International Refugee Trust Privacy Statement, effective as of 29 January 2019

This Privacy Statement describes our privacy practices. Please read this Privacy Statement carefully to learn how we collect, use, share and otherwise process information relating to individuals (‘Personal Data’), and to learn about your rights and choices regarding our processing of your Personal Data. A reference to ‘IRT’, ‘we’, ‘us’, or the ‘Charity’ is a reference to International Refugee Trust.

  1. Who we are

The International Refugee Trust raises money to help improve the lives of refugees, internally displaced people and returnees around the world. We are a registered charity in England and Wales (registered charity number 802450). Our company number is 02505284 and our registered office is at 11 Heathfield Terrace, Chiswick, London W4 4JE.

 The International Refugee Trust is the controller of your Personal Data and is responsible for its processing, unless expressly specified otherwise in our full Privacy Statement. Please see the ‘Contacting Us’ section, below, for our contact information.

  2. Processing activities covered

 This Privacy Statement applies to the processing of Personal Data collected by us when you:

  • Visit our website that displays or links to this Privacy Statement;
  • Enquire about our services;
  • Donate to the Charity;
  • Register for an event;
  • Engage with our branded social media pages;
  • Voluntarily give us your personal information;
  • Apply for a Charity grant for projects; and
  • Subscribe to receive our email newsletters and appeals.

Our website may contain links to other websites, applications and services maintained by third parties. The information practices of such other services, or of social media networks that host our branded social media pages, are governed by third parties’ privacy statements, which we encourage you to review to better understand those third parties’ privacy practices.

  3. What Personal Data do we collect?

Personal Data we collect directly from you

The Personal Data that we collect directly from you includes the following:

  • If you express an interest in obtaining additional information about our services, request customer support, use our ‘Contact Us’ or similar features, or sign up to our email marketing, we may require that you provide to us your contact information, such as your name, email address, postal address, or phone number;
  • If you make donations via our websites, we may require that you provide to us your financial and billing information, such as billing name and address, credit card number or bank account information and in some instances a declaration from you stating whether you are a UK taxpayer so that we can claim Gift Aid;
  • If you use and interact with our websites, we automatically collect log files and other information about your device and your usage of our websites through cookies, web beacons or similar technologies, such as Internet Protocol (IP) addresses or other identifiers, which may qualify as Personal Data (please see the ‘Website Tracking’ section, below); and
  • If you apply for employment, trustee membership, or association as a volunteer, supporter, or fundraiser.

If you believe that your Personal Data has been provided to us improperly, or to otherwise exercise your rights relating to your Personal Data, please contact us by using the information in the ‘Contacting Us’ section, below.

Personal Data we collect from other sources

We may also collect information about you from other sources and combine this information with Personal Data provided by you. This helps us to update, expand and analyse our records, identify new customers and create more tailored advertising to provide services that may be of interest to you. We collect Personal Data from the following sources:

Social media profiles, LinkedIn URLs, the Government Services and Information website, and custom profiles, for purposes of targeted advertising, delivering relevant email content, event promotion and profiling.

Payment Information

Donations to IRT can be made via credit or debit card payments, standing orders, Charities Aid Foundation (CAF) vouchers, cash, and cheques, as well as online giving platforms such as JustGiving and Virgin Money Giving.

We ensure that all payments or donations are carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS). For more information about these standards, please visit https://www.pcisecuritystandards.org/.

In addition to keeping your payment information safe during the payment process, we will:

  • not store your credit card or debit card details;
  • securely destroy all card details and validation codes once the payment or donation process is complete;
  • immediately delete any emails received that contain any credit card or debit card details; and
  • only allow authorised staff to process payments and access payment details.

To process donations made through our website, we use a third party called Stripe Payments Europe Ltd (‘Stripe’).

Stripe may use, retain and disclose your personal information and credit card details for this purpose as set out in their privacy policy which can be found by visiting https://stripe.com/gb/privacy. They may also transfer your data outside of the European Economic Area (EEA) and where such transfers may occur, we will ensure that your data is adequately protected. As per their Privacy Statement, Stripe comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the US.

  4. Website Tracking

Our website uses cookies to help it work well and to find out how people are using it.

For all areas of our website which collect personal information, we use a secure server which can be identified with the URL starting with https://. Although we cannot 100% guarantee the security of any information you give us, we do enforce strict procedures and security features to protect your information and prevent unauthorised access.

We use cookies and spotlight tags to help track the success of our online advertising and monitor how people use our website. We use MailChimp (web beacon technology) to monitor the success of different email communications. For more information, please visit https://mailchimp.com/legal/cookies/. We use Google Analytics for our web analytics.

With both cookies and spotlight tags, the information we collect is anonymous and does not personally identify you. Occasionally we gather information such as pages most visited to help improve our website and activities.

Cookies?

A cookie is a small file of letters and numbers that is downloaded onto your computer or mobile device when you access our website. Cookies allow us to distinguish you from other users of the website, helping us to provide you with a good user experience when you browse our website and allowing us to improve our site. Cookies will tell us whether you have visited our site before or whether you are a new visitor. To find out more about cookies and how you can disable them, visit http://www.allaboutcookies.org/.

Spotlight Tags?

A spotlight tag records access to a website as part of online advertising. Spotlight tags allow us to track, measure and report on activities that happen on our website after you see or click an ad. These tags allow us to measure the effectiveness of our online marketing campaigns. These files are provided to us by our ad partner, Google Marketing Platform. For more information, please visit https://marketingplatform.google.com/about/enterprise/.

Web Beacons?

A web beacon is an invisible graphic and, unlike a cookie, is not stored on your computer. When you open an HTML email that we have sent you, this invisible graphic is downloaded from a web server and generates a record showing that the email was opened, how many times it was forwarded (if any) and which links within the email were clicked. For more information about the service we use to send HTML email campaigns, please visit Mailchimp at https://mailchimp.com/legal/cookies/.

  5. Purposes for which we process Personal Data and the legal bases on which we rely

The Charity uses the following lawful bases for processing your personal information:

  • you have given us consent to process your data;
  • we have a contractual relationship with you;
  • we are legally obliged to process your data; or
  • we believe it is in the legitimate interest of either you as the data subject or us as the Charity to process your data.

The personal information that we hold, use, transfer and process will be handled in accordance with the legislation. Should our grounds of processing need to be updated or change, the notice will be updated to reflect these changes.

We collect and process your Personal Data for the purposes and on the legal bases identified in the following:

Under the lawful basis of legal obligation for processing, we collect information as follows:

  • Where the collection is required or authorised by law;
  • To assess your personal information for fraud prevention – a requirement as charities can be targeted for illegal purposes such as money laundering and are therefore required to monitor financial activity and report suspected fraud to the appropriate authorities.

Under the lawful basis of consent for processing, we collect your information as follows:

  • To provide you with the service, products, or information about the Charity’s work or the activities that you have requested;
  • For your participation or expressed interest in an event, ensuring you have all the required information;
  • To ask you to help the Charity by raising money on our behalf or donating money to us.

Under the lawful basis of legitimate interest for processing, we collect your information:

  • To use your IP address to block disruptive use, record website traffic, or to personalise content based on previous visitor history;
  • To analyse and improve our services regarding fundraising and supporting our Charity;
  • For internal record keeping, managing feedback and queries;
  • To process any donation or donations we may receive from you;
  • To administer and monitor grant funding.

Where we need to collect and process Personal Data by law, or under a contract we have entered into with you, and you fail to provide the required Personal Data when requested, we may not be able to perform our contract with you.

  6. Who do we share Personal Data with?

We do not and will not sell or swap your information with any third party for their marketing purposes; however, we may share or receive information in the following ways:

  • With third parties where we are legally required to do so (e.g. the police, a government body such as HMRC or a regulatory body such as the Charity Commission or Fundraising Regulator);
  • With our contracted service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing, and customer support.

All our data processors are carefully selected and are trusted partners of the Charity. All our trusted partners are required to comply with data protection laws and our high standards and are only allowed to process your information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place with our trusted partners and we regularly monitor all our partners to ensure their compliance.

For further information on the recipients of your Personal Data, please contact us by using the information in the ‘Contacting Us’ section, below.

We do not share your information for any other purpose.

  7. International transfer of Personal Data

We aim to store all information within the UK or within the European Economic Area (EEA).

In some situations, it is possible that your information may be transferred outside the EEA. This may occur where, for example, one of our trusted partners that is processing information on our behalf has servers located in a country outside the EEA.

If this is the case, we will take appropriate steps to ensure your privacy continues to be protected as outlined in the privacy statement and in line with our legal obligations.

  8. Use by children and young persons

Our website is not directed at children and young persons. We do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us by using the information in the ‘Contacting Us’ section, below, and we will take steps to delete such Personal Data from our systems.

  9. How long do we keep your Personal Data?

We may retain your Personal Data for a period consistent with the original purpose of collection (see the ‘Purposes for which we process Personal Data and the legal bases on which we rely’ section, above). We determine the appropriate retention period for Personal Data based on the amount, nature and sensitivity of your Personal Data processed, the potential risk of harm from unauthorised use or disclosure of your Personal Data and whether we can achieve the purposes of the processing through other means, as well as based on applicable legal requirements (such as applicable statutes of limitation).

After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.

For further information on applicable data retention periods, please contact us by using the information in the ‘Contacting Us’ section, below.

  10. Your rights relating to your Personal Data

Your rights

You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and if you are in the EEA, these rights may include:

  • To access your Personal Data held by us (right to access);
  • To be told what we are doing with your Personal Data. This is set out in this Privacy Statement (right to be informed);
  • To rectify inaccurate Personal Data, or ask us to complete information that is incomplete (right to rectification);
  • To erase/delete your Personal Data, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten);
  • To restrict our processing of your Personal Data, to the extent permitted by law (right to restriction of processing);
  • To transfer your Personal Data to another controller (right to data portability);
  • To object to any processing of your Personal Data carried out based on our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
  • Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects (‘Automated Decision-Making’). Automated Decision-Making currently does not take place on our website; and
  • To the extent we base the collection, processing and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.

How to exercise your rights

To exercise your rights, please contact us by using the information in the ‘Contacting Us’ section, below. We try to respond to all legitimate requests within one month and will contact you if we need additional information from you to honour your request.

Your preferences for email marketing communications

If we process your Personal Data for sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from us by clicking on the ‘unsubscribe’ link located on the bottom of our marketing emails.

Additionally, you may unsubscribe by contacting us using the information in the ‘Contacting Us’ section, below. Please note that opting out of marketing communications does not opt you out of receiving important business communications related to your current relationship with us, such as communications about your donations or security information.

Postal communications

This is where you receive information about the Charity through your mailbox. Postal marketing enables us to contact a wide range of individuals and is an easy way to keep you updated. It allows you to donate and get involved in your own time, in a way which isn’t intrusive to you.

For this reason, we use our legitimate interests to send marketing in this way. This means that we won’t ask you for prior permission to send you marketing by post, but you can always tell us if you no longer wish to receive post.

  11. How we secure your Personal Data

We take precautions including organisational, technical and physical measures to help safeguard against the accidental or unlawful destruction, loss, alteration and unauthorised disclosure of, or access to, the Personal Data we process or use.

While we follow generally accepted standards to protect Personal Data, no method of storage or transmission is 100% secure. You are solely responsible for protecting your password, limiting access to your devices and signing out of websites after your sessions. If you have any questions about the security of our websites, please contact us by using the information in the ‘Contacting Us’ section, below.

  12. High Value Fundraising

To enable us to fundraise for high value giving opportunities appropriately and effectively, we will research individuals and organisations to help us identify suitable major donors, corporate partners, patrons, and trustees.

This research helps us to identify individuals or organisations who have the capacity to make substantial donations, who appear to have an interest in supporting our cause, and who may be able to help us to raise funds through volunteer support for our appeals, events, or partnership opportunities.

Processing of information for High Value Fundraising

We use our legitimate interests to process information for high value fundraising research.

The processing of your information in this way for High Value Fundraising is instrumental in enabling us to support large-scale projects and initiatives that benefit the International Refugee Trust. We appreciate that you expect us to conduct such processing in an efficient and professional manner whilst taking your right to privacy into account.

We will inform you of the processing we undertake when we first contact you and then at further regular intervals throughout the lifetime of our contact with you. To view your rights, please visit the ‘Your rights relating to your Personal Data’ section.

How we undertake research

We are careful to ensure information collated is not excessive or intrusive and is sourced reliably and appropriately. Any research which is undertaken only uses credible, publicly available information; this may include sources such as national and local press, Companies House, Charity Commission, and social media sites such as LinkedIn. We will only use information where the data has been deliberately made public and we do not collect any sensitive information.

Due Diligence

To comply with our obligations as a Charity, we must also take reasonable and appropriate steps to know who our donors are, particularly where significant sums are donated.

Using Charity Law as a legal basis for processing, we may conduct due diligence to provide assurances that donations and support are from appropriate sources. This is to safeguard our reputation and to help us mitigate any associated risk. We have clearly defined principles that guide how we engage in mutually beneficial relationships with companies, foundations, and individuals. These principles ensure that we raise money legally, safely, and transparently. The nature and extent of due diligence research is proportionate to the fundraising opportunity. Any information we collect for these purposes will only consist of what is necessary for us to meet these requirements and will be processed in line with your rights. To view your rights, please visit the ‘Your rights relating to your Personal Data’ section.

  13. Changes to this Privacy Statement

We will update this Privacy Statement from time to time to reflect changes in our practices, technologies, legal requirements and other factors. If we do, we will update the ‘effective date’ at the top of this Privacy Statement. If we make an update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you using the email address you provided.

We encourage you to periodically review this Privacy Statement to stay informed about our collection, processing and sharing of your Personal Data.

  14. Contacting Us

To exercise your rights relating to your Personal Data, or if you have questions regarding our privacy practices, please mail us at:

Database and Office Manager

PO Box 31452

Chiswick

London W4 2FE

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are in the EEA, you have the right to lodge a complaint with the competent supervisory authority.