Privacy Policy

Data Maturity Assessment privacy policy for the Nonprofit Data Capacity Navigator

 
 

We respect your privacy and are committed to protecting your personal data. Data Orchard CIC is a Data Controller registered with the Information Commissioner’s Office, registration reference: ZA045001.

This policy explains how we manage the personal information of users of Data Orchard’s Data Maturity Assessment Tool subdomain (datamaturity.dataorchard.org.uk).

Data Orchard CIC, ‘Data Orchard’, or ‘us’ or ‘we’ is a social enterprise registered with Companies House as a community interest company and company limited by guarantee in England and Wales. Our company number is 08674626 and our registered office is at Lower House Business Park, Staunton-on-Wye, Hereford HR4 7LR.

Personal data

Personal data we collect about you, the legal basis of processing, and how long we hold it.

Personal data, or personal information, means any information about an individual from which that person can be identified as the subject or source. You can find out more about personal data from the Information Commissioners Office. We may collect, use, store and transfer different kinds of personal data about you as follows:

If you set up an account to use our Data Maturity Assessment Tool as part of the Nonprofit Data Capacity Navigator project: We will request that you provide email address, job title/role, the organization you work for, the types of services you provide, the geographic scope of your services and activities, and referral source. The legal basis for collecting data is consent. Data Orchard will securely hold personal data (email, job role and IP address) for all respondents for a period of two years from the point of delivering the Data Maturity Assessment. Your personal data will be shared with the Nonprofit Data Capacity Navigator partners, who include: Blueprint, Purpose Analytics, PolicyWise for Children & Families, Canadian Centre for Nonprofit Digital Resilience (CCNDR), and Tamarack Institute. These parters will be using this data for sector wide research purposes to understand data maturity in the Canadian nonprofit sector. It will also be used to match you with tailored resources and advice if you choose to engage.

Data Protection, data processing, and data sharing

For the absence of doubt Data Orchard will assume the responsibilities of a Data Controller for the following purposes:

  • research and benchmarking at a sector level;

  • validation of users and organizations;

  • analysis of the role types of people who use Data Orchard’s Data Maturity Assessment tool;

  • to monitor IP addresses for potentially malicious attacks; and

  • to analyse the state of the sector data maturity.

Your non-anonymized response data will be shared with the Nonprofit Data Capacity Navigator partners for the purpose of providing you with tailored support and advice through a coordinated and supportive pathway. This will include analysis of the results to identify strengths, weaknesses and priorities for improving data maturity. Members from the Nonprofit Data Capacity Navigator partnership may contact you to follow up on your responses to help provide additional context to the benchmarking assessment and provide additional opportunities for support. An agreement exists between Data Orchard and the lead of the Nonprofit Data Capacity Navigator, Blueprint, and data sharing agreements exists between the each of the Nonprofit Data Capacity Navigator’s partners for this purpose. Non-anonymized data will not be shared with any other third parties, unless under contract to provide advisory services as part of the project. Anonymized aggregate data may be shared with funders, researchers, and the public in the form of a report or overview of the benchmarking of the Nonprofit Data Capacity Navigator initiative, and other interested stakeholders who have an interest in understanding the work we are doing. Neither you nor your organization will be identifiable in any aggregate data that is shared with project stakeholders.

To the extent that Data Orchard is a data processor we shall:

  • process the Data only to the extent, and in such a manner, as is necessary for the Purpose;

  • except to the extent that we are required by law to retain any copies of any Data, upon the expiry or termination of the contract between Data Orchard and Blueprint, Data Orchard will deliver any Data to Blueprint or destroy and/or permanently delete from our information technology systems all copies of any Data in our possession.

  • implement appropriate technical, security and organizational measures (including maintaining Cyber Essentials Plus Certification), appropriate to the risks of processing the Data under the Contract against unauthorized or unlawful processing of the Data, and against accidental loss or destruction of or damage to the Data, to ensure compliance with Data Protection Law.

  • not permit personal data to be transferred outside of the European Economic Area, except by secure encrypted link to Blueprint or any subsequent licence holder in Canada.

