Privacy Policies

Privacy Policies

Policy Statement


Aim Ltd, its subsidiaries and trading divisions respect your privacy.

We are registered as a company in England and Wales under company number 03997992.

We are the data controller of the data which we collect from you, and as such we control the ways your personal data is collected and the purposes for which your personal data is used.


We, Aim, process your personal data for, but not limited to, the following activities:

  • to provide our services to you;
  • as part of our candidate selection process; and
  • during your employment. 


(Note – this policy covers all personal data processed by Aim, so not all sections will necessarily apply at all times.  If you require clarification, please email our Data Protection Officer at


When we talk about data and personal data in this policy, we mean personal data which identifies you or which could be used to identify you, such as your name and contact details.  It may also include information about how you use our website.


Aim is committed to being transparent about how it collects and uses the personal data of its clients, prospects, employees and to meeting its data protection obligations. This policy sets out our commitment to data protection, individual rights and obligations in relation to personal data. As a data controller, the steps we take to ensure that any personal data you provide to us is kept secure, confidential and is only used for the purposes for which it is provided.


Aim has appointed a Data Protection Officer who has responsibility for data protection compliance within the organisation. Questions about this policy, or requests for further information should be directed to the Data Protection Officer who can be contacted at


We process data in compliance with the Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR).




This is a Level 1 Privacy Policy. 




Definitions ("Our Site") ("Aim dataServe Site").  dataServe is a product of Aim Ltd.


"Personal data" is any information that relates to an individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.


"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.


"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.


“Cookie” means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Information on Cookies is set out in the Cookie Policy below.


"Cookie law" means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003.


Data protection principles


Aim processes business and HR related personal data in accordance with the following data  protection principles:


  • we process personal data lawfully, fairly and in a transparent manner;
  • we collect personal data only for specified, explicit and legitimate purposes;
  • we process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
  • we keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
  • we keep personal data only for the period necessary for processing; and
  • we adopt appropriate measures to make sure that personal data is secure, protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.


We tell individuals the reasons for processing their personal data, how we use such data and the legal basis for processing in this policy. We will not process personal data of individuals for other reasons.


Where the organisation processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with the section on Special Categories of Personal Data below.


We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.


Personal data gathered during employment, as a worker, contractor, volunteer, apprenticeship or internship is held in the individual's personnel file (in hard copy or electronic format, or both), and on HR systems.


Personal data voluntarily provided to us, including communication via email or other channels, or received by us when providing a service is held in a client, prospect or employee file in hard copy or electronic format, or both.


In addition, we may collect information about you from other sources, including third parties that help us: update, expand, and analyse our records; or prevent or detect fraud.


The periods for which the organisation holds personal data are referenced below and are contained in the Information Classification and Data Retention Policy.  (Details available upon request).


The organisation keeps a record of its processing activities in respect of personal data in  accordance with the requirements of GDPR.


Information we collect from you


Depending on how you use our services and websites, as a client, during the recruitment process or during the course of your employment, we might collect the following kinds of information from you:


Information collected
When the information is collected

Your name and contact details

(this could include email, telephone number, address, work history, next of kin, bank details, workplace related health information, passport number, right to work, national insurance number, DoB)

When you create an account with us

When you make an enquiry via our website or via email

When you submit a career opportunity query

When you provide us with your curriculum vitae

When you join as a new employee

When you use our data protection training and take the online test

Information about your organisation

(your employer, or your business, your role title)

When you make an enquiry via our websites or via email

When you engage our services

Information about your training preferences

(types of training, business sector to be addressed)

When you make an enquiry via our websites or via email

When you book a training session via or with us

Work history

(previous employers, dates of employment, right to work, education, interests)

When you submit a curriculum vitae

When you make an application for a role with us

Travel records

(dates and time of travel, locations visited and medium of travel)

When you make an expense claim

When you plan a journey to attend an Aim business or client event

Accident records

(name, address, details of accident, details of physical injuries, medications taken)

When you report a work-related accident

Contact detail for next of kin

(name, telephone number, benefit beneficiaries)

When you join us as a new employee

Online communication

(name, email address)

When you interact with us via platforms such as Google My Business, EventBrite or YouTube


Special categories of personal data


Certain kinds of personal data, such as data about your racial or ethnic origin, your physical or mental health, your religious beliefs or alleged commission or conviction of criminal offences, are special categories of personal data which by law require additional protection. We try to limit the circumstances in which we collect sensitive personal data of this kind, but we do collect and process it when for example:


  • you have a work-related accident;
  • we need to assess your needs in relation to the workplace environment; and
  • we need to provide suitable food and drink at corporate events.


By providing any sensitive personal data, you explicitly agree that we may collect it and use it to provide services to you.


Information we collect from other sources


We may receive information about you from other sources, including third parties that help us: update, expand, and analyse our records; or prevent or detect fraud.  Information collected in this way may include:


Information collected
When the information is collected

Commercial marketing lists (such as name, email address, telephone number, organisation, role)

When we target a market sector

All email addresses are corporate and telephone numbers are checked against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS)

Client project team details (name, email address, telephone number, role)

When we are engaged by your organisation to implement a new service or product

Client team contact details (name, role, email address, access rights)

To ensure we are communicating with an employee of the client

To ensure we share data only with the correct client contacts

Personal details (references, security checks)

When you join Aim

To allow you to work for Government agencies

Information we may collect automatically


We may receive information about you from social media platforms including but not limited to when you interact with us on those platforms or access our social media content.


