information is properly protected in accordance with this Policy and applicable laws. If necessary and in accordance with applicable laws, upReach may disclose Personal Information to our outside professional advisers and to other third parties that provide products or services to upReach, such as IT systems providers.

Where the processing of Personal Information is delegated to a third party data processor, such as that listed above, upReach will delegate such processing in writing, will choose a data processor that provides sufficient guarantees with respect to technical and organisational security measures governing the relevant processing and will ensure that the processor acts on our behalf and under our instructions. In addition, upReach will impose in writing appropriate data protection and information security requirements on such third party data processors.

4. Cookies

This site uses cookies to optimise your user experience. Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer's hard drive.

By using this site you are consenting to our use of these cookies.

5. Log Data

Like many site operators, we collect information that your browser sends whenever you visit our website ("Log Data").

This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages and other statistics. This helps us to improve the site by monitoring how you use it.

We may use third party services such as Google Analytics and Hotjar to collect, monitor and analyze this in order to help us measure traffic and usage trends for the website. We collect and use this analytics information in aggregate form such that it cannot reasonably be manipulated to identify any particular individual user.

6. Changes to the policy

Should upReach decide to substantially modify the manner in which it collects or uses Personal Information, the type of Personal Information that it collects or any other aspect of this Policy, the upReach will notify you as soon as possible of such changes by re-issuing a revised Policy on our website (

7. Accuracy of and access to your personal information

You are entitled to request and access the information that upReach holds about you (subject to limited exceptions), as stated in General Data Protection Regulation (GDPR). In addition, you have the right to have inaccurate Personal Information corrected or removed and to object to the processing of your Personal Information. If you wish to access such Personal Information, you should apply in writing to the Operations Manager of upReach via the details below or at the email address set out on our website (

To assist us in maintaining accurate Personal Information, you must advise us of any changes to your Personal Information. In the event that upReach becomes aware of any inaccuracy in the Personal Information that it has recorded, the upReach will correct that inaccuracy at the earliest practical opportunity.

8. Retention of Data

upReach will maintain Personal Information for only as long as it is required to do so by or for as long as necessary for the purpose(s) for which it was collected. upReach will remove all identifiable Personal information when it is no longer needed for upReach to deliver their services and fulfill its reporting obligations.  More detail about retention is included in individual service user agreements.

9. Security

upReach maintains appropriate technical and organisational security measures including staff training to protect Personal Information against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access, in compliance with applicable laws.

10. Links to Other Websites and Services

upReach is not responsible for the practices employed by websites or services linked to or from its website (, including the information or content contained therein. Please remember that when you use a link to go from this site to another website, our Privacy Policy does not apply to third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link or advertisement on our website, are subject to that third party’s own rules and policies.

11. Questions?

Please address all questions to Nicola Lewis, Operations Manager of upReach at or via the contact email address set out on our website (

Glossary of Terms

GDPR defines this as any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent can be withdrawn after it has been given.
Where data is “sensitive”, express consent is always sought from the data subject before the data can be given to a third party.

Any information which will be processed, or, used on or by a computerised system, additionally it also includes information contained within a “relevant filing system” of information. Data can therefore be written, tape, photographic or digital.

Personal Data
Personal data means any information relating to a living individual who can be identified:

Examples of data which would fall into this category include:

  • Names
  • Gender
  • Date of birth
  • University details
  • Emails, phone number and personal address
  • IP address from where registration forms are sent
  • Postcode aged 16
  • Schools attended
  • A level qualifications
  • Career interests
  • Interview question answers
  • Applications and application status outcomes

Sensitive Data (termed Special Category under GDPR)
This means data which relates to sensitive aspects of a living and identifiable individual’s life

Examples of data which would fall into this category include:

  • Family income
  • Number of active guardians
  • Parents’ occupation, employment etc.
  • Student Finance arrangements
  • Information relating to siblings
  • Mitigating circumstances
  • Photos of an individual
  • Photos of student finance documents
  • Disability information
  • Equal opportunity information eg ethnicity, sexual orientation, religion, marital status e
  • Free School Meal eligibility
  • Whether or not a person is a care leaver
  • POLAR 3 / POLAR 4 data
  • ACORN deprivation data

Data Subject 
The person who is the subject of the “personal data”.

Data Controller
A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Data Processor
Any person (other than an employee of the data controller) who processes data on behalf of the data controller. The data controller retains responsibility for the actions of the data processor.

Limited Exceptions
Processing of personal and sensitive data including responding to a Subject Access Request may, in rare circumstances, be restricted when personal data is subject to situations involving “crime and taxation purposes” which include:

  • the prevention or detection of crime;
  • the capture or prosecution of offenders; and
  • the assessment or collection of tax or duty.

Covers almost anything which is done with or to the data, including:

  • obtaining data
  • recording or entering data onto the files
  • holding data, or keeping it on file without doing anything to it or with it
  • organising, altering or adapting data in any way
  • retrieving, consulting or otherwise using the data
  • disclosing data either by giving it out, by sending it on email, or simply by making it available
  • combining data with other information
  • erasing or destroying data
  • using the data within research

Any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the data controller, a data processor or employee of the data processor).

Subject Access Request
The process by which individuals can find out what personal or sensitive data an organisation holds about them, why they hold it and who they disclose it to.

Third Party
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data.



upReach Privacy Notice and Use of Cookies

Prepared by:

Nicola Lewis

Effective from:


Review on or before: