Privacy Policy

Citizen Hub | Grove | Pesky Small Squad Limited
Version 1.0 | Last updated: 8 May 2025

1.  Who We Are

This Privacy Policy applies to the following organisations (referred to collectively as "we", "us", or "our" throughout this document):

  • Pesky Small Squad Limited (trading as Grove)
    Company number: 16366781 — a private limited company incorporated in England and Wales, whose registered office is at 58a Market Square, St. Neots, England, PE19 2AA. Pesky Small Squad Limited operates the national infrastructure and shared services platform for the Citizen Hub network, trading publicly as Grove.
  • Citizen Hub St Neots CIC
    Company number: 15598331 — a Community Interest Company incorporated in England and Wales, registered office at 58a Market Square, St. Neots, England, PE19 2AA. Citizen Hub St Neots CIC operates the Citizen Hub in St Neots, Cambridgeshire.
  • Citizen Hub South West London CIC
    Company number: 16637040 — a Community Interest Company incorporated in England and Wales, registered office at 267 The Broadway, London, England, SW19 1SD. Citizen Hub South West London CIC operates the Citizen Hub in South West London.

Each entity listed above is an independent data controller in respect of personal data it processes. Where Pesky Small Squad Limited processes personal data on behalf of a CIC (for example, where it operates shared systems), it acts as a data processor for that CIC.

This policy covers all three entities and should be read as applying to each one individually as well as collectively. Where a provision applies to one entity only, this is stated clearly.

You can contact us about privacy matters by emailing: info@citizenhub.co.uk.

2.  What Personal Data We Collect

We collect and process personal data in the following categories, depending on how you interact with us:

2.1  Data you provide to us directly

  • Name, email address, telephone number, and postal address
  • Information you share with us when registering for services, completing referral forms, or contacting us
  • Employment and skills information (for example, qualifications, employment history, career goals)
  • Health and wellbeing information, where you voluntarily share this and only to the extent necessary to refer you to appropriate support
  • Diversity and equality monitoring data (always optional)
  • Financial information where relevant (for example, if we assess benefit entitlements or financial resilience as part of our support offer)
  • Feedback, survey responses, and communications you send to us

2.2  Data collected automatically

  • Technical data when you visit our website(s), including IP address, browser type, device type, pages visited, and time of visit — collected via cookies and similar technologies (see Section 10)
  • Interaction data if you engage with us via social media platforms

2.3  Data received from third parties

  • Referral information from partner organisations, GPs, social prescribers, local authorities, or other agencies who refer individuals to us
  • Publicly available professional information (for example, from LinkedIn) in the context of partnership development

3.  How We Use Your Personal Data

We use personal data for the following purposes. For each purpose, we identify the legal basis we rely on under UK GDPR and, where applicable, the Data Protection Act 2018.

3.1  Delivering community services and support

We use personal data to provide health, social, skills, employment and enterprise support to individuals who engage with a Citizen Hub.

Legal basis: Performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR); and/or Legitimate interests (Article 6(1)(f) UK GDPR). Where health data is processed, we rely on substantial public interest (Article 9(2)(g) UK GDPR), supported by our Data Protection Policy and appropriate safeguards.

3.2  Social prescribing and onward referrals

Where you consent, or where it is in your vital interests, we may refer your details to a partner organisation, health service, or public authority for the purpose of connecting you with relevant support.

Legal basis: Consent (Article 6(1)(a) UK GDPR) or vital interests (Article 6(1)(d) UK GDPR), as appropriate to the circumstances.

3.3  Impact measurement and reporting

We record anonymised or pseudonymised data about the outcomes of our services for the purposes of measuring social impact, securing funding, and demonstrating accountability to funders and commissioners. Where possible, data used for reporting is aggregated and does not identify individuals.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — we have a legitimate interest in demonstrating the impact of our services.

3.4  Partnership and stakeholder engagement

We process contact details of partners, funders, commissioners, and stakeholders to manage relationships and develop partnerships.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).