Information collected
When the information is collected

Social media platforms


(such as Facebook, Twitter, LinkedIn, YouTube)

When you interact with us on these platforms


When you access our social media content

Online platforms


(such as Google My Business, EventBrite, Bing Places for Business, Google Ads, Microsoft Advertising, Spotify for Podcasters, Outgrow (GDPR test and dataServe ROI calculator))

When you interact with us on these platforms and websites


(such as Google Analytics, Analytics from Wix)

When you access our sites


When you navigate pages on our sites

Webinars and videos


(names, email addresses and company names of people watching our content)

When you attend a webinar hosted by Aim Ltd or watch our content

Email marketing


(such as ACT, Eventbrite, Salesforce)

When you receive, open, or respond to marketing emails


When you unsubscribe from receiving marketing emails



(Remedy, CloudCoach , Salesforce)

When you create tickets on Remedy software


When you access a project plan remotely


We analyse customer statistics, sales, traffic patterns and related site information. However, we will not pass any personal information on to third parties without your consent.

The information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them.


We may use the information we collect


We can only use your personal data if we have a legal reason for doing so. According to the law, we can only use your data for one or more of these reasons:


  • when you consent to it, or
  • to fulfil a contract we have with you, or
  • if we have a legal duty to use your data for a particular reason, or
  • when it is in our legitimate interests.


The table below details the processing completed using personal data held by AiM and the legal basis for that processing.


Legitimate interests are our business or commercial reasons for using your data.  When we use legitimate interests, we conduct a three-step test to determine if it is reasonable and does not put our interests above what is best for you.  The test considers i) the purpose of processing; ii) the necessity of the processing; and iii) the balance between Aim’s interest and your rights and freedoms.


If we rely on our legitimate interests for using your personal data, we will explain that to you.

What we use personal data for
Legal grounds for using it
Our legitimate interest

To respond to your enquiries

Fulfilling contracts


To provide you with services you request

Fulfilling contracts


To improve the services we provide

Legitimate interests

To provide relevant services using the latest knowledge, innovations and technology.

To operate, troubleshoot and improve the Digital Services

Legitimate interests

To guarantee systems are available at all times.

To ensure that the latest security updates are in place.

To maintain our list of contacts

Legitimate interests

Keeping our records up to date, working out which of our products and services may interest you.

Identifying or defining types of customers for new products of services.

For Aim business purposes, including data analysis; submitting invoices; detecting, preventing, and responding to actual or potential fraud; illegal activities, or intellectual property infringement

Legitimate interests

Being efficient about how we fulfil our contracts, provide our services and fulfil our legal duties.

Identifying ways to improve the way we deliver services to our customers.

To evaluate, recruit and hire personnel

Fulfilling contracts


As we believe reasonably necessary or appropriate to comply with our legal obligations; respond to legal process or requests for information issued by government authorities or other third parties; or to protect your, our or others’ rights

Legitimate interests

Being efficient about how we fulfil our contracts, provide our services and fulfil our legal duties.

To provide certificates earned as part of Aim training and/or information relating to services you have accessed Legitimate interests To provide feedback you have requested, for example certificates, and information related to feedback you have requested


How long do we keep your data


We keep your data only for as long as we need it.  How long we need data depends on what we are using it for, whether that is to provide services to you, for recruitment purposes, for our own legitimate interests (described above) or so that we can comply with the law. Please refer to the retention period table in the Information Classification and Data Retention Policy for further information (details available on request).


We will actively review the information we hold and when there is no longer a customer, legal or business need for us to hold it, we will either delete it securely or in some cases anonymise it.


How we may share the information we collect


Aim is a provider of business consultancy and technology services. Our offices will share information with each other for business and recruitment purposes, internal administration, billing, promoting our events and services, and providing you or your organisation with services.


We do not sell, rent, or otherwise share information that reasonably identifies you or your organisation with unaffiliated entities for their independent use except as expressly described in this Privacy Policy or with your prior permission. We may share information that does not reasonably identify you or your organisation as permitted by applicable law; for example, if as an employee you change your address, Aim has an obligation to inform our pension provider of that change.  The data we send may include your pension scheme number and new address, neither of which directly identify you, but could be used along with other data to determine your identity. 


We may also disclose information we collect:


  • to our third-party service providers that perform services on our behalf; and
  • to law enforcement, other government authorities, or third parties as required by the laws that may apply to us; as provided for under contract; or as we deem reasonably necessary to provide our services.  In these circumstances, we take reasonable efforts to notify you before we disclose information that may reasonably identify you or your organisation, unless prior notice is prohibited by applicable law or is not possible or reasonable in the circumstances.


Individual rights


As a data subject, individuals have a number of rights in relation to their personal data.




The right to be properly informed about Aim’s activities in relation to personal data, and for this information to be provided in a clear, concise, transparent, intelligible and easily accessible form.


Subject access requests


Individuals have the right to make a subject access request, i.e. a request for the data Aim holds about that individual. If an individual makes a subject access request, the organisation will tell him/her:


  • whether or not his/her data is processed and if so why, plus the categories of personal data concerned, and the source of the data if it is not collected from the individual;
  • to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • for how long his/her personal data is stored (or how that period is decided);
  • his/her rights to rectification or erasure of data, or to restrict or object to processing;
  • his/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and/ or
  • whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.


We will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless the client or applicant agrees otherwise.


If the individual wants additional copies, the organisation will charge a fee, which will be  based on the administrative cost to the organisation of providing the additional copies.


To make a subject access request, the individual should send the request to In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify his/her identity and the documents it requires.


We will normally respond to a request within a period of one month from the date it is received.


If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it.


Other rights


Individuals have a number of other rights in relation to their personal data. They can require us to:


  • rectify inaccurate data;
  • stop processing or erase data that is no longer necessary for the purposes of processing;
  • stop processing or erase data if the individual's interests override the organisation's legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data);
  • stop processing or erase data if processing is unlawful;
  • stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the organisation's legitimate grounds for processing data;
  • provide data to a data subject in a structured, commonly used, machine readable format, or to have that data transmitted to another controller where that data was provided to the original data controller, and the lawful basis for processing is consent or the performance of a contract; and
  • the right to not be subject to automated decision making.  In this case the individual has the right to request manual intervention in the decision-making process.
  • To ask us to take any of these steps, the individual should send the request to


Data Security


We take the security of personal data seriously. Aim is ISO 27001:2013 accredited and has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.


Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


Cookie Policy


How we use cookies


We use cookies for a variety of reasons detailed below. Unfortunately, in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to the Aim websites.


Functional (session) cookies


Websites have no memory, so when you move from page to page the site does not remember your credentials or any decisions you have made.  Session cookies are stored in memory, are essential for the websites to function and give a good user experience.  Session cookies are deleted when you exit the websites and it is not necessary to get consent to use these cookies.


Non-functional (persistent) cookies


Non-essential actions, such as remembering your user credentials, language, region you are in, or changes you have made to customise your web browser, are stored in persistent cookies.  Whilst making websites use user friendly, they are not essential.  Persistent cookies have an expiry date, so remain on your machine until you remove them, or the cookie expiry date.


When you first access the Aim websites you will be asked for your consent to use these cookies.


Essential-only cookies


Data Subjects accessing the Aim sites from other jurisdictions are offered the right to select only essential cookies.  If they do not want cookies used at all, we state that they should exit the site and clear their browsing data.


Disabling cookies


You can prevent the setting of cookies by adjusting the settings on your browser. Be aware that disabling cookies will reduce the functionality of this and many other websites that you visit so that some features may not work. Therefore, it is recommended that you do not disable cookies.


Third party cookies


In some special cases we also use cookies provided by trusted third parties.


Aim uses Google Analytics, one of the most widespread and trusted analytics solutions on the web, to help us understand how you use the sites and ways that we can improve your experience. These cookies may track things such as how long you spend on the sites and the pages you visit so that we can continue to produce engaging content and improve how our websites work.


For more information on Google Analytics cookies, see the official Google Analytics page.


By using our sites, you agree that we may place these types of cookies on your device.


Third party websites and social networks


If you click on a hyperlink from our sites to any third-party websites (e.g. if you 'share' content from Aim's websites with friends or colleagues through social networks including LinkedIn, Twitter and YouTube), you may be sent cookies from these third-party websites.


Third party websites will have their own privacy and cookie policies which Aim cannot control. Please check the third-party websites for more information about their cookies and how to manage them.


Data breaches


If the organisation discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The organisation will record all data breaches regardless of their effect.


If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.


Individual responsibilities


Individuals are responsible for helping us keep their personal data up to date. Individuals should let the organisation know if data provided changes, for example if an individual moves house or changes his/her bank details or information relating to a job application have changed.


Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their employment, contract, volunteer period, internship or apprenticeship, for example their CVs and interview notes. Where this is the case, Aim relies on individuals to help meet its data protection obligations to employees and to customers and clients.


Individuals who have access to personal data are required:


  • to access only data that they have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
  • not to remove personal data, or devices containing or that can be used to access personal data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
  • not to store personal data on local drives or on personal devices that are used for work purposes.


Failure to observe these requirements may amount to a disciplinary offence, which will be dealt with under Aim’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee, candidate, client or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.




The organisation will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.


Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.


Changes to our Privacy Policy


Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check to see any updates or changes.




If you have any complaints concerning Aim’s processing of your personal data please email us at or write to us at Data Protection, Aim Limited, The Base, Dartford Business Park, Victoria Road, Dartford, Kent, DA1 5FS.


Please note that you have the right to lodge a complaint with the Information Commissioner’s Office by telephone on 0303 123 1113, or by using the live chat service which is available through the Information Commissioner’s website


Contact Us


You can email us at