Privacy policy.

Last updated: October 2025

1. Introduction

Boundless Trails CIC (“we”, “our”, “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use and store personal information when you:

  • complete a GP or Link Worker referral form or a self-referral;

  • take part in our wellbeing and mountain-biking programmes;

  • contact us by email or social media; or

  • visit our website www.boundlesstrails.com

.We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Boundless Trails CIC is registered with the Information Commissioner’s Office (ICO) as a data controller (registration number [TBC]).

2. Who we are

Boundless Trails CIC

10 Bibby Place, Elgin, Scotland IV30 1AN

Email: info@boundlesstrails.com

We are a community interest company using mountain biking and time outdoors to support mental health, confidence and connection.

3. The information we collect

We collect and process personal data that helps us deliver safe, effective programmes and communicate with participants. This may include:

  • Identity and contact information – name, postcode, phone number, email.

  • Health and wellbeing information – relevant physical or mental-health details shared on referral forms (so sessions can be planned safely).

  • Emergency contact details.

  • Demographic and participation information – age group, cycling experience, goals, attendance records, feedback forms.

  • Website or social media enquiries – any information you voluntarily provide.

  • Photographs or video – only with your explicit consent for publicity or evaluation purposes.

We do not collect payment information through our website.

4. How we use your information

We use your personal information to:

  • assess eligibility and allocate you to appropriate programmes;

  • contact you about session details, changes or cancellations;

  • ensure sessions are planned safely and meet your individual needs;

  • record attendance and monitor outcomes for evaluation and reporting to funders (information is anonymised wherever possible);

  • respond to enquiries and provide updates if you’ve opted in;

  • meet legal and safeguarding obligations;

  • improve our services and report overall programme impact (without identifying individuals).

We will never sell or trade your information and will only share it when necessary for safe service delivery.

5. Sharing your information

We may share limited personal information with:

  • GP practices or Link Workers involved in your referral (to confirm participation or feedback where appropriate);

  • Partner organisations or funders (e.g. Moray Council, NHS Grampian, Macmillan) — only anonymised or aggregated data;

  • Emergency services if there is a genuine risk to your health or safety;

  • Approved service providers (e.g. email host, website platform) who act under strict confidentiality agreements.

6. Legal basis for processing

We rely on one or more of the following lawful bases:

  • Consent – for using photos, collecting sensitive health information, and sending updates.

  • Contract – to deliver the service or activity you’ve signed up for.

  • Legal obligation – to comply with safeguarding or health-and-safety requirements.

  • Legitimate interest – to run, evaluate and improve our programmes.

7. Data retention

We keep your personal information only as long as necessary:

  • Participant and referral records – up to 3 years after your last session.

  • Financial or administrative records – 6 years (to meet statutory requirements).

  • Photos or media – until consent is withdrawn or after 3 years, whichever comes first.

After this, data is securely deleted or anonymised.

8. Data security

We store information securely on password-protected devices and encrypted cloud storage. Only authorised staff and volunteers have access for legitimate purposes. We maintain up-to-date antivirus protection and regular back-ups.

9. Your rights

You have the right to:

  • access a copy of the data we hold about you;

  • ask us to correct or delete information;

  • withdraw consent at any time;

  • object to or restrict processing; and

  • lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk).

Requests can be made by emailing info@boundlesstrails.com.

10. Children and young people

We work with participants aged 12 and over. For anyone under 16, we require parental or guardian consent before collecting or processing personal information.

11. Changes to this policy

We may update this policy periodically. The latest version will always appear on our website with the date of revision.

12. Contact

If you have any questions or wish to exercise your rights, please contact:

Data Protection Lead

Boundless Trails CIC

Email: info@boundlesstrails.com