Last updated: 03 November 2025
1) Who we are and how to contact us
Controller: The Innovation Management Society Ltd (company limited by guarantee), Company No. 16577518, trading as The Institute of Innovation Management. This notice applies to the Institute of Innovation Management ("IIM") and the website https://theiim.org.
Registered office: As per Companies House
Contact for privacy matters: theteam@theiim.org
You can also write to us at the registered office marked “FAO: Privacy”. You have the right to complain to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, SK9 5AF, Tel 0303 123 1113.
2) Purpose and scope of this notice
This privacy notice explains what personal data we collect, how and why we use it, the legal bases we rely on, who we share it with, how long we keep it, and your rights. It covers your interactions with theiim.org, email or form enquiries, newsletter subscriptions, membership applications and administration, invoicing and payments, and registration for IIM events.
3) The data we collect (limited data approach)
We collect the minimum personal data needed to run our services:
• Contact enquiries – name, email, organisation, role (optional), and your message.
• Newsletter sign‑ups – email (name optional).
• Membership – name, email, organisation, role, professional interests, membership category and status, communications preferences; optional CPD/attendance records for IIM activities.
• Events – name, email, organisation, role; optional access or dietary information you choose to provide.
• Payments and invoices – payer name, billing address, email, invoice details, payment status; card details are processed securely by our payment provider(s) and are not stored by IIM.
• Technical data – essential cookies or similar technologies needed for security and service reliability. We avoid non‑essential tracking by default; if introduced, we will ask for consent first.
We do not deliberately collect special category data. If you volunteer sensitive information (e.g., accessibility needs), we will use it only for that specific purpose and protect it accordingly.
4) Where we get your data from
• Directly from you (forms, emails, membership and event registrations).
• Automatically through essential technical measures that keep our site secure and reliable.
• From service providers acting on our instructions (e.g., invoicing, email, productivity, event platforms).
5) Why we use your data and our lawful bases
• Responding to enquiries – to reply and provide information. Legal basis: legitimate interests.
• Newsletters and updates – to send IIM news and events. Legal basis: consent (unsubscribe anytime).
• Membership administration – to process applications, manage your account, deliver benefits, and maintain records. Legal basis: contract; legitimate interests for service communications.
• Events – to administer registrations, send joining instructions, and manage attendance; where you provide health‑related information (e.g., access needs), we rely on your explicit consent. Legal basis: contract; explicit consent (for any special category data you provide).
• Invoicing and payments – to issue invoices, record payments, and meet tax and accounting obligations. Legal basis: contract and legal obligation.
• Site security and reliability – to protect our services from misuse and ensure availability. Legal basis: legitimate interests.
6) Who we share your data with (no selling)
We do not sell your personal data. We may share it with:
• Service providers acting as processors under contract (e.g., productivity/email suite, cloud hosting, invoicing and payment providers, and an events platform).
• Professional advisers (e.g., legal and accounting) where necessary.
• Authorities where required by law or to protect rights, safety, and security.
7) International data transfers
Some providers may process data outside the UK. Where transfers are to the United States, we may use vendors certified under the UK Extension to the EU‑US Data Privacy Framework (the “UK‑US data bridge”). Where the data bridge does not apply, we use appropriate safeguards (e.g., the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with UK addendum) supported by transfer risk assessments. We only use reputable providers with appropriate security and contract terms.
8) How long we keep your data
We keep personal data only for as long as necessary for the purposes described:
• Enquiry emails – up to 24 months after last meaningful contact.
• Newsletter records – until you unsubscribe (plus a short suppression period to honour your opt‑out).
• Membership records – for the duration of membership and generally up to 7 years after it ends (to maintain accurate records and meet accounting requirements).
• Event records – up to 3 years after the event (or longer if needed for financial records).
• Invoices and payment records – 6 years from the end of the financial year to which they relate.
• Security logs – up to 90 days unless investigation requires a longer period.
We securely delete or anonymise data at the end of these periods.
9) Cookies and similar technologies
We currently use only essential cookies/technologies required to operate the site securely. If we introduce non‑essential analytics or marketing cookies, we will show a clear banner and provide “accept/reject/manage” choices, and will set non‑essential cookies only with your consent. A separate Cookie Policy (with a cookie table) will be provided if/when we use non‑essential cookies.
10) AI‑assisted productivity tools
We use a cloud productivity suite with AI‑assisted features (e.g., drafting and summarisation) to handle emails and documents. These tools may process your personal data as part of providing the features. We do not permit providers to use your content to train their public models, and we configure available enterprise settings to respect confidentiality. We do not carry out automated decision‑making that produces legal or similarly significant effects without human involvement.
11) Your rights
You have rights under UK GDPR, including to: be informed; access; rectification; erasure; restriction; portability; and to object to processing based on legitimate interests. Where we rely on consent, you can withdraw it at any time. To exercise your rights, contact us using the details in Section 1. You also have the right to complain to the ICO.
12) Children
Our services are aimed at adults. If we ever offer an online service directly to children on the basis of consent, the UK age at which a child can consent in their own right is 13. We would implement age‑appropriate information and consent measures.
13) Security
We take appropriate technical and organisational measures to protect personal data, including encryption in transit, role‑based access, and vendor due diligence. No method of transmission or storage is perfectly secure; if a personal‑data incident occurs, we will assess the risk and act in line with our legal obligations.
14) Changes to this notice
We may update this notice to reflect changes in our services, providers, or the law. Significant changes will be clearly signposted on this page. The date at the top shows the latest update.
Website Disclaimer
• General information only – Content on the website is for general information and is not professional advice.
• No guarantee – We endeavour to keep content accurate and up to date but make no representations or warranties, express or implied, regarding completeness, accuracy, reliability or availability.
• Third‑party links – Links do not imply endorsement. We are not responsible for external content or practices.
• Liability – To the maximum extent permitted by law, we are not liable for any loss or damage arising from use of the site or reliance on its content, or from downtime or errors.
• Changes – We may change website content at any time without notice.
— End of policy —