Privacy Policy & GDPR Compliance Statement
This privacy policy sets out how THRIVE FOR SEND CIC uses and protects any information that you give to THRIVE FOR SEND CIC when you use or register with thrivecic.org.
THRIVE FOR SEND CIC is committed to ensuring that your privacy is protected.
Should we ask you to provide personal data by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
THRIVE FOR SEND CIC may change this policy from time-to-time by updating this page. If you opt in to receive emails from us, we will notify you of any changes or updates we make. If you do not opt in to receive emails, you should check this page occasionally to ensure that you are happy with any changes. This policy was last updated on 27.11.2018.
If you have any questions, please email us at: hello@thrivecic.org
About GDPR
As of 25 May 2018, all organisations that process personal data on citizens of the EU are required to comply with the EU General Data Protection Regulation (GDPR).
The GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way that organisations that operate within the region approach data privacy.
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. A broad range of personal identifiers constitute personal data, including: name, location data and IP address.
Our commitment to GDPR
THRIVE FOR SEND CIC has always been committed to data protection and the new regulations have provided us with a welcome opportunity to review our already robust data protection policies and procedures, and strengthen our commitment to data protection.
Everybody at THRIVE FOR SEND CIC, at the highest management level and throughout the organisation, understands the need for stringent data protection policies and procedures, and we all take responsibility for complying with the GDPR.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
We take a data protection by design and default approach, and put appropriate data protection measures in place throughout the entire lifecycle of our processing operations.
We are also committed to ensuring that all third party data processors that process personal data on our behalf fully comply with the GDPR. We do not enter into contracts with other data processors unless they can demonstrate the steps they have taken towards compliance.
Please note: as the personal data we process is not sensitive or likely to result in high risk to individuals’ interests, it has not been necessary for us to conduct any data protection impact assessments or appoint a data protection officer.
As an organisation, however, we are dedicated to continually reviewing and improving our data protection procedures and accountability measures. If you have any questions relating to data protection and/or our privacy policy, please send us an email at hello@thrivecic.org
What personal data do we collect?
In order for students to get the most out of thrivecic.org we capture a selection of personal data about each student when creating their user account. This allows us to target specific careers information to specific users via the platform, or via email if we have consent to distribute information to them in this way.
Please note: we only create user accounts for school students who are in the following year groups:
- Year 9
- Year 10
- Year 11
- Year 12
- Year 13
We also capture data on a student through their interaction with our careers platform.
Our lawful basis for collecting this data
Before we process any personal data, we obtain active, clear consent from the user. According to the GDPR, this should be explicit and requires a very clear and specific statement of consent.
When we ask users to opt in or opt out of our Privacy Policy, we provide them with all of the information they need on how and why we process this data.
This is hugely important, as we want to offer all individuals real choice and control when using our websites.
How do we obtain consent to process personal data?
We make sure we obtain active consent from all users before processing their data, explicitly asking them to confirm that they agree with our Privacy Policy and are thus happy for us to process their personal data.
We make it easy for users to control and update how we process their personal data.
These data processing consent requests are separate from our general Terms & Conditions and we always try to make sure these requests are communicated in a clear and concise way. They require users to provide a positive opt-in and we don’t use pre-ticked boxes or any other methods of default consent.
Please note: there are no third party controllers who rely on this consent. All of the information shared with us is solely controlled by Thrive For Send CIC. We do use third party data processors to help us process some personal data. A list of these can be found below.
We are committed to ensuring that all of the third party data processors that process personal data on our behalf fully comply with the GDPR. Indeed, we do not enter into contracts with other data processors unless they can demonstrate the steps they have taken towards compliance.
If a student or staff user is not happy for us to process their data and does not agree with our Privacy Policy, their data will be deleted from our database as soon as possible.
Please note: even if a user provides us with consent initially and chooses to receive email communications from us, they can remove consent at a later date and opt out of emails too.
Users can do this by logging into their account and changing their preferences. Alternatively, they can unsubscribe directly from one of the emails they are sent, or can just send us an email to make this request at: hello@thrivecic.org
We will act on these withdrawals of consent as soon as we can and will not penalise any individuals who wish to withdraw their consent.
Before users access the Thrive platform, as well as providing consent for us to process personal data, we require them to change their password.
They are also given the opportunity to opt in to receive information from THRIVE FOR SEND CIC via email before they start using the tool. It is just as easy for a user to opt out as it is to opt in.
