Gurukula Limited (“Gurukula”) takes great care to protect and respect your privacy and the
information you provide whilst engaging with us. This includes research hosted on our own
website, other websites on our behalf, or by other means including online, by telephone and
face to face.
We are committed to meeting the requirements of the following laws and codes:
▪ UK General Data Protection Regulations (UK GDPR)
▪ Data Protection Act 2018
▪ Social Research Association’s Research Ethics Guidance [1]
Gurukula Limited is registered with the Information Commissioner’s Office (reference number: C1464486)
Information we collect
Gurukula collects information in the following ways:
Website
‘Cookies’ are designed to enhance online experience and permit users access the full service
within the website. We will collect, store and process information about people who voluntarily
complete the contact form.
Participating in work with us
We will also collect information when people take part in work with us. This includes
participating in research, training and consulting exercises.
The information we collect can contain personal opinions, views and experiences, as well as
personal information such as name, email address, telephone number etc.
Where relevant to the work being undertaken, we may collect business contact information,
such as, organisation/company name, job title, and department.
If you are invited to work with us, it will be because of one of the following reasons:
▪ You were selected due to your recent engagement with one of the client organisations
for whom we work
▪ You have given permission for an organisation or company to supply your details to
Gurukula for research, training or consulting purposes
▪ You have taken part in previous work delivered by Gurukula and given us your
permission to contact you in the future
If you have been contacted by Gurukula and you do not believe you have given your
permission, let us know and we will remove you from the contact list for that particular research
project and inform the relevant organisation who supplied your details.If we invite you to take part in our work, we must provide you with information about the key
elements of the project and, if relevant, explain what you can expect from us.
All participants will also be asked to acknowledge that:
▪ They have read and understood the information provided about the work
▪ They have been able to ask questions if needed
▪ They understand that their participation is voluntary, and they can change their mind
or withdraw their data at any time, without giving a reason
▪ If relevant, that they agree to take part in an interview or focus group for the research
and that will be recorded in writing (and/or by voice recorder, with their consent).
The consent form will also set out participants’ rights under the UK GDPR and Data Protection
Act 2018, explaining how their data will be stored and processed securely, and asking for them
to confirm their understanding of these issues.
Storing personal and research data
We will maintain appropriate safeguards to ensure the security, integrity, accuracy and privacy
of the information we collect. Personal data will be stored on our systems for as long as is
necessary for the relevant activity, or as long as is set out in any relevant contract you hold
with us. We utilise Microsoft 365 for Business and our servers are held in the United Kingdom.
Anonymised research data will be held for five years and thereafter it will be deleted or
destroyed.
How we use your information
The personal information we collect is:
▪ Used to carry out obligations arising from any contracts
▪ Used to seek individual views or comments on the services we provide
▪ Combined with the responses/views/opinions/experiences of others who participated
in the same project and reported back to the client that commissioned the work in order
to address the objectives that have been set for the project.
▪ Used to administer incentives
▪ Occasionally used to re-contact you to validate your responses (if people have
consented to us doing so).
As and when stipulated, any personal identifiers will be changed or deleted when we come to
write reports. This means participants will not be identified personally in any reports or other
written outputs, unless otherwise agreed.
All responses (provided via web-based surveys, by Zoom or other online communication tool,
by telephone, or face to face) are treated as confidential. We will never intentionally disclose
personal information or individual responses to the client that commissioned the study or any
third parties unless:
▪ There is consent to sharing identifying information and individual responses▪ In the rare but possible circumstance that the information is subject to disclosure
pursuant to judicial or other government warrants, orders or for similar legal or
regulatory requirements.
Who we share the information with
Please be reassured that we will not release your information to third parties, unless you have
requested us to do so. Occasionally we may employ other companies and individuals to
perform functions on our behalf relating to the work we undertake. They will have access to
the personal information needed to perform their functions but will not use it for other purposes.
They must also process the personal information as set out in this Privacy Policy and as
permitted by UK Data Protection Law. Our staff and sub-contractors are trained in our data
security systems and procedures and are asked to sign to sign a Data Protection declaration,
to ensure they are aware of their legal duties and agree to comply with these.
If you participate in work with us, you consent to us transferring your personally identifiable
data to other organisations/companies within the EEA only for the purposes mentioned above.
We shall endeavour to ensure that your personal information is kept confidential and secure.
Data security
Gurukula maintains appropriate technical, administrative and physical safeguards to protect
information, including, without limitation, personally identifiable information, received or
collected by us. We have obtained the Cyber Essentials Certificate of Assurance, accredited by IASME.
We review, monitor and evaluate our privacy practices and protection systems
on a regular basis. This includes ensuring that any security measures taken include:
▪ Taking steps to control physical access security – restricting access to offices, desks,
storage areas, equipment and other places where unauthorised access by people
could compromise security
▪ Putting in place controls on access to information – procedures for authorising and
authenticating data users, as well as software controls for restricting access, and
techniques for protecting data such as encryption
▪ Establishing a business continuity plan – ensuring there are procedures for protecting
and restoring if possible personal data held by the business in the event of a disaster
▪ Training staff and sub-contractors on security systems and procedures – includes
asking all sub-contractors to sign a Data Protection declaration, to ensure they are
aware of their duties under the Act and agree to comply with these
▪ Detecting and investigating breaches of security should they occur – ensuring that any
breaches of data security (loss or theft of data, etc) are reported immediately and
appropriate actions taken.
Only certain employees have access to the personal information you provide to us and are
only granted access for data analysis and quality control purposes. Gurukula is not responsible
for any errors by individuals in submitting personally identifiable information to us.
Accessing and updating your information
The accuracy of your information is important to us. If you change email address, or any of
the other information we hold is inaccurate or out of date, please email us at:
David[at]gurukula.co.uk
Your co-operation in any of our work is voluntary at all times, and we are always thankful for
your help. You are entitled to access the personal information we hold about you (which is
known as a subject access request) and you have the right to update any incorrect
information.
You also have the right to withdraw consent you gave for participation in our research at any
time and have your personal details erased. To do this, please submit your request in writing
to the following email address: David[at]gurukula.co.uk
Your rights
Under Data Protection Law you have a number of important rights free of charge. In summary,
those include rights to:
▪ Access your Personal Data and to receive certain supplementary information about
how we use or share it
▪ Require us to correct any mistakes in your Personal Data which we hold
▪ Require the erasure of your Personal Data in certain situations
▪ Object at any time to processing of your Personal Data for direct marketing
▪ Object in certain other situations to our continued processing of your Personal Data
▪ Otherwise restrict our processing of your Personal Data in certain circumstances.
If you wish to exercise any of the rights set out above, please email us at: David[at]gurukula.co.uk describing which right you want to exercise. We are entitled to ask
for further information to clarify your request or verify your identity before we can proceed.
If you believe that we have not handled your Personal Data in accordance with Data Protection
Law or we have not complied with your request when you exercise the above rights, you have
the right to make a complaint to the Information Commissioner’s Office (‘ICO’), the UK
regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the
chance to deal with your concerns in the first instance.
Links to other websites
Our website may contain links to other websites run by other organisations. This privacy policy
applies only to this website‚ so we encourage you to read the privacy statements on the other
websites you visit. We cannot be responsible for the privacy policies and practices of other
sites even if you access them using links from our website. In addition, if you linked to this
website from a third-party site, we cannot be responsible for the privacy policies and practices
of the owners and operators of that third-party site and recommend that you check the policy
of that third-party site.
International transfers
Countries outside of the United Kingdom or European Economic Area (EEA) do not always
offer the same levels of protection to your Personal Data as you enjoy here, so Data Protection
Law generally restricts the transfer of personal data outside the UK (and EU/EEA) unless the
destination country’s own laws protect personal data to standards approved under UK/EU law
or there are other appropriate safeguards in place to protect such data.
Your Personal Data will usually only be processed by us in the UK. If, in exceptional
circumstances, we do send your Personal Data outside the UK or EEA, this will only be done
with your consent or if there’s an applicable legal exemption. Otherwise, we will take
appropriate measures to ensure that any personal data we send overseas is duly protected in
accordance with Data Protection Law.
Queries and review of this privacy policy
We may change this privacy policy from time to time so please check this page occasionally
to ensure that you’re happy with it.
If you have any questions concerning this privacy policy, our website or our research, or you
wish to make a further request relating to how we use your Personal Data as described above,
please contact: David[at]gurukula.co.uk
Gurukula keeps this privacy policy under regular review. This privacy policy was last updated
in February 2025.
[1] — https://www.the-sra.org.uk/SRA/Ethics/Research-Ethics-Guidance
[2] — https://www.mrs.org.uk/standards/code-of-conduct
[3] — https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-
legislation/uk-policy-framework-health-social-care-research/
[4] — https://ico.org.uk/for-the-public/online/cookies
Contact David Owen, director at Gurukula and the Danish Institute for Participation and Public Engagement (DIPPE)
David is freelance consultant, facilitator and researcher based in UK and Denmark.
