Customer Privacy Notice


The Access Card (and the free registration schemes we operate) works by Nimbus providing a centralised assessment of a disabled person’s evidenced needs whereby we translate detailed personal information into a set of symbols that represent their access requirements. This enables disabled people to quickly and discreetly communicate their needs when visiting a venue.

Nimbus does not share any detailed personal information. Nimbus only enables you to share the symbolic information available as Access Card icons to authorised third parties as outlined in this document.

A little about us…

We are a well-established Social Enterprise which started in 2006, we are run by disabled people for disabled people. In addition to promoting equality and accessibility, we are wholly committed to ensuring that your personal data is treated appropriately and that your privacy rights are respected.

We are a registered Data Controller with the Information Commissioner, our registration number is ZA020704

Your Privacy matters to us

We appreciate the trust you place in us when sharing your personal data, the security of your data is very important to us. In this notice, we will explain how we collect, use, and protect your personal data. We will also provide information on what rights you have with regard to your personal data and how you can exercise those rights.

We appreciate that the world of data protection can seem a little complicated, so we will try to explain things in a simple and straightforward way.

We collect information from:

  • You, when you provide it directly to us either as a new or returning customer 
  • A guardian or appointed representative 
  • Online enquiries via our website and google ads 

What information we collect:

  • Contact details (such as name, address, phone, email) 
  • Health & disability information (such as details of conditions, capacity, accessibility needs)
  • Contact information & legal status of representatives & guardians where appropriate
  • Call recordings, apart from where payment is taken over a call
  • Optional: Demographic information – such as age, gender, ethnicity etc.
  • Optional: Leisure, tourism and event preferences to tailor updates 
  • Payment information and transaction details is taken through our website/app via Stripe
  • Enquiries about services and products 
  • Any concerns you may have

We will use your personal data to:

  • Process your application & assess your suitability for an Access Card – in accordance with our terms & conditions
  • Produce and provide your access card
  • Notify you of changes, expirations, cancellations in regard to your access card
  • Promote services and products in line with your leisure, tourism and event preferences
  • Manage the information and keep it secure & up to date  
  • Process payments and invoices 
  • Record & review calls and wider correspondence for training and monitoring purposes
  • Identify the most appropriate services and opportunities for you
  • Assist with your applications and registrations for third parties, such as venues and events, where you choose us to
  • Process payments and transactions 
  • Comply with our legal obligations 

Do we have a basis in law to process your information?

We largely process your personal data in accordance with our contractual obligations.

We also process personal information in accordance with our ‘legitimate interests’ this includes considering benefits to the customer and our company…but don’t worry, we respect your privacy rights to ensure that the benefits pass privacy tests before using personal information in this way!

Where it’s appropriate to do so, we will ask for your consent to ensure we are clear on your choices.

We always need to follow the law so there may be some cases where we are legally required to share information with statutory partners & Ombudsman – these are official Organisations like the Police. We’ll tell you more about this in the ‘who we share information with’ section. We have numerous legal obligations, including but not limited to, those that are stipulated under the following laws:

  • The Data Protection Act 2018
  • The UK General Data Protection Regulations
  • The Privacy & Electronic Communications Regulations 
  • The Human Rights Act 1998
  • The Equality Act 2010
  • The Consumer Rights Act 2015
  • The Safeguarding Vulnerable Groups Act 2006

Can you opt-out?

Of course! Wherever we have used your information in line with legitimate interests and consent you will usually be able to opt-out by emailing

There may be some cases where we have to hang on to some information – we explain this in the ‘information we keep’ section.

Who we share information with:

Statutory partners for investigations and audits such as the Police, the Information Commissioner and so on.

Subcontracted organisations & individuals that we formally engaged in the development and hosting of our systems. 

Courts and Tribunals where necessary.

Where appropriate, within the Access Card app, we promote details of our trusted partners’ offers, services and products. 

In limited circumstances we may share information with a local authority for example we currently work with Croydon City Council for the disabled children’s registration scheme. 

Any third-party ticket sites are authorised to validate your access information via an API. This is only possible by authorised providers, and to do so you must provide them with your forename, surname and card ID. This acts as consent for them to pull your Access Card data into their system

With the correct information, the additional information we share back to the provider is your face photograph (for validation purposes), and your allotted access symbols (all of which are shown on the physical Access Card).

International Transfers 

We are committed to ensuring that any international transfer complies with UK Data Protection Legislation. In most cases, it will be necessary for us to implement the appropriate contractual safeguards prior to transferring such data.

We note that customers can sign up to our services from anywhere in the world. Customers can also opt to share their own data with overseas leisure and tourism providers such as Disneyland Paris.

Your rights for personal data:

  • ask for a copy of the personal data we hold about you. Assuming your request is reasonable, we will provide a copy of all the personal data we hold about you and you can check that we’re processing it lawfully
  • ask us to correct the personal data that we hold about you
  • ask us to delete your personal data. This one’s a little tricky! If, for some reason, we still hold your data, but without good reason, at your request we’ll delete it, there may be certain reasons why we need to hold on to information but we will explain these
  • object to us processing your personal data. This applies where we’re relying on a “legitimate interest” of ours or a third party, and you have a situation which makes you want to object to us processing your data.
  • ask for the restriction of the processing of your personal data. This means you can ask us to suspend the processing of personal data about you
  • ask for the transfer of your personal data to you or another data controller if the processing is based on consent or contract – and you provided that information to us
  • withdraw consent for processing – we’ve mentioned this above in the ‘can you opt out?’ section
  • Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically. We don’t make automatic decisions, we carefully reach decisions about you and your information 

Information we keep:

We keep your personal data for as long as we have to and always do this in line with data protection laws. We don’t want to keep your data any longer than we need to! 

