Privacy Notice & Use of Cookies

  1. Purpose
  2. upReach has prepared this Privacy Notice to outline our practices regarding the collection, use, disclosure, transfer and other processing of individually identifiable information about you (“Personal Information”) collected when you use upReach’s website or services. upReach will process any personal information fairly and lawfully, in accordance with this Privacy Notice and in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

    In accordance with GDPR definitions, upReach (Ground Floor, Studio 18, Blue Lion Place, 237 Long Lane, London, SE1 4PU) is the Data Controller, with the CEO and Trustees therefore ultimately responsible for its implementation. upReach has designated Gavin Davis (Finance Manager) as the person responsible for Data Protection matters at upReach. He can be contacted via or 0207 089 9105.

  3. Information collection and use
  4. While using our website, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to your name and contact details ("Personal Information").

    A. Personal Information Collection

    Subject to this Notice, upReach will treat as confidential the personal information that it collects about you. upReach may collect the following categories of personal information:

    1. For Associate applicants: Your name, mobile number, university & personal email addresses, educational details (including the name of your school/college, your course and entry requirements, your previous school(s)/college(s), and A-level & GCSE or equivalent subjects and grades), household income and details relating to your academic/career aspirations. We will collect additional information at various stages of your application. Your consent to the processing of which will be sought via other agreements including the Associate User Agreement; getEmployable User Agreement and REALrating User Agreement.
    2. For job applicants & candidates in upReach recruitment processes: Your name, mobile number, email address, educational details (including the name of your school/college, your course and entry requirements, your previous school(s)/college(s) and A-level & GCSE or equivalent subjects & grades) and details of your work experience, career aspirations and references. We may also ask for special category information (see Glossary below) for monitoring purposes only.
    3. For supporters, including employers, mentors, volunteers, donors, subscribers, and any other interested party: Your name, contact information, employment information, information relating to your or your employees’ relationship with Associates and your bank or card details if applicable.

    B. Purposes of Use of Personal Information

    upReach may use the Personal Information listed above for the following purposes:

    1. For potential Associate applicants:To process your application for a place as an Associate, various administrative purposes in connection with the operation of the programmes including your job applications, for statistical purposes, promotional purposes, programme evaluation purposes, job applications and outcomes and for the purposes of reviewing career progression. All Associate applications are processed on the basis of signed consent at the time of application. If you decide you no longer want to receive any such services or communications, you have the right to inform us and opt-out.
    2. For upReach job applicants and candidates in upReach recruitment processes:To process and assess your application, various administrative purposes in connection with the recruitment process, for statistical purposes, recruitment evaluation purposes. All candidate applications are processed on the basis of signed consent at the time of application.
    3. For supporters, including employers and university partners, mentors, volunteers, donors, subscribers and any other interested party:For the purpose of processing your information as a mentor, volunteer or potential partnership, administrative purposes in connection with the operation of our programmes, programme evaluation purposes, fundraising purposes, for the purpose of keeping you up to date with our activity relating to our existing relationship. You will only receive our stakeholder newsletter, updates and event invitations, if you have positively opted into receiving them. In all other cases your data is processed on the basis of Legitimate Interest. You can decide you no longer want to receive communications at any time, you have the right to inform us and opt-out.
  5. Disclosure and international transfers of personal information
    1. For potential Associate applicants: We may disclose your personal information or application progress to the employers at which you’ve applied, your university, your mentors and prospective supporters.
    2. For upReach job applicants and candidates:We will only disclose your information internally. Disclosure externally will only be with your prior agreement or your consent via an individual contract.
    3. For subscribers:For the purposes of sending you our newsletters your personal information will be stored on, the service we use to maintain our distribution lists. We will only do this if you have given us permission to do so.
    4. For supporters, including employer and university partners, mentors, volunteers, donors and any other interested party:We will only disclose your information internally. Disclosure externally will only be with your prior agreement or your consent via an individual user agreement or contract.

    upReach may disclose personal data to our outside professional advisers and to other third parties processors that provide products or services to upReach, such as IT systems providers.

    Where the processing of personal data is delegated to a third party data processor, upReach will choose a data processor that provides sufficient guarantees with respect to technical and organisational security measures governing the relevant processing and will ensure that the processor acts on our behalf and under our instructions.

    Where third party processing or storage takes place outside the United Kingdom or EEA (European Economic Area), upReach recognises these as ‘restricted transfers’ and conducts an ‘adequacy assessment’ to ensure the proposed transfer will provide an adequate level of protection for the rights of the data subjects and takes steps to establish appropriate data protection and information security requirements with recipients to confirm that data is properly protected in accordance with this Notice and all applicable laws.

