Effective date: 9 February, 2024

Privacy Policy

BlueDot Impact Ltd is a non-profit based in the UK. We’re registered as a company limited by guarantee (company number 14964572).

You can contact us via the details on our contact page.

For the purposes of the UK GDPR and EU GDPR, BlueDot Impact is a “data controller”. This means we make decisions about how and why your information is used, and have a responsibility to make sure that your rights are protected when we do so.

What does this policy cover?

This Privacy Policy describes how BlueDot Impact Ltd (“BlueDot Impact”) collects, uses, and shares your personal information when you:

• visit any websites or applications operated by us, including bluedot.org, aisafetyfundamentals.com, biosecurityfundamentals.com (collectively “Platforms”); or
• interact with us offline (such as when you apply for a role within our organization).

If you provide us with personal information of anyone other than yourself (such as a colleague), you’re responsible for complying with all applicable privacy and data protection laws prior to providing that information to BlueDot Impact (including obtaining consent, if required).

What personal information do we collect?

We may collect and process your personal information:

• directly from you (including through online forms or in conversation with staff during the course of service delivery),
• from the devices you use to access the Platforms,
• from third parties, and
• from public sources (such as LinkedIn).

Personal information we collect from you directly

• Identity and Contact Data such as your name, profession, and email address.
• Account Data including username and password.
• Transaction Data including billing address, bank, and payment card information when used to make a payment.
• Marketing Preferences including any consents you have given us.
• The content of your Communications or any other personal information you provide to us directly, such as information provided voluntarily in relation to your profession.
• Demographic Information such as country of residence, gender, and age.
• Service Engagement with us such as your activities on the Platforms.

Personal information we collect from your devices

We may collect information from the devices you use to access the Platforms such as:

• your Internet Protocol (IP) address
• your device type, e.g. mobile or desktop
• dates and times you visit and use the Platforms
• activity on the Platforms and referring websites or applications

We typically collect this information through the use of cookies and similar technologies. For more information on how we use cookies, see our Cookies policy.

Personal information we collect from third parties

We may collect your personal information from third parties. We work with other organizations and industry experts, who may pass on data to us about individuals they interact with such as job applicants or employees so that we can assess them as potential recipients of our services, provide services to them, or consider them for a role.

We may also ask trusted informal advisors in their relevant areas to get advice, such as to get formal or informal references in recruiting.

Personal information we collect from public sources

We may collect personal information about you from publicly available sources, including social media sites (such as LinkedIn) or news articles. Such information may include your education, employment history, and credentials. We may do this, for example, when you apply for a role within our organization.

How do we use your personal information?

We use your personal information for the following purposes:

• to assess your suitability for services, collaborations, roles, or other opportunities at BlueDot Impact, and to suggest you for, or contact you about, any of these things;
• to assess the impact of our work, and to promote our work through, for example, case studies and blog posts;
• to create any accounts you request and maintain or moderate platforms we run;
• to communicate with you, including to notify you about changes to our terms and asking you to undertake surveys and give feedback, process your concerns and queries, and connect you with opportunities;
• to use data analytics to improve our Platforms, services, marketing efforts, and user experience;
• to administer and protect BlueDot Impact, our initiatives, our people, and our Platforms; and
• to generally protect our legal rights and comply with law and regulation.

Legal bases for processing your personal information

We’ll process your personal information only where we have a legal basis for doing so, including:

• when we need it to perform a contract we’re about to enter into or have entered into with you;
• when it’s necessary for our “legitimate interests” (or those of a third party) and your interests and rights don’t override our interests;
• when you’ve given us your consent; and
• when we need to comply with the law.

When we refer to our “legitimate interests,” we mean:

• to provide services you have requested;
• to improve our services;
• to keep our records updated and to study how our Platforms and other services are used;
• to administer and protect the organization and our Platforms (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting);
• to inform our marketing strategies.

Sensitive information

Certain types of personal information may be considered “special category data” under the UK GDPR, such as information about your race or ethnic origins. We may collect sensitive information in certain circumstances. For example, we may collect information about ethnicity for the purposes of diversity monitoring.

We’ll generally ask for your consent for this sensitive information, but we may also rely on other legal bases to collect and use it, for example when we need to do so for safeguarding purposes, to protect your vital interests or to obtain legal advice.

Automated individual decision-making

We aim to make fair and informed decisions on all applications to our courses. As a small team, we use AI systems to help us accurately and efficiently review the large volume of applications we receive.

We begin by carefully considering the intended outcomes of each course and the types of skills, experience and attributes that indicate an applicant is likely to succeed. We translate these into objective numerical rubrics, and then we (the humans) evaluate subsets of randomly selected applications to calibrate and validate these rubrics. Once finalised, we use AI systems such as large language models to score incoming applications. We ensure these scores match the ones given by humans on the sample set, and continue monitoring system performance by continuing to do random checks of application scores.

Humans then briefly review each applicant manually to make the actual application decision, taking into account the AI scores and other data we have on a candidate. In particular, we are careful to ensure outlier applications are dealt with appropriately and have systems in place to flag people who might not meet the scoring criteria but could be a good fit for the course anyway.

After decisions have been made, we have a different person review a sample of the decisions to check they are reasonable. We also use demographic data given to us in the application form for DEI monitoring, to understand and address any biases in our process.

Under data protection legislation, you may have the right to have a human re-review the scoring part of the application process, express your point of view and to contest the decision. If you’d like to exercise this right please contact us via the details at the top of this privacy policy.

Cross-border transfer of your personal information

BlueDot Impact generally stores your personal information within the UK. Sometimes we use service providers who access your personal data in other countries.

When we need to share your personal information with people or organizations outside the UK, including in the United States, it might be subject to data protection laws that offer less protection than under the UK GDPR. Where this is the case, we take steps to ensure your personal information is protected, including by entering into contracts that have been approved by the relevant authorities (such as “standard contractual clauses” or an “international data transfer agreement”). If you want to learn more about this, or to get a copy of the transfer mechanism that we use, reach out using the details given in the Who are we and how can you contact us? section.

Information sharing

We may share your information:

• with our affiliate companies and organizations for the purposes set out in this Privacy Policy
• with third-party service providers, who will process it on our behalf for the purposes identified above. We use third-party providers of certain services such as website hosting, website analytics, marketing automation, payment processing, and IT maintenance.
• in exceptional circumstances, where there’s a legal or “duty of care” imperative (for example if we need to safeguard other individuals)
• with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required to protect our legitimate interests (e.g. with HMRC for tax regulation purposes in the UK);
• with funders and investors to help our organization grow;
• if all or part of our organization is closed, combined with another organization, or becomes its own organization, we’ll share your personal information with external advisors (such as lawyers, accountants, or financial advisors) who are helping us with this process and the owners of the new organization; and
• in connection with any legal process or potential legal process.

How long do we keep your personal information?

We’ll only keep your personal information for as long as we need it to achieve the purposes for which we collected it, to comply with our legal and regulatory obligations, to exercise our legal rights, and to protect ourselves from legal claims.

If we no longer need this personal information for the purposes set out in this Privacy Policy, we’ll delete it or anonymize it so that nobody can identify you from the information.

How do we secure your personal information?

We put in place organizational and technical measures to protect your personal information. These measures include taking all steps reasonably necessary to ensure our IT systems are secure and putting in place procedures to deal with suspected data breaches. In the unlikely event of a data breach, we’ll take steps to minimize the loss or destruction of data and, if required by law, we’ll notify you. We’ve implemented data security policies and procedures, and relevant staff receive data security training.

Our security measures include:

• encrypting information in transit (such as SSL/TLS);
• encrypting information at rest (such as AES256);
• enforcing the use of strong 2-step verification to access key internal services;
• using single sign-on to access most internal services;
• using password managers to reduce the likelihood of successful phishing attacks;
• making and storing encrypted backups of critical data;
• enabling built-in antivirus software and keeping devices up to date;
• using slow password hashing algorithms;
• taking reasonable steps towards the physical and cyber security of where we host our data (such as using reasonable third-party providers); and
• using PCI Compliant payment processors to securely handle your payment details

Where we’ve given you (or where you’ve chosen) a password that enables you to access certain parts of our Platforms, you’re responsible for keeping this password confidential.

Your personal information rights

Under the UK GDPR or EU GDPR, you may have the right to ask us for a copy of your personal information; to correct, delete, or restrict (stop any active) use of your personal information; and in certain cases to obtain the personal information you provide to us in a “structured, machine readable format.” You can also object to the use of your personal information in some circumstances (in particular, when we don’t have to use the data to meet a contractual or other legal requirement, or when we’re using the data to send you marketing emails).

Where you’ve given us your consent to use your personal information, you can take back that consent at any time. If you do, we’ll stop using your personal information immediately, unless we collected it for a different purpose (for example, the information is necessary to comply with a legal obligation).

These rights may be limited, for example, if answering your request would reveal personal information about another person or if you ask us to delete information which we’re required by law to keep or have important legitimate interests to keep.

To exercise any of these rights, or to make a complaint to us, you can get in touch using the details set out in the Who are we and how can you contact us? section.

You also have the right to complain to a data protection authority about how we process your personal information. In the UK, the supervisory authority is the Information Commissioner’s Office.

Updates to this Privacy Policy

We reserve the right to change this Privacy Policy from time to time. We’ll alert you when changes have been made by indicating the date this Privacy Policy was last updated or as otherwise may be required by law.