Privacy & Cookie Policy

Institute of Legacy Management (“ILM” / “we” / “our” / “us“) is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data will be processd, including personal data that we collect from you, or that you provide to us as an individual or corporate member of our organisation or through using our website (, booking one of our training events courses or otherwise interacting with us.

Topics covered:

Please read the following carefully to understand how we will treat your personal data.

About us

The Institute of Legacy Management is a company registered in England and Wales under company number 4340249 whose registered office is at Cumberland Court, 80 Mount Street, Nottingham, NG1 6HH.  The Institute of Legacy Management is the data controller in respect of your personal data. This means that we are responsible for deciding how we hold and use personal data about you.

What information we collect and how we will use it

We collect personal data so that we can operate effectively and provide you with the best possible service. The information we collect depends on the context of your interactions with our website and how you use our services. We will only use your personal data where we have a valid lawful basis to do so.

The table below summarises what information we collect about you, explains how we intend to use it and what our legal basis is for using it.

What information may we collect about you? How will we collect information about you?  Why are we processing information about you?  What is our legal basis for processing information about you?

Name, address, email address and phone number

Marital status, age and gender

Payment information

Place of work, previous places of work, length of time working in the legacy sector

Feedback, questions and other information you provide when you contact us (e.g. for membership support)

Collected when you sign up to be a member with us or apply to attend one of our events.

To perform essential business operations

To provide and improve our services

To provide customer support, including dealing with enquiries, correspondence and complaints

To complete any transactions or provide any training events you have chosen to attend

To protect security of our website  and to prevent fraud

To communicate and personalise communications with your individual or corporate membership and any other services that you request from us

To collate and analyse information about the legacy sector which is useful to our members

To resolve disputes and to prevent fraud

To allow us to perform our contract with you as an individual or corporate member or to provide you with training events

To enable us to pursue our legitimate interests to:

  • deliver services that you have requested;
  • provide you with information about training courses;
  • provide you with updates and newsletters relating to legacy administration;
  • improve our services;
  • maintain the security of our computer systems;
  • and protect our rights
We will not routinely collect any special category data from you. The only circumstances in which we might collect and store special category data are where you have provided information to us which is necessary for us to facilitate your access to events or to our services. For example, we might retain information about your mobility, dietary requirements or any needs arising from your religious beliefs. This information will be retained securely and only used for the purpose set out above. You may ask us to remove this information from our records at any time.

More about the information we collect and why

We have a duty to process personal data fairly, lawfully and in a manner that you would expect given the nature of our relationship with you. Where we have a legal basis to use your personal data without consent (as set out in the table above), this policy fulfils that duty by giving you appropriate notice and explanation of the way in which your personal data will be used.

If you have any questions or require any further information regarding our use of your personal data please contact us at or Cumberland Court, 80 Mount Street, Nottingham, NG1 6HH.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Sharing your information

You acknowledge that we may share your personal data with your consent or as necessary with selected third party service providers that support us in the performance of the activities set out in the table above. For example, when you make a purchase we will share payment information with banks and other entities that process payment transactions.

We may also share your personal data with other third parties, for example where we are required to provide the names of delegates on a training course to a venue or host or where we provide qualifications alongside an external course provider. We may also need to share your personal data with a regulator or otherwise to comply with the law.

We require all our third party service providers to take appropriate and stringent security measures to protect your personal data in line with our policies. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.

Why might you share my personal data with third parties?

We may share your personal data with third parties where required by law or it is necessary in order to book your training event or to provide our membership services or where we have another legitimate interest in doing so that is not overridden by your interests and fundamental rights. For example, to protect our customers or to operate and maintain the security or our computer systems).

Which third party service providers process my personal data?

Sage – accounting software – processing of membership, course booking and other payments

ThankQ – CRM platform provider – storage and management of contact and member data

MailChimp – third party bulk mailer – provision of ILM communications (inc. Newsletter)

WordPress – website platform / widget – provision of member services via personal logon

Freeths – Company Secretary – register of members held at registered office

University of Law – provision of CiCLA qualification

Event venues – charity, partner or commercial – provision of access and course content

External business strategy consultants – data analysis / recommendations / reporting e.g. Professional Develoment, Partnerships or Membership strategy work

Storing your information

The personal data that we hold about you will only be processed and stored within the United Kingdom/European Economic Area. We may transfer your personal data outside the European Economic Area (EEA). If we do so we will take all steps reasonably necessary to ensure that your personal data receives an adequate level of protection and is treated in a way consistent with EU and UK laws on data protection.

We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting obligations.  For example, we may need to retain some of your personal data for 6 years after you have made a purchase from us for legal reasons.

Unless we inform you otherwise (or you request that we erase your personal data) we will retain your personal data for as long as you continue to be an individual or corporate member of The Institute of Legacy Management or to attend our training courses. If you cease to be a member for 6 years then we will delete your information. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Keeping your information secure

All information that you provide to us is stored on secure servers. We have put in place appropriate measures to protect the security of your information.

The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the information transmitted to our site and you acknowledge that any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access or inadvertent disclosure.

You are responsible for keeping confidential any passwords that you have to access our services. Please do not share your password(s) with anyone else

All online payment transactions are undertaken by third party provider Sage Pay. They are subject to their own security policy which you can read at

We do not collect or store credit and debit card information for online transactions. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Your rights

You have the right under data protection laws to access information held about you, subject to certain conditions, and to request its rectification or deletion.

You can see, review and change most of your personal data or ask us to stop using your personal data by contacting may mean that we can no longer provide you with some or all of our services.

Your rights in connection with your personal data

By law you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction or erasure of your personal data (unless we have the legal right to retain it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party.

You should be aware that if you ask us to stop processing your personal data in a certain way or erase your personal data, and this type of processing or data is needed to facilitate your membership or your use of our services you may not be able to use them as you did before. This does not include your right to object to direct marketing, which can be exercised at any time without restriction.

If you want to exercise any of the above rights, please contact us at Cumberland Court, 80 Mount Street, Nottingham, NG1 6HH or by emailing us at

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data are not disclosed to any person who has no right to receive it.

8. Other websites

Our website contains links to other website. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

9. Cookies

Our website uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics.

By using the site you accept the use of cookies. If you disable cookies in your browser the website will cease to function correctly.

10. Changes to this privacy policy

We keep our privacy policy under regular review and will post any updates on this webpage. This privacy policy was last updated Friday 30th June 2018.

11. How to contact us and complaints

The Institute of Legacy Management is a company registered in England and Wales under company number 4340249 whose registered office is at Cumberland Court, 80 Mount Street, Nottingham, NG1 6HH is the data controller in respect of your personal data.

If you have any questions about this privacy policy or how we handle your personal data please contact us at Cumberland Court, 80 Mount Street, Nottingham, NG1 6HH or email

If for any reason you are not happy with the way that we have handled your personal data, please contact us at Cumberland Court, 80 Mount Street, Nottingham, NG1 6HH or email

If you are still not happy, you have the right to make a make a complaint to the Information Commissioner’s Office see: