Privacy Policy

Your privacy and data protection are fundamental to how we operate.

Last Updated: November 11, 2025

Effective Date: November 11, 2025

1. Introduction

The ETHOS Institute ("we," "our," or "us"), a registered charity in England and Wales, is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with us in any other way.

As a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are responsible for ensuring that your personal data is processed lawfully, fairly, and transparently. Our legal basis for processing personal data is primarily to fulfil our charitable objectives of advancing education and research in the field of AI governance for the public benefit. This includes processing based on your consent, our legitimate interests, the performance of a contract, or a legal obligation.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide to us, including:

  • Assessment Tool Responses: Organization name, type, sector, and optional contact details (e.g., email address) to provide you with assessment results
  • Contact Form Submissions: Your name, email address, and the content of your message when you contact us for inquiries
  • Newsletter Subscriptions: Your email address when you subscribe to our newsletters and updates
  • Training & Certification Programs: Your name, contact details, professional information, and payment information when you register for our courses or certification programs
  • Donations: Your name, contact details, and payment information when you make a donation to support our charitable work

2.2 Information Collected Automatically

When you visit our website, we automatically collect certain technical information:

  • Log and Usage Data: IP address, browser type, operating system, pages visited, time spent on site, and referring website addresses
  • Cookies and Similar Technologies: We use cookies to enhance your user experience, analyze site traffic, and for other purposes as described in our Cookie Policy

2.3 Information from Third Parties

We may receive information about you from third-party sources, such as:

  • Analytics Providers: We use services like Google Analytics to understand how our website is used. This information is aggregated and does not personally identify you
  • Social Media Platforms: If you interact with us on social media, we may receive information from your profile
  • Payment Processors: When you make a donation or purchase a service, our payment processors (e.g., Stripe, PayPal) may provide us with transaction details

3. How We Use Your Information

We process your personal data for the following purposes, in accordance with UK GDPR Article 6:

  • Service Delivery: To provide our assessment tools, training programs, certification, and other resources (Legal basis: Performance of a contract or legitimate interest)
  • Communication: To respond to your inquiries, send you information you have requested, and provide updates about our work (Legal basis: Consent or legitimate interest)
  • Marketing & Fundraising: To send you newsletters, event invitations, and fundraising appeals, where you have provided your consent (Legal basis: Consent)
  • Website Improvement: To analyze website usage and improve our content, services, and user experience (Legal basis: Legitimate interest)
  • Legal Compliance: To comply with our legal and regulatory obligations as a registered charity (Legal basis: Legal obligation)
  • Security: To protect our website and services from fraud, and to maintain the security of our systems (Legal basis: Legitimate interest)

4. How We Share Your Information

We do not sell, rent, or trade your personal data. We may share your information only in the following limited circumstances:

  • Service Providers: Third-party vendors who provide services on our behalf, such as website hosting, payment processing, email delivery, and analytics. These providers are contractually obligated to protect your data and use it only for the purposes for which it was disclosed
  • University Partners: For accredited training programs, we may share necessary information with our university partners for registration and certification purposes
  • Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency)
  • With Your Consent: We may share your information with any other third party with your explicit consent

International Transfers:

Some of our service providers may be located outside the UK or European Economic Area (EEA). When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the UK Information Commissioner's Office
  • Transfers to countries with adequacy decisions (e.g., EEA countries)
  • Appropriate technical and organisational security measures

5. Your Data Protection Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to certain types of processing

To exercise these rights, please contact:

Email: info@ethos.institute

We will respond to your request within one month. In some cases, we may need to verify your identity before processing your request.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations. Our retention periods are:

  • Assessment Data: Anonymized and aggregated for research purposes indefinitely. Personal data (if provided) will be deleted after 24 months
  • Contact Form Submissions: Retained for 24 months after the last communication
  • Newsletter Subscriptions: Retained until you unsubscribe, after which your data will be suppressed to prevent further marketing
  • Training & Certification Records: Retained indefinitely to maintain a record of your qualifications
  • Donation Records: Retained for 7 years to comply with financial and charity regulations

After the retention period expires, we securely delete or anonymise your personal data. You can request earlier deletion by contacting us at info@ethos.institute.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. While no system is completely secure, we take our security responsibilities seriously.

Our security measures include:

  • Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest
  • Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis
  • Regular Assessments: We conduct regular security risk assessments and vulnerability scanning
  • Staff Training: All staff and volunteers receive regular training on data protection and information security
  • Incident Response: We have a documented incident response plan to manage any data breaches effectively

8. Contact Us & Complaints

Get in Touch

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal data:

Right to Complain: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data in accordance with UK GDPR and the Data Protection Act 2018.

Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or organisational structure. Any changes will be posted on this page with an updated "Last Updated" date at the top.

For material changes that significantly affect your rights or how we use your data, we will:

  • Display a prominent notice on our website homepage for at least 30 days
  • Send an email notification to subscribers (if we have your email address)
  • Provide a reasonable period for you to review changes before they take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information. Your continued use of our website after changes are posted constitutes your acceptance of the updated policy.