  • ensure that the Data is processed only by employees, contractors or other personnel that are subject to an appropriate duty of confidentiality.

  • notify you without undue delay on becoming aware of a Personal Data Breach.

  • maintain complete and accurate records and information to demonstrate our compliance with this clause.

For the avoidance of doubt, Data Orchard acknowledge that unless a particular disclosure of Data is explicitly made as being on the basis of data controller to data processor, the Data disclosed under the Contract is made on a data controller to data controller basis.

If you fail to provide personal data

Where we need to process your personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide you with goods or services. In this case, we may have to cancel, modify or reduce the functionality or extent of a product or service that we provide to you. We will notify you if this is the case at the time.

Sharing your information with other organizations

Data Orchard will not sell or otherwise provide your information to any third party in any way that could be used to identify you except to the very limited extent we expressly set out in this policy. We may share your information with third parties where we have a legal duty to do so, where it is required to provide you with a service or to carry out any contractual rights or obligations we may have, or where you have given explicit consent for us to do so.

We will share aggregated non personal data for research and statistical analysis purposes, and for scientific research and associated legitimate interests in accordance with privacy laws in force at the time.

We may transfer personal data to external organizations where we have contracts to provide direct operational services for us (including hosting and cloud services; but unless you have given explicit consent, this does not extend to any arrangement to enable the external organization to contact you on its own behalf or enable any other part to do so.

We have contracts in place with all third-party suppliers to ensure they are obligated to treat our customers’ personal data in compliance with Data Protection Laws and to ensure confidentiality is maintained where applicable.

If Data Orchard is acquired by a third party, personal data held by Data Orchard will be one of the assets transferred as part of that transaction. Any personal data that is transferred to a new owner or newly controlling party will continue to be protected in accordance with this privacy policy and your rights will not be prejudiced as a result of that transfer. If only part of Data Orchard’s services are acquired by a third party then in order to continue to provide that service your personal data may need to be transferred to that third party, but we will tell you in advance where this applies so that you have the option to decline before that transfer takes place.

Your rights

Under certain circumstances you may request that your personal data be copied, transferred, erased, rectified, amended, or completed. Under certain circumstances you may also object to our processing your personal data and restrict our processing of your personal data.

Your right to complain

If you believe that we have mishandled your personal data, please let us know as soon as possible with as much detail as you can provide at the time. You have the right to lodge a complaint with the UK’s supervisory authority for personal data: the Information Commissioner’s Office (ICO). You can report a concern here (but we ask that you try to contact us first, so that we can try to resolve your complaint without the need to escalate it to the ICO).

Your right to access

You may contact us at any time to ask for a copy or summary of the personal data we hold about you. Please contact us to request this.

Although we may require you to provide proof of your identity in advance, we will aim to respond to your request within one month and we will provide the information without any charge unless we consider your request to be more significant or complex but only where we are legally allowed to charge you.

Your right to erasure

You may request that we destroy the personal data that we hold about you, provided that there is no legitimate reason for us continuing to hold it. If you want us to stop sending you marketing then it may be better to ask us to apply a suppression to your account rather than deleting your information as this may be best to avoid unwanted marketing in the future. If we delete all record of your email address then we won’t know not to contact you in case we collect that email address again in the future for any reason. Please contact us to request this or to find out more about your rights.

Privacy compliance

Our privacy policy is designed to be compliant with Data Protection Laws which apply to UK and EU data subjects, including but not limited to the following laws as they are amended or replaced over time:

  • The UK Data Protection Act 2018

  • The General Data Protection Regulations 2016/679 (GDPR)

  • The UKGDPR

  • The Privacy and Electronic Communications regulations (PECR) which relate to direct marketing.

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this website. This privacy policy was last updated on May 29, 2026.

Contact us about our privacy policy

If you have an enquiry or concern about our privacy policy, please contact us at info@dataorchard.org.uk or by phone Mon-Fri 9am-5pm on 01432 800523.

If you are not satisfied with our response to your concern you may wish to contact Information Commissioner’s Office (ico.gov.uk).