Grassroots Privacy Notice

Last Revised: 12.05.2025

At Grassroots (We or Us), your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your personal data when you visit or interact with our website and services, including the Grassroots data-sharing platform (the "Service"). Please view our Terms of Use regarding the rules and requirements for the use of the service.

For the purpose of the Data Protection Act 2018 (the Act), the data controller is Earlham Institute, based at Norwich Research Park, Colney, Norwich, NR4 7UZ.

What Information do we hold about you?

We collect the following types of information when you use the Service:

• Personal Information: WWhen you create an account or interact with our platform, we may collect personal details such as your name, email address, and any other information you provide voluntarily.
• Usage Data: We automatically collect information about how you interact with our platform, such as your IP address, browser type, operating system, device information, and other diagnostic data.
• Data Contributions: If you share datasets or contribute content, we may collect metadata related to the data, such as information about the source, location, and content of the data.

How We Use Your Information

We use your information for the following purposes:

• To provide and improve our services.
• To communicate with you, including responding to inquiries and sending updates related to the Service.
• To analyse how users interact with the platform, allowing us to optimise the user experience.
• To promote the Service, share success stories, and demonstrate the impact of the platform. This may include contacting you (if you have opted into receiving communications from us) for permission to use your data or experiences in news stories, research publications, case studies, or promotional content.
• To contact you to provide updates about products, services, promotions, special offers, news and events at Earlham Institute, if you have consented.

What is our lawful basis for processing your information?

Under UK data protection law, we must have a "lawful basis"" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the Information Commissioner’s Office website. We process your personal data under the following legal bases:

• Consent
• Legitimate Interest

Your Rights

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO's website:

• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right on the Information Commissioner's Office (ICO) website.
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right on the ICO website.
• Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right on the ICO website.
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right on the ICO website.
• Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right on the ICO website.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right on the ICO website.
• Your right to withdraw consent - If we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right on the ICO website.

Please note that some rights may not apply in all situations. If we cannot comply with your request, we will explain why and inform you of your right to complain to the Information Commissioner's Office if you are not satisfied with our response.

For more information about your rights, visit the ICO's website.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the bottom of this privacy notice.

How do we store and share your information?

Your information is stored and shared in the following ways:

• On EI secure systems and servers
• It will be shared with authorised Grassroots team developers
• It may be shared in repositories that Grassrootsrequires to provide the service including:
• If you contribute data to the platform, such data may be made publicly accessible, subject to your consent and relevant privacy settings.
• We use anonymised Google Analytics to track usage - you can alter your preferences for this by using the consent form upon access.
• If you have consented to receiving communications, we may share your contact details with other members of staff at Earlham Institute to contact you to provide updates about products, services, promotions, special offers, news and events at Earlham Institute.

Security of your information

We are committed to keeping your personal information safe and secure. As indicated above, your personal information is created, stored and transmitted in electronic formats. Access to your personal information is limited to the team who have a legitimate interest in it for the purposes of carrying out their contractual duties.

Please note that, although We will do our best to protect your personal data, We cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once We have received your information, We will use strict procedures and security features to try to prevent unauthorised access.

Retaining and disposing of your information

Any personal data (name, email address, organisation details) and metadata obtained from you will be retained as long as the service is live, even if you stop using the service. Your name, email address, and ORCid identifier (ID) may be visible on our website after you make any submissions. Your email address will be submitted to public repositories and will be visible on public records as a metadata submitter.

Access to the web and security logs containing personal data are restricted to the relevant Open Data team developers.

Cookies

This service uses "cookies" to store information about the web pages on the service that the visitor has accessed or visited. The information is used to log any errors or exceptions that may occur and user sessions.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated policy on this page with a new effective date. We encourage you to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us.

Compliance with data protection legislation

For the Earlham Institute, the person with responsibility for advising on compliance with data protection legislation is Sarah Cossey at dpa@earlham.ac.uk.