Gratitude (also known as Gratitude Global and Gratitude App Ltd) is committed to protecting the privacy and the lawful processing of your personal data. Our data processing is in accordance with the General Data Protection Regulation (EU GDPR), Data Protection, Privacy and Electronic Communication Regulation 2019 (UK GDPR), the Data Protection Act 2018 and any other data protection legislation that may be appropriate.
This privacy notice explains the types of personal data we may collect about you when you interact with us. It also explains how we uphold your rights and how we store and handle your data and keep it safe.
“Personal data” is information relating to you as a living, identifiable individual.
“Processing” your data includes various operations that may be carried out on your data, including collecting, sharing, organising, disclosing, storing and deleting it.
The law requires us to:
• Process your data in a lawful, fair and transparent way
• Only collect your data for explicit and legitimate purposes
• Only collect data that is relevant, and limited to the purpose(s) we have told you about
• Ensure that your data is accurate and up to date
• Ensure that your data is only kept as long as necessary for the purpose(s) we have told you about
• Ensure that appropriate security measures are used to protect your data.
This notice is designed to answer any questions you have but if you have a query, please do contact us.
It is likely that we will need to update this privacy notice from time to time, and you are welcome to come back and check this at any time or contact us by any of the means shown below.
The law states that we must be accountable for the principles of data protection as explained in Article 5 of the UK GDPR. We are therefore required to regularly review our data protection policies, procedures and staff guidance. This helps us to ensure we continue to comply with the law and that our intended processing is both clearly explained, necessary and absolutely transparent. Where we rely on consent, we ensure it is gathered in accordance with the law. When we rely on other conditions, we consider the rights of others before we proceed.
We assess the risks we may, from time to time create, when processing data to ensure we uphold the rights and freedoms of every individual. This is especially true when we process data in a new way.
We only share data where we have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with standard contractual clauses where necessary.
We keep extensive records of our processing. For example, activity and incident logs measure our compliance and help us to identify any weaknesses in our procedures. We actively consider the opinion and advice of others both here, in the EU and beyond. We monitor case law and the guidance of the Information Commissioner’s Office (ICO). We have appointed a third party data protection specialist who are experts in data protection law and are experienced in the third sector. We positively welcome enquires from the public concerning their personal information.
To ensure we protect personal information we constantly review our security measures, both technical and physical and have instigated appropriate safeguards. These include regularly training our staff.
We have appointed an identifiable ‘accountable person’ to oversee our processing. We are registered with the ICO as a data controller and have a clear breach reporting policy. Further detail concerning this can be found in this notice.
What are our lawful bases for processing your data
The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process your personal data. When collecting information that may identify you, we will always make clear to you what data is necessary for each purpose we have identified. Most commonly, we will process your data on the following lawful grounds:
In specific situations, we can collect and process your data with your consent.
This may include when you agree to receive an email about ways you can become a supporter or to receive information from us about other ways to help us, or when you make an enquiry about products that we sell to raise money for our cause. To protect you further, we make sure we adhere to the particular rules concerning electronic communications sent by email or text.
If you have not engaged with us for more than 3 years, you will be flagged as inactive and we will contact you to ask whether you want us to keep your data or not. Unless you reply to say ‘yes’, we will delete or anonymise your personal data. However, we assume that past and present supporters and customers might reasonably expect to continue receiving information unless they have indicated otherwise.
On very rare occasions we may process your data without your consent. This will only be if you are at risk and therefore in your best interest. If you are concerned about this, please get in touch.
In certain circumstances, we need your personal data to comply with our contractual obligations. This might include that you may have pledged or where you purchase a product from Gratitude, entered a competition etc.
If the law requires it, we may need to collect and process your data.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected when we pursue our aims and objectives as an organisation, and which does not materially impact your rights, freedom or interests. We have completed a risk assessment to measure any possible negative impact on our supporters when we use this condition.
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on this basis with or without your consent.
Special category data
Special categories of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We do not aim to collect and process special category data, but we acknowledge it may be revealed to us. Gratitude will document all incidents of its processing of special category data in our data protection incident register and if it is required, the processing will be supported by additional documentation such as an appropriate policy document.
For your information, the special categories of personal data consist of data that reveals:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union memberships
• Genetic data
• Biometric data (eg fingerprints)
• Data concerning health
• Data concerning someone’s sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
• With your explicit written consent
• Where it is necessary in the substantial public interest, and further conditions are met
• Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law
• Where there is a legal obligation.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity.
When we collect your personal data?
These occasions will include, but are not limited to:
• When you support us by giving a donation
• When you buy a product from us that supports our cause
• When you are a staff member of Gratitude
• When you are a volunteer of Gratitude or its associate organisations
• When you are employed by Gratitude as a contractor
• When you visit our offices or an event we may organise
• When you communicate or engage with Gratitude by letter, email or other means, including social media
• When you access or engage with any of the websites we host.
Our schools’ educational programme is a vital source of information for children. Generally, we do not process the data of children but acknowledge that occasionally this may occur. For example, when a child contacts us directly for further information. In such instances, we always try to include the parents or guardian. But if this isn’t possible, and to ensure we are transparent in our processing of all individual’s personal data. We will seek permission from a parent/guardian before proceeding. If this is not possible then we will not proceed.
How and why we collect your personal data
When you visit our website, we may collect your IP address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to make your visit to our website relevant and interesting. With your consent, we may profile you to find out more about you, but in the least most intrusive way. We may use information we collect to display the most interesting content to you on our website we may use data we hold about your previous visits.
We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience.
For your security, we use all appropriate organisational and technical security controls to safeguard your data. We will only ask for and use your personal data collected for the purpose stated at the point at which it is collected. If we believe your data is no longer needed for this purpose, we will not process your data further.
What are your rights over personal data
You have the right of access to the personal information we may hold about you. This is free of charge and will be supplied to you within one month of your request. However, we cannot always guarantee that this is possible due to certain legal obligations.
You have the right to be informed about the way we collect, share and use your data. Each time we process your data we will provide a straightforward explanation as to why we are processing your data.
You may object to our processing of your personal information if we used it for the purpose of direct marketing or fundraising.
If you have given consent for Gratitude to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent. Full privacy notices will explain what your data may be used for each time you are asked to share it with us, along with easy to follow instruction on how to opt-out.
You have the right to challenge automated decisions we make about you. You may ask for these to be assessed by contacting us. We currently do not make decisions in this way but may in the future, we’ll keep you updated on this.
You have the right to request a copy of any information about you that Gratitude may hold at any time to check whether it is accurate. To ask for that information, please contact us using the details shown below.
To protect the confidentiality of your information and the interests of Gratitude, we will ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
Sometimes we are required to inform you about certain changes, including updates to this privacy notice and where we have a legal obligation such as a duty of care or safeguarding. These administrative messages will not include any marketing content and do not require prior consent when sent for example by email. This ensures that we are compliant with our legal obligations.
We may use your data to send you survey and feedback requests to help improve the way we communicate in the future. These messages will also not include any marketing and do not require your prior consent. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt-out of receiving any of these communications at any time.
Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. Our procedures monitor retention periods very carefully. Periodic reviews will ensure that retention schedules are followed. At the end of the retention period, your data will either be deleted completely, put beyond use or anonymised. In some cases, personal data will be kept in perpetuity but will be anonymised.
Protecting your data outside of the UK
Occasionally we will need to share your personal data with third parties and suppliers in the European Economic Area (EEA). This area includes all of the 27 European Union countries and others such as Switzerland. Now that the UK is no longer in the EU, special arrangements have been made to ensure safe transfers of data when necessary. These safeguards include the UK recognising all EU countries as ‘adequate’ for the purposes of data protection. Additionally, and only where required, we have put in place standard contractual clauses with all third parties. These agreements protect your personal data and demonstrate how important your data is to us.
Data of international supporters
We welcome support from around the world. If you are not a UK citizen and reside in another country, we will uphold your rights in accordance with your local laws. If you are concerned about this you may enquiry about your rights – please contact our Data Protection Officer. If you wish to report a data protection breach outside of the UK, you may need to contact your local supervisory authority.
Stopping us from using your data in the future
You can stop communications from Gratitude by either: – clicking the unsubscribe link in any email communication that we send you. We will then stop any further emails and will forget your information in line with your rights unless we have a legal obligation to keep it – contacting us using the information below. Write to us at Gratitude Global, 758 Hanworth Road, Whitton, Hounslow, England, TW4 5NU. email at email@example.com.
Remember, some administrative communications for current and past supporters and customers cannot be stopped.
How to complain about processing your data
If you feel that your data has been handled incorrectly, or you are unhappy with the way we have dealt with your query regarding the way we use your personal data, you have the right to complain.
You can contact the ICO which regulates the use of information in the UK in two convenient ways: You can contact them on 0303 123 1113 or via www.ico.org.uk/concerns.
If you are based outside the UK you have the right to complain to the relevant data protection supervisory authority in your country.
Data protection registration
We are registered as a data controller with the UK ICO. Our data protection registration number is ZB240728.
This website is owned and operated by Gratitude App Limited. We are registered with the Companies House, number 13260816, and our registered office is at Gratitude Global, 758 Hanworth Road, Whitton, Hounslow, England, TW4 5NU
If you would like to discuss any aspect of this policy or the way Gratitude processes your information, you can contact us at firstname.lastname@example.org.
By post at Gratitude Global, 758 Hanworth Road, Whitton, Hounslow, England, TW4 5NU