Data Protection Policy

Last updated: 27 February 2026

Introduction

At Generalist World, we take our responsibilities under UK data protection law seriously. This Data Protection Policy sets out how we manage personal data across our organisation — how it is collected, used, stored, protected, and deleted — and what is expected of everyone who works with us.

This policy applies to all Generalist World staff, contractors, freelancers, event hosts, local leads, and any third parties who process personal data on our behalf. Failure to comply with this policy may result in disciplinary action and could expose Generalist World and individuals to legal liability.

This policy should be read alongside our Privacy Policy, Cookie Policy, and Terms & Conditions, all available at www.generalist.world.

If you have any questions about this policy, contact our Data Protection Manager at hello@generalist.world.

Who Is Responsible

Data Controller: Generalist World is the data controller for all personal data we process. As data controller, we are responsible for determining how and why personal data is used.

Data Protection Manager (DPM): Our Data Protection Manager is Milly Tamati, reachable at hello@generalist.world. The DPM is the first point of contact for all data protection queries, subject access requests, and breach reports.

Generalist World
Isle of Raasay
IV40 8PB
United Kingdom

Web: www.generalist.world
Email: hello@generalist.world

Scope

This policy covers all personal data held by Generalist World, whether in digital or physical form, relating to:

  • Current, former, and prospective community members
  • Newsletter subscribers
  • Event attendees
  • Contractors, freelancers, and local event hosts
  • Partners and sponsors
  • Any other individuals whose data we process in the course of our work

Data Protection Principles

All personal data processed by Generalist World must comply with the six processing principles set out in Article 5(1) of UK GDPR. Under the accountability principle in Article 5(2) we must also be able to demonstrate that compliance, which is why this policy requires records of consent, access, deletions, and breaches to be kept. Personal data must be:

Lawfully, fairly, and transparently processed — We only collect data with a valid legal basis and always tell people what we’re doing with it.

Collected for specified, explicit, and legitimate purposes — We only use data for the purpose it was collected for and do not repurpose it without a valid legal basis.

Adequate, relevant, and limited to what is necessary — We only collect what we genuinely need. We do not collect data “just in case.”

Accurate and kept up to date — We take reasonable steps to ensure data is accurate and correct it promptly when it is not.

Kept for no longer than necessary — We retain data only for as long as needed for its original purpose or to meet legal obligations. See our Retention Schedule below.

Processed securely — We protect data against unauthorised access, loss, destruction, or damage using appropriate technical and organisational measures.

Legal Bases for Processing

We process personal data only where we have a valid legal basis. The legal bases we rely on are:

  • Consent — the individual has given clear, informed consent to the specific processing
  • Contract — processing is necessary to fulfil a contract with the individual (e.g. Premium membership)
  • Legal obligation — processing is required to comply with a legal requirement (e.g. financial records)
  • Legitimate interests — processing is necessary for our legitimate business interests, provided those interests are not overridden by the individual’s rights

Where we rely on consent, it must be freely given, specific, informed, and unambiguous. Consent must be recorded and can be withdrawn at any time.

What Data We Process

In the course of running Generalist World, we process the following categories of personal data:

Member and subscriber data: name, email address, membership status, payment records, event attendance, community activity

Contractor and host data: name, email address, location, bank or payment details, communications

Event attendee data: name, email address, event registration details

Website visitor data: IP address, browser type, device information, pages visited (via cookies and analytics tools)

Special category data: members may voluntarily share sensitive information (such as health information, ethnicity, sexual orientation, or religious beliefs) in community spaces. This is processed only with explicit consent and handled with additional care.

Our Tools and Platforms

We currently use the following tools to process personal data. Each operates under its own data processing agreement with Generalist World:

  • Stripe — payment processing
  • Slack — Premium member community
  • luma — event management and registration
  • beehiiv — newsletter and member email communications
  • Notion — member resources and internal documentation
  • Curated Connections — optional member matching (opt-in only)
  • Google Analytics / Google Tag Manager — website analytics
  • Google Fonts / Google Site Tag — website performance
  • Gmail — internal communications and member support emails
  • Google Forms — data collection including event registrations and community report forms
  • Google Sheets — internal data tracking and record keeping
  • Zapier — automated workflows that transfer data between platforms. As Zapier handles personal data in transit, a Data Processing Agreement must be in place.

This list will be reviewed and updated as our tooling changes. Any new tool that processes personal data must be reviewed by the DPM before use and added to this list.

AI Tools

Generalist World operates an AI Career Coach at generalist.lovable.app. At present, this tool does not collect or store personal data. If this changes, a Data Protection Impact Assessment (DPIA) will be conducted before any data processing begins, and this policy will be updated accordingly.

Staff and contractors also have access to AI tools including Claude (by Anthropic) and may use Google Workspace AI features. The following rules apply to all AI tool usage:

  • Do not input identifiable member, attendee, or contractor personal data into any external AI tool without first consulting the DPM
  • This includes names, email addresses, payment information, or any special category data
  • Anonymised or fictional data may be used for drafting, testing, or brainstorming purposes
  • If in doubt, ask the DPM before proceeding

Data Subject Rights

Under UK GDPR, individuals have the following rights. All requests must be forwarded to the DPM immediately and responded to within one month of receipt, free of charge. The deadline may be extended by up to two further months where a request is complex or several requests arrive from the same individual, provided the individual is told of the extension, and the reasons for it, within the first month.

  • Right to be informed — individuals must be told how their data is used (covered by our Privacy Policy)
  • Right of access — individuals can request a copy of the data we hold about them
  • Right to rectification — individuals can ask us to correct inaccurate or incomplete data
  • Right to erasure — individuals can ask us to delete their data where there is no legitimate reason to retain it
  • Right to restrict processing — individuals can ask us to limit how we use their data
  • Right to data portability — individuals can request their data in a portable electronic format
  • Right to object — individuals can object to processing based on legitimate interests or for direct marketing
  • Rights related to automated decision-making — individuals have rights where decisions are made about them solely by automated means (note: Generalist World does not currently carry out automated decision-making)
  • Right to withdraw consent — where processing is based on consent, individuals can withdraw it at any time
  • Right to complain — individuals can lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk

Verifying identity: Before fulfilling a data subject request, we must verify the identity of the person making the request. Do not share personal data without proper verification. Contact the DPM before responding to any data subject request.

Data Retention Schedule

Data type | Retention period | Reason
Member account data | Duration of membership + 12 months after closure | Service continuity and legal claims
Payment and billing records | 7 years | UK financial and tax law
Event registration data | 2 years | Community records and follow-up
Contractor and host records | Duration of engagement + 7 years | Legal and financial obligations
Website access logs | 7 days | Security monitoring
Marketing preferences / unsubscribe records | Indefinitely | To honour opt-out preferences
Data breach records | 5 years | ICO compliance
Consent records | Duration of processing + 3 years | Evidence of lawful basis

When data reaches the end of its retention period, it must be securely deleted or anonymised. The DPM must approve and record all deletions. See Secure Deletion below.

Data Security

All staff and contractors must take reasonable steps to protect personal data. This includes:

  • Using strong, unique passwords for all accounts that hold personal data, stored in a password manager rather than reused across services
  • Enabling two-factor authentication wherever available, preferring an authenticator app or passkey over SMS codes where the platform offers the choice
  • Not sharing login credentials with others
  • Locking devices when not in use
  • Not accessing community or member data on unsecured public Wi-Fi networks without a VPN
  • Not storing member data in personal email accounts or personal cloud storage
  • Reporting any suspected security issue to the DPM immediately

We use TLS encryption for all data transmitted through our website. Where data is stored digitally, we rely on the security measures of our approved platforms (listed above). Archived data stored independently must be encrypted using at least AES-256.

Access Control

Access to personal data is granted on a need-to-know basis. Staff and contractors should only access data that is necessary for their specific role.

Access must be reviewed when someone’s role changes and revoked promptly when they leave. The DPM is responsible for maintaining an up-to-date record of who has access to which systems.

Third-Party Data Processors

When we use external platforms or contractors to process personal data on our behalf, we remain responsible for that data as the data controller. All third-party processors must:

  • Provide sufficient guarantees about their data protection measures
  • Sign a written Data Processing Agreement (DPA) before processing begins
  • Process data only in accordance with our documented instructions
  • Notify us immediately of any security incident or data breach

Do not engage a new third-party service that will process personal data without first consulting the DPM.

International Data Transfers

Some of our platforms are based outside the UK and EEA. We only transfer data internationally where appropriate safeguards are in place, such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses (SCCs), or where the receiving country is covered by UK adequacy regulations. The DPM must confirm which safeguard applies for each processor on the tools list before that processor is approved.

Reporting a Data Breach

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If you know or suspect a breach has occurred, you must inform the DPM immediately — do not wait.

The DPM will assess the breach and determine whether it needs to be reported to the ICO. Under UK GDPR, breaches that are likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO within 72 hours of discovery.

Where a breach is likely to result in a high risk to individuals, those individuals must also be notified directly without undue delay.

All breaches must be documented, including those that are not reported to the ICO, covering: what happened, what data was affected, the likely consequences, and the steps taken to address it.

Data Protection Impact Assessments (DPIAs)

A DPIA must be carried out before beginning any processing activity that is likely to result in a high risk to individuals. This includes:

  • Introducing new technologies or platforms that process personal data
  • Processing special category data on a large scale
  • Systematic monitoring of members or users
  • Any significant change to how we process existing data

The DPM is responsible for conducting DPIAs and documenting the outcomes. A DPIA must include an assessment of the necessity and proportionality of the processing, the risks to individuals, and the measures in place to mitigate those risks.

Privacy by Design and Default

Data protection should be built into our processes from the start, not added on afterwards. When planning any new project, product, feature, or campaign that involves personal data, consult the DPM early.

By default, we should always process the minimum amount of personal data necessary for the purpose — and no more.

Marketing

We only send direct marketing communications to individuals who have given explicit consent. Anyone who opts out must be suppressed from marketing lists as soon as possible. Suppression records must be retained indefinitely to ensure their preferences are respected in future.

Staff and contractors must not use member or attendee contact information for their own personal or business marketing purposes.

Secure Deletion and Archiving

When personal data is no longer needed:

  • Digital files must be deleted using a secure deletion method; a standard “delete” or “empty trash” is not sufficient. Note that file-overwriting tools cannot be relied on for SSDs or cloud-hosted storage: for those, keeping the data in an encrypted volume or archive and then destroying the key is the practical equivalent
  • Data held in cloud platforms should be removed from those platforms directly
  • Any physical copies must be destroyed using a cross-cut shredder
  • The DPM must approve and record all data deletion

Training and Review

All staff and contractors who handle personal data must read this policy and confirm they understand it. New team members should be briefed on data protection responsibilities as part of their onboarding.

This policy will be reviewed by the DPM at least annually, or sooner if there are significant changes to our operations, tooling, or applicable law.

Glossary

Data Controller — the organisation that determines why and how personal data is processed. Generalist World is the data controller.

Data Processor — a third party that processes personal data on behalf of the data controller (e.g. Stripe, Slack).

Data Subject — the individual whose personal data is being processed.

Data Protection Manager (DPM) — the person responsible for overseeing data protection compliance at Generalist World.

Personal Data — any information that can identify a living individual, directly or indirectly.

Special Category Data — personal data that requires extra protection due to its sensitivity, including data about health, ethnicity, sexual orientation, religious beliefs, genetic or biometric data.

Data Processing Agreement (DPA) — a contract between a data controller and a data processor setting out the terms under which personal data is processed.

DPIA — Data Protection Impact Assessment. A process for identifying and reducing the risks of a new data processing activity.

UK GDPR — the UK General Data Protection Regulation, the primary data protection law applicable to Generalist World.

ICO — the Information Commissioner’s Office, the UK’s independent data protection authority. Contact: ico.org.uk / 0303 123 1113.

Contact

For any data protection queries, subject access requests, or to report a breach, contact our Data Protection Manager:

Email: hello@generalist.world
Web: www.generalist.world

This Data Protection Policy was last updated on: 27 February 2026.