We store information securely, we mainly keep this digitally on our protected devices, we may also keep paper records for a certain period of time but don’t worry we’ll keep these secure as well. 

For more information please refer to our customer retention schedule below.

Have some privacy concerns or questions?

We care so much about privacy that we have got a helping hand from some data protection experts, Midland Data Protection act as our registered Data Protection Officer. 

You can email:

Or call: 0330 808 5108

Or write to: 12 Pride Point Drive, Pride Park, Derby DE24 8BX

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO):

  • By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit or email 

Cookies Policy

We do not set any cookies on our websites ( or In our Access Card app, we set one session cookie containing a randomised number that is used to keep the user logged in after closing the app.

Nimbus Disability, CredAbility & Access Card – Retention Schedule

All Information must be kept in accordance with this retention schedule. In the event that employees identify any discrepancies or areas which are not covered by this retention schedule this should be promptly reported to the Data Protection Officer for review. 

Retention Schedule

Customer records 
A1General enquiries around services and products6 years from last contact Limitation Act 1980
A2Complaints and incident records6 years from last contact Limitation Act 1980 
A3Data Protection Requests and correspondence 6 years from last contact Limitation Act 1980
A4Application for access cardFor the life of the application, 6 years from expiry/cancellation of card or non-eligibility decision Terms & Conditions, Limitation Act 1980
A5Distribution lists/ Contact databases 2 years from last contact Data may be deleted if an individual has opted out or if a valid request to object/erase or restrict has been received.Business Need Data Protection Act 2018ICO Guidance 
A6 Customer feedback and surveys(where not a complaint)2 years from last contact Data may be deleted if an individual has opted out or if a valid request to object/erase or restrict has been received.Business need Data Protection Act 2018ICO Guidance
A7Marketing records 6 years from last useLimitation Act 2018Privacy and Electronic Communications Regulations Data Protection Act 2018
A8Call recording 6 months from creation of the record Unless the record relates to an incident or complaint in which case the relevant period retention will applyBusiness need 

Corporate Records 
B1 Audit records 6 years from conclusion of audit/issue of audit reportBusiness need & applicable legislation/standards, which may include:Financial regulations Data protection laws/cyber security standards Payment card industry standards Equality legislation 
B2Policies, Procedures and contracts 6 years from expiry Limitation Act 1980
B3Payment information & financial transactions 6 years from transaction Limitation Act 1980
B4Corporation records The lifetime of the company

Company laws and financial regulations 
B5Company accounting records – excluding payroll records3 years Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006
Employment records 
C1 Disciplinary Management of staff conduct  Records of formal disciplinary actions in employee files. Retain both paper and electronic for review 6 years after last action Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records 
C2Grievances Management of staff grievances.  Records of formal grievances in employee files. Retain both paper and electronic for review 6 years after last action  Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records 
C3Staff Health and Safety  Individual health records: Retain until employee aged 100   Examination, testing, monitoring and control records: Review 5 years after last action  Accident books and ill health reports: Destroy 3 years after closure  Training, guidance and instructions: Review 3 years from date superseded   The National Archives Retention Scheduling: Employee Personnel Records, The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980  
C4Occupational Health   Procedures, schedule and forms for the management of occupational health services. Occupational health records relating to an individual should be stored on their employee file.  Medicals: Retain until employee aged 100    Procedures, events, employee assistance schemes: 7 years from date superseded     Schedules: Destroy 3 years from the end of the financial year to which the records relate.  The National Archives Retention Scheduling: Employee Personnel RecordsBest Practice Employment legislation Limitation Act 1980
C5Trade Union Agreements  10 years after agreement is not effective  Best practice Employment legislation Limitation Act 1980
C6Employee Files Retain until employee age 100   Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records 
C7Records of recruitment exercisesRecruitment exercises: Review 6 months from end of recruitment exercise    Application forms: Destroy after 6 months  Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records 
C8Conditions of employmentReview 6 years after date superseded Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records 
C9Payroll Administration  Salary ledger records: Review 6 years from the end of the financial year to which they relate    Payroll sheets: Review 2 years from the end of the financial year to which they relate   Individual employees personal payroll history: Retain until employee aged 100  Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records 
C10Pensions Administration  Retain until employee aged 100 Employment legislation Limitation Act 1980The National Archives Retention Scheduling: Employee Personnel Records Best Practice adopted by Governmental Agencies  
C11First Aid Training records 6 years after employment.Health and Safety (First Aid) Regulations 1981.Employment legislation Limitation Act 1980
C12Fire warden training6 years after employment.Statutory authority: Fire Precautions (Workplace) Regulations 1997.Employment legislation Limitation Act 1980
C13Maternity/Paternity Records 6 years after the end of the tax year in which the maternity/paternity period ends.The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended, Maternity & Parental Leave Regulations 1999.Employment legislation Limitation Act 1980
C14Medical / Self Certificates – unrelated to industrial injury.6 Years Limitation Act 1890
C15Internal Communication channels1 month Business need – internal comms should not be used to document official business decisions or discuss personal data relating to employees or customers