Linkedin Instagram
Reintegration Hub

Privacy Policy

Last updated: 1st April 2026

This Privacy Policy explains how IRARA (“we”, “us”, or “our”) collects, uses, stores, and protects personal information across the business, including in connection with our reintegration support services globally. We are committed to safeguarding the privacy and confidentiality of all clients, applicants, and website users and complying with the UK GDPR, EU GDPR, and other applicable global data protection laws.

1. Who We Are (Data Controller)

For the purposes of the UK GDPR, EU GDPR, and other applicable data protection laws, the data controller is:

IRARA

Innovation Centre

217 Portobello

Sheffield

S1 4DP

dpo@irara.org

01433 627247

The services we provide include: reintegration services, visa application support, document preparation, and related services to clients across the UK and globally.

Data Protection Contact: Paul.Edwards@Irara.org

2. Information We Collect

Due to the nature of the work we undertake, we may collect the following personal information:

Personal Identification Data
  • Full name, date of birth, gender, nationality
  • Passport details, national ID numbers
  • Immigration history, visa status, travel records
  • Unique identifiers and reference numbers (including those allocated by IRARA or third parties such as the Home Office)
Contact Information
  • Email address, phone number, postal address, emergency contact details
  • Sensitive Personal Data (Special Category Data)

Collected only when necessary and with appropriate safeguards:

  • Racial or ethnic origin
  • Biometric data (e.g., passport photos)
  • Health or medical information
  • Criminal conviction history (where required for reintegration planning)
  • Mental health and wellbeing information
  • Religious or philosophical beliefs (if relevant to support needs)
Supporting Documentation and Case Information
  • Case notes and assessments
  • Risk assessments
  • Support plans
  • Birth certificates, marriage certificates, education history
  • Employment records, bank statements, financial information
Photographs and Video
  • For ID validation and verification
  • Only with consent – for publicity purposes, which may include online and social media
Employment or Contract Information
  • Pre-employment checks
  • Health and criminal record details
  • Equality & Diversity data
  • ID and right-to-work information
  • Next of kin
  • Financial information including salary, bank details, tax records etc.
Technical and Usage Data
  • IP address, browser type, device information
  • Website usage analytics and cookies
3. How We Collect Your Information
  • Directly from you – for example via our website, forms, and interactions with our staff.
  • From authorised third parties – for example referral partners and relevant agencies where appropriate.
  • Automatically – where you use our website (e.g., cookies and analytics).
4. How We Use Your Information

We process your information to:

  • Provide reintegration and support services, provide immigration advice and prepare visa applications
  • Verify identity and assess eligibility
  • Assess needs and create support plans
  • Communicate with you about your case
  • Submit applications to partner agencies and/or immigration authorities (e.g., UK Home Office)
  • Employment, training and development
  • Publicity and marketing (where you have consented, where required)
  • Maintain internal records and comply with legal and regulatory obligations
  • Audit and reporting
  • Improve our services and website functionality

We do not use your data for solely automated decision-making or profiling that produces legal or similarly significant effects.

5. Lawful Basis for Processing Your Data (UK/EU GDPR)

We process your data under one or more of the following legal bases:

  • Contract — including to provide reintegration, immigration and other support services
  • Legal obligation — compliance with applicable legal or regulatory requirements
  • Consent — for specific activities such as publicity/marketing and where required for certain special category processing
  • Legitimate interests — improving services, preventing fraud, and ensuring security (balanced against your rights)
6. Data Security (CE/CE+ aligned)

We take the security of your personal information very seriously. Our technical and organisational measures are designed to align with the UK Cyber Essentials / Cyber Essentials Plus baseline controls (firewalls, secure configuration, access control, malware protection and patch management).

  • Access control: role-based access and least privilege; access is restricted to authorised staff who require it to perform their duties.
  • Strong authentication: multi-factor authentication (MFA) is used for access to cloud services and administrative functions where available and appropriate.
  • Secure configuration: systems and devices are configured securely, with unnecessary services disabled where feasible.
  • Patch and vulnerability management: security updates are applied in a timely manner and vulnerabilities are tracked and remediated.
  • Malware protection: anti-malware protections are deployed on endpoints and servers, with monitoring and alerting where available.
  • Encryption: data is protected using encryption in transit and at rest where appropriate.
  • Logging and monitoring: security logs are maintained and reviewed to support incident detection and investigation.
  • Secure remote working: remote access is protected using secure authentication and managed device controls where applicable.

While no system can be guaranteed to be completely secure, we take reasonable and proportionate steps to protect your information.

7. Personal Data Breaches and Incident Management

We maintain procedures to detect, report, investigate, and respond to security incidents and personal data breaches.

Where required, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a reportable personal data breach, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

We keep records of personal data breaches and the remedial actions taken, whether or not notification is required.

8. How We Share Your Information

We may share your information with:

Authorities (as necessary for case delivery and legal requirements), such as:
  • UK Home Office
  • EURP
  • HM Passport Office
  • US Department of Homeland Security
  • Canadian IRCC
  • EU/Schengen consulates
  • Other relevant global immigration bodies
Service Providers (processors and sub-processors), such as:
  • Secure document storage providers
  • IT and cloud hosting services
  • Payment processors
  • Legal or professional advisers

Supplier assurance: Where third parties process personal data on our behalf, we put appropriate contractual and organisational safeguards in place, including confidentiality, security requirements, and (where appropriate) audit/assurance provisions.

Legal requirements: We may disclose information if required by law, court order, or a regulator.

We never sell your personal information.

9. International Data Transfers

Your data may be transferred outside the UK/EU when required (for example for international case processing).

When we transfer data internationally, we ensure appropriate safeguards, such as:

  • Adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Secure encrypted transmission
10. Backup, Resilience and Recovery

We maintain backup and recovery arrangements designed to protect personal data against loss, corruption, or ransomware and to support business continuity.

Backups are protected with access controls and encryption where appropriate, and recovery processes are tested periodically where feasible.

11. Data Retention

We retain your information only as long as necessary for the purposes for which it is processed and to meet legal and regulatory obligations.

  • Case files: typically 6 years (or as required by law/contract)
  • Financial records: typically 6 years for tax and accounting compliance
  • Marketing data: until you withdraw consent or opt out

After retention periods expire, data is securely deleted, destroyed, or anonymised in line with our retention and disposal procedures.

12. Your Rights

Depending on your location and the applicable law, you may have the right to:

  • Access your personal data
  • Request correction (rectification) of inaccurate data
  • Request deletion/erasure (subject to legal limits)
  • Restrict processing
  • Object to processing (in certain circumstances)
  • Request data portability (where applicable)
  • Withdraw consent at any time (where we rely on consent)
  • Lodge a complaint with a supervisory authority (e.g., the ICO in the UK)

To exercise your rights, contact us at dpo@irara.org. We will respond promptly and in line with statutory time limits.

13. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Improve website performance
  • Analyse usage patterns
  • Enhance user experience

You can manage or disable cookies through your browser settings. Where required, we will request consent for non-essential cookies.

14. Third Party Disclosures

We do not sell or share your personal information with third parties for their own marketing purposes.

We only disclose necessary data to trusted third parties to deliver our services, and we apply appropriate safeguards as described above.

15. Children’s Privacy

Our services are not generally directed at children under 18.

We only collect information about minors when necessary for family cases and where we have an appropriate lawful basis and safeguards in place.

16. Changes to This Privacy Policy

We may update this policy from time to time to reflect changes in laws or our practices. The most up to date version of this policy will be published on our website.

17. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact:

dpo@irara.org

01433 627427

IRARA

The Innovation Centre, 217 Portobello, Sheffield, S1 4D