Grace Foundation Privacy Notice

Last updated 20 January 2023

Grace Foundation is dedicated to protecting the confidentiality and privacy of information entrusted to us in accordance with the UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Please read this Privacy Notice to learn about your rights, what information we collect, how we use and protect it.

1. Who are we?

Grace Foundation is a Charity who partners with IM Group, enabling us to expand our work across a network of Educational Trusts. For a full listing of companies within the Group, refer to

2. Who can you contact for privacy questions or concerns?

If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence to:

Ceri Clarke of Grace Foundation in the first instance and thereafter the Data Protection Officer at IM Group, The Gate, International Drive, Solihull, West Midlands, B90 4WA Telephone: 0121 747 4000 Email:

3. How do we collect Personal Data?

  • Directly: We obtain personal data directly from individuals in a variety of ways, including obtaining personal data from individuals who provide us with their business card(s), complete our online forms, engage in social media interaction, subscribe to our newsletters and mailing list and online services, attend events we host, visit our offices, or for recruitment purposes. We may also obtain personal data directly when, for example, we are establishing a business relationship.
  • Indirectly: We obtain personal data indirectly about individuals from a variety of sources.
  • Online: We collect information about you that you give to us via our websites or our social media pages or by contacting us by phone, email or otherwise.
  • Cookies: We may automatically collect personal data that our web servers store as standard details of your browser and operating system, the website from which you visit our websites, the pages that you visit on our websites, the date of your visit, and, for security reasons, e.g., to identify attacks on our websites, the Internet protocol (IP) address assigned to you by your internet service. We collect some of this information using cookies, please see our Cookies Policy for further information;
  • Social media: We may also collect personal data which you allow to be shared that is part of your public profile on a third-party social network;
  • Third party: We may obtain certain personal data about you from sources outside our business through referrals related to our work.
  • Recruitment: We may obtain personal data about candidates from an employment agency to aid in recruitment.

4. What Information do we collect?

Grace Foundation operate in the Education sector although this includes sectors that contribute to Educational development. We may obtain the following categories of personal data about individuals:

  • Personal data: Here is a list of personal data we commonly collect to conduct our business activities:
  • Contact details including but not limited to name, physical address, company name and contact details, work and personal landline and mobile numbers, email addresses.
  • Other details including but not limited to date of birth, gender, marital status and contact preferences.
  • CCTV at some of our sites may collect images of visitors. Our policy is to automatically overwrite CCTV footage within 30 days.
  • Sensitive personal data: We typically do not collect sensitive or special categories of personal data about individual adults other than our own employees. please see below regarding Child Data
  • Child data: Name and year of birth. Sensitive Personal data may include gender, safeguarding and health issues if relevant to the specific work required.
  • Location-based data: We may process geographical locations you enter when seeking a school or office near you.
  • Correspondence: We also hold electronic copies of our correspondence sent to or received from the schools and their employees and any contractors and suppliers who work with us. This correspondence is primarily in email format.

5. How will your information be used?

Grace Foundation will only use the personal data for the benefit of those we work alongside or for some other lawful purpose. For example, we may use your personal data:

  • to respond to your requests or enquiries;
  • for marketing activities e.g., to tailor marketing communications or send targeted marketing messages via social media and other third-party platforms;
  • to create a better understanding of you as a customer or visitor;
  • to administer our websites and for internal operations, including troubleshooting, testing, statistical purposes;
  • for the prevention of fraud and other criminal activities;
  • to correspond and communicate with you;
  • for network and information security for us to take steps to protect your information against loss or damage, theft or unauthorised access;
  • for efficiency, accuracy or other improvements of our databases and systems e.g., by combining systems or consolidating records we or our group companies hold about you;
  • for general administration including managing your queries, complaints, or claims, and to send service messages to you.
  • to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
  • to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings;
  • to provide personalised content and services
  • We may use your personal data to tell you about relevant services and information relevant to your enquiries. This is what we mean when we talk about ‘marketing’. The personal data we have for you is made up of what you tell us.
  • We may use our customers’ home or work address, phone numbers, email address and social media or digital channels (for example, Facebook, Google and message facilities in other platforms) to contact you according to our customers’ preferences.

We study this to form a view on what we think you may want or need, or what may be of interest to you. We can only use your personal data to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right. You can ask us to stop sending you marketing messages by contacting us at any time. We may ask you to confirm or update your choices. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business. If you change your mind, you can update your choices at any time by contacting us. We will never sell the personal data to a third party. We will only pass the personal data to third parties where there is a business need to do so and where we have an Article 28 Agreement in place with them.

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to honour the terms of the contract, for example, to provide you with goods or services. In this case, we may have to cancel a product or service you have with us; however, we will notify you if this is the case at the time.

6. What is our legal basis for processing your data?

Where we do not have your consent pursuant to Article 6 1. (a) of GDPR, we may have a legitimate interest pursuant to Article 6 1. (f). In addition, or alternatively from time to time we process personal data pursuant to lawful bases contained in other provisions of Article 6 such as the performance of a contractual obligation.

  • Consent: there may be circumstances where we hold personal data with your consent, such as when you provide it to us through online forms or an events registration system. You can remove your consent at any time. You can do this by contacting in the first instance and thereafter
  • Contractual Obligations: we often have a duty to process personal data as part of a contractual obligation. In these circumstances we will only retain personal data for as long as is necessary to fulfil that obligation.
  • Legal obligations: We may process personal data in order to meet our legal and regulatory obligations or mandates
  • Vital interests: the processing is necessary to protect someone’s life.
  • Legitimate Interest: to enable us to carry on our various businesses we inevitably need to process personal data in a vast variety of situations. Where we rely on Legitimate Interest we will always carry out, beforehand, a Legitimate Interest Assessment to ensure that our use of personal data does not exceed that which is strictly necessary to perform the job in hand, nor that it unnecessarily infringes the rights and expectation of privacy of the Data Subject.

Whatever the legal basis upon which our processing rests we always aim to practise data minimisation so as to ensure that we only hold that personal data which is necessary for the task in hand and that we only retain that data for as long as necessary to fulfil our legal obligation or legitimate business interest. We never transfer personal data to third parties unless we have a proper reason for doing so and where we have an Article 28 agreement (or equivalent) in place. Privacy by Design is the principle we follow whenever we gather, use or process personal data.

7. Who receives your information?

As well as Grace Foundation , we often share the personal data with third parties who carry out processing on our behalf pursuant to the terms of an Article 28 agreement. Such processing is necessary for IM Group to do their job properly and to service the needs of its customers. As a generality, such third parties fall into the following main categories:

Each school within the Educational Trusts that we work with namely:




8. Where your information is stored and how it is kept secure

On our secure computer systems and in some cases in hard form in our offices and schools. We have invested in state of the art technical and organisational security measures to safeguard your personal data.

9. Transfers to third countries and safeguards in place

Generally, we are unlikely to transfer your personal data outside the European Economic Area (‘EEA’). We will only send your data outside of the EEA to:

  • Follow your instructions.
  • Comply with a legal duty.

If we do transfer personal data to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
  • Transfer it to Organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are like that used within the EEA.

10. How long your information will be held

If we collect your personal data, the length of time we retain it is determined by several factors including the purpose for which we use that data and our obligations under other laws. We do not retain personal data in an identifiable format for longer than is necessary.

We may need your personal data to establish, bring or defend legal claims, in which case we will retain your personal information for 7 years after the last occasion on which we have used your personal information.

The only exceptions to this are where:

  • the law requires us to hold your personal data for a longer period, or delete it sooner;
  • you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this paragraph, or because we are required under the law (see further Erasing your personal data in paragraph 13 below;
  • and in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.

11. Cookies

‘Cookies’ are small pieces of information sent to your device and stored on its hard drive to allow our websites to recognise you when you visit. These help us understand how you use our websites so that we can customise our marketing for you. It may also save you from having to re-enter information when you return to our websites. We will, however, only ever use cookies when we have your permission to do so.

We also use some cookies that do not collect personal information but that do help us collect anonymous information about how people use our website. We use Google Analytics for this purpose. Google Analytics generates statistical and other information about website usage by means of cookies, which are stored on users computers. The data is collected anonymously, stored by Google and used by us to create reports about website usage. Googles privacy policy is available at

For more information on how IM Group use ‘cookies’ see our Cookie Policy by visiting our websites and clicking on the “Cookie Policy” link

12. Do we link to other websites?

Our websites may contain links to other sites, including sites maintained by the schools with the Trusts that we work with, that are not governed by this Privacy Notice. Please review the destination websites’ privacy notices before submitting personal data on those sites. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other sites.

13. What is your data protection rights?

Under data protection law, you have rights including:

  • Your right of access: You have the right to ask us for copies of your personal information.
  • Your right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing: You have the the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances. If you would like to exercise your Data Subject Rights, you can email in the first instance, thereafter We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

14. How to make a complaint to us and our supervisory authority

If you have any concerns about our use of your personal information, you can make a complaint to us at or

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Helpline number: 0303 123 1113 ICO website:

15. Do we change this Privacy Notice?

We regularly review this Privacy Notice and will post any updates to it on this webpage. This Privacy Notice was last updated on 20th January