Privacy Policy

Version 2026-05-01 · Last updated 2026-05-01

1. Who we are

Equitas is operated by Social Justice Innovation Hub CIC (UK Community Interest Company — incorporation pending), registered at Apartment 5, 104 Gravelly Lane, Birmingham B23 6LS, United Kingdom. We are the data controller for personal data processed through Equitas, and we are registered with the UK Information Commissioner's Office under pending registration. You can contact our Data Protection lead at amidutom@yahoo.com.

2. What we collect

  • Account data: name, email, role, tenant, authentication metadata (incl. MFA enrolment).
  • Beneficiary records entered by partner staff: contact, demographics, pathway enrolment, outcome observations, goals, skills, documents and audit history.
  • Technical data: IP address, device/browser, timestamps, and audit log entries.
  • Consent records: the version of these policies you accepted and when.

3. Lawful bases (UK GDPR Art. 6)

  • Contract — to provide Equitas to you and your tenant.
  • Legal obligation — safeguarding, audit, and statutory reporting.
  • Legitimate interests — securing the platform, preventing fraud, improving the service.
  • Consent — optional analytics and marketing cookies, marketing emails.

4. Special category data

Where the service holds special category data (e.g. health, ethnicity, sexual orientation, safeguarding notes), we rely on UK GDPR Art. 9(2)(b)/(g)/(h) — substantial public interest, social protection, and the provision of social-care services — and on tenant-level safeguarding policies. Safeguarding notes are restricted by role-based access and never exposed in participant self-service exports without DPO review.

5. Who sees your data

  • Authorised staff in your tenant (delivery partner).
  • The Hub super-admin team for support, security and inspection.
  • Commissioners with explicit cohort access where permitted by contract.
  • Sub-processors: our cloud and database provider (UK/EU regions), authentication, transactional email and (if enabled) payments.

6. Where we store it

Personal data is stored in UK/EU data regions. Where any sub-processor processes data outside the UK, we rely on UK International Data Transfer Agreements / EU SCCs.

7. How long we keep it

Account data is retained while your account is active and for up to 12 months after closure. Beneficiary records are retained per the relevant safeguarding/funder retention schedule (typically 6 years from the end of engagement). Audit logs are retained for 6 years.

8. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict or object to processing, and to data portability. Participants can exercise self-service access and portability via Profile → Download my data. To exercise other rights, email amidutom@yahoo.com. You may also complain to the ICO at ico.org.uk.

9. Security

Row-Level Security, role-based access control, MFA for elevated roles, encrypted transport and at-rest encryption, and full audit logging are in place. Suspected incidents are triaged within 72 hours and notifiable breaches reported to the ICO as required.

10. Changes

Material changes will be notified in-product. The current version is shown above; previous versions are available on request.