Effective date: 10 Jun, 2024

Privacy Policy

BlueDot Impact Ltd is a UK non-profit, registered as a company limited by guarantee (company number 14964572). You can contact us via the details on our contact page.

We are a data controller. This means we make decisions about how your information is used, and have a responsibility to protect your rights when we do so.

This policy describes how we collect, use, and share your personal information when you:

What personal information do we collect?

Personal information we collect from you directly

  • Activity on our Platforms, such as applications to our courses, attendance at sessions, or exercise responses on our Course Hub.
  • Communications between us, such as emails or Slack messages to our staff.

Personal information we collect from your devices

  • Usage data, associated with technical identifiers such as a cookie on your web browser.
  • Information about what marketing channel you came from, if relevant.

We typically collect this information through the use of cookies and similar technologies. For more information on how we use cookies, see our Cookies policy.

Personal information we collect from third parties

We may receive information about you from third parties, including:

  • Your contact details. For example, an organisation might want us to run a version of our courses just for them, and in doing this share a list of staff to invite to that event.
  • Recommendations relating to you. For example, we might ask around to find someone who would be good to review our content for accuracy. In the course of this, someone else might suggest your name as someone to reach out to.
  • References relating to you. For example, if you apply for one of our jobs we might contact your references. We’ll usually tell you before reaching out to any references.

Personal information we collect from public sources

We may collect your information from public sources, including sites like LinkedIn or GitHub. This information may include your education, employment history, and credentials. We may do this, for example, when you apply to our courses or jobs.

How do we use your personal information?

Legal bases for processing your personal information

We’ll process your personal information only where we have a legal basis for doing so, including:

  • our contractual obligations with you, or to begin entering a contract with you;
  • our legitimate interests (or those of a third party) and your interests and rights don’t override our interests;
  • your consent; or
  • to comply with the law.

When we refer to our legitimate interests, we mean:

  • to assess your suitability for our courses, jobs, or other opportunities;
  • to operate your account with us, and maintain platforms we run such as our Course Hub or the community Slack;
  • to improve our Platforms, services, marketing efforts, and user experience;
  • to communicate with you, including collecting feedback and connecting you with opportunities;
  • to assess the impact of our work, and to promote our work through, for example, case studies and blog posts;
  • to advance the fields we operate in;
  • to generally protect our legal rights.

Special category data

Some information is “special category data” under the UK GDPR. We sometimes collect special category data, for example we ask for your ethnic origin in our course application form for diversity monitoring.

We’ll usually collect this from you directly, and ask for your consent before processing this data. In rare situations we may rely on other legal bases to process it, for example, to protect your vital interests or to obtain legal advice.

Automated individual decision-making

We aim to make fair and informed decisions on all applications to our courses. As a small team, we use AI systems to help us review the large volume of applications we receive.

We begin by considering the intended outcomes of each course. We work backwards to the types of skills, experience and attributes that indicate an applicant is likely to succeed. We translate these into objective numerical rubrics, and then we manually evaluate subsets of randomly selected applications to calibrate and validate these rubrics. Once finalised, we use AI systems such as large language models to score incoming applications. We ensure these scores match the ones given by humans on the sample set, and continue monitoring system performance by doing random checks of application scores.

After initial scoring, humans review each applicant manually to make the actual application decision, taking into account the scores and other data we have on a candidate. We are careful to ensure outlier applications are appropriately handled, and have systems in place to flag people who might score low on the rubrics but could be a good fit for the course anyway.

After decisions have been made, we have a different person review a sample of the decisions to check them. We also use demographic data given to us in the application form for aggregate DEI monitoring, to understand and address any biases in our process.

Under data protection legislation, you may have the right to have a human re-review the scoring part of the application process, express your point of view and to contest the decision. To exercise this right contact us via the details at the top of this privacy policy.

Information sharing

We may share your information:

  • with people on our courses, for example by adding you to a calendar invites for your cohort where you can see each other’s names and emails.
  • publicly, for example if you’ve consented to us publishing your course project submission.
  • with third-party service providers, who will process it on our behalf. We use third-party providers of certain services such as database hosting, website hosting, website analytics, email automation, and payment processing.
  • with other organizations for the purposes set out in this Privacy Policy, including those with relevant opportunities if you consented to this when applying
  • in exceptional circumstances, where there’s a legal or “duty of care” imperative (for example if we need to safeguard other individuals)
  • with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required to protect our legitimate interests (e.g. with HMRC for tax regulation purposes in the UK);
  • with funders and investors to help our organization grow;
  • if all or part of our organization is closed, combined with another organization, or becomes its own organization, we’ll share your personal information with external advisors (such as lawyers, accountants, or financial advisors) who are helping us with this process and the owners of the new organization; and
  • in connection with any legal process or potential legal process.

Cross-border transfer of your personal information

When we share your information with people or organizations outside the UK it might be subject to data protection laws that offer less protection than inside the UK. Where this is the case, we take steps to protect your personal information, including by entering into contracts that have been approved by the relevant authorities (such as “standard contractual clauses” or an “international data transfer agreement”).

How long do we keep your personal information?

We’ll keep your personal information while we need it to achieve the purposes for which we collected it, to comply with our legal and regulatory obligations, to exercise our legal rights, and to protect ourselves from legal claims.

If we no longer need this personal information for the purposes set out in this Privacy Policy, we’ll delete it or anonymize it so that nobody can identify you from the information.

How do we secure your personal information?

We put in place organizational and technical measures to protect your personal information. These measures include taking all steps reasonably necessary to ensure our IT systems are secure and putting in place procedures to deal with suspected data breaches. In the unlikely event of a data breach, we’ll take steps to minimize the loss or destruction of data and, if required by law, we’ll notify you. We’ve implemented data security policies and procedures, and relevant staff receive data security training.

Our security measures include:

  • encrypting information in transit;
  • encrypting information at rest;
  • using single sign-on to access most internal services;
  • enforcing TOTP or hardware security key 2-step verification to access key internal services;
  • using password managers to reduce the likelihood of successful phishing attacks;
  • making and storing encrypted backups of critical data;
  • enabling built-in antivirus software and keeping devices up to date;
  • using slow password hashing algorithms;
  • taking reasonable steps towards the physical and cyber security of where we host our data (such as using reputable third-party providers); and
  • using PCI Compliant payment processors to securely handle your payment details

Where we’ve given you (or where you’ve chosen) a password that enables you to access certain parts of our Platforms, you’re responsible for keeping this password confidential.

Your personal information rights

You can contact us via the details above to:

  • get a copy of your personal information (sometimes in a structured, machine readable format);
  • ask us to correct, delete, or restrict use of your personal information;
  • object to the use of your personal information;
  • withdraw consent you’ve given us to process your data; and

These rights are sometimes limited. For example, we can’t comply if answering your request would reveal personal information about another person, or if you ask us to delete information which we’re required by law to keep.

If you’re based in the UK or EU you can also complain to a data protection authority, such as the UK’s Information Commissioner’s Office.

Updates to this Privacy Policy

We reserve the right to change this Privacy Policy. We’ll alert you when we do this by updating the date of this Privacy Policy, or as otherwise may be required by law.

We use analytics cookies to improve our website and measure ad performance. Cookie Policy.