We, at Project Access International, have a strong commitment to protect the privacy of all individuals in respect of which it processes information. We will only collect and use information in a manner consistent with your rights and our obligations under applicable law.

This Privacy Policy (the “Policy”) describes how information about you is collected and used by us or shared with others, how we safeguard it and how you may access and control its use.

This Policy applies to visitors to our website located at www.projectaccess.org (the “Site”) inclusive of any sub-domains of the Site, our social media pages, and to all users or potential users (mentees and mentors) of our services (the “Services”).

Protecting your privacy is paramount to us. Please read the following carefully to understand our views and practices regarding your information. By using the Site and the Services and/or otherwise interacting with Project Access International, you consent to us processing your personal data and other information in accordance with this Policy.

If you do not accept and agree with this Privacy Policy, you must stop using our Services immediately.

If you have any questions, concerns or comments about this Policy, please contact us at support@projectaccess.org.

Our Privacy Motto

1. We are transparent about the information we hold about you.
2. We will work with you to keep your information accurate and current.
3. We will do our best to keep your information secure and prevent unauthorised access to it.
4. We will delete information when it is no longer required to deliver our Services or when you ask us to do so and we have no legal obligation to retain such information.

Definitions

For the purpose of the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), the Data Controller is Project Access. Project Access refers to the registered charity in England and Wales, Project Access International (charity number: 1190102), and our incorporated entities across the world. During the course of our charitable activities, we will process personal data about you in accordance with the GDPR.

“Personal data” means information we hold about you from which you can be or are identified. Personal data may be held in paper or electronic format or in another recorded form including photographs or video clips. It may include the following information: your name, contact details (personal and/or work details), next of kin details, criminal offences, financial background, educational background, university preferences, and expressions of opinion about you or indications of our management intentions towards you.

“Processing” means doing anything with personal data, such as accessing, disclosing, destroying, transferring, holding, amending, deleting or using the personal data.

We will comply with the six key principles in the GDPR. Your personal data shall be:

1. Lawfulness, fairness and transparency: Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes.
3. Data minimisation: Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accuracy: Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data is processed solely for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards.
6. Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Quick Guide to Content

1. Data collection
2. Cookies and analytics
3. Data processing
4. Data sharing
5. Aggregated and anonymised data
6. Data security
7. Data retention
8. Your rights
9. Consent to processing and transfer of information outside of EEA
10. Third party websites
11. Changes to our Policy

1. Data Collection

We are a mentorship network for helping students apply to top universities worldwide. We continuously expand our network and our focus is on building close, long-term relationships that enable us to deliver this service free of charge to those who need it. To do our job well and connect people in the best possible way, we need to understand our Mentees and Mentors well. To achieve the above, we create detailed profiles about our Mentees and Mentors to understand exactly who they are.

We collect six categories of personal data:

1. Personal data we collect from Mentees.
2. Personal data that we collect from Mentors.
3. Personal data that we collect from Content Contributors.
4. Personal data that we collect from Donors.
5. Personal data that we collect from Team Members.
6. Personal data we get from Visitors to our Site and social media pages.

We may collect and process the following data about you:

1. Information that you provide by filling in forms on the Site.
2. Information that you share with us at special events that we host.
3. Information that you share with us over email or social media exchanges and in questionnaires.
4. Information that third parties who have worked with you or have otherwise interacted with you, share with us.

1.1 Mentees

We collect the following personal data when potential Mentees sign up to receive our emails:

1. Contact details
2. Country

Our lawful basis for processing is consent.

We collect the following personal data when Mentees sign up to our mentorship platform:

1. Contact details
2. Date of birth
3. Hobbies, interests and career plans
4. LinkedIn profile link
5. Inequality data such as demographics, socioeconomic background, geography and access to information
6. Educational background such as school, predicted grades and past degrees (if applicable)
7. University preferences such as university, course and topics of interest
8. Application outcomes such as conditional offers and final acceptance

Our lawful basis for processing is to raise and fulfil a contract.

We process special category data, specifically ethnicity, for equality of opportunity in the public interest (Article 9(2)(g), Schedule 1 of the DPA 2018).

We use automated algorithms to match Mentees and Mentors based on the personal data provided. However, any decision for matching will have the final sign-off by a Project Access team member.

1.2 Mentors

We collect the following personal data when potential Mentors sign up to receive our emails:

1. Contact details
2. Country
3. University

Our lawful basis for processing is consent.

We collect the following personal data when Mentors sign up to our mentorship platform:

1. Contact details
2. Date of birth
3. LinkedIn profile link
4. Mentoring experience
5. Inequality data such as demographics, socioeconomic background, geography and access to information
6. Educational background data such as school, offers received and past degrees (if applicable)
7. University data such as university name, course, college, entry dates and graduation dates

Our lawful basis for processing is to raise and fulfil a contract.

We process special category data, specifically ethnicity, for equality of opportunity in the public interest (Article 9(2)(g), Schedule 1 of the DPA 2018).

We use automated algorithms to match Mentees and Mentors based on the personal data provided. However, any decision for matching will have the final sign-off by a Project Access team member.

1.3 Content Contributors

We collect the following personal data when content contributors provide us with information for our knowledge bases, both online and in print:

1. Contact details
2. Educational background data such as school, offers received and past degrees (if applicable)
3. University data such as university name, college, course
4. Application experience data such as interview and admission test experiences
5. Photos and videos relating to university life

Our lawful basis for processing is consent.

We don’t require you to provide special category data (i.e. ethnicity), but if you do provide such data, you consent to our use of it for publishing both online and in print.

1.4 Donors

We collect the following personal data when donors make a contribution:

1. Contact details
2. IP address
3. Country
4. Donation amount

Our lawful basis for processing is to raise and fulfil a contract. We will not contact you for the purposes of direct marketing without your explicit consent.

1.5 Team Members

We collect the following personal data when potential Team Members sign up to receive our emails:

1. Contact details
2. Country
3. University

Our lawful basis for processing is consent.

We collect the following personal data when potential Team Members send us an application for a volunteer or job opening:

1. Contact details
2. Country
3. University
4. CV
5. Responses to interview questions

Our lawful basis for processing is legitimate interests.

We collect the following personal data when Team Members are on-boarded:

1. Contact details
2. Date of birth
3. University details
4. Bank account details
5. Contract dates

Our lawful basis for processing is to raise and fulfil a contract.

We process special category data, specifically ethnicity, for equality of opportunity in the public interest (Article 9(2)(g), Schedule 1 of the DPA 2018).

1.6 Visitors to our Site and social media pages

When you visit the Site, visit our social media pages or interact with the Services, we may use a variety of technologies that automatically or passively collect information about how the Site is used (“Usage data”).

We collect the following data when users visit our Site:

1. IP address
2. Usage data

Usage data may include weblogs and other communication data, browser type, operating system, the page served, the duration of your visit, the time, referring URLs and other information normally transmitted in HTTP requests. Usage Data is statistical data about our users’ browsing actions and patterns and does not identify any individual. We will treat Usage data as personal data if we combine it with you as a specific and identifiable person.

Our lawful basis for processing is legitimate interests.

2. Cookies and Analytics

A cookie is a small file of letters and numbers that we put on your computer if you use the Site. By browsing the Site you agree to having these cookies placed on your computer. The cookies collect information in an anonymous form, including the number of visitors to a website, from where visitors to a website have come from and the pages visited.

Please read our Cookie Policy for further information.

2.1 Google Analytics

We use Google Analytics to collect anonymous data about the users of our Site such as:

1. How often they visit
2. What pages they visit
3. What time they visit
4. How long they stay
5. What country they are visiting from

You can prevent Google Analytics from collecting this information by installing the Google opt-out browser add-on:
https://tools.google.com/dlpage/gaoptout.

However, if you block all cookies you may not be allowed access to all or parts of our Site, and some functions and features of the Site and/or the Services may not work properly. Unless you have adjusted your browser settings so that it will refuse cookies, our system will issue cookies as soon as you visit our Site.

To learn how Google uses data collected from our Site, please see the following link:
https://policies.google.com/privacy/partners?hl=en-GB&gl=uk.

2.2 Hotjar

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand users’ experience – for example:

1. How much time they spend on which pages
2. Which links they choose to click
3. What users do and don’t like

This enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on users’ behaviour and their devices. This includes:

1. IP address (captured and stored only in anonymized form)
2. Device screen size
3. Device type (unique device identifiers)
4. Browser information
5. Geographic location (country only)
6. Preferred language used to display our website

Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user.

