1.1 We are committed to safeguarding the privacy of our website visitors, service users, individual customers and customer personnel.
1.2 This policy applies where we are acting as a data controller with respect to the personal data of such persons; in other words, where we determine the purposes and means of the processing of that personal data.
1.3 Our website incorporates privacy controls under your control that will affect how we will process your personal data with regard to direct marketing. You may choose to subscribe to email marketing from us by completing a form. If you make a donation via our website, you can also choose whether or not to receive direct marketing.
1.4 In this policy, “we”, “us” and “our” refer to the Kurikindi Foundation. For more information about us, see Section 14.
2.1 This document was created using a template from Docular. https://seqlegal.com/free-legal-documents/privacy-policy
3.1 In this section (3) we have set out the general categories of personal data that we process.
3.2 We may process data enabling us to get in touch with you (“contact data”). The contact data may include your name, email address, telephone number, postal address and/or social media account identifiers. You are the source of the contact data. This data is stored inside our CRM/email marketing platform, meeting GDPR requirements.
3.3 We may process information relating to any donation you make to us through our website (“transaction data”). The transaction data may include your name, your contact details, the date of the donation, the donation method used, the donation amount, and whether or not your donation is eligible for Gift Aid. This data is stored inside our accounting software platform, meeting GDPR requirements. To protect your payment card information, and in order for us to accept payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS), we have no access whatsoever to your payment card details. Via a secure, direct integration with the charity payment platform LoveGiving.com, the processing, transmission and storage of your card data are carried out by the payment processor Stripe, which is a certified PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
3.4 We may process information contained in or relating to any communication that you send to us or that we send to you (“communication data”) about our service, such as via email correspondence. The communication data may include the communication content and metadata associated with the communication. When you use a communication webform on our website, the form generates the metadata associated with that communication. This data will be stored inside our CRM/email marketing platform, meeting GDPR requirements.
3.5 We may process data about your use of our website and services (“usage data”). The usage data we process that may personally identify you is as follows:
(a) Like all web-hosting services, our hosting service Hostinger automatically makes a record of your IP address, to which we have access, every time you visit our site. This record is held for 30 days before being automatically deleted. This is held so that:
We do not use this information for any purpose other than to investigate issues of security. Generally, this information will never be used by us to identify anyone. Other non-personal data that is automatically collected by Hostinger may include: geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of the use of our service by visitors.
(b) Our email marketing platform, Brevo, may maintain a record of:
Some of the information stored in our accounting software, ExpensePlus, regarding donations that you have made, may also be securely transferred to Brevo in order to consolidate data in one place.
In line with GDPR, we will respect any request from you to access, correct, delete, or restrict your data, or to opt out of marketing communications.
(c) We use the Cloudflare Turnstile CAPTCHA service on our subscription forms. Turnstile is a UK-GDPR compliant, pro-privacy tool that allows us to distinguish whether website traffic originates from a human or a bot, for the purpose of securing our website against malicious traffic. It does this by presenting a human-solvable “challenge” to the user of a form. Turnstile processes your IP address as part of making its determinations. In line with GDPR, this data is held temporarily in a Customer Log to which we have access for 30 days. We will not use this information for any purpose other than to investigate issues of security. Generally, this information will never be used by us to identify anyone. Other non-personal data that is automatically collected by Turnstile may include: the number of challenges issued, the Challenge Solve Rate (CSR) and traffic metrics.
(d) We do not currently use any data analytics software or cookies to enable us to track visitors’ use of our website. For this reason, our website does not use a cookie consent banner. Should cookies be installed at a later date, a cookie consent banner will be installed as well. (See Section 9 for more details.)
4.1 In this section (4), we have set out the purposes for which we may process personal data and the legal bases of the processing.
4.2 Operations – We may process your personal data for the purposes of operating our website, processing and fulfilling orders, providing our services, supplying our goods, generating invoices, bills and other payment-related documentation, and credit control. The legal basis for this processing is our legitimate interests, namely the proper administration of our website, services and charitable business.
4.3 Publications – We may process transaction and other accounting data for the purposes of publishing such data on our website or elsewhere, notably in our publicly-available annual accounts. In such cases, all data will be aggregated and no single donor will be identifiable. The legal basis for this processing is our legitimate interest, namely meeting our statutory requirements within charity legislation (such as those stipulated by the Charity Commission).
4.4 Relationships and communications – We may process contact data, transaction data and/or communication data for the purposes of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post, fax and/or telephone, providing support services and complaint handling. The legal basis for this processing is our legitimate interests, namely communications with our website visitors, service users, subscribers, donors, individual customers and customer personnel; the maintenance of relationships, and the proper administration of our website, services and charitable business.
4.5 Direct marketing – We may process contact, transaction and/or usage data for the purposes of creating, targeting and sending direct marketing communications by email, SMS, post and making contact by telephone for marketing-related purposes. The legal basis for this processing is our legitimate interests, namely promoting our charitable business and communicating information, marketing messages and offers to our website visitors, subscribers, donors and service users.
4.6 Research and analysis – We may process usage data and transaction data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our charitable business. The legal basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and general business.
4.7 Record keeping – We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our charitable business in accordance with this policy and the law.
4.8 Security – We may process your personal data for the purposes of security and the prevention of fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and charitable business, and the protection of others.
4.9 Insurance and risk management – We may process your personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our charitable business against risks.
4.10 Legal claims – We may process your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
4.11 Legal compliance and vital interests – We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your vital interests or the vital interests of another natural person.
5.1 We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.
5.2 Your personal data (contact, transaction and communication data) will be held securely within our CRM database provided by Brevo.com, which holds ISO 27001:2013 certification and operates within GDPR regulations. For more information, please visit: brevo.com/features/data-security. Our website is published using WordPress. Personal data used for direct marketing and communications purposes will be synchronised between Brevo and WordPress using the Brevo WordPress plugin. WordPress also adheres to the requirements of UK GDPR. We will also synchronise personal data between ExpensePlus (see below) and Brevo. Brevo will also provide us with analytics on our direct marketing (such as emails opened and links in emails clicked).
5.3 Financial transactions relating to donations made via our website will be handled by our payment services provider, Stripe. We also use Stripe for analytics and other business services. Our online donation form is hosted externally to our website by LoveGiving.com, an online donation platform provided by and integrated with our accounting software, ExpensePlus. LoveGiving is integrated with Stripe to collect donor payment information and securely transmits this data to Stripe without it passing through our servers, so we never hold your payment information. The personal data Stripe collects and processes includes identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection and prevention. We will share transaction data we hold with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find further information on the processing policies and practices of Stripe at: www.stripe.com/gb/privacy#1-personal-data-that-we-collect-and-how-we-use-and-share-it.
5.4 In addition to the specific disclosures of personal data set out in this section (Section 5), we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
5.5 Below are the named third-party sub-processors that we use in order to provide our service to you:
6.1 In this section (6), we provide information about the circumstances in which your personal data may be transferred to a third country under UK GDPR.
6.2 We hold all your personal data on systems that use host servers based within the UK or the European Economic Area (EEA), with the exception of Cloudflare Turnstile, whose data centres are in the USA (please see 3.5 above).
| Third-Party Service Provider | Server Location |
|---|---|
| Hostinger | United Kingdom |
| Brevo | EEA |
| ExpensePlus | United Kingdom |
| LoveGiving (Stripe) | UK or Ireland |
| Cloudflare Turnstile | United States |
Where our providers, suppliers and subcontractors have server locations in the UK or EEA, we may permit those providers to transfer your personal data from the EEA to the UK and process that personal data in the UK for the purposes set out in this policy, during any period with respect to which the UK is not treated as a third country under EU data protection law or benefits from an adequacy decision under EU data protection law. We may also permit those providers to transfer your personal data from the UK to the EEA and process that personal data in the EEA for the purposes set out in this policy, during any period with respect to which EEA states are not treated as third countries under UK data protection law or benefit from adequacy regulations under UK data protection law.
6.3 When you make a donation via our online donation page at LoveGiving.com, your payment will be handled by our payment services provider, Stripe. If you are based in the EEA, the primary entities responsible for processing your personal data are Stripe Technology Europe Limited and Stripe Payments Europe, Limited (SPEL), both of which process your personal data in Ireland. If you are based in the UK or Switzerland, the primary entities responsible for processing your personal data are Stripe Payments UK, Ltd, which processes your personal data in the UK, and Stripe Payments Europe, Limited (SPEL), which processes your personal data in Ireland. For more information, please see www.stripe.com/gb/legal/privacy-center.
6.4 Our website is published using WordPress, and Hostinger provides our website hosting. The Hostinger servers we use are located in the UK. WordPress and Hostinger adhere to the requirements of UK GDPR. Our webform functionality is provided by the Brevo WordPress plugin. Personal data used for direct marketing and communications purposes will also be synchronised between Brevo and WordPress using the Brevo WordPress plugin.
6.5 Hostinger offers an analytics service by which we can review activity on our website in the form of statistics. This data is processed anonymously. It enables us to identify, amongst other factors, the number of unique visits to our website, the originating country of each visit, the devices visitors use, the total number of full pages viewed, and the total bandwidth consumed relative to the number of website requests. This data is used only for monitoring and review purposes by our immediate charity team. We may publish an anonymous overview of our website’s annual use in our publicly-available charity annual report. For full information on Hostinger analytics, please see: www.support.hostinger.com/en/articles/5650167-how-to-use-the-analytics-section-on-hpanel
6.6 The competent data protection authorities have made an adequacy determination with respect to the data protection laws of the UK and EEA. Transfers between each of these countries or regions will be protected by appropriate safeguards, namely the fulfilment of the:
As stated by the UK Information Commissioner’s Office (ICO):
“The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR. In practice, there is little change to the core data protection principles, rights and obligations … On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate … ‘Adequacy’ is a term the EU uses to describe [the UK] as having an “essentially equivalent” level of data protection to the EU. This means data can continue to flow freely from the EU to the UK, in the majority of cases.”
For more information, please see: www.ico.org.uk/for-organisations/data-protection-and-the-eu/overview-data-protection-and-the-eu
7.1 This section (7) sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
7.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
7.3 We will retain your personal data as follows:
(a) contact data will be retained for a maximum period of three years, following the financial year from the date of the last active response we had from you (e.g. you opening a subscription email; you responding to an email)
(b) all transaction data (including cash books, invoices, receipts and Gift Aid records) will be retained for a maximum period of six years, following the financial year in which the transaction was made, in line with HMRC regulations
(c) communication data will be retained for a maximum period of five years following the date of the communication in question, unless the nature of the communication requires that the data is held longer
(d) communication or other data that becomes part of a record concerning the safeguarding of a child will be kept until the child is 25 years old. Any communication or other data that becomes part of a record regarding concerns raised about an adult’s behaviour around children or vulnerable people, will be retained until the adult reaches normal pension age or for 10 years – whichever is longer
(e) usage data will be retained for a maximum period of three years, following the financial year from the date of the last active response we had from you (e.g. you opening a subscription email; you responding to an email), after which it will be deleted or anonymised and kept for statistical and service-planning purposes.
7.4 Notwithstanding the other provisions of this section (7), we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
8.1 In this section (8), we have listed the rights that you have under data protection law.
8.2 Your principal rights under data protection law are:
(a) the right to access – you can ask for copies of your personal data
(b) the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data
(c) the right to erasure – you can ask us to erase your personal data
(d) the right to restrict processing – you can ask us to restrict the processing of your personal data
(e) the right to object to processing – you can object to the processing of your personal data
(f) the right to data portability – you can ask that we transfer your personal data to another organisation or to you
(g) the right to complain to a supervisory authority – you can complain about our processing of your personal data
(h) the right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent
8.3 These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting www.ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
8.4 You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.
9.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to your web browser and is stored by your browser. The identifier is then sent back to the server each time the browser requests a page from the server.
9.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
9.3 Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
10.1 Our website only currently uses strictly necessary cookies to enable basic website functionality. These cookies do not collect personal information and therefore do not require visitor consent under GDPR.
11.1 Our service providers do not use cookies that are stored on your computer when you visit our website.
12.1 We may update this policy from time to time by publishing a new version on our website.
12.2 You should check this page occasionally to ensure you remain satisfied with any changes to this policy.
12.3 We may notify you of significant changes to this policy.
13.1 This website is owned and operated by the Kurikindi Foundation.
13.2 We are registered as a Charitable Incorporated Organisation (CIO) in England and Wales under registration number 1192677 and our registered office is at 23 Montpelier Court, Montpelier Road, London, W5 2QN.
Please note our office is closed to the general public.
13.3 You can contact us by:
(a) post, at the address given above
(b) email at [email protected]
Kurikindi Foundation © Charity Reg. No. 1192677