Skip to content

Privacy Policy

1) Overview

This Privacy Policy explains how Caribou Digital (UK) Limited and its subsidiaries and affiliates (together, “Caribou”, “we”, “us”, or “our”) collect, use, store, and share information about you, including personal data, when you use our websites, platforms, products, and services, attend our events, or otherwise interact with us.

Caribou Digital (UK) Limited is a company registered in England and Wales under company number 09241564, with its registered office at Wey Court West, Union Road, Farnham, Surrey, England, GU9 7PT. We are committed to protecting your privacy and complying with data protection laws. 

This policy complies with the UK General Data Protection Regulation (“UK GDPR”), the UK Data Protection Act 2018 (DPA 2018), and—where applicable—the General Data Protection Regulation (EU 2016/679) (“GDPR”). We also comply with the Privacy and Electronic Communications Regulations 2003 (“PECR”) for cookies and similar technologies used on our websites.

Caribou is registered as:

  • a data controller with the UK Information Commissioner’s Office (ICO), registration number ZB053921, and
  • a data processor with the Kenya Office of the Data Protection Commissioner, registration number 325-018A-98DD.

Depending on the activity, Caribou may act either as a data controller or a data processor:

  • As a data controller, we determine how and why personal data is processed (for example, in research we initiate, in our marketing and communications, or when hosting our own events).
  • As a data processor, we act on the documented instructions of a client or programme sponsor (for example, where we administer a grant programme or fund on their behalf). In these cases, the client’s or sponsor’s own privacy notice may also apply, and you should read it alongside this Privacy Policy.

Caribou is not legally required to appoint a Data Protection Officer under the UK GDPR or GDPR. Instead, we have established a Data Committee to oversee our compliance with data protection laws and best practice. You can contact the committee at data-committee@caribou.global with any data protection queries.

For details on how we safeguard personal data when it is transferred outside the UK/EEA, please see “International transfers” in Section 5.

2) What information we collect and how we collect it

We may collect different types of personal data (information that identifies or could identify you), including:

  • Identity and contact details: your name, email address, postal address, landline or mobile number.
  • Professional details: job title, organisation, qualifications, CV details (e.g., when you apply for funding, a role with us, or participate in research).
  • Images and recordings: photographs, audio or video recordings of you at our events, or where you participate in interviews, case studies or research outputs.
  • Special category data: in very limited cases, we may collect information relating to characteristics such as race, ethnicity, health or sexual orientation. We will only do so where strictly necessary, with your explicit consent, and for a clearly stated purpose.

We collect this information when you:

  • apply for a grant or other funding award through a programme we manage on behalf of a client,
  • participate in a research study (e.g., interviews, focus groups, surveys),
  • attend, register for, or engage with our events, webinars, newsletters, websites or social media channels,
  • correspond with us directly (e.g., by email, WhatsApp or other digital communications).

a) Grant and funding programmes

If you apply for a grant or other funding award:

  • We will process the information in your application and, where necessary, information about key stakeholders listed (e.g., board members, shareholders, senior management and key project staff).
  • We may obtain this information from:
    • you directly,
    • public sources such as corporate registries,
    • third-party due diligence providers (e.g., for sanctions, politically exposed person (PEP), or adverse media checks).
  • This information is used only for due diligence, eligibility and programme administration.
  • We may also request information about your business (e.g., company policies, shareholder structure, financial records, project proposals). Some of this may be confidential or commercially sensitive but not personal data. Even where GDPR/UK GDPR does not apply, we will protect this information under our confidentiality and contractual obligations.

b) Research and learning activities

We conduct and commission research in three main ways:

  1. Anonymised partner data: we may work with anonymised datasets gathered and stored by research partners. These datasets do not allow us to identify individuals.
  2. Direct participant data: we may collect information directly from you in surveys, focus groups, or interviews. Where Personally Identifiable Information (PII) such as your name or contact details is collected, we will store it separately from your study responses. PII will be deleted after a defined retention period (normally 12 months), with only anonymised data retained for research and audit purposes.
  3. Identifiable expert contributions: in some cases (e.g., expert interviews, entrepreneurs, case studies), anonymity is not offered or assumed. If we attribute information, perspectives, or quotes to you, we will seek your informed consent before collecting and publishing this data. Where photographs, video or audio recordings are also involved, we will request a separate Media Consent Form to cover usage rights for your image or likeness.

c) Websites and digital communications

  • Cookies and tracking: on our websites, we use cookies and collect IP addresses to understand website usage and improve user experience. This information may be shared with a third party, such as a digital media agency or analytics partner. For details (including how to manage consent), please see our Cookie Policy.
  • Newsletters: when you sign up, we collect your name and email address via our website form. This service is provided by Mailchimp, and by subscribing you agree that your data will be transferred to Mailchimp for processing in accordance with Mailchimp’s privacy practices.
  • Correspondence: when you contact us by email or other channels, we will retain records of your communications (including your email address and content of your messages) as needed to respond to you and manage our relationship.

3) How we use your information and why we can use it

We process your personal data for the following purposes. In each case, we rely on one or more lawful bases under the UK Data Protection Act 2018 (UK GDPR) and the General Data Protection Regulation (GDPR).

a) Grant and funding programmes

  • Application and assessment: to review your application, complete eligibility and due diligence checks, enter into grant-making contracts, and administer and support the programme.
    • Lawful basis: performance of a contract (or steps taken before entering into a contract).
  • Monitoring, reporting and evaluation: to analyse outcomes, produce statistics, and incorporate anonymised data into our research databases. We may share anonymised/aggregated data with programme sponsors or independent evaluators.
    • Lawful basis: legitimate interests (assessing programme effectiveness and accountability) and, where applicable, contractual obligations with programme sponsors.
  • Audit and assurance: to meet audit requirements of funders and regulators.
    • Lawful basis: legal obligation and contractual obligation.
  • Compliance checks: to detect and prevent fraud, money laundering, terrorist financing, and to comply with sanctions regimes.
    • Lawful basis: legal obligation.

b) Research and learning partnerships

  • Analysis of research responses: to generate insights into digital economies, livelihoods, and related issues.
    • Lawful basis: legitimate interests (conducting research in line with our mission) or consent where sensitive data is involved.
  • Use of personal data linked to research responses: in the rare cases where we collect your name or contact details alongside responses, we use this information only to confirm consent, provide incentives or rewards, and for essential administration.
    • Lawful basis: consent and legitimate interests.
  • Identifiable expert contributions: where we attribute quotes, perspectives, or stories to you in research outputs or case studies, we do so only with your informed consent (separate from any media consent covering image/likeness).
    • Lawful basis: consent.

c) Events, websites and digital communications

  • Event participation: to facilitate events (in-person, virtual, or hybrid), manage registrations, and communicate with you about event logistics.
    • Lawful basis: performance of a contract and legitimate interests (efficient event delivery).
  • Marketing communications: to send newsletters, promotional materials, event invitations, or updates you have opted in to receive. You may unsubscribe at any time.
    • Lawful basis: consent.
  • We use cookies and similar technologies to improve our websites and understand how they are used. For example, we use Google Analytics to collect information about visitor behaviour (such as IP address, browser type and pages visited) in order to improve user experience. For more information, please see our Cookie Policy.
    • Lawful basis: consent (for non-essential cookies).

d) General organisational purposes

  • Day-to-day business management: to administer our relationships with clients, suppliers, consultants, and partners.
    • Lawful basis: performance of a contract and legitimate interests.
  • Legal and regulatory compliance: to comply with tax, employment, anti-money laundering, and other statutory obligations.
    • Lawful basis: legal obligation.

We do not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects.

4) How we store your information and for how long

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including meeting contractual, legal, audit, and programme requirements. We then securely delete or anonymise the data.

a) Grant and funding programmes

We use third-party platforms such as Submittable to manage applications, communications, and grant administration. These platforms provide secure storage and restricted access for authorised Caribou staff. We may also download applicant data to our encrypted Google Workspace environment, where access is compartmentalised and role-based.

  • Retention periods:
    • Successful applicants: normally for the programme duration plus up to 7 years (for audit, compliance and reporting).
    • Unsuccessful applicants: normally up to 2 years after decision, unless funder requirements specify otherwise.
  • Programme-specific retention rules will be communicated at the point of application.

b) Research data practices

We treat research data according to its type and associated risk:

  1. Anonymised behavioural data (Caribou Data programme)
    • We collect anonymised mobile and behavioural data with participants’ informed consent.
    • Personally Identifiable Information (PII), such as names and contact details, is stored separately and deleted within 12 months.
    • Only anonymised datasets are retained for research purposes.
  2. Anonymised data from research partners
    • We may receive qualitative or quantitative datasets already anonymised.
    • We do not hold any PII and cannot re-identify individuals.
  3. Directly collected participant data
    • For surveys, interviews and focus groups, PII is stored separately from study responses and deleted within 12 months.
    • Anonymised responses are retained securely for research, reporting, and auditability in Google Workspace.
  4. Identifiable expert and first-person contributions
    • Where individuals (e.g. entrepreneurs, experts) contribute identifiable interviews, quotes, or media, anonymity is not guaranteed.
    • We process and retain such data only with the participant’s informed consent.
    • Consent records are stored alongside the material for accountability.

All research data is stored in our secure Google Workspace cloud environment with access controls. We may also use approved third-party services (e.g. transcription, translation) bound by data processing agreements.

c) Newsletters and communications

  • Newsletters: subscriber data (name, email) is stored in Mailchimp, our newsletter management platform. Data is retained until you unsubscribe, and may be kept for up to 12 months thereafter for suppression (to ensure we respect opt-outs).
  • Correspondence: communications sent to us via email, WhatsApp, or other platforms are retained as long as necessary to respond and manage our relationship.

d) Websites and digital platforms

  • Google Analytics: we use Google Analytics to analyse site traffic and improve our content. Cookies are set in line with our Cookie Policy. Data may be processed on Google servers outside the UK/EEA (including in the United States). We apply IP anonymisation where supported and limit retention in accordance with our Cookie Policy.
  • Online platforms: credentials for password-protected platforms (e.g. WordPress, Metabase, Auth0) are stored and managed within those services under secure conditions.

5) Who we share your information with

We do not sell or rent your personal data. We only share it where necessary and lawful, and only for the purposes set out in this Privacy Policy.

a) Programme sponsors, funders, and research partners

  • For grant and funding programmes, we may share relevant personal data with the programme sponsor or funder in line with our contractual obligations. Sponsors may also appoint independent auditors or evaluators, who may receive access to anonymised or limited personal data for assurance purposes. Programme-specific details of recipients will be provided at the point of application.
  • For research projects, we may share anonymised datasets and outputs with research collaborators or funders. Identifiable research data is shared only where necessary and lawful, and typically only with your informed consent.

b) Service providers (processors)

We use trusted third parties to provide services such as application portals (e.g. Submittable), cloud storage (Google Workspace), transcription/translation services, newsletter management (Mailchimp), analytics (Google Analytics), and secure login/identity management (WordPress, Metabase, Auth0). These service providers only process personal data on our instructions, under contract, and are required to implement appropriate security measures.

c) Professional advisers and authorities

We may share your information with our professional advisers (e.g. auditors, lawyers, compliance consultants) or with regulators, courts, law enforcement, tax authorities, or other public bodies where required to comply with legal obligations (including fraud prevention, anti-money laundering, sanctions compliance, audit, and reporting).

d) Other disclosures

We may disclose your personal data where necessary to protect the rights, property, or safety of Caribou, our employees, clients, or others.

e) International transfers

Some recipients (including Google, Mailchimp, Submittable) may process personal data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), or reliance on adequacy regulations.

6) Your rights

You have rights under UK GDPR/GDPR. These include:

  • Right to be informed – to know how your personal data is collected, used, shared, and stored (which this Privacy Policy explains).
  • Right of access – to request a copy of the personal data we hold about you.
  • Right to rectification – to ask us to correct or complete inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) – to request that we delete your data in certain circumstances, such as where it is no longer needed for the purposes for which it was collected, or you withdraw consent.
  • Right to restriction of processing – to ask us to limit how we use your data in certain circumstances.
  • Right to data portability – to request that we transfer your data to another organisation or to you, where processing is based on consent or contract and is carried out by automated means.
  • Right to object – to object to processing of your data where we rely on legitimate interests or for direct marketing.
  • Rights related to automated decision-making and profiling – to not be subject to decisions made solely by automated means without human involvement, where those decisions have legal or significant effects on you.

Your rights to withdraw consent and object to processing

Where we rely on your consent, you may withdraw it at any time by contacting data-committee@caribou.global. Withdrawing consent will not affect the lawfulness of processing carried out before your withdrawal.

Where we rely on legitimate interests, you have the right to object. We will balance your rights and freedoms against our interests and will stop processing unless we can demonstrate compelling legitimate grounds.

We may require proof of identity before fulfilling any rights request. We will respond without undue delay and within one month, unless an extension is permitted by law.

To exercise your rights, contact data-committee@caribou.global with “Data rights request” in the subject line and tell us which right you wish to exercise.

7) Children’s data

We do not knowingly collect personal data from children under the age of 18. Where our research or programmes involve young people, we only collect and process their data with the informed consent of a parent or legal guardian, and only where it is necessary to advance the child’s rights and interests.

8) Photography and video recordings

We may take photographs and video recordings at Caribou events, workshops, or convenings. Where individuals are identifiable, these may constitute personal data.

We use such photographs and recordings for:

  • documenting and reporting on events,
  • sharing highlights with participants,
  • promoting future Caribou events and activities through our website, reports, or social media.

We will make it clear when photography or filming is taking place, and you may always let us know if you do not wish to appear in photos or videos. At events, we display signage to indicate photography/filming and how to opt out.

For specific projects (e.g. case studies, interviews, or first-person storytelling), we will seek your informed consent before using your quotes, perspectives, or identifiable information, and a separate Media Consent Form for the use of your image, voice, or likeness. 

9) Cookies and online tracking

We use cookies and similar technologies to improve our websites, understand visitor behaviour, and support our communications. For example, we use Google Analytics to collect information such as IP addresses, browser type, and site usage. This helps us improve our content and user experience.

Non-essential cookies (such as analytics) are used only with your consent. For more detail on the types of cookies we use and how you can manage your preferences, please see our separate Cookie Policy.

10) Data security

We implement technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, or destruction. These include:

  • encrypted cloud storage (Google Workspace, Submittable, Mailchimp),
  • role-based access controls and multi-factor authentication,
  • regular audits and monitoring,
  • training for staff and contractors on data protection and information security.

Despite these measures, no system can be guaranteed 100% secure. We will act quickly to investigate and mitigate any suspected security incident.

11) Data breach response

If a personal data breach occurs, we will:

  • investigate and contain the incident,
  • notify the Information Commissioner’s Office (ICO) within 72 hours where required,
  • inform affected individuals promptly where there is a high risk to their rights and freedoms.

12) Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our practices. When we do, we will post the updated version on our website with the “last updated” date. If the changes are significant, we will notify you directly (for example, by email if you are subscribed to our communications).

13) How to contact us or make a complaint

Questions, comments, or requests concerning this Privacy Policy or your data rights are welcome and should be addressed to:

Caribou Digital (UK) Limited
Wey Court West, Union Road, Farnham, Surrey, England, GU9 7PT
Email: data-committee@caribou.global 

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
www.ico.org.uk