Your Privacy, Protected

Goal 17 Privacy Policy

Effective Date: 20 March 2025 | Last Reviewed: April 2026

ICO Registration Number: A8854423

A note from us before you read on:

At Goal 17, our work is built on trust. We work with a wide range of stakeholders including connecting volunteers with young people who need support — care leavers and vulnerable young people who have often experienced systems that let them down. That means the way we handle people’s information matters enormously to us, and we take it seriously.

We do use data — and we want to be honest about that. Understanding who our volunteers are, how our programmes are working, and how we can better support young people means we need to collect and use information thoughtfully. We use technology, including AI tools, to help us do this more effectively. But we believe that using data well and protecting people’s privacy are not in conflict — they go hand in hand.

We will never use your data in ways that aren’t fair, transparent, or necessary. We won’t sell it, share it without good reason, or hold onto it longer than we need to. And if you ever want to know what we hold, change it, or ask us to delete it — we will make that easy.

The policy below sets out the detail. We’ve tried to make it as clear as possible. If anything isn’t clear, please do get in touch — we’d much rather you ask than feel uncertain.

Francesca Salussolia | Chief Executive, Goal 17 Ltd

Goal 17 Ltd · ICO Registration: A8854423 · Effective 20 March 2025 · Last Reviewed April 2026

1. Who We Are

Goal 17 Ltd ("we", "us", "our") is a UK-registered limited company delivering high-impact mentoring, volunteering, and training programmes. We work under contract with local authorities, public sector commissioners, and other partners to support care leavers and vulnerable young people across England.

This policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all individuals we engage with, including volunteers, clients and service users, learners, and professional contacts.

This policy covers Goal 17 Ltd's services only. Our separate technology platform, Wowment, operates under its own privacy policy.

Data Protection Contact

Francesca Salussolia

Chief Executive Officer, Goal 17 Ltd

📧 fran@goal17.global

📞 +44 7897 020591

📍 2 Lakeview Stables, Lower St. Clere, Kemsing, Sevenoaks, Kent TN15 6NL

General data protection queries may also be directed to team@goal17.global.

2. What Personal Data We Collect

We collect different categories of data depending on your relationship with us. All data collection is limited to what is necessary and proportionate for the relevant purpose.

a. Volunteers

Full name, contact details (including phone number and email address), and date of birth
References, DBS check information, and recruitment documentation
Emergency contact information
WhatsApp contact details, where you have opted in to our WhatsApp-based onboarding and engagement programme
Communication records, including WhatsApp message histories, stored and managed within our case management system
Volunteer training records, participation history, and engagement notes
AI-assisted check-in summaries and outreach drafts generated in connection with your engagement profile (see Section 5)

b. Clients and Service Users

Full name, contact details, and date of birth
Referral information provided by local authority commissioners or partner organisations
Information relevant to your support needs, including any relevant vulnerabilities or personal circumstances
Progress notes, key worker records, and safeguarding documentation
Goals, feedback, and records of any communications

c. Learners (Training Participants)

Name, email address, organisation, and job title
Progress through training modules, quiz and assessment results
CPD certificates and university accreditation records (issued in partnership with Oxford Brookes University and The CPD Certification Service)
Course feedback and reviews

d. Platform and Website Users

IP address, browser and device data
Usage data, including progress through learning modules and resource downloads on The Goal17 Learning Platform and Scorecards
Cookie and analytics data (see Section 11)

e. Communications and Storytelling

Survey responses, interview content, and service feedback
Case studies, quotes, and testimonials
Photographs and video content — collected only where a signed image release form is in place

f. Professional and Commissioner Contacts

Names, job titles, and professional contact details
Records of correspondence and programme management communications

3. How We Collect Your Data

We collect personal data through the following channels:

Sign-up and referral forms for training, volunteering, or client services
Our digital platforms, including The Goal17 Learning Platform and Scorecards
Direct communication via phone, email, or WhatsApp
WhatsApp Business messaging, as part of our volunteer onboarding and engagement programme, where individuals have consented to this channel
Referrals from local authorities, public sector commissioners, and trusted partner organisations
Surveys, feedback forms, and interviews
Our case management and volunteer management systems

4. Legal Basis for Processing

We process your personal data under the following lawful bases, as defined in UK GDPR Article 6:

Consent	Where you have given clear, specific consent — for example, to receive marketing communications, to participate in media content, or to be contacted via WhatsApp.
Contract	To deliver a programme, training course, or service you are engaged in, or to fulfil our obligations under a contract with a commissioning body.
Legal Obligation	Where processing is required to comply with our legal duties — for example, safeguarding responsibilities, reporting to statutory authorities, or maintaining DBS records.
Legitimate Interests	To improve our services, monitor programme impact, manage volunteer relationships, and operate our technology infrastructure, where these interests are not overridden by your rights.
Vital Interests	In exceptional circumstances where processing is necessary to protect the life of a service user or other individual.

For special category data (including criminal records information from DBS checks), we rely additionally on the substantial public interest condition under UK GDPR Article 9(2)(g), in connection with our safeguarding obligations.

Where we rely on legitimate interests, we conduct a Legitimate Interests Assessment (LIA) to ensure your rights are not overridden.

5. How We Use Your Data

We use personal data to:

Deliver mentoring, volunteering, and training programmes under contract with local authorities and other commissioners
Match and manage volunteers with young people and clients, including through our AI-assisted volunteer intelligence system
Deliver accredited training and issue certificates in partnership with Oxford Brookes University and The CPD Certification Service
Provide access to The Goal17 Learning Platform and Scorecards
Manage volunteer engagement through tiered contact programmes, including WhatsApp-based communication
Draft and review personalised volunteer outreach and check-in messages using AI tools (Claude API, provided by Anthropic) — all AI-generated content is reviewed by a staff member before sending
Record and respond to safeguarding concerns, and fulfil our statutory reporting obligations
Share data with the Wowment platform to facilitate secure, safeguarded connections between volunteers and young people, where individuals have been invited to use that service
Analyse engagement and produce impact reports for commissioners and funders (typically in anonymised or aggregated form)
Feature quotes, photographs, or case studies in communications and marketing (only with signed consent)
Improve the quality, accessibility, and reach of our services

A note on automated processing: Our AI-assisted outreach system analyses volunteer engagement data to draft personalised messages. This does not constitute automated decision-making in the legal sense — all messages are reviewed and sent by a staff member. No decisions with legal or significant effects on individuals are made by automated means alone.

6. Data Processors and Third-Party Sharing

We do not sell or rent personal data. We share data only with trusted parties when necessary and under appropriate data-sharing agreements or contracts.

Monday.com	Our primary case management, CRM, and volunteer management platform. Volunteer records, communication histories (including WhatsApp message logs), engagement notes, and AI-generated outreach content are stored here.
WhatsApp / Meta	Used as a direct communication channel for volunteer onboarding and engagement. Message content is logged to Monday.com. WhatsApp is a processor acting under Meta's data processing terms.
TimelinesAI	Used to connect WhatsApp Business accounts to our case management system and to maintain communication records.
Anthropic (Claude API)	AI model used to draft personalised volunteer outreach messages. No data is used to train AI models under our API agreement.
PythonAnywhere	Hosts automation scripts that process personal data, including daily synchronisation of WhatsApp message data and AI-assisted outreach workflows.
Kajabi	Hosts our CPD-certified training courses and manages learner enrolment, progress tracking, and certificate delivery.
Goal17 Learning Platform / Scorecards	Delivers online training and progress tracking for learners.
Wowment Ltd	Where service users or volunteers are invited to use the Wowment platform, relevant introductory data is shared under a data-sharing agreement. Wowment Ltd operates its own privacy policy.
Oxford Brookes University / CPD Certification Service	Receive learner data to facilitate university accreditation and CPD certificate issuance.
Local Authorities and Statutory Bodies	We share data with commissioning local authorities and, where required by law, with safeguarding services and statutory authorities.
Funding Partners	Impact data is shared in anonymised form, or with individual consent where identifiable.

All data processors are subject to written contracts requiring them to process data only on our documented instructions and in compliance with UK GDPR.

7. Commissioning and Joint Controller Arrangements

Goal 17 Ltd operates under contract with local authorities and other public sector commissioners. In many cases, the commissioning body is a separate data controller in respect of the individuals referred to us, and Goal 17 Ltd acts as either a joint controller or a processor depending on the nature of the arrangement.

Where a joint controller arrangement applies, the respective responsibilities of Goal 17 Ltd and the commissioning authority are documented in a Data Sharing Agreement or Controller-to-Controller Agreement.

If you are a service user referred to us by a local authority and wish to understand how your data is used, you may also wish to contact the relevant local authority directly.

8. Special Category Data and Criminal Records Information

DBS (Disclosure and Barring Service) certificates contain criminal records information, treated as sensitive data under UK GDPR and subject to additional protections under the DBS Code of Practice.