Please note: email communications will never come directly from one of our clients. They will always come from thrivecic.org and we will never share individual user data directly with our client partners.
Occasionally, we may share aggregate data about a school with employers, but this will simply extend to identifying trends within a particular school. For example, 68% of the female pupils at their school in Years 12 and 13 are interested in engineering. 9% of those individuals are eligible for Free School Meals.
The data we share with client partners will never include any personal data about a user.
The core functionality of the service we provide to schools relies on us being able to process personal data. Therefore, we do require users to agree to our Privacy Policy in order to be able to use our careers platform.
For example, access to the platform is password protected. We need to store login details (email and password), otherwise users would need to re-register every time they use the platform, which would be inconvenient and affect user experience. Also, in order for advisers to run career preference reports on individual students or groups of students, they need to be able to identify them within their dashboard.
Moreover, in order for users to receive careers advice and school leaver job alert emails, we need to store their email address. Indeed, it is impossible for us to send you these emails without being able to process personal data.
Please note: we don’t just send generic emails to our registered users. That is why we request more data than just an email address. To make sure users are kept informed and are given the best chance of securing a job or a place on a course of their choice, we use the other data we process to target really useful, relevant information to users via email or through the thrivecic.org platform.
When using our website generally, even as an unregistered user, we may place cookies on a user’s browser to log their session and record user traffic via Google Analytics. Users can control which cookies we place on their browser via our cookie control module. This allows users to accept some cookies and reject others.
Age restrictions
You must be aged 13 or older to use or register with thrivecic.org.
Any personal information you choose to share on the site is at your own risk, but if you are concerned at all, and are aged between 13 and 17, we recommend that you seek advice from your parents or guardians before deciding to share your personal data with us.
Why do we collect this personal data and what do we do with it?
We process this personal data for a number of reasons:
- It allows us to target suitable careers information to users via the platform and customise their experience.
- It allows your school to analyse detailed data and identify career preference trends for your school. Indeed, it enables a careers adviser to connect the careers data to the demographic data.
- It allows advisers to filter student data and assign them to customisable groups more easily for reporting purposes.
- It means that we can help school leaver employers and apprenticeship training providers to target specific users and share their employment opportunities with the right young people via thrivecic.org email alerts, if the user provides us with consent to do this.
- We may also use the information to improve our products and services.
- We may also use the information to contact the users for market research purposes.
- We also use this information to allow our clients to target particular groups with their promotional messages, based on particular users’ general trends, i.e. this page, X, is the most popular page for sixth form students. Please note: our clients will never contact you directly, and we will not share your contact details with them. All of the messages you receive will come from us on behalf of other organisations.
We may also sell aggregate information from time-to-time about our users, i.e. not personal data specific to an individual user, but data about our user group as a whole.
Your personal data will only be shared with other people that you have opted to share it with, i.e. your teachers or parents.
Please note: we do not transfer your personal data to any third countries or international organisations, and we do not process personal data for the purposes of automated individual decision making or profiling.
Diversity and inclusion is very important to the employers we work with. They are committed to ensuring that their recruitment processes do not discriminate against particular groups and making sure that everybody is given equality of opportunity.
Some employers may even take part in initiatives to widen access to their profession, particularly for people from under-represented backgrounds in the interests of promoting social mobility. With that in mind, we process the following categories of student data to allow employers to reach particular groups of people with information about their opportunities:
- Eligibility for free school meals
- In LEA care
- Special educational needs
- Eligibility for Pupil premium funding
- Service children (i.e. are your parents in the armed forces?)
- Ever in care
- Ethnicity
- English as an additional language
- First language
- Gender
Similarly, some employers with specific entry requirements for certain programmes, e.g. students who are studying certain subjects, are high achieving individuals, are at a specific academic stage, are involved in certain extracurricular activities, may choose to target their information to particular groups of users. We process the following data for this purpose:
- Current National Curriculum year
- Admission date
- Leaving date
- Gifted and talented status
- Subjects name
- Preferred industries
- Preferred occupations
- Preferred career pathways
- Preferred apprenticeship standards
- Favourite school subjects
- Hobbies / extracurricular activities
We use the following information to improve our products and services and to customise the website according to your interests:
- Which pages you visit;
- The time of your visit;
- How long you spend on each page;
- How long you remain on the website;
- The method by which you were referred to our website, e.g. via Google or social media channel;
- Your general site browsing habits;
- The type of device you used to access the website;
- The type of web browser you used to access the website;
- The type of operating system you used to access the website;
- Your network location and IP address.
Where is this personal data stored?
All of the data you give us consent to use by opting into cookies on your browser is processed by Google Analytics or DoubleClick for Publishers (Google).
3rd party data processors we may use to help process your data.
Here is a list of the 3rd party data processors we may use to store or process your personal data:
- Google Analytics
- CapsuleCRM
- DoubleClick for Publishers (Google)
- Eventbrite
- Sprout Social
- Survey Monkey
- Mailchimp
- Wix
We are committed to ensuring that all of the above third party data processors that process personal data on our behalf are fully compliant with the GDPR.
We do not enter into contracts with other data processors unless they can demonstrate the steps they have taken towards compliance.
Security measures and procedures
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have analysed the risks presented by our processing and have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
thrivecic.org has an SSL Certificate installed. This means when you are browsing on our website a secure connection will be established, and the connection between your browser and our server will be secure. You can see that our SSL Certificate is working correctly because a padlock or green bar will show in the address bar in your browser, depending on which one you use.
This is a method of cryptography that encrypts the data that is sent from your browser to our server. This means that if a hacker were to intercept that message, they would only be able to see a cryptographic code that it is impossible for them to break. Only the intended recipient of this data (i.e. our secure server) will be able to understand and process it.
You can access and update your own personal data via the Account Settings page once you have logged in. You can only access this data by entering your password. This password is encrypted within our database.
We regularly review our information security policies and measures and improve them where necessary. We also conduct regular testing and reviews of our measures to ensure they remain effective. We also make sure that any data processors we use implement appropriate technical measures.
How long do we retain your data?
The GDPR states that personal data should be stored for no longer than is necessary for the purposes for which the personal data is processed.
If a student provides an email address, we will store their personal data for a maximum of five more years from the date on which they register, unless they request otherwise.
We feel that five years is a legitimate amount of time for those individuals to still be deemed an active job seeker in the early careers market. Indeed, even when a user has left school, they are highly likely to be actively considering job and course opportunities that are available to undergraduates, graduates, school leavers and current apprentices.
We prompt all registered users on an annual basis to update their data processing preferences, so if a user would like us to store and process their data for longer than this five years, it is advisable for them to update their consent preferences when prompted.
Please note: both ‘Students’ and ‘Advisers’ can opt out, and withdraw their consent for the processing of their personal data, at any time.
Data breach policy and procedure
Since we started our company, we have never suffered any data breaches or attacks on our system. This is because we are fully committed to securing your personal data. We make sure that we constantly review and update our security practices where necessary.
In the event that our database is subject to a data breach, however, we have a data breach policy and procedure in place to help mitigate the impact this may have on your personal security.
We have prepared a response plan for addressing any personal data breaches and have put a data breach procedure in place. All members of our staff are educated about this procedure and are given access to the guidance and resources required to notify our Head of Operations if they suspect that a data breach has occurred.
If it is ascertained that a data breach has, in fact, taken place, we have outlined a process to assess the likely risk to individuals as a result of the breach.
We will then notify the ICO of a breach within 72 hours and the individuals affected without undue delay. We will also provide any affected individuals with advice on how to protect themselves from its effects.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites, and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Your rights as a data subject & controlling your personal data
Once you have registered as a member of thrivecic.org, you are entitled to:
- Access the data we hold on you;
- Rectify the data we hold on you if you believe it to be incorrect;
- Request that the data we hold on you be erased;
- Request that we restrict the processing of the data we hold on you;
- Obtain and reuse the data we hold on you for different services;
- Object to the use of your data for direct marketing.
To exercise your rights and request any of the above, please email hello@thrivecic.org, or write to us at THRIVE FOR SEND CIC, Suite 5a, 30 Dean Street, Bangor, Gwynedd, United Kingdom, LL57 1YA
We will not charge you to request any of the above, unless the request is deemed to be excessive. In the unlikely event of this happening, we may charge you a small fee to cover the costs of this excessive request.
If you have any concerns about this Privacy Policy or how we handle your personal data, you have the right to lodge a complaint with the GDPR’s supervisory authority in the UK.