1. Introduction

Alexandra Rose Charity Privacy Policy

This website - www.alexandrarose.org.uk – is owned by Alexandra Rose Charity (referred to here as ARC or “we”) whose registered office is Suite 5B, The Oast House, 5 Mead Lane, Farnham, Surrey, GU9 7DY, Great Britain. ARC is registered with the Charity Commission for England & Wales – Charity Number 211535.

This policy explains how we collect, manage, process & protect the personal data of ‘users’ – i.e. supporters, visitors to our website and other members of the general public who may share data with us. By using our website, you are agreeing to be bound by the terms of this policy.

Our website is designed to provide information on our projects and services, and to provide users with opportunities to contact us and/or support the work of Alexandra Rose Charity through donations and signing up to receive communications from us.

ARC takes your privacy very seriously. The policies and procedures we have in place are to protect the integrity and confidentiality of personal data, to comply with data protection legislation including the EU General Data Protection Regulation (GDPR) from 25th May 2018.

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

2. Legitimate Interests

Under GDPR, we have determined that the lawful basis for ARC processing users’ personal data is primarily ‘Legitimate Interests’. Broadly speaking, Legitimate Interests means that we can process personal information of users if we have a genuine and legitimate reason and we are not harming any of their rights and interests.

In practice, this means that when you provide your personal information to us, we process your data as part of our legitimate business interests to carry out our charitable mission & purposes, including tackling poverty and diet related ill-health, strengthening local markets, helping to build more sustainable local food economies, raising awareness, fundraising and the proper administration of our website and business.

We also carefully consider your interests as a user and the impact of ARC processing your personal data, including how you benefit from engaging with ARC, how important those benefits are and if the processing of your personal data is necessary, proportionate and reasonable.

Our balanced assessment is that processing the personal data of users is necessary, proportionate & reasonable, and is clearly in the interests of ARC for its charitable purposes. We believe that it is also in the interests of users who are seeking to engage with us and find out more about what we do, some of whom may want the opportunity to support us financially.

3. What types of personal data do we collect?

The type and amount of information we collect depends on why you are providing it. Some examples are as follows:

  • your full name and your title and/or gender;

  • birth date or alternatively a relevant age range;

  • postal address, telephone number and email address;

  • records of your correspondence with us;

  • bank, credit card or other payment details (if you purchase from us or donate to us);

  • donation and gift aid details (if you donate to us);

  • information you enter into our website and details of how you use the website (more

    details can be found in our cookie policy below);

  • dietary, accessibility, and mobility information (e.g. if you are signing up to attend one

    of our events or you require information in a different format)

  • photographs and digital images of individuals

    We may also collect, hold and process other personal data where it is appropriate and relevant, for example:

  • details of why you have decided to support/contact us and how you may have heard about us and the work that we do;

  • details of how you would like to be involved and what you intend to do with the information we provide;

  • personal data about you that will enable us to be more precise in what we send you or how we approach you.

    4. How and why do we use personal data?

    We will use your personal data to:

  • keep a record of our relationship with you;

  • improve how we communicate with you;

  • keep in contact with you in the ways that you have requested or agreed to;

  • provide you with the information you have requested from us, including such things as

    project information, specific events that we run, responding to your enquiries and

    requests to tell you about our work and our fundraising;

  • provide you with other information which we feel may interest you. This may include

    newsletters, updates, information in relation to fundraising campaigns, voluntary surveys or questionnaires for you to complete and details of events we think you may be interested in attending;

  • administer and process payments you make for charitable donations;

  • provide you with information about carefully selected third party events, products,

    campaigns and competitions, where we are permitted to do so;

  • analyse and understand how people use our website so we can improve the experience

    for users and reflect preferences & previous interactions;

  • notify you about changes to our services, activities & policies;

  • carry out any obligations or provide you with any other services, functionality or

    content which you specifically request or agree to;

  • comply with applicable laws and regulations and requests from statutory agencies

    including for such purposes as health and safety; the detection and prevention of crime and safeguarding;

Alexandra Rose Charity does not use personal data for automated decision-making.

5. How do we collect personal data?

We may collect information from you whenever you contact us or have any involvement with us, for example when you:

  • visit our website (see Use of Cookies section below);

  • donate to us or fundraise for us;

  • enquire about our activities;

  • apply for a job with us;

  • sign up to receive news about our activities;

  • post content onto our website/social media sites;

  • volunteer for us in any capacity, including becoming a Trustee;

  • take part in our events;

  • contact us in any way including online, email, phone, SMS, social media or post.

6. Children under the age of 16

We do not knowingly collect personal data from children under the age of 16 via our website. If you are under the age of 16, please do not submit any personal data through our website. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce our privacy policy by instructing their children never to provide personal data without their permission. If you have reason to believe that a child under the age of 16 has provided personal data to us, please email us at [email protected] and we will endeavour to delete the information from our systems.

We have the parental or guardian permission for the use of any photographs of children on our website and in other online and print publicity materials.

7. Use of Cookies

A cookie is a small data text file, which a website stores on the user’s computer hard drive (if the user’s internet browser permits) that can later be retrieved to identify the user to the website operator. Cookies enable the service provider to identify, authenticate and maintain information about the way visitors use websites. For more detailed guidance about Cookies and how to control or delete them, you can visit www.aboutcookies.org

By accessing our website you are agreeing to the way information is collected and used, as described within this policy. In return, Alexandra Rose Charity gives the commitment that we will use the personal data you provide only in ways that are compatible with the policy. Every time you log on to our website your IP (Internet Protocol) address registers on our servers. Your IP address reveals no information other than the number assigned to your device. We do not use this technology to get any personal data against your knowledge or free will; nor do we use it for any purpose other than to help us monitor traffic on our website, or (in case of criminal activity or misuse of our information) to cooperate with law enforcement.

The list below describes the cookies we use on our website and what we use them for. Currently we operate on the understanding of ‘implied consent' which means that we assume you are happy with this usage. If you are not happy, then you should either not use our website, or you should delete the cookies having visited the website, or you should browse our website using your internet browser's anonymous usage setting.

First Party Cookies

These are cookies that are set by our website directly. We use Google Analytics to collect information about visitor usage of our website. Google Analytics stores information about what pages you visit, how long you are on our website, how you got here and what you click on. This analytics data is collected via a JavaScript tag in the pages of our website and is not tied to personally identifiable information, so cannot be used to identify who you are. You can find out more about Google's position on privacy and its analytics service by clicking here: (https://support.google.com/analytics/answer/6004245?hl=en-GB)

Third Party Cookies

These are cookies set on your device by external websites whose services are used on our website. Cookies of this type are the sharing buttons across our website that allows visitors to share content onto social networks - currently LinkedIn, Twitter and Facebook, although other networks may be added in future. In order to implement these buttons, and connect them to the relevant social networks and external websites, there are scripts from domains outside of our website. You should be aware that these websites are likely to be collecting information about what you are doing all around the internet, including on our website. You can check the respective policies of each of these websites to see how exactly they use your information and to find out how to opt out, or delete, such information.

8. Rights for individuals under GDPR

  • The right to be informed – ARC has an obligation to provide ‘fair processing information’, typically through a Privacy Notice such as this document. This is about ARC being transparent about how we use people's personal data.

  • The right of access – ARC will provide, on request by an individual, a copy of the personal data ARC holds about them free of charge. This is called a ‘subject access request’ and ARC will respond as soon as we possibly can, but at the latest within one month of receipt of a request.

  • The right to rectification - Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

  • The right to erasure - This also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the entire deletion or removal of all personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’, but individuals have a right to have personal data erased and to prevent processing in specific circumstances:

    • -  Wherethepersonaldataisnolongernecessaryinrelationtothepurposefor which it was originally collected/processed.

    • -  Whentheindividualwithdrawsconsent.

    • -  When the individual objects to the processing and there is no overriding

      legitimate interest for continuing the processing.

  • The right to restrict processing - Individuals have a right to ‘block’ or suppress

    processing of personal data. When processing is restricted, ARC is permitted to store the personal data, but not further process it. ARC can retain just enough information about the individual to ensure that the restriction is respected in future.

  • The right to object - Individuals have the right to object to direct marketing (including profiling) and processing for purposes of historical research and statistics. The GDPR defines "profiling" as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their economic situation, health, personal preferences, reliability, behaviour, location or movements.

Rights in relation to automated decision making and profiling - The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

Please note, the Right to data portability under GDPR does not apply when Legitimate Interests is used as the lawful basis for data processing.

To contact ARC about exercising any of these rights, e.g. to make a subject access request or to rectify personal data that is inaccurate or incomplete, please email [email protected] To find out more about your rights you can also visit https://ico.org.uk/for-the-public/

9. Mailing Lists and our Newsletter

You can subscribe to ARC’s mailing list by providing us with your contact details via our website. If you choose to receive electronic communications from ARC (such as newsletters and fundraising information by email), then we will need your consent to communicate with you in this way. This is because such communications may be deemed to be ‘marketing’ for which your explicit consent would be required under the Privacy and Electronic Communications Regulations (PECR), which sit alongside the GDPR.

The sign-up section of our website contains all the necessary information regarding consent and opting in to receive electronic communications. ARC only uses email addresses to send relevant information. We do not pass on personal data to third parties unconnected with ARC. We use MailChimp to manage our mailing list, and recipients can unsubscribe at any time simply by clicking the link at the foot of ARC’s emails or by emailing [email protected]

10. Disclosure and Transfer of Your Personal Data

We do not sell, rent or otherwise disclose personal data with any other parties other than as set out in this Privacy Policy. We may, in certain circumstances, receive your details from online charitable giving platforms in accordance with a particular platform’s privacy policy – e.g. where you donate to us through an online platform, they may then give us your address so that we can write to you, say thank you and keep you informed of our work.

We store your data securely and in line with data protection law. Legislation does however permit certain disclosures without consent when the information is requested for one or more of the following purposes:

  • To safeguard national security;

  • Prevention or detection of crime including the apprehension or prosecution of offenders;

  • Assessment or collection of tax duty;

  • Discharge of regulatory functions (includes health, safety and welfare of persons at work);

  • To prevent serious harm to a third party;

  • To protect the vital interests of the individual, this refers to life and death situations.
    All requests to provide personal data for one of the above reasons will be specifically authorised

    by ARC’s Business Administrator.

    11. Data transfer to countries outside of the European Union

    For our mailing list, MailChimp’s servers are located in the USA, adhering to the EU-U.S. Privacy Shield Framework. We also use Microsoft Office 365 & SharePoint using only UK/EU servers.

12. Other Privacy Policies

ARC has separate privacy policies covering project-specific apps & information systems for processing the data of Rose Voucher Project service users and traders. These can be viewed by following the links below:

Service users - https://voucher-store.alexandrarose.org.uk/privacy_policy.html

Traders -  https://voucher.alexandrarose.org.uk/privacy-policy

13. Notification of Changes to this Privacy Policy

This policy was last updated in May 2018. If we make any changes to our privacy policy, the new version will be posted on our website, and we will also notify users who subscribe to our mailing list. We may change, modify, add or remove portions of our privacy policy at any time, and any changes will become effective immediately upon being posted on our site unless we state otherwise. We therefore suggest you check this Privacy Policy periodically.