Privacy Statement

Who We Are

Beyond the Box CIC (“we”, “us”, “our”) is a Community Interest Company registered in England and Wales.

We collect and process personal data to deliver our services, support our beneficiaries, and fulfil our social purpose in line with the UK GDPR and the Data Protection Act 2018.

We act as a Data Controller for the information we collect.

What Information We Collect

We may collect and process the following categories of personal data:

  • Personal data — name, email address, phone number, postal address

  • Special category data — only when necessary (e.g., health, ethnicity) and only with explicit consent

  • Service‑related information — details about your engagement with our programmes, events, or support services

  • Technical data — IP address, browser type, device information, and website usage analytics

We only collect what is necessary for our work.

Lawful Bases for Processing

We process your data under one or more lawful bases:

  • Consent — when you opt in to communications or provide special category data

  • Legitimate interests — delivering our programmes, evaluating impact, improving services

  • Contract — when processing is necessary to deliver a service you have requested

  • Legal obligation — safeguarding, financial reporting, or regulatory requirements

  • Vital interests — in rare cases where someone is at risk of serious harm

We will always tell you which lawful basis applies.

How We Use Your Information

We use your information to:

  • Provide, manage, and improve our services

  • Communicate with you about programmes, events, or opportunities

  • Evaluate our impact as a CIC and fulfil our community purpose

  • Meet legal, regulatory, and reporting obligations

  • Ensure safeguarding and duty of care where relevant

We do not use your data for automated decision‑making or profiling.

Sharing Your Information

We never sell your data.

We may share your information with:

  • Trusted partners or service providers who support our work (e.g., event platforms, evaluation tools)

  • Funders or regulators, where reporting is required

  • Authorities, if legally obligated (e.g., safeguarding concerns, law enforcement)

All partners must comply with UK data protection law and our Data Protection Policy.

Data Storage and Security

We store your data securely using appropriate technical and organisational measures, including:

  • Access controls

  • Encryption

  • Secure cloud storage

  • Staff training on data protection responsibilities

We take all reasonable steps to protect your data from loss, misuse, or unauthorised access.

How Long We Keep Your Data

We retain personal data only for as long as necessary to:

  • Deliver our services

  • Meet legal, financial, or safeguarding requirements

  • Demonstrate impact to funders

  • Resolve queries or disputes

Retention periods are set out in our internal data retention schedule.

Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data

  • Request correction of inaccurate information

  • Request deletion (“right to be forgotten”)

  • Withdraw consent at any time

  • Object to certain types of processing

  • Request data portability

  • Restrict processing in certain circumstances

To exercise your rights, contact us at:

admin@beyondtheboxconsultants.com 

Complaints

If you are unhappy with how we handle your data, you can contact us directly.

You also have the right to complain to the Information Commissioner’s Office (ICO):

ICO website: www.ico.org.uk  

ICO helpline: 0303 123 1113

Contact Us

For questions about this Privacy Statement or how we handle your data, contact:

Beyond the Box CIC  

Email: admin@beyondtheboxconsultants.com