Enviroverse – Privacy and Data Protection Policy

Last Updated: May 27, 2025

1. Introduction

1.1 About This Policy

This Privacy and Data Protection Policy explains how Enviroverse (“we”, “our”, “us”) collects, uses, shares, and protects your personal information in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Enviroverse is a global network and grassroots organization connecting people who care about sustainability, equity, and community. We believe in the power of local action and international collaboration to shape a better world.

1.2 Our Commitment to Your Privacy

We are committed to protecting your personal data and respecting your privacy rights. This policy is designed to provide transparency about our data practices and to inform you about your rights and how the law protects you.

1.3 Policy Updates

We review this policy regularly and may update it from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the updated policy on our website with a new “Last Updated” date. We encourage you to review this policy periodically.

2. Data Controller Information

2.1 Who We Are

Enviroverse is the data controller responsible for your personal data. As a global network focused on sustainability, we process personal data to facilitate our programs, including Operation Wildflower, Action Network, Global Forums, and Open Resources.

2.2 Contact Details

If you have any questions about this policy or our data practices, please contact us at:

Email: charlie@enviroverse.org.uk

2.3 Data Protection Officer

While Enviroverse is not legally required to appoint a Data Protection Officer under Article 37 of the GDPR (as we are not a public authority, our core activities do not consist of regular and systematic monitoring of individuals on a large scale, and we do not process special categories of data on a large scale).

3. Personal Data We Collect

3.1 Types of Personal Data

Depending on your interaction with us, we may collect, use, store, and transfer different kinds of personal data, including:

Contact Information: Name, email address, phone number
Demographic Data: Location, organisation or community name
Accessibility Requirements: Shared voluntarily via programme forms
Application or Participation Data: Programme sign-ups, forum registrations, opportunity applications
Technical Information: IP address, device, browser (via cookies/analytics)
Purchase Information: For digital handbook sales: billing email, transaction ID (via Stripe/Gumroad)

3.2 Special Categories of Personal Data

We do not intentionally collect any Special Categories of Personal Data (such as details about your race, ethnicity, religious beliefs, sexual orientation, political opinions, health information, or biometric data) unless: – You have given us your explicit consent – The processing is necessary for reasons of substantial public interest – You have made the information manifestly public

3.3 Children’s Data

Our services are not intended for children under 16 years of age without parental consent. If you are under 16, please do not provide any personal data without the consent of your parent or guardian.

If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as soon as possible.

3.4 Data Collection Methods

We collect personal data through various methods, including:

Direct interactions: When you fill in forms, correspond with us, participate in our programs, or otherwise provide us with your information
Automated technologies: As you interact with our website, we may automatically collect Technical Data using cookies and similar technologies
Third parties: We may receive personal data about you from various third parties, such as analytics providers or social media platforms, where you have given them permission to share your data

4. How We Use Your Personal Data

4.1 Lawful Bases for Processing

We will only use your personal data when the law allows us to. Most commonly, we will process your personal data on the following lawful bases:

Consent: Where you have given us clear consent to process your personal data for a specific purpose
Contract: Where processing is necessary for the performance of a contract with you
Legitimate Interests: Where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
Legal Obligation: Where processing is necessary for compliance with a legal obligation
Public Interest: Where processing is necessary for the performance of a task carried out in the public interest

4.2 Purposes of Processing

We use your personal data for the following purposes:

To register you as a participant in our programs
To manage our relationship with you
To enable you to participate in our global forums and networks
To deliver relevant content and communications to you
To improve our website, programs, and services
To administer and protect our organization and website
To use data analytics to improve our website and user experience
To comply with legal obligations

4.3 Marketing Communications

We may use your personal data to send you information about our programs, events, and resources that may be of interest to you. You can opt out of these communications at any time by:

Clicking the “unsubscribe” link in any marketing email
Contacting us directly at privacy@enviroverse.org.uk

4.4 Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

5.1 Third-Party Service Providers

We may share your personal data with third-party service providers who perform services on our behalf, such as:

IT and system administration providers
Email and communication platforms
Analytics providers
Payment processors (if applicable)

All our third-party service providers are required to respect the security of your personal data and to treat it in accordance with the law.

5.2 International Transfers

As a global organization, we may transfer your personal data to countries outside the European Economic Area (EEA). Whenever we transfer your personal data internationally, we ensure a similar degree of protection by implementing at least one of the following safeguards:

Transferring to countries that have been deemed to provide an adequate level of protection by the European Commission
Using specific contracts approved by the European Commission (Standard Contractual Clauses)
Implementing appropriate supplementary measures where necessary

5.3 WordPress.com Data Processing

Our website is built on WordPress.com, which processes certain personal data on our behalf. WordPress.com (operated by Automattic Inc.) has implemented measures to comply with GDPR, including offering a Data Processing Agreement. For more information about how WordPress.com processes data, please visit their privacy policy at: https://automattic.com/privacy/

6. Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. These measures include:

Encryption of sensitive data
Regular security assessments
Access limitations to personal data
Staff training on data protection
Secure backup procedures

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

7.1 Specific Retention Periods

We maintain the following retention periods for different types of data:

Data Type	Retention Period
Operation Wildflower Sign-Up	3 years from last interaction
Accessibility Needs (OW)	Deleted at the end of the programme
Global Forum Sign-Up	2 years after last attended forum or until opt-out
Global Forum Summaries & Speaker Info	Indefinitely (unless requested otherwise)
Recruitment Listings / Opportunities	2 weeks after application deadline unless renewed
Recruiter Contact Info	1 year (or 3 years if opted in for updates)
Digital Handbook Purchase Data	6 years for legal and tax purposes
Follow-Up Communications (Handbook)	3 years unless opted out
General Mailing List Subscribers	Until you unsubscribe
General Enquiries	1 year from last contact
Cookie / Analytics Data	26 months (Google Analytics default)

We review and delete or anonymise data that is no longer needed.

7.2 Determining Appropriate Retention

To determine the appropriate retention period for personal data, we consider: – The amount, nature, and sensitivity of the personal data – The potential risk of harm from unauthorized use or disclosure – The purposes for which we process the data – Whether we can achieve those purposes through other means – The applicable legal requirements

In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8. Your Legal Rights

Under the GDPR, you have the following rights in relation to your personal data:

Right to Access: The right to request copies of your personal data
Right to Rectification: The right to request that we correct any inaccurate or incomplete personal data
Right to Erasure: The right to request that we delete your personal data in certain circumstances
Right to Restrict Processing: The right to request that we restrict the processing of your personal data in certain circumstances
Right to Data Portability: The right to request that we transfer your personal data to you or a third party
Right to Object: The right to object to processing of your personal data in certain circumstances
Rights Related to Automated Decision-Making: The right not to be subject to a decision based solely on automated processing

8.2 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@enviroverse.org.uk. We will respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have made a number of requests, in which case we will notify you.

8.3 No Fee Usually Required

You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

8.4 Complaints

If you are not satisfied with our response to your request or believe our processing of your personal data does not comply with data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

9. Data Breach Procedures

9.1 Breach Detection and Response

We have implemented procedures to detect, report, and investigate personal data breaches. In the event of a breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
Notify affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms
Document all breaches, including the facts, effects, and remedial actions taken

9.2 Breach Notification Content

Our breach notifications will include: – The nature of the personal data breach – The name and contact details of our Data Protection Lead – The likely consequences of the breach – The measures taken or proposed to address the breach and mitigate possible adverse effects

10. Cookies and Tracking Technologies

10.1 What Are Cookies

Cookies are small text files that are placed on your device when you visit our website. They allow us to recognize your device and store information about your preferences or past actions.

10.2 How We Use Cookies

We use cookies for the following purposes: – To enable certain functions of the website – To provide analytics – To store your preferences – To enable appropriate marketing and advertising (where applicable)

10.3 Types of Cookies We Use

Necessary Cookies: Essential for the website to function properly
Preference Cookies: Enable the website to remember your preferences
Statistics Cookies: Help us understand how visitors interact with our website
Marketing Cookies: Used to track visitors across websites to enable targeted advertising

10.4 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can usually find these settings in the “options” or “preferences” menu of your browser. You can also delete cookies already stored on your computer.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.

11. Links to Other Websites

Our website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

12. Contact Us

If you have any questions about this Privacy and Data Protection Policy or our data practices, please contact us: