Privacy Policy

Grow Outdoors Institute (“we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website, apply for or hold membership, or engage with our services. Please read this policy carefully. If you do not agree with its terms, please cease use of our website and services.

This policy applies to personal data we collect through our website and in the course of operating as a membership body for professionals and organisations engaged in education and training in outdoor settings.

1. Who We Are

Grow Outdoors Institute is a membership organisation supporting practitioners, educators, and training providers who deliver education and learning in outdoor environments.

Organisation name: Grow Outdoors Institute
Website: www.growoutdoors.institute
Registered address: Fern Lodge, Priest Hill, Nettlebed, Oxon RG9 5AP
Company/charity registration number: 1202637
Contact email: amanda@growoutdoors.institute

2. What Personal Data We Collect and Why

We collect personal data from visitors, members, and applicants. The types of data we collect, and the reasons we collect them, are set out below.

2.1 Member and Applicant Data

When you apply for membership or renew your membership, we may collect:

• Full name, job title, and professional role
• Organisation name and address
• Email address and telephone number
• Professional qualifications, training records, and CPD history
• Disclosure and Barring Service (DBS) check status (where applicable)
• Payment information (processed securely via our payment provider — we do not store card data)

We process this data on the legal basis of contractual necessity (to administer your membership) and, in some cases, legitimate interests (to maintain professional standards across our membership body). Where we collect sensitive data such as DBS status, we do so on the basis of legal obligation or explicit consent.

2.2 Website Visitors

When you visit our website, we may automatically collect technical data including your IP address, browser type, operating system, pages visited, and time spent on site. This data is collected via cookies and analytics tools (see Section 5) and is used to improve the functionality and content of our website.

2.3 Contact Forms and Enquiries

If you submit an enquiry through our website contact form, we will collect your name, email address, and the content of your message. We retain contact form submissions for up to 12 months for the purposes of responding to your enquiry and maintaining a record of correspondence. This information is not used for marketing without your explicit consent.

2.4 Comments and User-Generated Content

If our website includes a members’ area or community forum where you can post comments or content, we will collect your name and any information you voluntarily include in your submission. Please note that any content posted publicly will be visible to other users.

2.5 Sensitive Personal Data

In certain circumstances, for example where membership requires evidence of suitability to work with children or vulnerable adults, we may collect sensitive personal data such as DBS check information or health-related data relevant to outdoor practice. We will always seek explicit consent before collecting sensitive personal data and explain how it will be used and retained.

3. Cookies

Our website uses cookies — small text files placed on your device — to improve your browsing experience and gather analytics. We use the following types of cookies:

• Essential cookies: Required for the website to function (e.g. session management, login status). These cannot be disabled.
• Analytics cookies: Used to understand how visitors interact with our site (e.g. Google Analytics). These are only set with your consent.
• Preference cookies: Used to remember your settings and preferences.

You can manage or withdraw your consent to non-essential cookies at any time through the cookie settings banner on our website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the site.

4. Analytics

We use [Google Analytics] to collect anonymised data about how visitors use our website. This includes pages viewed, time on site, and traffic sources. This information helps us improve our website and services.

You may opt out of analytics tracking by declining analytics cookies through our cookie banner, or by emailing amanda@growoutdoors.institute

5. Who We Share Your Data With

We do not sell your personal data to third parties. We may share data with the following categories of trusted third-party providers, only to the extent necessary and under appropriate data protection agreements:

• Membership management software providers (to administer your membership record)
• Payment processors (to handle membership subscription payments securely)
• Email marketing platforms (only where you have opted in to receive communications)
• Website hosting and cloud storage providers
• Analytics providers (using anonymised data)
• Legal and regulatory authorities, where required by law

We require all third parties to maintain the security of your personal data and to treat it in accordance with the law. We do not permit third parties to use your data for their own marketing purposes.

6. How Long We Retain Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our general retention schedule is as follows:

• Membership records: Retained for the duration of your membership and for 6 years following its end, in line with standard contractual limitation periods.
• Contact form submissions and general enquiries: Retained for 12 months from the date of submission.
• Financial and transaction records: Retained for 7 years in accordance with HMRC requirements.
• Website analytics data: Retained for up to 26 months in anonymised form.
• Sensitive personal data (e.g. DBS information): Retained only for as long as required for the relevant safeguarding purpose and then securely deleted.

When your data is no longer required, it will be securely deleted or anonymised.

7. Your Rights Over Your Data

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of access: To request a copy of the personal data we hold about you.
• Right to rectification: To ask us to correct any inaccurate or incomplete data.
• Right to erasure: To request deletion of your data where there is no compelling reason for us to continue processing it.
• Right to restriction: To request that we restrict how we process your data in certain circumstances.
• Right to data portability: To request a copy of your data in a structured, commonly used, machine-readable format.
• Right to object: To object to our processing of your data where we rely on legitimate interests as our legal basis.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us. We will respond to your request within one calendar month. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

8. Where Your Data Is Sent

Your data is primarily stored and processed within the United Kingdom and European Economic Area. Where data is transferred outside the UK or EEA — for example, by cloud-based software providers — we ensure that appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the ICO or European Commission
• Adequacy decisions recognising the recipient country’s data protection standards
• UK International Data Transfer Agreements (IDTAs)

Details of the specific safeguards in place for any international transfers are available on request.

9. How We Protect Your Data

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, or disclosure. These measures include:

• Encryption of data in transit using SSL/TLS protocols
• Password protection and access controls for systems holding personal data
• Regular software updates and security reviews
• Staff awareness and data protection training
• Restricted access to personal data on a need-to-know basis

Whilst we take all reasonable steps to protect your data, no method of transmission over the internet is entirely secure. If you have concerns about the security of your data, please contact us immediately.

10. Data Breach Procedures

In the event of a personal data breach, we have procedures in place to identify, report, and investigate the breach promptly. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware, and will notify affected individuals without undue delay where required.

If you become aware of or suspect a data breach involving your information, please contact us immediately.

11. Data Received From Third Parties

We may in some circumstances receive data about you from third parties, for example from awarding bodies, regulatory authorities, or referees who provide information as part of a membership application. Where we receive such data, we will handle it in accordance with this Privacy Policy and ensure that those third parties have a lawful basis for sharing it with us.

12. Automated Decision Making

We do not currently use automated decision making or profiling that produces legal or similarly significant effects for individuals. All membership decisions are made with human review. Should we introduce any automated processing in the future, we will update this policy accordingly and ensure that appropriate rights are communicated to you.

13. Industry and Regulatory Context

Grow Outdoors Institute operates within the outdoor education and training sector. Where members are involved in the delivery of regulated activities with children or vulnerable adults, we may process data in accordance with safeguarding legislation including the Children Act 1989 and 2004, the Safeguarding Vulnerable Groups Act 2006, and applicable statutory guidance. Our data processing in these contexts is carried out in compliance with our legal obligations.

14. Contact Information and Data Protection Enquiries

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Data Protection Contact: Amanda Foister, Company Secretary

Email: amanda@growoutdoors.institute

Postal address: Fern Lodge, Priest Hill, Nettlebed, Oxon RG9 5AP

If you are not satisfied with how we handle your concern, you have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this document indicates when it was last revised. We encourage you to review this policy periodically. Where changes are significant, we will notify members directly by email.