  6. Use of Cookies
  7. This site uses cookies to optimise your user experience. Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer's hard drive.

    By using this site you are consenting to our use of these cookies.

  8. Log Data
  9. Like many site operators, we collect information that your browser sends whenever you visit our website ("Log Data").

    This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages and other statistics. This helps us to improve the site by monitoring how you use it.

    We may use third party services such as Google Analytics and Hotjar to collect, monitor and analyze this in order to help us measure traffic and usage trends for the website. We collect and use this analytics information in aggregate form such that it cannot reasonably be manipulated to identify any particular individual user.

  10. Changes to the Notice
  11. Should upReach decide to substantially modify the manner in which it collects or uses Personal Information, the type of Personal Information that it collects or any other aspect of this Notice, the upReach will notify you as soon as possible of such changes by re-issuing a revised Notice on our website.

  12. Accuracy of and access to your personal information
  13. You are entitled to request and access the information that upReach holds about you (subject to limited exceptions), as stated in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. In addition, you have the right to have inaccurate personal information corrected or removed and to object to the processing of your personal information. If you wish to access such personal information, please contact us at

    To assist us in maintaining accurate personal information, you must advise us of any changes to your personal information. In the event that upReach becomes aware of any inaccuracy in the personal information that it has recorded, the upReach will correct that inaccuracy at the earliest practical opportunity.

  14. Retention of Data
  15. upReach will maintain personal information for only as long as it is required to do so by or for as long as necessary for the purpose(s) for which it was collected. upReach will remove all identifiable personal information when it is no longer needed for upReach to deliver their services and fulfill its reporting obligations. More detail about retention is included in individual service user agreements or contracts.

  16. Security
  17. upReach maintains appropriate technical and organisational security measures including staff training to protect personal information against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access, in compliance with applicable laws.

  18. Links to Other Websites and Services
  19. upReach is not responsible for the practices employed by websites or services linked to or from its websites, including the information or content contained therein. Please remember that when you use a link to go from this site to another website, our Privacy Notice does not apply to third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link or advertisement on our website, are subject to that third party’s own rules and policies.


    Please address all questions to Gavin Davis, Finance Manager of upReach at

    Glossary of Terms

    Adequacy Assessment

    An assessment of the risk of transferring data outside the EEA ensuring protection is adequate in all the circumstance of the case. The assessment considers the nature of the data, the risk to the rights of the individual, the purposes and period of transfer.


    GDPR defines this as any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent can be withdrawn after it has been given.


    Any information which will be processed, or, used on or by a computerised system, additionally it also includes information contained within a “relevant filing system” of information. Data can therefore be written, tape, photographic or digital.

    Personal Data

    Personal data means any information relating to a living individual who can be identified:

    Examples of data which would fall into this category include:

    • Your name/s
    • Mobile number
    • University & personal email addresses
    • University details
    • Educational details (including the name of your schools/colleges, subjects & grades)
    • Household income


    This means data which relates to sensitive aspects of a living and identifiable individual’s life

    Examples of data which would fall into this category include:

    • Race
    • Ethnic origin
    • Politics
    • Student Finance arrangements
    • Religion
    • Trade Union Membership
    • Genetics
    • Biometrics (when used for ID purposes)
    • Health
    • Sex life
    • Sexual orientation

    Data Subject

    The person who is the subject of the “personal data”.

    Data Controller

    A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

    Data Processor

    Any person (other than an employee of the data controller) who processes data on behalf of the data controller. The data controller retains responsibility for the actions of the data processor.

    Limited Exceptions

    Processing of personal and sensitive data including responding to a Subject Access Request may, in rare circumstances, be restricted when personal data is subject to situations involving “crime and taxation purposes” which include:

    • the prevention or detection of crime;
    • the capture or prosecution of offenders; and
    • the assessment or collection of tax or duty.


    Covers almost anything which is done with or to the data, including:

    • obtaining data
    • recording or entering data onto the files
    • holding data, or keeping it on file without doing anything to it or with it
    • organising, altering or adapting data in any way
    • retrieving, consulting or otherwise using the data
    • disclosing data either by giving it out, by sending it on email, or simply by making it available
    • combining data with other information
    • erasing or destroying data
    • using the data within research


    Any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the data controller, a data processor or employee of the data processor).

    Restricted Transfer

    A transfer of personal data outside the protection of the GDPR most often involves a transfer from inside the EEA to a country outside the EEA.

    Subject Access Request

    The process by which individuals can find out what personal or sensitive data an organisation holds about them, why they hold it and who they disclose it to.

    Third Party

    A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data.