Privacy Policy

This privacy policy explains how Rooted in Place CIC (we, us, our) collects, uses, stores and shares personal information when you use our website, contact us, work with us, attend an event, or are involved in a project we are delivering.

We collect only the personal information we actually need, use it for clear purposes, keep it no longer than necessary, and handle it with care. We do not sell or rent personal data.

1. Who we are

Rooted in Place supports communities, landholders, funders and partner organisations to take on, manage and steward land and community assets to meet community needs. Our work may include consultancy, research, facilitation, programme design, project support, business planning, governance support, financial modelling, workshops, interviews, evaluation and related delivery activity.

For the purposes of this privacy policy, Rooted in Place is usually the data controller for the personal information described here. In some projects, we may process personal data on behalf of a client or partner organisation. In those cases, that client or partner may be the controller and we may act as their processor, handling data only on their instructions and within the agreed scope of the work. Under ICO guidance, controllers decide the purposes and means of processing, while processors act on behalf of controllers.

Contact details

Data protection contact: Michael Flint

Email: mike@rootedinplace.org.uk

Postal address: 5 Cornwallis Road, Oxford, OX4 3NP

ICO registration number ZC110196

2. What this policy covers

This policy covers personal information we collect through:

  • our website

  • email, phone and other communications with us

  • project enquiries and proposal development

  • client delivery work

  • events, workshops, interviews and research activity

  • ongoing professional relationships and collaboration

  • finance, contracting and administration

If we collect personal data for a more specific purpose that needs extra explanation — for example a survey, a research project, recruitment, or a particular commissioned piece of work — we may provide a separate privacy notice alongside this one.

3. The personal information we may collect

Depending on how you interact with us, we may collect and use:

  • your name and contact details, such as email address, phone number, postal address and organisation

  • your role, professional background and work-related information

  • messages, correspondence, meeting notes and records of communications

  • contract, proposal, invoicing and payment information

  • event, workshop or interview attendance information

  • feedback, survey responses, recordings, transcripts or notes where relevant to a project

  • documents, datasets and files shared with us as part of consultancy or project delivery

  • technical information from our website, such as IP address, browser type, device

  • information and cookie preferences, depending on the tools in use

We do not seek to collect more personal information than we need for the purpose in hand.

4. How we use personal information

We may use personal information to:

  • respond to enquiries and stay in touch about potential or ongoing work

  • prepare proposals, contracts and project plans

  • deliver consultancy, research, facilitation and project support

  • organise and run meetings, events, workshops, interviews and learning sessions

  • prepare notes, reports, findings, outputs and recommendations

  • manage our relationships with clients, collaborators, suppliers and partners

  • send newsletters or updates where you have asked to receive them

  • keep financial, legal and administrative records

  • maintain the security and effective operation of our website, systems and services

5. Our lawful bases for using personal information

Data protection law requires us to have a lawful basis for processing personal data, and at least one lawful basis must apply. In practice, the lawful bases we are most likely to rely on are consent, contract, legal obligation and legitimate interests. In broad terms:

  • If you contact us about potential work, we may use your information to respond to your enquiry, take steps before entering into a contract, and manage our professional relationship.

  • If you are a client, collaborator, supplier or contractor, we may use your information to enter into and deliver a contract, manage the work, and meet legal and financial obligations.

  • If you sign up to receive updates from us, we will usually rely on your consent and you can withdraw that consent at any time.

  • If we invite you to an event, workshop or conversation connected to our work, we may rely on legitimate interests where that is appropriate and proportionate, or consent where that is the better basis.

  • If we need to keep financial or tax records, we do so to comply with legal obligations.

  • If a project involves more sensitive personal information, we will make the basis for that processing clear at the point of collection or in a project-specific notice.

6. Client files, project data and information shared with us

Because Rooted in Place delivers consultancy and project work, clients and partners may sometimes share documents, spreadsheets, contact lists, interview material, workshop notes, datasets or other background information with us. Where information is shared with us for a project:

  • we ask that only information that is genuinely necessary for the agreed purpose is shared

  • please do not send us personal information that does not need to be shared

  • please do not send special category data, criminal offence data, or other highly sensitive personal information unless this has been expressly agreed in writing as necessary for the work and we have agreed how it will be handled

  • where possible, we ask clients and partners to anonymise or redact information before sharing it with us

  • if you are sharing personal data about other people with us, you are responsible for making sure there is a lawful basis for that sharing and that appropriate transparency has been provided, unless we have expressly agreed a different arrangement in writing

The ICO’s guidance is clear that organisations need to identify a lawful basis before sharing personal data and be able to show they considered this before sharing.

For some assignments, we may act only as a processor on behalf of a client. For others, we may act as an independent controller for the information we collect and use in the course of our own professional work. The position will depend on the nature of the project and the roles agreed.

7. Who we may share personal information with

We may share personal information where necessary with:

  • our website host, cloud storage providers, email provider and other IT service providers
    accounting, bookkeeping or payment service providers

  • trusted associates, delivery partners or subcontractors working with us on a project, where this is necessary and appropriate

  • professional advisers such as accountants, insurers or legal advisers

  • public authorities, regulators or law enforcement where we are legally required to do so

Where third parties process personal data on our behalf, we expect them to do so under appropriate contractual arrangements and with appropriate security measures in place. ICO guidance requires appropriate technical and organisational measures for both controllers and processors.

We do not sell, rent or trade personal data.

8. International transfers

We aim, where practical, to use service providers that store and process data in the UK or EEA. However, some of our service providers may process personal information outside the UK.

Where we make a restricted international transfer, we will only do so where there is a valid legal mechanism in place, such as adequacy regulations or appropriate safeguards, and we will carry out additional risk assessment where required. ICO guidance notes that restricted transfers must be covered by appropriate safeguards where adequacy does not apply.

9. Retention

We keep personal information only for as long as it is needed for the purpose for which it was collected, and longer only where this is necessary for legal, contractual, accounting, insurance, safeguarding or dispute-resolution reasons.

Rather than keeping everything indefinitely, we review what we hold and delete, redact, anonymise or archive information when it is no longer needed. Our retention decisions are based on factors such as:

  • the nature of the relationship

  • the type of work involved

  • whether the information is needed to evidence decisions, deliver follow-on work, or meet

  • legal or financial obligations

  • the sensitivity of the information

  • whether there is an ongoing risk, complaint, dispute or claim

ICO guidance says privacy information should tell people either the retention period or the criteria used to decide it.

10. Security

We take the security of personal information seriously and use appropriate technical and organisational measures proportionate to the risks involved. ICO guidance describes this as the security principle. Depending on the circumstances, this may include:

  • secure cloud storage

  • password protection and multi-factor authentication where available

  • device and account access controls

  • restricting access to information on a need-to-know basis

  • regular software and security updates

  • backups and recovery arrangements

  • care in how documents are shared, stored and deleted

  • procedures for identifying and responding to data incidents

No online transmission or storage system can ever be guaranteed to be completely secure. For that reason, please avoid sending sensitive personal information by ordinary email unless this has been agreed and appropriate safeguards are in place.

11. Cookies and website analytics

Our website may use cookies and similar technologies. Some cookies are necessary for the website to function properly. Others may help us understand how the site is used or improve performance.

The rules on cookies and similar technologies are covered by PECR, and ICO guidance confirms that this includes technologies such as tracking pixels. Consent is required for many non-essential cookies and similar technologies, subject to limited exceptions.

Our website is built using Hostinger Website Builder which by default does not use any cookies. At present we have no integrations such as analytics connected to our site. For non-essential cookies or analytics tools be used in the future; we will ask for consent through our cookie banner or settings tool before placing them.

You can also manage cookies through your browser settings.

12. Social media and third-party websites

Our website may include links to third-party websites or social media platforms. If you follow those links or interact with us on those platforms, your information will be handled according to the privacy policies of those third parties. We are not responsible for the privacy practices of websites or services we do not control.

13. Your rights

Under data protection law, you may have the right to:

  • be informed about how your personal information is used

  • request access to the personal information we hold about you

  • ask for inaccurate information to be corrected

  • ask for information to be erased in some circumstances

  • ask for processing to be restricted in some circumstances

  • object to processing in some circumstances

  • receive a portable copy of certain personal information in some circumstances

  • withdraw consent where we rely on consent

ICO guidance sets out these rights and explains that organisations usually have one month to respond to a subject access request, although this can be extended for complex requests in limited circumstances.

We do not currently carry out solely automated decision-making that has legal or similarly significant effects on individuals.

14. Complaints and how to contact us

If you would like to exercise your rights, ask a question about this policy, or raise a concern about how we have handled personal information, please contact us using the details above.

We may ask for information to verify your identity where this is necessary and proportionate.

If you are unhappy with how we have handled your information, we would appreciate the chance to address it first. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters. ICO guidance says people should usually raise concerns with the organisation first, but they can then take the matter to the ICO.

15. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our work, our systems, or the law. The most current version will always be available and will include the latest revision date.

Contact

Reach out for support or questions

Email

Phone

hello@rootedinplace.org.uk

+44 7738 216 748

© 2026. All rights reserved.

Policies

Privacy Policy