Privacy Policy

Effective date: 14/05/2026

Last updated: 14/05/2026

At a glance

This Privacy Policy explains how Evolve Catalyst LTD handles personal data. We are committed to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  • We are the data controller for personal data about website visitors, prospects, clients, newsletter subscribers, and customers of our digital products.
  • Where we handle personal data on behalf of a client charity (for example, setting up their CRM), we act as a data processor. That work is also governed by a separate Data Processing Agreement.
  • You have rights over your personal data, including the right to access, correct, delete, or object to how we use it. We explain how to exercise them in section 9.
  • If you have concerns, contact us at [email protected]. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

1. Who we are

This Privacy Policy is published by Evolve Catalyst LTD, a company registered in England and Wales (company number 16007722), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

In this Policy:

  • “we”, “us”, and “our” mean Evolve Catalyst LTD;
  • “you” means the person whose personal data is being processed;
  • “Personal Data” has the meaning given in the UK GDPR.

For most of what’s described in this Policy, we are the data controller. This means we decide why and how your personal data is used. Where we process personal data on behalf of a client charity, we are a data processor, and the client is the controller – see section 11.

2. What this Policy covers

This Policy covers personal data we collect when you:

  • visit our website at www.evolvecatalyst.org;
  • subscribe to our newsletter or download a free resource;
  • buy a digital product from our products store at products.evolvecatalyst.org;
  • book a discovery call or contact us;
  • engage us for consultancy services, projects, or subscriptions;
  • listen to or interact with our podcast and other content.

This Policy does not cover the personal data that third-party platforms (such as YouTube, LinkedIn, or Spotify) collect when you use them – that’s governed by their own privacy policies.

3. Personal data we collect

3.1 Information you give us directly

We collect personal data when you:

  • Sign up to our newsletter or download a lead magnet: your name, email address, and any preferences you choose.
  • Buy a digital product: your name, email address, billing address, and payment details (which are handled directly by Stripe, not by us).
  • Book a discovery call or complete the intake form: your name, email address, charity or organisation name, phone number, and information about what you’d like to discuss.
  • Engage us for services: any information you share as part of the engagement, including (depending on the project) governance details, trustee details, beneficiary information, donor details, and other information relevant to the work.
  • Contact us: your name, email address, the content of your message, and any information you choose to share.

3.2 Information we collect automatically

When you visit our website, we automatically collect:

  • technical information (browser type, device type, operating system, IP address);
  • usage information (pages you visit, time spent, navigation patterns);
  • cookies and similar technologies (see section 8 and our Cookie Policy).

4. How we use personal data and our lawful basis

Under UK GDPR, we can only process personal data when we have a lawful basis. We rely on different bases for different activities:

4.1 Performance of a contract

We use your personal data to provide services you’ve engaged us for. This includes processing your intake form, issuing invoices, delivering the engagement, and corresponding with you during and after the work.

4.2 Legitimate interests

We rely on legitimate interests for activities where the processing is reasonable, expected, and not overridden by your rights. This includes:

  • responding to enquiries you make through the website or by email;
  • understanding how our website is used so we can improve it;
  • protecting our website and systems from security threats;
  • conducting prospect outreach where we have a reasonable expectation of interest (e.g. following up after a discovery call).

You can object to processing based on legitimate interests at any time – see section 9.

4.3 Consent

We rely on your consent for:

  • sending you marketing emails (newsletters and similar);
  • setting non-essential cookies on your device.

You can withdraw consent at any time. For marketing emails, click the unsubscribe link in any email or email us at [email protected]. For cookies, manage your preferences through our cookie banner.

4.4 Legal obligation

We process some personal data to comply with legal obligations, including:

  • keeping accounting records (HMRC requires 6 years);
  • responding to lawful requests from regulators, courts, or law enforcement.

