Data Security and Privacy Policy

Gurukula Limited (“Gurukula”) takes great care to protect and respect your privacy and the

information you provide whilst engaging with us. This includes research hosted on our own

website, other websites on our behalf, or by other means including online, by telephone and

face to face.

We are committed to meeting the requirements of the following laws and codes:

▪ UK General Data Protection Regulations (UK GDPR)

▪ Data Protection Act 2018

▪ Social Research Association’s Research Ethics Guidance [1]

Gurukula Limited is registered with the Information Commissioner’s Office (reference number: C1464486)

Information we collect

Gurukula collects information in the following ways:

Website

‘Cookies’ are designed to enhance online experience and permit users access the full service

within the website. We will collect, store and process information about people who voluntarily

complete the contact form.

Participating in work with us

We will also collect information when people take part in work with us. This includes

participating in research, training and consulting exercises.

The information we collect can contain personal opinions, views and experiences, as well as

personal information such as name, email address, telephone number etc.

Where relevant to the work being undertaken, we may collect business contact information,

such as, organisation/company name, job title, and department.

If you are invited to work with us, it will be because of one of the following reasons:

▪ You were selected due to your recent engagement with one of the client organisations

for whom we work

▪ You have given permission for an organisation or company to supply your details to

Gurukula for research, training or consulting purposes

▪ You have taken part in previous work delivered by Gurukula and given us your

permission to contact you in the future

If you have been contacted by Gurukula and you do not believe you have given your

permission, let us know and we will remove you from the contact list for that particular research

project and inform the relevant organisation who supplied your details.If we invite you to take part in our work, we must provide you with information about the key

elements of the project and, if relevant, explain what you can expect from us.

All participants will also be asked to acknowledge that:

▪ They have read and understood the information provided about the work

▪ They have been able to ask questions if needed

▪ They understand that their participation is voluntary, and they can change their mind

or withdraw their data at any time, without giving a reason

▪ If relevant, that they agree to take part in an interview or focus group for the research

and that will be recorded in writing (and/or by voice recorder, with their consent).

The consent form will also set out participants’ rights under the UK GDPR and Data Protection

Act 2018, explaining how their data will be stored and processed securely, and asking for them

to confirm their understanding of these issues.

Storing personal and research data

We will maintain appropriate safeguards to ensure the security, integrity, accuracy and privacy

of the information we collect. Personal data will be stored on our systems for as long as is

necessary for the relevant activity, or as long as is set out in any relevant contract you hold

with us. We utilise Microsoft 365 for Business and our servers are held in the United Kingdom.

Anonymised research data will be held for five years and thereafter it will be deleted or

destroyed.

How we use your information

The personal information we collect is:

▪ Used to carry out obligations arising from any contracts

▪ Used to seek individual views or comments on the services we provide

▪ Combined with the responses/views/opinions/experiences of others who participated

in the same project and reported back to the client that commissioned the work in order

to address the objectives that have been set for the project.

▪ Used to administer incentives

▪ Occasionally used to re-contact you to validate your responses (if people have

consented to us doing so).

As and when stipulated, any personal identifiers will be changed or deleted when we come to

write reports. This means participants will not be identified personally in any reports or other

written outputs, unless otherwise agreed.

All responses (provided via web-based surveys, by Zoom or other online communication tool,

by telephone, or face to face) are treated as confidential. We will never intentionally disclose

personal information or individual responses to the client that commissioned the study or any

third parties unless:

▪ There is consent to sharing identifying information and individual responses▪ In the rare but possible circumstance that the information is subject to disclosure

pursuant to judicial or other government warrants, orders or for similar legal or

regulatory requirements.

Who we share the information with

Please be reassured that we will not release your information to third parties, unless you have

requested us to do so. Occasionally we may employ other companies and individuals to

perform functions on our behalf relating to the work we undertake. They will have access to

the personal information needed to perform their functions but will not use it for other purposes.

They must also process the personal information as set out in this Privacy Policy and as

permitted by UK Data Protection Law. Our staff and sub-contractors are trained in our data

security systems and procedures and are asked to sign to sign a Data Protection declaration,

to ensure they are aware of their legal duties and agree to comply with these.

If you participate in work with us, you consent to us transferring your personally identifiable

data to other organisations/companies within the EEA only for the purposes mentioned above.

We shall endeavour to ensure that your personal information is kept confidential and secure.

Data security

Gurukula maintains appropriate technical, administrative and physical safeguards to protect

information, including, without limitation, personally identifiable information, received or

collected by us. We have obtained the Cyber Essentials Certificate of Assurance, accredited by IASME.

We review, monitor and evaluate our privacy practices and protection systems

on a regular basis. This includes ensuring that any security measures taken include:

▪ Taking steps to control physical access security – restricting access to offices, desks,

storage areas, equipment and other places where unauthorised access by people

could compromise security

▪ Putting in place controls on access to information – procedures for authorising and

authenticating data users, as well as software controls for restricting access, and

techniques for protecting data such as encryption

▪ Establishing a business continuity plan – ensuring there are procedures for protecting

and restoring if possible personal data held by the business in the event of a disaster

▪ Training staff and sub-contractors on security systems and procedures – includes

asking all sub-contractors to sign a Data Protection declaration, to ensure they are

aware of their duties under the Act and agree to comply with these

▪ Detecting and investigating breaches of security should they occur – ensuring that any

breaches of data security (loss or theft of data, etc) are reported immediately and

appropriate actions taken.

Only certain employees have access to the personal information you provide to us and are

only granted access for data analysis and quality control purposes. Gurukula is not responsible

for any errors by individuals in submitting personally identifiable information to us.

Accessing and updating your information

The accuracy of your information is important to us. If you change email address, or any of

the other information we hold is inaccurate or out of date, please email us at:

David[at]gurukula.co.uk

Your co-operation in any of our work is voluntary at all times, and we are always thankful for

your help. You are entitled to access the personal information we hold about you (which is

known as a subject access request) and you have the right to update any incorrect

information.

You also have the right to withdraw consent you gave for participation in our research at any

time and have your personal details erased. To do this, please submit your request in writing

to the following email address: David[at]gurukula.co.uk

Your rights

Under Data Protection Law you have a number of important rights free of charge. In summary,

those include rights to:

▪ Access your Personal Data and to receive certain supplementary information about

how we use or share it

▪ Require us to correct any mistakes in your Personal Data which we hold

▪ Require the erasure of your Personal Data in certain situations

▪ Object at any time to processing of your Personal Data for direct marketing

▪ Object in certain other situations to our continued processing of your Personal Data

▪ Otherwise restrict our processing of your Personal Data in certain circumstances.

If you wish to exercise any of the rights set out above, please email us at: David[at]gurukula.co.uk  describing which right you want to exercise. We are entitled to ask

for further information to clarify your request or verify your identity before we can proceed.

If you believe that we have not handled your Personal Data in accordance with Data Protection

Law or we have not complied with your request when you exercise the above rights, you have

the right to make a complaint to the Information Commissioner’s Office (‘ICO’), the UK

regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the

chance to deal with your concerns in the first instance.

Links to other websites

Our website may contain links to other websites run by other organisations. This privacy policy

applies only to this website‚ so we encourage you to read the privacy statements on the other

websites you visit. We cannot be responsible for the privacy policies and practices of other

sites even if you access them using links from our website. In addition, if you linked to this

website from a third-party site, we cannot be responsible for the privacy policies and practices

of the owners and operators of that third-party site and recommend that you check the policy

of that third-party site.

International transfers

Countries outside of the United Kingdom or European Economic Area (EEA) do not always

offer the same levels of protection to your Personal Data as you enjoy here, so Data Protection

Law generally restricts the transfer of personal data outside the UK (and EU/EEA) unless the

destination country’s own laws protect personal data to standards approved under UK/EU law

or there are other appropriate safeguards in place to protect such data.

Your Personal Data will usually only be processed by us in the UK. If, in exceptional

circumstances, we do send your Personal Data outside the UK or EEA, this will only be done

with your consent or if there’s an applicable legal exemption. Otherwise, we will take

appropriate measures to ensure that any personal data we send overseas is duly protected in

accordance with Data Protection Law.

Queries and review of this privacy policy

We may change this privacy policy from time to time so please check this page occasionally

to ensure that you’re happy with it.

If you have any questions concerning this privacy policy, our website or our research, or you

wish to make a further request relating to how we use your Personal Data as described above,

please contact: David[at]gurukula.co.uk

Gurukula keeps this privacy policy under regular review. This privacy policy was last updated

in February 2025.

[1]https://www.the-sra.org.uk/SRA/Ethics/Research-Ethics-Guidance

[2]https://www.mrs.org.uk/standards/code-of-conduct

[3]https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-

legislation/uk-policy-framework-health-social-care-research/

[4]https://ico.org.uk/for-the-public/online/cookies