Privacy & GDPR Policy
Last Updated: 28 October 2025
1. Introduction
This Privacy and GDPR Policy explains how Board Secure Limited (“we”, “us”, “our”), trading as Governance360, collects, uses, stores, and protects your personal data.
Company Details:
- Registered Name: Board Secure Limited
- Company Number: 11363367
- Registered Address: Alacrity House, Moderator Wharf, Kingsway, Newport, Wales, NP20 1HG
- VAT Number: 317342813
- ICO Registration Number: ZA509974
- Email: support@governance360.com
This policy applies to:
- Our website at www.governance360.com
- Our platform at governance360.app
- Our Director Learning Academy at www.directoracademy.co.uk
- All services provided under the Governance360 brand
Plain English Note: This policy tells you what information we collect about you, why we collect it, how we use it, and what rights you have. We’re required by UK law (specifically the UK GDPR) to give you this information. We’ve tried to make it as clear as possible.
2. Who We Are and What We Do
Governance360 is a B2B SaaS platform that provides:
- Platform Subscription Service: A governance management platform for organisations (typically purchased on annual subscription)
- Director Learning Academy: Individual learning modules that can be purchased and consumed by your organisation’s directors and board members
We work exclusively with business customers in the UK. We do not sell directly to consumers.
Plain English Note: We only work with businesses, not individual consumers. If you’re reading this, you’re either someone at an organisation that uses our services, or you’re considering using our services for your organisation.
3. Important Definitions
Before we continue, here are some important terms we’ll use:
| Term | What It Means |
| --- | --- |
| Data Controller | The organisation that decides why and how personal data is processed. When you use our platform to manage your board’s information, you are the Data Controller for your board members’ data. |
| Data Processor | An organisation that processes personal data on behalf of a Data Controller. When we store your board’s data on our platform, we are the Data Processor and you are the Data Controller. |
| Personal Data | Any information relating to an identifiable person (name, email address, IP address, etc.). |
| Your Board’s Personal Data | Any information about your board members that you choose to enter into our platform. |
| Director Learning Academy User | An individual within your organisation who accesses learning modules through the Director Learning Academy. |
Plain English Note: These legal terms matter because they determine who’s responsible for what. When you put your board members’ information into our platform, you’re in charge of that data – we just store and process it for you. This means you have certain responsibilities to your board members under GDPR, and we have responsibilities to you as our customer.
4. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- The right to be informed – You have the right to know what data we collect and how we use it (that’s what this policy does)
- The right of access – You can request a copy of the personal data we hold about you
- The right to rectification – You can ask us to correct inaccurate data
- The right to erasure – You can ask us to delete your personal data (subject to certain conditions)
- The right to restrict processing – You can ask us to limit how we use your data
- The right to data portability – You can request your data in a format that allows you to move it elsewhere
- The right to object – You can object to certain types of processing
- Rights related to automated decision-making and profiling – You have protections against solely automated decisions (we don’t use these)
Plain English Note: These are your legal rights. In practice, this means you can ask us what information we have about you, ask us to correct it if it’s wrong, or ask us to delete it. We’ll explain how to exercise these rights later in this policy.
5. What Personal Data We Collect
The personal data we collect depends on your relationship with us:
5.1 If You’re a Platform Subscriber (Account Holder)
We collect:
- Name and job title
- Company name and address
- Email address and telephone number
- Billing and payment information
- IP address and device information
- Login credentials (securely encrypted passwords)
- Usage data (how you use the platform)
- Communications with our support team
5.2 If You’re a Platform User (Within a Subscriber Organisation)
We collect:
- Name and email address
- Job title and role
- Login credentials (securely encrypted passwords)
- Usage data (how you use the platform)
- Information you choose to add to the platform
5.3 If You Purchase Director Learning Academy Modules
We collect:
- Name and email address
- Organisation name
- Billing and payment information
- Module purchase history
- Module completion data
- IP address and device information
5.4 Your Board’s Personal Data (That You Add to the Platform)
When you use our platform, you may add information about your board members and governance activities. This might include:
- Names and contact details of board members
- Meeting attendance records
- Documents and papers
- Actions and decisions
- Other governance-related information
Important: We have designed our platform to avoid storing sensitive personal data (as defined by GDPR). Please do not use the platform to store sensitive categories of data such as health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or data concerning sex life or sexual orientation.
Plain English Note: We collect different information depending on how you interact with us. If your organisation subscribes to our platform, we need your business contact details and payment information. If you’re using the platform within an organisation, we just need enough to set up your account. For the Learning Academy, we need to know who purchased what and track your progress through the modules.
The most important thing to understand: any information you put into the platform about your board members is your data, not ours. You control it, and you’re responsible for making sure you have the right to put it there.
6. How We Collect Personal Data
We collect personal data through:
- Direct interactions – When you sign up, make purchases, contact support, or use our services
- Automated technologies – When you use our website and platform (via cookies and similar technologies – see our separate Cookie Policy)
- Your input – When you add information about your board to the platform
- Third parties – Payment processors and technology service providers (see Section 11)
Plain English Note: Most of the information we have about you is information you’ve given us directly. Some is collected automatically (like which pages you visit on our website), and some comes from payment companies when you make a purchase.
7. Why We Collect and Use Your Personal Data (Legal Basis)
Under UK GDPR, we must have a legal basis for processing your personal data. Here’s what we collect and why:
7.1 Contract Performance (Providing Our Services)
We use your personal data to:
- Set up and manage your subscription account
- Provide access to the platform
- Process Director Learning Academy purchases
- Deliver learning modules
- Provide customer support
- Send service-related communications (e.g., renewal reminders, service updates)
Legal Basis: This processing is necessary for us to fulfil our contract with you.
7.2 Legitimate Interests
We use your personal data to:
- Improve our services and develop new features
- Analyse platform usage to enhance user experience
- Prevent fraud and ensure platform security
- Maintain business records
- Exercise or defend legal claims
Legal Basis: These activities are in our legitimate business interests, balanced against your rights and freedoms.
7.3 Consent (Marketing Communications)
With your explicit consent, we may:
- Send you email newsletters about governance best practices
- Contact you about new features or services
- Invite you to webinars or events
- Send promotional offers for the Director Learning Academy
You can withdraw consent at any time by clicking “unsubscribe” in any marketing email or contacting us directly.
Legal Basis: Your explicit consent, which you can withdraw at any time.
7.4 Legal Obligations
We may process your personal data to:
- Comply with accounting and tax requirements
- Respond to lawful requests from authorities
- Meet regulatory obligations
Legal Basis: Compliance with legal obligations.
Plain English Note: We need different types of permission to use your data for different purposes. We can use it to provide the service you’ve paid for (that’s part of our contract). We can use it for legitimate business reasons like improving the service or keeping you safe from fraud. For marketing, we need your specific permission, and you can change your mind at any time. Finally, sometimes the law requires us to process data, and we have no choice about that.
8. Director Learning Academy – Specific Terms
The Director Learning Academy operates as a product-based business with the following important terms:
8.1 Purchase and Access
- Modules are individual products purchased for single use
- Once a module is opened or started, access to the content is granted
- Each module is licensed for use by the named purchaser only
8.2 No Refund Policy
Once a learning module is opened, started, or accessed, it cannot be refunded. This is because:
- Digital content is delivered immediately
- The product is consumed upon access
- We cannot “take back” knowledge or content once delivered
Exceptions may be made only in cases of:
- Technical failure that prevents access (we’ll fix it or refund)
- Duplicate purchases made in error (within 48 hours, before opening)
8.3 Data We Collect
For the Director Learning Academy, we collect and store:
- Purchase records (who bought what, when)
- Access logs (when modules were opened)
- Progress data (completion status, time spent)
- Assessment results (if applicable)
- Certificate generation data (if applicable)
This data is retained to:
- Prevent fraudulent claims
- Maintain accurate business records
- Provide proof of completion
- Improve course content
Plain English Note: The Learning Academy is like buying a book or a film online – once you’ve opened it and started reading or watching, you can’t return it. We keep records of what you’ve purchased and how far you’ve progressed through the modules. This protects both you (you have proof of completion) and us (we can prove what was delivered).
9. How Long We Keep Your Personal Data
We retain personal data only for as long as necessary. Here are our retention periods:
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Active platform subscription data | Duration of subscription + 6 years | Contract performance and legal obligations (UK tax law) |
| Inactive User account data | 12 months after subscription ends, then deleted (unless legal obligation requires retention) | We give you time to reactivate your account |
| Director Learning Academy purchase records | 6 years from purchase | UK tax and accounting requirements |
| Director Learning Academy completion data | Indefinitely (unless deletion requested) | To provide ongoing proof of completion |
| Marketing consent records | Until consent is withdrawn + 3 years | To prove compliance with consent requirements |
| Your board’s personal data | As long as you choose to keep it on the platform | You control this data |
| Financial records | 6 years | UK tax law requirement |
| Support communications | 3 years | Business records and service improvement |
Deleting Your Board’s Data
If you are a platform subscriber, you can:
- Delete individual records, documents, or board members at any time through the platform
- Request bulk deletion of all your board’s data by contacting us (we’ll complete this within 30 days)
- Important: Once deleted, data cannot be recovered by you or by us
Plain English Note: We don’t keep your data forever. Most information is kept for as long as you’re a customer, plus 6 years (that’s how long UK tax law requires us to keep financial records). The exception is Learning Academy completion records – we keep these indefinitely so you can always prove you completed a module, but you can ask us to delete them if you want.
The information you put into the platform about your board is different – you’re in control. You can delete it anytime, or we can delete it all for you if you ask.
10. How We Protect Your Personal Data
We take data security seriously and implement appropriate technical and organisational measures, including:
10.1 Technical Security Measures
- Data encryption in transit (TLS/SSL) and at rest
- Secure, password-protected access with strong password requirements
- Regular security updates and patching
- Firewall protection and intrusion detection
- Regular security testing and vulnerability assessments
- Secure backup systems with encryption
10.2 Organisational Measures
- Staff training on data protection
- Access controls (staff only access data when necessary)
- Confidentiality agreements with all staff
- Incident response procedures
- Regular policy reviews
10.3 Data Breach Procedures
In the unlikely event of a data breach affecting your personal data, we will:
- Assess the breach within 24 hours of discovery
- Notify the Information Commissioner’s Office (ICO) within 72 hours if required by law
- Notify affected individuals without undue delay if there is a high risk to their rights and freedoms
- Take immediate steps to contain and remediate the breach
- Document the breach and our response
For more detailed information about our security measures, please visit: www.governance360.com/security-measures
Plain English Note: We use industry-standard security measures to protect your data, including encryption, secure passwords, and strict controls over who can access what. We also have a plan ready if something goes wrong. While no system is 100% secure, we do everything reasonably possible to keep your data safe.
11. Who We Share Your Personal Data With
We do not sell your personal data to anyone. We only share it in the following limited circumstances:
11.1 Service Providers (Data Processors)
We use trusted third-party service providers to help us operate our business. These may include:
- Cloud hosting providers – To store data securely
- Payment processors – To handle subscription payments and Learning Academy purchases
- Email service providers – To send service updates and (with your consent) marketing
- Customer support tools – To manage and respond to your enquiries
- Analytics providers – To understand how our platform is used (anonymised where possible)
All service providers:
- Are contractually bound to protect your data
- Can only use your data for the specific purposes we’ve instructed
- Must meet our security and data protection standards
- Are regularly reviewed and audited
You can see a full list of our sub-processors here.
11.2 Legal Requirements
We may be required to share personal data:
- To comply with a court order or legal obligation
- To enforce our terms and conditions
- To protect our rights, property, or safety, or that of others
- In connection with the prevention or detection of crime
11.3 Business Transfers
If we sell our business or merge with another company, your personal data may be transferred to the new owner (only if they agree to protect it according to this policy).
We never share your board’s personal data stored on the platform with third parties – that’s your data, not ours to share.
Plain English Note: We use other companies to help run our business (like hosting companies that store data, or payment companies that process your credit card). These companies are carefully chosen and contractually required to protect your data. We only share what’s necessary for them to do their job. We might also have to share data if the law requires it, but we’ll only do this when legally obliged. The information you’ve put into the platform about your board stays private – we don’t share it with anyone.
12. International Data Transfers
We aim to store all data within the UK. However, some of our service providers may process data outside the UK or European Economic Area (EEA) in countries that may not have equivalent data protection laws.
When we transfer data internationally, we ensure appropriate safeguards are in place:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to Standard Contractual Clauses (SCCs)
- Adequacy decisions – We may transfer to countries the UK government has deemed to provide adequate protection
- Additional security measures – Including encryption, pseudonymisation, and access controls
You have the right to request information about:
- Which countries your data is transferred to
- The safeguards in place for those transfers
Plain English Note: We try to keep everything in the UK, but some of the companies we use to run our service (like cloud hosting or payment processing) might store data abroad. When this happens, we use special legal contracts approved by UK regulators to make sure your data stays protected to UK standards, even when it’s stored overseas.
13. Your Responsibilities as a Data Controller
This section is important if you are a platform subscriber.
When you use our platform to store information about your board members, you are the Data Controller and we are the Data Processor. This means you have specific obligations under UK GDPR to your board members:
13.1 Your Obligations
You must:
- Have a lawful basis for processing your board members’ personal data
- Inform your board members that their data is stored on the Governance360 platform
- Provide your board members with privacy information (you may reference this policy or provide your own)
- Ensure you have appropriate consent or another legal basis before adding their data
- Only store data that is necessary and relevant
- Not store sensitive categories of personal data on the platform (health data, etc.)
- Respond to data subject requests from your board members (access requests, deletion requests, etc.)
13.2 How We Support You
As your Data Processor, we:
- Process your board’s data only according to your instructions
- Provide tools for you to export data (usually in CSV format) upon request
- Enable you to delete data from the platform
- Assist with data subject access requests where reasonably required
- Maintain appropriate security measures
- Notify you immediately if we receive any direct requests from your board members
13.3 Template Privacy Notice for Your Board Members
To help you meet your obligations, we can provide you with a template privacy notice to share with your board members. However, we cannot verify the legal validity of this template for your specific circumstances – you should have it reviewed by your own legal advisers before use.
Plain English Note: This is really important to understand. When you put information about your board members into our platform, you’re the one in charge of that data under the law, not us. You need to make sure you have the right to put it there, and you need to tell your board members what you’re doing with their information. We’ll help you by providing secure storage and tools to manage the data, but the legal responsibility sits with you. If you’re unsure about any of this, speak to a solicitor or data protection adviser.
14. Cookies and Tracking Technologies
We use cookies and similar technologies on our website and platform. For detailed information about what cookies we use and why, please see our separate Cookie Policy.
In summary:
- Essential cookies – Required for the platform to function
- Analytics cookies – Help us understand how people use our services (with your consent)
- Marketing cookies – Allow us to show you relevant content (with your consent)
You can control cookie settings through our cookie banner and your browser settings.
Plain English Note: Cookies are small files stored on your device that help our website work properly and remember your preferences. Some are essential (the platform won’t work without them), others help us improve our service or show you relevant content. You can choose which types you’re happy with.
15. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
Plain English Note: We don’t use systems that make important decisions about you automatically without human involvement.
16. Children’s Privacy
Our services are designed for business use only. We do not knowingly collect personal data from anyone under the age of 18. If we discover we have inadvertently collected data from someone under 18, we will delete it promptly.
Plain English Note: Our service is for businesses only, not for children. If someone under 18 has somehow used our service, we’ll delete their information as soon as we find out.
17. How to Exercise Your Rights
You can exercise any of your rights by contacting us using the details below. Here’s what to do for common requests:
17.1 Access Your Personal Data (Subject Access Request)
To request a copy of the personal data we hold about you:
- Email us at: support@governance360.com (For the attention of: Clive Bawden)
- Confirm your identity (we may ask for proof to protect your data)
- Specify what information you’d like (we can provide a Subject Access Request Form if helpful)
We’ll respond within one month (free of charge unless your request is manifestly unfounded or excessive).
17.2 Export Your Board’s Data
If you want to export the information you’ve stored about your board:
- Contact us at support@governance360.com
- We’ll provide the data in a portable format (usually CSV)
- This is typically done within 5 working days
17.3 Delete Your Personal Data (Right to Erasure)
To delete your personal data:
If you’re a platform user: Contact your organisation’s account administrator, or contact us directly at support@governance360.com
If you’re an account holder wanting to delete your board’s data:
- You can delete individual records through the platform interface at any time
- For bulk deletion of all data, contact us at support@governance360.com – we’ll complete deletion within 30 days
- Warning: Once deleted, data cannot be recovered
17.4 Correct Inaccurate Data
To correct information we hold about you:
- Platform users can update their profile information directly
- Account holders can contact support@governance360.com
- We’ll update information within 5 working days
17.5 Withdraw Marketing Consent
To stop receiving marketing communications:
- Click “unsubscribe” in any marketing email
- Contact support@governance360.com
- Update your preferences in your account settings (where available)
17.6 Object to Processing or Restrict Processing
If you want to object to how we process your data or ask us to restrict processing:
- Email support@governance360.com explaining your objection
- We’ll respond within one month
Plain English Note: You can contact us at any time to see what information we have about you, ask us to correct it, or ask us to delete it. For most requests, just email our support team and they’ll help you. We aim to respond within a month, but usually much faster.
18. Making a Complaint
We hope you’ll give us the chance to resolve any concerns you have about how we handle your personal data. However, you have the right to complain to the UK’s data protection authority:
Information Commissioner’s Office (ICO)
- Website: www.ico.org.uk
- Telephone: 0303 123 1113
- Online: Use the ICO’s online reporting tool
Plain English Note: If you’re not happy with how we’ve handled your data, please let us know first so we can put things right. If you’re still not satisfied, you can complain to the ICO, which is the official regulator for data protection in the UK.
19. Contact Us
For any questions about this Privacy Policy or how we handle your personal data:
- Data Protection Contact: Clive Bawden
- Email: support@governance360.com
- Post: Board Secure Limited, Alacrity House, Moderator Wharf, Kingsway, Newport, Wales, NP20 1HG
Plain English Note: If you have any questions about this policy or your data, just get in touch. We’re here to help.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in law or regulatory requirements
- Changes to our services
- Changes to how we process data
When we make changes:
- We’ll update the “Last Updated” date at the top of this policy
- We’ll make the new version available on this page
- For significant changes, we’ll notify active subscribers by email
- Platform users will be notified through the platform interface
We recommend you review this policy periodically to stay informed about how we protect your personal data.
Plain English Note: Laws change, our business changes, and sometimes we need to update this policy. When we do, we’ll always publish the new version here and let you know if the changes are significant. It’s worth checking back occasionally to stay up to date.
21. Governing Law
This Privacy Policy is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.
Plain English Note: This policy follows UK law, specifically English and Welsh law. If there’s ever a legal dispute about it, it would be dealt with in English or Welsh courts.
Last Updated: 28 October 2025 Version: 1.0
© 2025 Board Secure Limited trading as Governance360. All rights reserved.
