Last updated: July 2026

Introduction

This Privacy Notice explains when and why Canopi (“we”, “us”) collects personal information, how we use it, the conditions under which we may disclose it to others, and how we keep it secure. It also explains your rights under UK data protection law and how to exercise them. This Notice applies to our customers, human resources, and our marketing activities.

Who We Are

Canopi is a registered charity and company limited by guarantee registered in England and Wales under 3635124. For the activities described in this Notice, Canopi generally acts as a data controller.

Contact Information, Queries and Complaints

If you have questions about this Privacy Notice or how we process your personal data, or if you wish to exercise your rights, please contact our Data Protection Lead:

What Personal Data We Collect and Why

The data we collect and how we use it depends on your relationship with us. Please see the appendices for details:

  • Appendix 1 – Customers
  • Appendix 2 – Human Resources (employees, trustees, contractors)
  • Appendix 3 – Marketing
  • Appendix 4 – Complaints Procedure

Your Rights

Under UK data protection law, you have the following rights. Some rights are subject to limitations (for example, safeguarding or legal obligations) and may not always apply. If we cannot fulfil a request, we will explain why.

  • Right to be informed – to know how your data is used.
  • Right of access – to request a copy of your personal data.
  • Right to rectification – to correct inaccurate or incomplete data.
  • Right to erasure – to request deletion where legally permitted.
  • Right to restrict processing – to limit how we use your data in certain circumstances.
  • Right to data portability – to receive certain data in a structured, machine-readable format.
  • Right to object – to processing based on legitimate interests or for direct marketing.
  • Rights around automated decision-making – we do not make decisions that produce legal or similarly significant effects solely by automated means.
  • Right to complain- to complain against any of our activities.

International Data Transfers

Where personal data is transferred outside the UK, we put in place appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and we perform transfer risk assessments where required.

How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes set out in this Notice and to meet legal, regulatory, contractual and funder requirements. Specific retention periods are set out in Canopi’s Retention Schedule and may vary by project (for example, safeguarding records or research evaluation data). We will provide further information on request.

How We Protect Your Data

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest (where appropriate), data minimisation, secure deletion, staff training, confidentiality agreements, and vendor due diligence. We regularly review and improve these measures.

Changes to This Notice

We review this Privacy Notice regularly. Significant changes will be communicated directly or via a notice on our website.

 

 

Appendix 1 – Customers

This appendix explains how Canopi uses personal data in providing and managing its workspace facilities for charities and social sector organisations.

Canopi provides flexible and affordable workspace for charities and other social sector organisations. Our mission to support charities and social sector organisations in creating lasting impact drives everything we do, from offering flexible work environments to providing support services and events tailored to a like-minded community of changemakers.

 

What Personal Data We Collect

We only collect the minimum data necessary for each purpose. Depending on the activity, we may collect:

  • Identity and contact data – name, business/company name, job title, email address, telephone number, address.
  • Financial information – credit/debit card numbers.
  • Business/Company information – list of staff names, job titles, business email addresses, other publicly available information such as industry sector and turnover
  • Safeguarding information – disclosures or concerns, risk assessments, chronology/incident logs
  • Research and evaluation data – surveys, case studies

Where We Get Your Data From

We get your information from limited sources such as:

  • Directly from you or the organisation you work for.

How We Use Your Data

We use your information for limited purposes, some of which include:

  • To manage enquiries and provide information about our workspace
  • To provide and manage your account
  • To manage booking hot desks and/or meeting rooms
  • To sing you in for the purpose of security in the building e.g. in case of fire alerts
  • To safeguard adults at risk – including assessing risk, recording and responding to concerns.
  • To evaluate and improve services, including independent evaluations commissioned by funders.

 

Our Lawful Bases (Article 6 UK GDPR)

To comply with UK GDPR, we rely on a lawful basis to process your personal data

  • We rely on legitimate interests when we respond to your enquiries and process any reasonable adjustments. We also rely on legitimate interests for the use of CCTV on our premises.
  • We rely on contractual obligation to process and administer your accounts and bookings for our workspace.
  • In rare instances of safeguarding, processing is necessary to protect someone’s life or prevent serious harm; we rely on the lawful basis of vital interests.
  • We may rely on consent for optional activities such as certain participation opportunities, recordings/photography, case studies, surveys or where required by law for specific communications.

Special Category Data (Article 9 UK GDPR)

Where we process special category data (e.g., health, ethnicity, beliefs, sexuality) or criminal offence data, we do so only where strictly necessary and with additional safeguards. Our typical conditions include:

  • When we process information relating to reasonable adjustments, we rely on substantial public interest condition of equality of opportunity or treatment to ensure access to use our workspace.
  • We rely on vital interests in circumstances where the individual is incapable of giving consent and processing necessary to protect life.

Who We Share Data With

We will never share your data unless it is for a legitimate reason, some of which may include:

  • Delivery partners and subcontractors working with us on a project, under data-sharing or processing agreements, based on legitimate interest/ consent
  • In instances of safeguarding, we will share your information with Authorities on the basis of legitimate interest

 

 

Appendix 2 – Human Resources

 

This appendix explains how we process personal data for job applicants, employees, workers, contractors, consultants, or trustees.

How We Collect Your Information

We process your information when you apply for a position with Canopi, and such information is received from the following sources:

  • Directly from you during recruitment and onboarding, and during your engagement with us.
  • From agencies and referees (with your knowledge).
  • From pre-employment screening such as right-to-
  • From internal systems (e.g., HR, payroll, learning and development).

What Personal Data We Collect

We may collect the following information about you for our engagement:

  • Personal details and contact information.
  • Application, CV and interview information; references; employment history and qualifications.
  • Contract terms, job role, pay/fees, benefits, working time, leave and absence, performance and supervision records, disciplinary and grievance records, training records.
  • Next of kin and emergency contacts.
  • Right-to-work, and other compliance records.
  • Special category data (where necessary) – health/occupational health information (e.g., reasonable adjustments), and equality, diversity and inclusion data provided voluntarily.

 

How We Use HR Data (Purposes and Lawful Bases)

We only use your information to fulfill our employment obligations, which include:

  • We rely on contractual obligation to process your information as a staff member or trustee, or legitimate interest to process any information for unsuccessful job applicants and trustees.
  • We also rely on legal obligation to meet our employment obligations such as sharing information with HMRC, as well as processing right-to-work information and health and safety.
  • To manage performance, supervision, learning and development, security and IT systems, we rely on legitimate interests.
  • We may also rely on substantial public interest for equal opportunities monitoring, or employment and social security for any reasonable adjustment related information.

 

Who We Share Your Data With

We will only share your data wherever necessary, such as with:

  • Payroll, pension, HR and benefits providers (processors).
  • Regulators and statutory bodies (e.g., HMRC, Home Office).
  • Occupational health and wellbeing providers.
  • IT service providers.
  • Professional advisers and insurers where necessary.

 

 

Appendix 3 – Marketing

This appendix explains how we process personal data for marketing and communications activities, including promoting our workspace, sharing news and updates, and communicating with current and prospective users of our facilities.

What We Collect

We may collect the following information about you:

  • Identity and contact data; communication preferences.
  • Engagement information (e.g., email opens/clicks), where permitted.
  • Payment information processed securely by our payment service providers; we do not store full card details.

How We Use Supporter Data

We use your information for limited purposes, some of which include:

  • To send you marketing about our work and ways to support us, in line with your preferences and PECR.
  • To comply with legal and regulatory requirements and prevent fraud.

Lawful Bases (Marketing)

We may collect and process personal information under the following lawful bases:

  • For email marketing to individuals where required by PECR, we rely on consent
  • We rely on legitimate interest for soft opt-in related email communications when you have expressed interest.
  • Legal Obligation is relied upon for financial record-

 

Appendix 4: Complaints Process

 

If you are unhappy with how we handle your personal data, you have the right to raise a complaint with us.

You can contact us by:

Please provide:

  • Your name and contact details
  • A clear description of your concern
  • Any relevant dates or reference numbers

What Happens Next?

  1. We will acknowledge your complaint within 30 days of receiving it.
  1. We will investigate your concerns.
  1. We may contact you if we need further information.
  1. We will respond as soon as possible and without undue delay.

Our response will explain:

  • What we have found
  • Whether any action has been taken
  • What happens next

If You Are Not Satisfied

If you remain unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: https://ico.org.uk

Accessibility

If you require this information in an alternative format, please contact us and we will be happy to assist.