We use your personal information for the following purposes:
- to assess your suitability for services, collaborations, roles, or other opportunities at BlueDot Impact, and to suggest you for, or contact you about, any of these things;
- to assess the impact of our work, and to promote our work through, for example, case studies and blog posts;
- to create any accounts you request and maintain or moderate platforms we run;
- to communicate with you, including to notify you about changes to our terms, to ask you to undertake surveys and give feedback, to process your concerns and queries, and to connect you with opportunities;
- to use data analytics to improve our Platforms, services, marketing efforts, and user experience;
- to administer and protect BlueDot Impact, our initiatives, our people, and our Platforms; and
- to generally protect our legal rights and comply with law and regulation.
Legal bases for processing your personal information
We’ll process your personal information only where we have a legal basis for doing so, including:
- when we need it to perform a contract we’re about to enter into or have entered into with you;
- when it’s necessary for our “legitimate interests” (or those of a third party) and your interests and rights don’t override our interests;
- when you’ve given us your consent; and
- when we need to comply with the law.
When we refer to our “legitimate interests,” we mean:
- to provide services you have requested;
- to improve our services;
- to keep our records updated and to study how our Platforms and other services are used;
- to administer and protect the organization and our Platforms (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting);
- to inform our marketing strategies.
Certain types of personal information may be considered “special category data” under the UK GDPR, such as information about your race or ethnic origins. We may collect sensitive information in certain circumstances. For example, we may collect information about ethnicity for the purposes of diversity monitoring.
We’ll generally ask for your consent for this sensitive information, but we may also rely on other legal bases to collect and use it, for example when we need to do so for safeguarding purposes, to protect your vital interests or to obtain legal advice.
Automated individual decision-making
We aim to make fair and informed decisions on all applications to our courses. As a small team, we use AI systems to help us accurately and efficiently review the large volume of applications we receive.
We begin by carefully considering the intended outcomes of each course and the types of skills, experience and attributes that indicate an applicant is likely to succeed. We translate these into objective numerical rubrics, and then we (the humans) evaluate subsets of randomly selected applications to calibrate and validate these rubrics. Once finalised, we use AI systems such as large language models to score incoming applications. We ensure these scores match the ones given by humans on the sample set, and continue to monitor system performance through random checks of application scores.
Humans then briefly review each applicant manually to make the actual application decision, taking into account the AI scores and other data we have on a candidate. In particular, we are careful to ensure outlier applications are dealt with appropriately and have systems in place to flag people who might not meet the scoring criteria but could be a good fit for the course anyway.
After decisions have been made, we have a different person review a sample of the decisions to check they are reasonable. We also use demographic data given to us in the application form for DEI monitoring, to understand and address any biases in our process.
Cross-border transfer of your personal information
BlueDot Impact generally stores your personal information within the UK. Sometimes we use service providers who access your personal data in other countries.
When we need to share your personal information with people or organizations outside the UK, including in the United States, it might be subject to data protection laws that offer less protection than under the UK GDPR. Where this is the case, we take steps to ensure your personal information is protected, including by entering into contracts that have been approved by the relevant authorities (such as “standard contractual clauses” or an “international data transfer agreement”). If you want to learn more about this, or to get a copy of the transfer mechanism that we use, reach out using the details given in the Who are we and how can you contact us? section.
We may share your information:
- with third-party service providers, who will process it on our behalf for the purposes identified above. We use third-party providers of certain services such as website hosting, website analytics, marketing automation, payment processing, and IT maintenance;
- in exceptional circumstances, where there’s a legal or “duty of care” imperative (for example if we need to safeguard other individuals);
- with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required to protect our legitimate interests (e.g. with HMRC for tax regulation purposes in the UK);
- with funders and investors to help our organization grow;
- if all or part of our organization is closed, combined with another organization, or becomes its own organization, we’ll share your personal information with external advisors (such as lawyers, accountants, or financial advisors) who are helping us with this process and the owners of the new organization; and
- in connection with any legal process or potential legal process.
How long do we keep your personal information?
We’ll only keep your personal information for as long as we need it to achieve the purposes for which we collected it, to comply with our legal and regulatory obligations, to exercise our legal rights, and to protect ourselves from legal claims.
How do we secure your personal information?
We put in place organizational and technical measures to protect your personal information. These measures include taking all steps reasonably necessary to ensure our IT systems are secure and putting in place procedures to deal with suspected data breaches. In the unlikely event of a data breach, we’ll take steps to minimize the loss or destruction of data and, if required by law, we’ll notify you. We’ve implemented data security policies and procedures, and relevant staff receive data security training.
Our security measures include:
- encrypting information in transit (such as SSL/TLS);
- encrypting information at rest (such as AES256);
- enforcing the use of strong 2-step verification to access key internal services;
- using single sign-on to access most internal services;
- using password managers to reduce the likelihood of successful phishing attacks;
- making and storing encrypted backups of critical data;
- enabling built-in antivirus software and keeping devices up to date;
- using slow password hashing algorithms;
- taking reasonable steps towards the physical and cyber security of where we host our data (such as using reasonable third-party providers); and
- using PCI-compliant payment processors to securely handle your payment details.
Where we’ve given you (or where you’ve chosen) a password that enables you to access certain parts of our Platforms, you’re responsible for keeping this password confidential.