For further details, please see Hotjar’s privacy policy:
https://www.hotjar.com/legal/policies/privacy/.

You can opt out of the creation of a user profile, Hotjar’s storing of data about your usage of our site, and Hotjar’s use of tracking cookies on other websites by following this opt-out link:
https://www.hotjar.com/policies/do-not-track/.

3. Data Processing

Your personal data has only been collected, utilised or shared by Project Access if:

1. You have consented to the processing;
2. The processing is necessary for the performance of (or entering into) a contract;
3. The processing is a result of an existing legal obligation to which we are subject;
4. The processing is in your vital interests;
5. The processing is in the public interest; or
6. The processing is in our legitimate interests.

We use the information you provide to us to:

1. Provide you with relevant information and services;
2. Share information with mentors and the country team responsible for connecting you with that mentor;
3. Ensure that content from the Site is presented in the most effective manner for you;
4. Carry out our obligations arising from any contracts entered between you and us;
5. Invite you and allow you to take part in special events that we host from time to time;
6. Respond to communications from you;
7. Ask for feedback from you to improve our Services;
8. Analyse your activity on our Services to make improvements; and
9. Ensure safeguarding procedures are met.

We will keep the personal data we store about you accurate and up to date. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you. We will not keep your personal data for longer than is necessary for the purpose. This means that data will be erased from our systems or anonymised when it is no longer required.

Any email marketing messages we send are done so through an EMS (email marketing service). An EMS is a third-party service provider of software/applications that allows marketers to send out email marketing campaigns to a list of users. Our EMS is SendGrid. Email marketing messages that we send may contain tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of data such as times, dates, IP addresses, opens, clicks, forwards, geographic and demographic data. Such data, within its limitations, will show the activity each subscriber made for that email campaign. Any email marketing messages we send are in accordance with the GDPR and the PECR. We provide you with an easy method to withdraw your consent (unsubscribe) or manage your preferences at any time. See any marketing messages for instructions on how to unsubscribe or manage your preferences; you can also contact the EMS provider (SendGrid).

4. Data Sharing

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties that provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances, we are legally obliged to share information. For example, when we are involved in legal proceedings such as a safeguarding incident, or when we are complying with the requirements of legislation, a court order, or a governmental or regulatory authority.

Where we share your data with a third party, we will have regard to the six data protection principles.

We may disclose your personal information to third parties:

1. If Project Access or substantially all of its assets are acquired by a third party, in which case personal data held by it will be one of the transferred assets. If any of your personal data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.
2. If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
3. To enforce a contract entered into between you and us.
4. To investigate potential breaches.
5. To protect the rights, property or safety of our Mentees, Mentors or anyone else. This includes exchanging information with other organisations for the purposes of fraud protection, the checking of criminal records and other references.

Currently, we share information with the following organisations, who operate under their own privacy policies referenced below:

1. Verifile Ltd. – for the purposes of checking criminal proceedings, criminal convictions and other references. Privacy Policy here.
2. Typeform S.L. – for the purposes of collecting information from our Mentees, Mentors and Team Members. Privacy Policy here.
3. Microsoft Corporation – for the purposes of data storage and internal collaboration. Privacy Policy here.
4. SendGrid, Inc. – for the purpose of managing our mailing lists. Privacy Policy here.
5. Squarespace Ireland Ltd. – for the purpose of hosting our websites. Privacy Policy here.
6. Donorbox (Rebel Idealist LLC) – for the purpose of managing our donor payments. Privacy Policy here.
7. Patreon – for the purpose of managing our donor payments. Privacy Policy here.
8. Stripe, Inc. – for the purpose of managing our payments. Privacy Policy here.

5. Aggregated and Anonymised Data

We may combine your Usage Data and/or your personal data with those of other users of the Services and the Site and share or provide this trend information in aggregated and anonymised form with third parties, such as prospective investors, affiliates, partners, advertisers and research bodies. This will only ever be anonymised data, and will never be capable of personally identifying an individual, and will only be shared in accordance with applicable law. For example, we may anonymise your personal information and use it in aggregated form in order to report on industry, marketing and employment trends.

6. Data Security

We will take appropriate steps to ensure that the processing of personal data is lawful or authorised, and to prevent the accidental loss, or damage to, personal data. We continuously strive, in accordance with industry standards, to have in place procedures and technologies to maintain the security of all personal data and confidential data from the point of collection to the point of destruction.

We transfer personal data to third parties where they agree to comply with similar procedures and policies or have in place adequate measures. An adequate measure would be a privacy shield certification, a Data Processing Agreement or a contract based on the EU Model Clauses.

To protect your personal data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data collected through our Services. Steps we take to secure and protect your data include:

1. Regular backups of your data including retention policies;
2. Mailbox and data access auditing;
3. Full SSL (https) connection to our Site;
4. User-level authentication to personal data;
5. Data loss prevention policies; and
6. Personal data is stored at rest in an encrypted format so are non-human readable.

Please remember that the transmission of information via the internet is not completely secure. We will do our best to protect your information, but we cannot guarantee the security of your data transmitted to our Site. Any transmission is at your own risk. Once we have received your information, we will use security features to try to prevent unauthorised and unlawful access.

If a security breach causes an unauthorised intrusion into our system that materially or non-materially provides a risk to you, we will notify you as soon as possible and later report the action we took in response to any breach.

7. Data Retention

We will not retain your personal data longer than is necessary to fulfil the purposes for which it was collected. However, we may be required by applicable laws and/or regulations to hold your personal data longer than this period. If no contradicting legal obligation exists, we reserve the right to delete Mentor or Mentee profiles that have been inactive for at least 36 months, or when you request that your personal data be erased and no longer processed by us. Additionally, where there is a contradicting statutory obligation for us to retain your personal data, we will restrict/block further processing and then erase the relevant personal data when we no longer have a requirement to retain it.

8. Rights

You have:

1. The right to be informed;
2. The right of access;
3. The right to rectification;
4. The right to erasure;
5. The right to restrict processing;
6. The right to data portability;
7. The right to object; and
8. Rights in relation to automated decision-making and profiling.

Please note that all these rights are qualified in various ways. For example, where we store your personal data for statistical purposes, we may not be able to comply with an erasure request where it would likely impair such statistical purposes, or where we require your personal data for compliance with a legal obligation or in connection with legal proceedings.

You may contact our Data Protection Lead about all issues related to this Policy, your personal data and to exercise your rights under Data Protection laws. Requests must be made in writing and sent to support@projectaccess.org.

You can exercise your right to erasure at any time by contacting us at the same email address. We will, however, retain your name solely to record that you do not want us to keep further information about you.

If you feel that the processing of your personal data is not in line with our data-protection obligations, you can complain to our supervisory authority:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
Website: https://ico.org.uk/

9. Consent to Processing and Transfer of Information Outside the EEA

We are a charity registered in England and Wales that operates globally. Consequently, our use of your information involves international data transmission, including to countries outside the European Economic Area (EEA) where data-protection laws may not be considered “adequate” by the European Commission.

For data transfers to countries without an adequacy decision, we rely on several mechanisms to safeguard your data:

1. Standard Contractual Clauses (SCCs): Latest SCCs (2021) incorporated into new contracts and retro-applied where required.
2. International Data Transfer Agreement (IDTA): Used for transfers from the UK, or the UK Addendum to the EU SCCs where appropriate.
3. Binding Corporate Rules (BCRs): Applied for intra-group transfers when relevant.
4. Transfer Impact Assessments (TIAs): Conducted for transfers to non-adequate countries in line with Schrems II requirements.
5. Derogations: Used in limited circumstances under Article 49 GDPR (e.g., explicit consent or contract necessity).

By using our Site and Services, or by providing us with your information, you consent to such international transfers and processing, including to countries where privacy rights may be less comprehensive than in your country of residence.

10. Third-Party Websites

The Site may contain links to, or appear within, third-party websites and online media. Each of these external sites has its own privacy policy. We cannot accept responsibility or liability for their content or policies. Please review those policies carefully before submitting any personal data to those websites.

11. Changes to Our Policy

We may change this Policy from time to time, in whole or in part, at our sole discretion. Please check our website for the most recent version. You may also request a copy by contacting us. If we decide to use your personal data for a purpose different from the one originally notified, we will contact you to inform you of the change.

Last update: 2nd July 2024

We welcome any questions, comments or requests regarding this Policy. Please email us at support@projectaccess.org.