3.5  Recruitment

When you apply for a role with us, we process your personal data to assess your application.

Legal basis: Pre-contractual steps taken at your request (Article 6(1)(b) UK GDPR).

3.6  Website and communications

We use technical data to maintain and improve our website, and may use your contact details to send you information about our activities where you have opted in.

Legal basis: Consent (Article 6(1)(a) UK GDPR) for marketing communications; legitimate interests (Article 6(1)(f) UK GDPR) for website analytics.

4.  Special Category and Sensitive Data

Some of the personal data we process may constitute "special category data" under UK GDPR — for example, health information, information about disability, mental health, or other sensitive characteristics.

We process this data only where:

  • You have given us explicit consent; or
  • Processing is necessary for reasons of substantial public interest, including the provision of social welfare and safeguarding (Schedule 1, Part 2 of the Data Protection Act 2018); or
  • Processing is necessary to protect your vital interests or those of another person where you are unable to give consent.

We maintain an Appropriate Policy Document as required by the DPA 2018 and apply the principle of data minimisation — collecting only the minimum special category data necessary for the specific purpose.

5.  Who We Share Your Personal Data With

We do not sell personal data. We may share personal data with:

5.1  Within the Citizen Hub network

Personal data may be shared between Pesky Small Squad Limited and individual Citizen Hub CICs where this is necessary for the delivery of services, national reporting, or shared system administration. Where Pesky Small Squad Limited processes data on behalf of a CIC, appropriate data processing agreements are in place.

5.2  Partner organisations and referral bodies

Where you have been referred to us by, or we refer you to, a partner organisation (such as a GP surgery, college, local authority, or charity), we may share relevant personal data to facilitate that referral. We will always seek your consent before sharing your data in this way, except where sharing is necessary to protect your vital interests.

5.3  Funders and commissioners

We may share anonymised or aggregated data with funders and commissioners for the purposes of reporting on outcomes. We will not share identifiable data with funders without your explicit consent unless required to do so by law.

5.4  Technology providers

We use third-party software providers to operate our CRM, website, and communications systems. These providers act as data processors under contract and may not use your data for their own purposes. Current categories of processor include:

  • CRM and case management software providers
  • Website hosting and analytics providers
  • Email and communications platforms

Where processors are based outside the UK, we ensure appropriate safeguards are in place (see Section 8).

5.5  Legal and regulatory requirements

We may disclose personal data where required to do so by law, court order, or a regulatory authority, including (but not limited to) the Information Commissioner's Office, HMRC, or the police.

5.6  Safeguarding

Where we have a safeguarding concern — for example, where we believe that you or someone else may be at risk of harm — we may share personal data with relevant authorities (such as social services or the police) without your consent where we are legally required or authorised to do so.

6.  How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law or regulatory guidance. Our standard retention periods are as follows:

  • Service user records: Retained for six years from the date of last contact, after which records are securely deleted or anonymised.
  • Referral records: Retained for three years from the date of referral.
  • Recruitment records (unsuccessful applicants): Six months from the date the role was filled.
  • Marketing consent records: Until consent is withdrawn.
  • Financial and accounting records: Six years, in accordance with HMRC requirements.
  • Safeguarding records: In line with statutory guidance, which may exceed the above periods.

At the end of the relevant retention period, personal data is securely deleted, anonymised, or disposed of in accordance with our secure disposal procedures.

7.  Your Rights Under UK GDPR

You have the following rights in relation to your personal data. Please note that some rights are not absolute and may be subject to conditions or exemptions:

  • Right of access (Subject Access Request): You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): You can ask us to delete your personal data in certain circumstances — for example, where we no longer need it.
  • Right to restrict processing: You can ask us to pause processing your data in certain circumstances.
  • Right to data portability: Where processing is based on consent or contract and carried out by automated means, you can ask us to transfer your data in a structured, machine-readable format.
  • Right to object: You have the right to object to processing based on legitimate interests or carried out in the public interest, including profiling. You also have an absolute right to object to direct marketing at any time.
  • Rights relating to automated decision-making and profiling: We do not use automated decision-making processes that have a significant effect on individuals.