We use DBS information solely to assess suitability for volunteering roles involving contact with children and vulnerable adults. We do not retain DBS certificate numbers, and we do not create a separate record of the content of a certificate beyond recording whether a check was carried out, the level, and the date. Original certificates are seen briefly for verification and are not retained or copied.

DBS data is processed under the substantial public interest condition (UK GDPR Article 9(2)(g)) and Schedule 1, Part 2 of the Data Protection Act 2018, in connection with our safeguarding obligations.

9. Children and Young People

Many of our service users are care leavers and young people, some of whom may be under 18. We treat all personal data relating to young people with heightened care.

We do not collect personal data from individuals under the age of 16 without appropriate consent from a parent, guardian, referring authority, or other responsible adult. Where a young person is referred to us by a local authority, that authority's consent process will apply.

If we become aware that we hold data about a child collected without valid consent, we will delete or otherwise remediate that data immediately.

10. International Data Transfers

Some of our platforms and service providers may process data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place, such as:

UK International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses (SCCs) approved by the ICO
Transfers to countries with UK adequacy decisions

Specific processors who may process data outside the UK include Anthropic (Claude API, USA), Monday.com (USA), and Kajabi (USA). Each is subject to appropriate transfer safeguards.

11. Cookies and Analytics

Our platforms use cookies and analytics tools to improve user experience, track learning progress, and understand how users navigate our content. We do not use advertising or third-party tracking cookies.

You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our learning platforms.

12. Retention of Data

We retain personal data only for as long as is necessary for the relevant purpose, or as required by law.

Category	Retention Period
Volunteers	Up to 6 years after your last engagement, including communication records and WhatsApp message logs
Clients and Service Users	Up to 6 years from the date of last contact or case closure
Learners	3 years after completion of the relevant course or training programme
Safeguarding Records	In accordance with statutory requirements, which may extend beyond standard periods
DBS Records	Date of check and level only; no retention of certificate content beyond initial verification
AI Outreach Drafts	Retained as part of the volunteer communication record, in line with the volunteer retention period above
Media and Storytelling	3 years after signing the relevant image or media release form, or earlier upon withdrawal of consent
Survey and Feedback Data	Anonymised and retained for impact reporting; identifiable data deleted after 12 months

Data is securely deleted or anonymised when retention periods expire or when it is no longer required.

13. Marketing and Communications

We may send you occasional updates about opportunities, training, news, or events — but only where you have given explicit permission to do so.

You can withdraw consent and opt out at any time by clicking "unsubscribe" in any email, or by contacting us at team@goal17.global. WhatsApp-based marketing communications can be stopped by replying "STOP" or by contacting us directly.

We will continue to send essential service communications (such as information about your programme, safeguarding matters, or your training course) regardless of marketing preferences.

14. Your Rights

Under UK GDPR, you have the following rights:

👁
Right of AccessTo request a copy of the personal data we hold about you.
✏️
Right to RectificationTo request correction of inaccurate or incomplete data.
🗑
Right to ErasureTo request deletion of your data where no overriding legal obligation requires us to retain it.
⏸
Right to RestrictionTo request that we limit the processing of your data in certain circumstances.
🚫
Right to ObjectTo object to processing based on legitimate interests.
📦
Right to Data PortabilityTo request your data in a structured, machine-readable format.
↩️
Right to Withdraw ConsentTo withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.
🤝
Automated Decision-MakingTo request human review of any decision made solely by automated means. Our AI outreach always involves human review before action is taken.

To exercise any of these rights, please contact us at fran@goal17.global. We will respond within one calendar month.

15. How We Keep Your Data Safe

We implement a range of technical and organisational measures to protect your personal data, including:

Encrypted cloud storage and role-based access controls across all platforms
Password protection and multi-factor authentication for staff access to systems
Staff training in data protection, information security, and safeguarding
Data processing agreements with all third-party processors
A documented Information Security Policy, reviewed regularly
Secure access protocols for The Goal17 Learning Platform, Scorecards, and Monday.com
Scheduled security audits and reviews

No system can guarantee absolute security online. If you believe your data may have been compromised, please contact us immediately at fran@goal17.global. We have a data breach response procedure in place and will notify the ICO within 72 hours where required.

16. External Links

Our platforms and website may contain links to third-party websites. Goal 17 Ltd is not responsible for the privacy practices or content of those sites. We recommend reviewing the privacy policy of any external site before providing personal data.

17. Changes to This Policy

This policy is reviewed at least annually and updated as required. The current version is always available at goal17.global/privacy. Where changes are material, we will notify affected individuals by email or via our platforms where appropriate.

18. Contact Us and How to Complain

For any questions, concerns, or to exercise your data rights: