Create Curiosity CIC
Privacy Policy
In accordance with the UK GDPR and the Data Protection Act 2018
1. Introduction
Create Curiosity CIC is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
When processing personal data, Create Curiosity CIC complies with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018. We adhere to the following principles:
- Personal data shall be processed lawfully, fairly and in a transparent way.
- Personal data shall be collected for specified, explicit and legitimate purposes only.
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Personal data shall be accurate and kept up to date. Create Curiosity CIC has in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- The integrity and confidentiality of personal data shall be maintained at all times through appropriate technical and organisational measures, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
2. Data Controller
The data controller for Create Curiosity CIC is:
• Sasha Hobday (SH)
Contact: If you have any questions about this privacy policy or how we handle your personal data, please contact us at: createcuriositycicoffice@gmail.com
3. Data Processors
Data processors are appointed to process personal data on behalf of Create Curiosity CIC. Our current data processors are:
• Microsoft OneDrive (cloud storage)
• Gmail
We have, or will ensure we have, appropriate Data Processing Agreements (DPAs) in place with all data processors, as required by UK GDPR.
4. Legal Bases for Processing
The legal bases on which we process your personal data are:
1. Consent – you have given your consent for us to process your data for one or more specific purposes. Where we rely on consent, you have the right to withdraw it at any time by contacting us using the details in section 2.
2. Contract – processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.
3. Legitimate interests – processing is necessary for our legitimate interests, or those of a third party, where those interests are not overridden by your rights and interests. Our legitimate interests include the administration and management of our services, maintaining effective communications with partner organisations, and ensuring service delivery on behalf of contractual partners. We conduct Legitimate Interests Assessments (LIAs) where we rely on this basis.
5. Staff and Volunteer Personal Data
We collect and process the following personal data in order to enter into and perform contractual agreements whereby staff and volunteers deliver services on behalf of Create Curiosity CIC:
• First and last name
• Home address
• Telephone number
• Email address
• Curriculum Vitae (CV)
• Emergency contact name and telephone number
• Qualification certificates
• DBS number and issue date
• DBS Update Service ID and date of birth (if enrolled in the DBS Update Service)
• Dates Create Curiosity CIC policies were read
• Dates of training and associated certificates
DBS data is handled in strict accordance with the Disclosure and Barring Service Code of Practice. DBS certificate information is not retained beyond the period for which it is required for safer recruitment purposes and is handled with appropriate confidentiality.
6. Personal Data of Service Users
What data we collect
When you register yourself and your child/ren for our services, we collect the following personal data:
• Full name of the adult
• Email address of the adult
• Occasionally, the phone number of the adult
• Age/s of child/ren attending
• Allergies or access needs
We also collect the following information, which we hold in anonymous form only (meaning it cannot be used to identify any individual):
• Postcode (used to understand the geographic reach of our services)
• Disability or additional needs (used to understand the needs of the adults and children we work with and improve our provision)
• Age bracket of adult
Newsletter sign-up
We offer parents, guardians and other interested individuals the opportunity to sign up to our newsletter. If you choose to sign up, we will collect your name and email address for this purpose.
Signing up to our newsletter is entirely optional and is separate from registering for our services. You will be asked to opt in clearly and explicitly, and we will not add you to our mailing list without your consent.
You can unsubscribe from our newsletter at any time by clicking the unsubscribe link in any newsletter email, or by contacting us using the details in section 2. We will process any unsubscribe request promptly.
Why we collect this data
We collect personal data about service users for the following purposes:
• To register families for our programmes and activities.
• To communicate with parents and guardians about sessions, changes, or cancellations.
• To ensure the safety and wellbeing of adults and children attending our sessions.
• To comply with our legal and safeguarding obligations.
• To report to funders on the reach and impact of our services (using anonymous data only).
• To send our newsletter to those who have opted in, including updates about our programmes, events, and activities.
Our lawful basis for processing
We process personal data relating to service users on the following lawful bases under UK GDPR:
• Contract — to fulfil our agreement with you to provide services to you and your child.
• Legal obligation — to comply with our safeguarding duties.
• Legitimate interests — to operate and improve our programmes effectively, where this does not override your rights.
• Consent — to send you our newsletter. You may withdraw this consent at any time without affecting the lawfulness of processing carried out before withdrawal, or your ability to access our services.
Where we collect information about disability or additional needs, this is special category data under UK GDPR. We process this data on the basis of explicit consent, and it is held in anonymous form only. You may withdraw your consent for this at any time by contacting us using the details in section 2.
Who we share this data with
We do not sell or share personal data of service users with any third parties. We may share data in the following limited circumstances:
• With funders or commissioners, where required as a condition of funding — anonymous and aggregated data only.
• With statutory agencies such as social services or the police, where we have a safeguarding concern or legal obligation to do so.
• With our staff and volunteers, on a need-to-know basis, to deliver our services safely.
How long we keep this data
We retain personal data of service users for as long as you and your child/ren are actively using our services, and for no more than one year afterwards, in line with our safeguarding obligations and funder requirements.
For newsletter subscribers, we will retain your name and email address for as long as you remain subscribed. If you unsubscribe, we will delete your details within 7 days, except where we are required to retain a record of your consent and subsequent withdrawal for compliance purposes.
Anonymous data may be retained indefinitely for statistical and reporting purposes.
7. Storage of Personal Data
Your personal data is stored as follows:
• Electronic copies are stored in cloud storage and on a virus-protected, password-protected device used by the data controller.
• Staff and volunteer names and telephone numbers are stored on a virus-protected, password-protected mobile phone used by the data controller.
We take appropriate technical and organisational measures to ensure the security of your personal data against unauthorised access, loss or destruction.
8. International Data Transfers
Create Curiosity CIC uses Microsoft OneDrive to store some personal data. As a result, personal data may be transferred to and stored at destinations outside the United Kingdom (UK).
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR. Microsoft's international data transfers from the UK under its Microsoft commercial services are governed by the UK International Data Transfer Agreement (IDTA), as set out in Microsoft's Online Services Data Protection Addendum. This constitutes an appropriate safeguard under Article 46 of the UK GDPR.
For further information about the safeguards in place for international data transfers, please contact us using the details in section 2.
9. Sharing of Personal Data
We may share staff and volunteer personal data with third parties in the following circumstances:
• Partner organisations: Your name, email address and/or telephone number may be shared with organisations where you carry out work on behalf of Create Curiosity CIC. Such sharing will be limited to what is necessary for the delivery of services.
• Legal or regulatory obligations: We may disclose personal data where required to do so by law, or in response to a request from a regulatory body or law enforcement agency.
We do not sell personal data to third parties, and we do not share personal data for marketing purposes.
10. Retention of Personal Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law or contract.
• Staff and volunteer personal data is retained for one year after you have stopped providing services to Create Curiosity CIC.
• DBS data is retained in accordance with DBS guidance and relevant legal requirements.
At the end of the applicable retention period, personal data will be securely deleted or destroyed. Electronic files will be permanently deleted, and any paper records will be shredded.
11. Data Breaches
In the unlikely event that a data breach should occur, Create Curiosity CIC has implemented procedures for containment, investigation and remediation. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR. Where the breach is likely to result in a high risk to individuals, we will also notify the affected data subjects without undue delay.
12. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
1. Right of access: You have the right to request a copy of the personal data we hold about you (known as a Subject Access Request or SAR). We will respond within one month of receiving your request.
2. Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
3. Right to erasure: You have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected.
4. Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we investigate a dispute about its accuracy.
5. Right to data portability: Where processing is based on your consent or on a contract, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to request that we transmit it to another controller where technically feasible.
6. Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms.
7. Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you. Create Curiosity CIC does not currently carry out solely automated decision-making of this nature.
8. Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of the above rights, please contact us using the details provided in section 2. We will respond to your request within one month. In some circumstances, we may need to extend this by a further two months, in which case we will notify you. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
13. Complaints
If you have concerns about how we handle your personal data, please contact us in the first instance using the details provided in section 2. We will do our best to resolve your concern promptly.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection:
• Website: www.ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14. Data Protection Officer
Create Curiosity CIC has assessed its obligations under UK GDPR and has determined that the appointment of a Data Protection Officer (DPO) is not currently required. The data controllers (SH and RG) are responsible for ensuring compliance with this policy and with UK GDPR.
Create Curiosity CIC are committed to reviewing this policy and good practice annually, and whenever there is a significant change in our processing activities or in applicable law.
This policy statement & accompanying procedures were last reviewed on 10th March 2026.
Signed: Rachael Gildersleeve (Director)
Date: 10th March 2026
Signed: Sasha Hobday (Director)
Date: 10th March 2026