To exercise any of these rights, please contact us at:

info@citizenhub.co.uk

We will respond to your request within one calendar month. We may need to verify your identity before processing your request. There is no charge for exercising your rights, unless a request is manifestly unfounded or excessive.

8.  International Transfers of Personal Data

Where we use third-party software providers whose infrastructure is located outside the United Kingdom, we ensure that any transfer of personal data outside the UK is subject to an appropriate safeguard recognised under UK GDPR, such as:

  • An adequacy decision made by the UK Secretary of State; or
  • Standard Contractual Clauses approved for use in the UK (the UK International Data Transfer Agreement or UK Addendum to the EU SCCs).

If you would like further information about the specific safeguards we have in place for international transfers, please contact us.

9.  How We Protect Your Data

We take the security of personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or disclosure. These measures include:

  • Password protection and role-based access controls for systems holding personal data
  • Use of secure, encrypted communications and file storage
  • Staff training on data protection responsibilities
  • Data processing agreements with all third-party processors
  • Regular review of our data protection practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and will notify affected individuals where required.

10.  Cookies and Similar Technologies

Our website(s) use cookies — small text files placed on your device — and similar technologies to help the site function correctly and to understand how it is used.

Types of cookies we use

  • Strictly necessary cookies: Required for the website to function. These cannot be switched off.
  • Performance and analytics cookies: Help us understand how visitors use the site (for example, via Google Analytics). These are only set with your consent.
  • Preference cookies: Remember your settings and choices. Set with your consent.

When you first visit our website, you will be shown a cookie banner giving you the opportunity to accept or reject non-essential cookies. You can change your preferences at any time via the cookie settings link in the footer of our website.

For further information about managing cookies, please visit:

https://www.allaboutcookies.org

11.  Summary of Legal Bases

The table below summarises the primary legal bases we rely on under UK GDPR:

  • Article 6(1)(a) — Consent: Marketing communications; optional diversity monitoring; sharing referral data with third parties.
  • Article 6(1)(b) — Contract/pre-contract: Processing job applications; delivering services where a formal agreement exists.
  • Article 6(1)(d) — Vital interests: Safeguarding situations where sharing is necessary to protect life.
  • Article 6(1)(e) — Public interest: Delivering community services; social prescribing; civic and skills programming.
  • Article 6(1)(f) — Legitimate interests: Impact measurement; stakeholder engagement; website analytics; partnership development.
  • Article 9(2)(g) — Substantial public interest (DPA 2018 Schedule 1): Processing health and other special category data in the context of social welfare support.

12.  Children's Personal Data

Where Citizen Hub services are accessed by or on behalf of individuals under the age of 18, we apply enhanced care to the processing of their personal data. We will only process children's data with the consent of a parent or guardian, except where required to do so for safeguarding purposes.

Our website is not directed at children and we do not knowingly collect personal data from children under 13 via our website without parental consent.

13.  Complaints and the ICO

If you have concerns about how we handle your personal data, we encourage you to contact us in the first instance so that we can address them:

info@citizenhub.co.uk

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority for data protection in the UK:

Information Commissioner's Office

Website: https://ico.org.uk

Telephone: 0303 123 1113

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14.  Changes to This Privacy Policy

We review this Privacy Policy at least annually and following any significant change to our processing activities or applicable law. When we make material changes, we will update the date at the top of this document and, where appropriate, notify you directly.

The current version of this policy is always available on our website at:

https://www.citizenhub.co.uk/privacy

15.  Contact Us

For any questions, requests, or concerns relating to this Privacy Policy or the way we handle your personal data, please contact us:

By email: info@citizenhub.co.uk

By post: 58a Market Square, St. Neots, England, PE19 2AA

For matters relating specifically to a Citizen Hub CIC, you may also contact the relevant hub directly: