Privacy policy

Last Updated on 24 May 2018

Introduction
Naked Heart Foundation believes strongly in protecting the integrity and privacy of personal data gathered from our members and supporters as well as visitors to our websites. For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation addressing data protection, the Data Controller is Naked Heart Foundation.

This Policy sets out why we collect personal data about individuals and how we use it. It also explains the legal basis for this and the rights you have regarding the way your personal data is used.

We may change this Policy from time to time. If we make any significant changes, we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.

If you have any questions about this Policy or concerning your personal data, please contact the data protection agent via e-mail at data@nakedheart.org or by writing to the mailing address below:
Naked Heart Foundation
26 Bloomsbury Street
London WC1B 3QJ
United Kingdom

Exclusion of External Content and Websites From This Policy
This Policy does not extend to external websites linked from or external content embedded in our website. Please check with the organisations that own and/or operate these websites for their policies regarding data privacy, including the use of “cookies”.

What Personal Data Does Naked Heart Foundation Collect?
The type and amount of personal data we collect depends on why you are providing it to us.
The personal data we collect when you make an enquiry may include your name, e-mail address, postal address, and phone number.

If you are a supporter (for example, making a donation, volunteering, registering to fundraise, or signing up for an event), in addition to asking for your name, gender, and contact details (your full postal address, e-mail address, and phone number), we may also ask you for additional information about yourself, such as your reasons for supporting our work; information about your background, such as your educational achievements; and your age. If you donate to us and provide your credit/debit card or bank account information, it will be encrypted using SSL technology. We do not store those details on our servers but use third-party credit card processing services.
You are always in control regarding the additional personal data you provide to us and can decline to provide such data.

If the postal contact information you provide to us is incomplete or contains errors, we may use services such as those provided by the Royal Mail to correct your address details in order to enable us to send you information about our work and how you can support us.

We may also collect any personal data provided by you that is contained in or regarding any communication you send to us, whether via e-mail, phone, or post, as may be necessary to enable us to communicate with you better in the future and to record the communication preferences you state to us.
You may not provide us with the personal information of anyone but yourself and any child of whom you are parent or legal guardian.

How We Collect Personal Data
We may collect personal data from you whenever you contact us or have any involvement with us, such as when you do any of the following things:
– Visit our website
– Donate to us or fundraise for us
– Enquire about our activities or services
– Sign up to receive news about our activities
– Volunteer for us
– Take part in our events
– Contact us in any way, including online or via e-mail, phone, SMS, social media, or post

Where We Collect Personal Data From
We collect personal data in the following circumstances:
– You give it to us directly. You may provide personal data when you ask us for information, make a donation, volunteer, attend our events, or contact us for any other reason.
– You give it to us indirectly. Your personal data may be shared with us by other parties, such as fundraising sites like JustGiving, if you are fundraising for us. You should review the applicable organisation’s privacy and other data policies if you have questions about how it processes personal data.
– You have given other organisations permission to share it. Your personal data may be provided to us by other organisations if you have given them your permission to do so. This might, for example, be a charity working with us or might occur when you buy a product or service from a third party. The personal data we receive from other organisations depend on your settings or the option responses you have provided to them.
– You use our website. When you use our website, personal data about you are recorded and stored.
– It is available on social media. Depending on your settings or the privacy policies of social media and messaging services you use (like Facebook, Instagram, or Twitter), you might give us permission to access personal data from those accounts or services.
– It is available from other publicly available sources and we have legitimate interests in collecting and using it.

How Do We Use the Personal Data We Collect?
We will use your personal data in a number of ways, which reflect the legal basis applying to the processing of your data. These may include the following:
– Providing you with the information or services you have asked for
– Processing donations you make, including processing for Gift Aid purposes
– Predicting whether you would be interested in, and contacting you about, donating a particular amount of money to us based on any previous donations you made to us
– Organising volunteer activities you have told us you want to be involved in, like fundraising
– Sending you communications – with your consent – that may be of interest, including marketing information about our services, activities, and campaigns; appeals asking for donations; and information about other fundraising activities and promotions for which we seek support
– When necessary for carrying out our obligations under any contract between us
– Seeking your views on our services or activities so that we can make improvements
– Maintaining our organisational records and ensuring we know how you prefer to be contacted
– Analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
– Processing job applications

Our Legal Basis for Processing Your Personal Data
The use of your personal data for the purposes set out above is lawful because one or more of the following applies:
– Where you have provided us with personal data for the purpose of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the data for that purpose, based on the way that you provided us with the data. You may withdraw consent at any time by e-mailing us at data@nakedheart.org. This will not affect the lawfulness of the processing of your personal data prior to your withdrawal of consent being received and acted upon.
– It is necessary for us to hold and use your personal data so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to take prior to entering into a contract.
– It is necessary to comply with our legal obligations, such as processing pursuant to a UK law or a court order.
– Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, we would presume that there is no prejudice to you in our fulfilment of your request.
– We have identified some other legitimate interest in using the personal data.
If you want to contact us about your marketing preferences, please e-mail data@nakedheart.org.

How Long Will Naked Heart Foundation Keep the Personal Data It Has Collected?
We will hold your personal data for as long as it is necessary for the relevant activity.

How We Keep Your Personal Data Safe
We are committed to ensuring that personal data is dealt with properly and securely and in accordance with the GDPR and other related legislation. We are also committed to the six data protection principles set forth in the GDPR and ensuring that at all times, anyone dealing with personal data is mindful of an individual’s rights under the law. In furtherance of these commitments, we will do the following:
– Inform individuals as to the purpose of collecting any information from them, as and when we ask for it
– Process and disclose personal data in accordance with the GDPR and other related law
– Be responsible for checking the quality and accuracy of the information
– Regularly review the records held to ensure that information is not held longer than is necessary
– Ensure that when information is authorised for disposal it is done appropriately
– Ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer network, and follow the relevant security policy requirements at all times
– Share personal information with others only when it is necessary and legally appropriate to do so
– Set out clear procedures for responding to requests for access to personal information, known as subject access requests
– Report any breaches of the GDPR in accordance with the GDPR

We will take reasonable steps to ensure that our team and third party processors will only have access to personal data where it is necessary for them to carry out their duties. Our team and third party processors will be made aware of their duties under the GDPR. We will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.

How We Protect Your Personal Data
We take reasonable and appropriate administrative, technical, organisational, and physical security and risk-management measures in accordance with applicable laws to ensure that your personal data are adequately protected against accidental or unlawful destruction, damage, loss or alteration, unauthorised or unlawful access, disclosure or misuse, and all other unlawful forms of processing of your personal data in our possession.
Securing personal data is an important aspect of protecting privacy. We apply policies, standards, and supporting security controls at the level appropriate to the risk level and the services provided. In addition, appropriate security controls are communicated to applicable personnel across the organisation in order to support a secure operating environment.

We pay specific attention to the protection of personal data and the risks associated with processing this data.

These measures include the following:
– Physical safeguards: We lock doors and file cabinets, control access to our facility, and apply secure destruction to media containing your personal data.
– Technology safeguards: We use network and information security technology such as anti-virus and endpoint protection software, intrusion detection, and data loss prevention, and we monitor our systems and contractors to ensure that they comply with our security policies.
– Organisational safeguards: Our organisational policies and standards also guide our handling of your personal data. Particular care is given to security and privacy of financial information and sensitive personal information. Access to personal data is strictly controlled and is provided only to those employees and contractors whose specific job duties require access to the data – and only to the extent required. Access is controlled through a number of user identification and authentication methods both internally and via remote access.

Personal Data Breaches
We take reasonable measures to prevent personal data breaches. If these were to occur, we have a process in place to take swift action within our responsibilities. These actions will be consistent with the role we have in relation to the services or processes affected by the breach. In all cases, we will work together with affected parties to minimise effects, to make all notifications and disclosures that are required by applicable law or otherwise warranted, and to take action to prevent future breaches. System monitoring includes prevention of intrusion attempts.

Storage of Your Personal Data
The data we collect from you may be stored, with risk-appropriate technical and organisational security measures applied to it, on in-house as well as third-party servers.
While we strive to safeguard your personal data, we cannot guarantee the security of any data you provide, and you provide it at your own risk.

Who Has Access to Your Personal Data?
The following may have access to your personal data:
– Third parties who provide services to or for us – for example, sending mailings, processing donations, or collecting, storing, or processing data – may have access. We select our third-party service providers with care. We provide them with the information that is necessary to provide the relevant service, and we have an agreement in place with each that requires them to operate with the same care regarding data protection as we do.
– Third parties may have access if we run an event in conjunction with them. We will let you know how your data are used when you register for any event.
– Analytics and search engine providers that help us to improve our website and its use may have access.

Because of financial or technical considerations, the personal data you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as those in the UK. We may do this for the purpose of storage within our customer relations management software or other software or for the purpose of data analysis. We meet our obligations under the GDPR by ensuring that such data have the same protection as if they were being held within the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefit from an adequacy determination for GDPR purposes or, where appropriate, we have entered into a Data Processing Agreement with the third party that contains appropriate safeguards using model European Union clauses.

We may also disclose your personal data if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction or where doing so would not infringe your rights but is necessary and in the public interest.

Other than in these circumstances, we will not share your personal data with other organisations without your consent.

Keeping Your Personal Data Up to Date
We would really appreciate it if you would let us know if your contact details or other personal data change. You can do this by contacting us at data@nakedheart.org or writing to Naked Heart Foundation, 26 Bloomsbury Street, London, WC1B 3QJ, United Kingdom.

Do We Use ‘Cookies’ on Our Websites?
We use “cookies” on some webpages. A “cookie” is a small piece of data that is stored on a visitor’s hard drive but does not itself contain any personal information. Cookies enhance visitors’ experiences by ensuring that they don’t have to log in or provide information each time they revisit a Naked Heart Foundation webpage and by customising content based on their interests. Visitors can configure their browsers to be alerted when a site is attempting to send a cookie and can refuse it, although some pages will not function properly without accepting cookies.

Naked Heart Foundation also uses cookies to administer the website, track visitor movement, and gather broad demographic information for aggregate use.

Your Rights
You have the right to request details regarding the processing activities that we carry out in relation to your personal data. Such requests must be made in writing. To make a request, contact us via e-mail at data@nakedheart.org or by writing to Naked Heart Foundation, 26 Bloomsbury Street, London, WC1B 3QJ, United Kingdom.

You also have the following rights:
– The right to access your personal data
– The right to request rectification of data that are inaccurate or out of date
– The right to erasure of your data (known as the “right to be forgotten”)
– The right to object to processing necessary for the purposes of legitimate interests pursued by us
– The right to restrict the way in which we are dealing with and using your data
– The right to request that your data be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”)
– Rights in relation to automated decision-making and profiling, including profiling for marketing purposes
– The right to lodge a complaint with a supervisory authority

All these rights are subject to certain safeguards and limits or exemptions. To exercise any of these rights, contact us in writing at the above e-mail or mailing address. We will process your request without delay and, if appropriate, respond in full no later than one month from our receipt of the request. We may ask for additional information necessary to confirm your identity and process the request before processing the request in full. Requests will be denied in instances where an exemption in the GDPR or another law applies.

Changes to This Privacy Policy
This Policy may be changed from time to time. If we make any significant changes, we will advertise this on our website or contact you directly with the information.

Please check this Policy each time you consider giving your personal information to us.

Do You Have Additional Questions?
If you have any questions about our privacy policy, the personal data we have collected from you, the practices of this site, or your interaction with this website, please contact us via e-mail at data@nakedheart.org or by writing to Naked Heart Foundation, 26 Bloomsbury Street, London, WC1B 3QJ, United Kingdom.