5. Marketing emails

We use Mailerlite to send marketing emails (such as our newsletter, charity sector updates, and announcements about our services and resources). People are added to our mailing list when they:

  • subscribe through a sign-up form on our website;
  • download a free resource or lead magnet;
  • buy a digital product (in which case you’ll be asked separately whether you want to opt in);
  • book a discovery call with us (in which case you’ll be asked separately whether you want to opt in).

In every case, we ask for clear, opt-in consent before adding anyone to a marketing list. We keep records of when and how consent was given.

Every marketing email includes a one-click unsubscribe link. You can also email us at [email protected] to be removed.

We comply with the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR) for all marketing communications.

6. Who we share your personal data with

We don’t sell your personal data to anyone. We share it only with:

6.1 Our service providers

We use third-party providers (“sub-processors”) to help us run our business and deliver services. The current list is in section 7 below. They process personal data only on our instructions and are bound by contract to protect it.

6.2 Professional advisers

Where necessary, we may share personal data with our accountants, solicitors, insurers, or other professional advisers in connection with running our business.

6.3 Authorities

We may share personal data if required by law – for example, to comply with a court order, a request from HMRC, or a request from the Information Commissioner’s Office or another regulator.

6.4 Business transfers

If we ever sell or restructure the business, personal data may be transferred as part of the transaction. We’d take reasonable steps to keep your data confidential and notify you where required.

7. Sub-processors we use

We use the following sub-processors to help us deliver our services. This list is current as of the last updated date at the top of this Policy. We will update this list if we change sub-processors and notify clients with active Data Processing Agreements as required.

7.1 Sub-processors used across our work

Provider

Purpose

Location & transfer mechanism

Hostinger International Ltd

Primary email hosting and website hosting

Registered in Cyprus; data processed in UK, Netherlands, Lithuania, or Cyprus

Microsoft Corporation

OneDrive (cloud storage), Microsoft Teams, Outlook (secondary email)

United States; UK Extension to EU-US Data Privacy Framework / UK IDTA

Google LLC

Gmail (secondary email), Google Drive (secondary cloud storage), Google Analytics, Google Tag Manager

United States; UK Extension to EU-US Data Privacy Framework

Airtable, Inc.

Client intake forms and client management

United States; UK IDTA / SCCs

Stripe Payments Europe, Limited (SPEL)

Payment processing

Ireland; some processing in United States; UK Extension to EU-US Data Privacy Framework

MailerLite

Email marketing and newsletters

Lithuania / EU

ClickUp, Inc.

Project management

United States; UK IDTA / SCCs

Zoom Video Communications, Inc.

Video calls and meeting recordings (where used)

United States; UK IDTA / SCCs

Cal.com (primary) and Calendly (secondary)

Discovery call bookings

United States; UK IDTA / SCCs

WeTransfer B.V.

File transfers (where used)

Netherlands / EU

FileTransfer.io

File transfers (where used)

Verify at filetransfer.io/privacy

Cookiebot (Cybot A/S)

Cookie consent management

Denmark / EU

7.2 Sub-processors used only during setup engagements

These providers are used only during specific setup engagements (such as setting up a CRM or email marketing system for a client). Once the system is handed over to the client, we no longer process personal data through these tools – the client uses them directly.

Provider

Purpose

Location

Salesforce, Inc.

CRM setup

United States

ActiveCampaign LLC

Email marketing setup

United States

7.3 Sub-contractors

We may engage individual sub-contractors (such as designers, developers, or writers) to assist with delivering services. Where sub-contractors handle personal data, they are bound by written confidentiality and data protection obligations.

7.4 International transfers

Some of the providers above are based outside the UK (mainly the United States and the EEA). When personal data is transferred outside the UK, we rely on safeguards required by the UK GDPR. The current safeguards used for each non-UK provider are noted in the tables above.

8. Cookies and similar technologies

We use cookies and similar technologies on our website. A cookie is a small file stored on your device when you visit a website.

When you first visit our website, you’ll see a cookie banner managed by Cookiebot. Non-essential cookies (including Google Analytics and any advertising or tracking cookies) are blocked until you give consent. You can change your preferences at any time by clicking the cookie banner icon on any page.

The full list of cookies we use – including their purpose, duration, and the provider – is in our Cookie Policy at https://www.evolvecatalyst.org/cookies/.

Cookies fall into four categories on our site:

  • Necessary cookies: required for the website to function. These don’t need consent.
  • Preferences cookies: remember your settings. These need consent.
  • Statistics cookies: help us understand how the website is used (Google Analytics). These need consent.
  • Marketing cookies: track your activity for advertising purposes. These need consent.

9. Your data protection rights

Under the UK GDPR, you have the following rights over your personal data:

  • Right to access: ask for a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: ask us to delete your personal data (subject to legal obligations that may require us to retain it).
  • Right to restrict processing: ask us to pause processing in certain circumstances.
  • Right to data portability: ask us to provide your data in a structured format or transmit it to another controller, where technically feasible.
  • Right to object: object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent: withdraw consent at any time where we process on the basis of consent.
  • Right not to be subject to automated decision-making: we don’t carry out automated decision-making that produces legal effects, but if we ever do, you have rights to challenge it.

To exercise any of these rights, email us at [email protected]. We may ask for proof of identity before responding (to make sure we don’t release personal data to the wrong person). We’ll respond within one month.

If you’re not happy with how we handle a request, you can complain to the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We’d appreciate the chance to address your concerns directly first.

10. How long we keep personal data

We keep personal data only for as long as we need it. Specific retention periods are:

Type of data

Retention period

Client engagement records (Engagement Letter, deliverables, invoices)

6 years after the engagement ends (matches the contract limitation period and HMRC accounting requirements)

Prospect notes and discovery call records (for prospects who didn’t engage)

4-5 years

Marketing email subscribers

Until you unsubscribe, plus 30 days to process the request and to maintain a suppression record

Website contact form enquiries

2-3 years from your last contact with us

Cookies and website analytics data

Up to 1 year, depending on the cookie (see Cookie Policy)

Personal data processed on behalf of clients

Returned or deleted at the end of the engagement, in line with the relevant Data Processing Agreement

After these periods, we securely delete or anonymise the data. Where the law requires longer retention (for example, tax records), we keep only what’s necessary and protect it appropriately.

11. When we act as a data processor

Some of our engagements involve us handling personal data on behalf of a client charity. Examples include setting up a CRM with their donor list, configuring email marketing with their subscribers, or managing data within systems we set up for them.

In these cases, the client is the data controller and we are the data processor. The relationship is governed by a separate Data Processing Agreement (DPA), which sets out:

  • the specific processing being carried out;
  • the types of data and categories of data subjects;
  • the security measures in place;
  • how we handle data breaches, data subject rights requests, and the return or deletion of data at the end of the engagement.

If you’re a beneficiary, donor, or other person whose data is being processed by us on behalf of a charity, please contact that charity in the first instance – they are the controller of your data and the right point of contact for questions about it.

12. Children

Our services and content are aimed at adults (18 and over). We do not knowingly collect personal data from anyone under 18. If you’re a parent or guardian and you believe your child has provided personal data to us, please email [email protected] and we will delete it.

13. Links to other websites

Our website includes links to other websites (for example, social media platforms, partner organisations, and regulator websites). We’re not responsible for the privacy practices of those sites. Check their own privacy policies before sharing personal data.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is always at https://www.evolvecatalyst.org/privacy-policy/, with the effective date shown at the top.

For material changes, we’ll update the Last updated date and, where you’ve given us your email address, we may notify you by email. Continued use of our website or services after a change means you accept the updated Policy.

15. Contact us

If you have any questions about this Privacy Policy or how we handle personal data:

Evolve Catalyst LTD

Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Company number: 16007722

Email: [email protected]

We typically respond to data protection enquiries within 5 working days, and to formal requests under your data protection rights within one month (as required by UK GDPR).