Privacy Policy

Updated November 2025

---

Purpose of this Privacy Policy

This Privacy Policy explains how Highlands Innovation CIC (“we”, “us”, “our”) collects, uses, stores and protects personal data when you use this Website or otherwise interact with us. We are the data controller for the purposes of UK data protection law (including the UK GDPR and the Data Protection Act 2018).

Personal data we collect

We may collect and process the following categories of personal data:

• Identity and contact details – such as your name, organisation, role, postal address, telephone number and other contact details you choose to provide.
• Communication data – information contained in or relating to enquiries, feedback, forms or other communications you send to us.
• Usage data – information about how you access and use the Website, including pages viewed, links clicked, approximate location, browser type and device information. This may be collected through analytics tools and cookies.
• Technical data – IP address, browser settings, operating system and other technical identifiers necessary for the secure operation of the Website.
• Project and partnership data – limited information relating to individuals who take part in or support our projects, events or partnerships, where this is necessary for planning, delivery, monitoring or reporting.

How we collect personal data

We collect personal data in several ways, including when you:

• browse or use the Website;
• submit an enquiry or request through our online forms;
• sign up to hear more about our work, projects or opportunities;
• take part in consultations, events, surveys or project activities;
• enter into a partnership, grant, service or supplier relationship with us;
• engage with us via social media or other online channels.

Lawful bases for processing

We process personal data only where we have a lawful basis under UK data protection law. Depending on the context, this may include:

• Legitimate interests – where processing is necessary to operate, improve and protect the Website, run our organisation, develop our projects and communicate with users, partners and stakeholders, provided these interests are not overridden by your rights and freedoms.
• Consent – where we rely on your clear consent, for example for certain types of communications or optional cookies. You can withdraw your consent at any time.
• Contract – where processing is necessary to enter into or perform a contract with you or your organisation.
• Legal obligation – where we must process data to comply with a legal or regulatory requirement.
• Vital or public interest – in rare cases where processing is necessary to protect vital interests or support our community purpose in line with applicable law.

How we use personal data

We use personal data for the following purposes:

• to operate, maintain and improve the Website and its security;
• to respond to enquiries, requests and feedback;
• to plan, deliver and evaluate our projects, programmes and services;
• to manage relationships with partners, funders, suppliers and participants;
• to send information about our work, opportunities or events where permitted by law and your preferences;
• to generate anonymised statistics and reports that help us understand how our Website and projects are used;
• to comply with legal, regulatory, reporting and governance requirements;
• to protect our rights, property, systems and the safety of users and the wider community.

Analytics and cookies

We use cookies and similar technologies to help the Website function correctly, to remember your preferences and to understand how visitors use the site.

Some cookies are strictly necessary for security and basic functionality and are set automatically. Other, non-essential cookies (such as analytics) are used only with your consent where required. For full details of the types of cookies we use, how long they last and how you can manage your preferences, please refer to our Cookies Policy.

Sharing personal data

We do not sell personal data. We may share personal data with carefully selected third parties in the following circumstances:

• Service providers – trusted organisations that support our operations (for example, web hosting, IT support, cloud services, analytics or professional advisers). These providers are required to keep data secure and use it only on our instructions.
• Project partners and funders – where this is necessary to plan or deliver joint initiatives, meet funding conditions or evidence social impact, and where appropriate safeguards are in place.
• Legal and regulatory bodies – where we are required to do so by law, regulation, court order or to protect our rights or the rights, property or safety of others.
• Successor organisations – in the unlikely event of a reorganisation or transfer of activities, where personal data is relevant to the continuity of our community purpose and is protected by appropriate safeguards.

International transfers

Our primary systems are located in the UK or the European Economic Area (EEA). Where personal data is transferred outside the UK or EEA, we will ensure that appropriate safeguards are in place, such as adequacy regulations, standard contractual clauses or equivalent measures required by UK data protection law.

Data retention

We keep personal data only for as long as is reasonably necessary for the purposes described in this Privacy Policy, including to meet legal, accounting, reporting or funder requirements.

Retention periods may vary depending on the type of data and context. When data is no longer required, we will securely delete, anonymise or archive it in line with our data retention practices.

Data security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction or damage. These measures may include access controls, encryption, secure hosting and regular review of our systems and practices.

However, no method of transmission or storage is completely secure. We cannot guarantee the absolute security of information transmitted to or from the Website and you do so at your own risk.

Your data protection rights

Under UK data protection law, you have a number of rights in relation to your personal data. Subject to certain conditions and exemptions, these may include the right to:

• request access to the personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request erasure of your data in certain circumstances (“right to be forgotten”);
• request restriction of processing in certain circumstances;
• object to processing that is based on our legitimate interests;
• object to direct marketing at any time;
• request the transfer of your data to another organisation where technically feasible;
• withdraw consent where we rely on consent as the lawful basis.

To exercise any of these rights, please contact us using the details provided on our Contact page. We may need to verify your identity before responding to your request.

Children and vulnerable individuals

Our Website is primarily aimed at adults and organisational stakeholders. Where we work directly with children, young people or vulnerable individuals through specific projects, additional safeguards, notices and consent processes may apply. We do not knowingly collect personal data from children via the Website without appropriate consent and supervision.

Links to other websites

The Website may contain links to third-party websites. This Privacy Policy applies only to this Website and to our own processing of personal data. We are not responsible for the privacy practices or content of other sites. We recommend that you read the privacy notices of any external websites you visit.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, guidance, best practice or our operations. The “Updated” date at the top of this page shows when it was last revised. We encourage you to review this page periodically to stay informed about how we handle personal data.

Concerns and complaints

If you have any questions or concerns about how we use personal data, or if you wish to raise a complaint, please contact us via our Contact page and we will do our best to resolve the issue.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO), which is the supervisory authority for data protection in the UK. Further information about your rights and how to contact the ICO is available on its official website.