Find out more
Everybody knows how important the protection of people’s personal data is. The nature of this ever changing World and how data is used (and sometimes abused), has been recognised by the European Union and that includes the United Kingdom. So, from the 25th May, 2018 the new General Data Protection Regulations (GDPR) comes into force through The Data Protection Act, 2018. These build on previous legislation to protect, defend and enhance a person’s rights surrounding their personal data. This Policy and documentation referred to and associated with it, reflect those rights and sets out what personal data we hold and what use we make of your data.
You can find out all about the GDPR by going to The Information Commission’s website; https://ico.org.uk/ and following the link to GDPR.
We here at Make A Donation Limited (MaD) take your privacy and therefore the protection of the personal data you provide to us, very seriously. We never forget it is your data, not ours. That being the case, we can only process and deal with your data in a manner that you have consented to.
We have tried to avoid using anything other than plain English in producing this Policy. However, if there is anything that you do not understand please do not join MaD and/or provide us with your personal data until we have clarified your query to your satisfaction. You can do this by contacting us via .
There are always restrictions, exceptions and details that apply but as a very general summary, the GDPR provides for enhanced protection and control of personal data in that:
- Your data belongs to you;
- You control what we do with your data;
- You have rights regarding the use of your data;
- You can ask for a copy of your data;
- You can update your data or ask us to do so;
- You can ask us to delete your data;
- You can object to processing in certain bases;
- You can ask us to restrict the processing of your data.
WHO ARE WE?
We are Make A Donation Limited, a Company limited by shares and governed by the Laws of England and Wales. The Registered Office of the Company is; 3, Manor Courtyard, Hughenden Avenue, High Wycombe, Buckinghamshire. HP13 5RE. The operational/trading address of the Company is; 3, St. Andrews Court, Wellington Street, Thame, Buckinghamshire. 0X9 3WT. Our telephone number is (01844) 396396. The Company has been given the number 07853867. The Registration Number at the Information Commissioner’s Office is ZA002346.
WHAT WE DO.
We operate an online giving platform through a website. This can be found at: www.make-a-donation.org. We also offer donors the opportunity to benefit from “MaDPoints”, which gives a Donor the potential to receive something back for making a donation through the website. We operate online only. More details are available through the link above.
HOW TO CONTACT OUR DATA PROTECTION OFFICER.
CHANGES TO THIS POLICY
We keep this Policy under review. Updates will appear on our website. We may also notify the changes via email and/or by other media platforms, if you allow us to do so. If you continue to use the site and our services you will have accepted those changes, unless we believe that your consent is necessary to allow those changes to occur, as they relate to your personal data.
WHAT IS PERSONAL DATA?
It is probably sensible to say what personal data actually is. It is: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. So, name, address, gender, email, IP, location, etc. It is very wide and includes manual filing systems too. There are further provisions that relate to “Sensitive Data” such as genetic information. If any of this data is processed, then the GDPR applies to those that are undertaking that processing.
The second element to our holding of personal data is “processing”. This means in very broad terms; the collecting, using, disclosing, retaining or disposing of personal data. There is another element to processing however. It must be done fairly, lawfully and in a transparent manner. The latter means in accordance with applicable legislation, including the GDPR. The former, that we are open and clear as to how we will use those data you provide so you can make an informed decision as to whether you want to provide your data to us and take advantage of all our services.
LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA
In the first instance we should say that you don’t have to give us any personal data. However, if you chose not to then we can’t provide many services to you, such as processing your donation. If you do provide personal data we have to tell you what bases we rely on to hold and process them. You can find more information about this by visiting The Information Commissioner’s website at; https://ico.org.uk/ and following the links to the GDPR and then Lawful Processing. The details of what we do can be found towards the end of this Policy but in summary, we process your data based on the following:
- Performance of a Contract
- Legitimate interest
- Legal obligation
HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We can only retain your personal data so long as we have a legitimate reason to do so or as is required by law. We believe that, in general terms and where we are not required by law to retain those data, to keep personal data for a period of two years from the last date of processing is reasonable to ensure that it is available for our year end. This is of course subject to your rights to ask us to delete your personal data. For details regarding this, please see below. After this period has expired we will delete when the next internal review occurs, which happens every 6 months.
When we decide that we should delete personal data we do so without notifying the person concerned. Of course, if people wish us to retain their personal data for ever, we will do so but a person must opt-in by emailing to .
DELETING YOUR PERSONAL DATA.
At any time you can contact us and ask us to delete your personal data. Simply contact; . However, if you do then you will not be able to take advantage of all our services. As examples; you will not be able to participate in MaDPoints, because we need to pass your details to the voucher supplier nor will you be able to make donations, as we need your personal data to process payments through our payment partners. Further, where we have any non-commercial reason to retain your details (for example we are legally required to do so) then we will do so BUT those details and data will not be processed except for the purposes for which they are retained. When there is no justifiable reason to retain your details we will delete them completely.
GETTING DETAILS OF YOUR DATA FROM US.
This is called a Subject Access Request or a SAR. It means that you can ask us what data we hold and process, which directly relates to you (obviously we can’t provide you with other people’s personal data). You are entitled to a copy of whatever we have. If you are a parent and asking for details of your child, we may contact you by telephone and/or post and ask you to verify your identity. To make a SAR we hope we have made the process simple; you email your request to us and we have to reply as quickly as possible, but in any event, within a month. You should use the address; . Alternatively you can send a request by post. If you do so, the request will have deemed to have arrived two working days after the date of posting. You must use our trading address. You must mark all requests clearly SUBJECT ACCESS either in the “Subject” box of the email or at the head of the letter. All we need is your full name and post code, oh and please confirm if there are two people of the same name at the property and whether the request is for one or all. Finally, requests are free unless the amount of data to be supplied and/or investigated is beyond what we would reasonably expect to produce or look at, or multiple requests are or have been made (multiple means more than two).
If you wish to change any of your personal information, you can do so via your account on the website. If for some reason this is not possible, then you can contact us to do it. We will however, have to verify your identity in case somebody else is posing as you. This we will do by one or a combination of; email, telephone and post using the data we retain on our records supplied by you. In the event that you find that data has been changed but not by you, please contact us immediately at putting “POTENTIAL FRAUD” in the “Subject” box.
Of course a Donor can give without their details being disclosed. However, we will still collect those data provided and the person who you donate to and the ultimate recipient of that donation will receive your name and email address. There is nothing that we can do about this. If you want to donate completely anonymously please do not use MaD.
WHAT DATA DO WE COLLECT?
We only get personal data to hold and process if you provide it to us. This could be from you opening an account, using the services we provide, from Social Media when you connect such to us or data that we can infer from your use of our or connected services. That said, you are free to browse the website without providing us with any personal data. All we will collect is your IP address which, by itself and in this context, does not identify you.
When you create an account with MaD or donate you will provide us with personal data. The minimum we require is your name, house number, postcode and email address. We will also ask you for a username and password so you can gain secure access to your account. As with any username and password, for Donors or otherwise, these must not be disclosed to anybody. They will be matched to your personal data but would not be disclosed in a SAR. The alternative is that you provide your details through another source to which you have already provided your details, for example Google. This we will be happy to do, provided that source is one that we recognise.
With the increasing use and popularity of social media in its many forms we have felt it necessary to make the point that MaD can have no responsibility in relation to the use of such processes in whatever form they take. In using social media you are bound by the specific terms and conditions of that business or process and any adverse consequences suffered as a result of the use of such, whatever those consequences may be and whatever loss or damage may be suffered, can never be the liability or responsibility of MaD.
If you sign in through Facebook we will obtain access to your Facebook public profile and email. If you provide permission through your Facebook preference settings we can then obtain access to your “Friends List” but only those that also use MaD.
Where Crowdfunding is involved, we use the same processes as are involved with creating a Fundraising Page and all of those processes apply. However, we do reserve the right to request identification evidence in order that the funds can be raised and/or paid over.
HOW DO WE USE YOUR DATA?
We use your personal data to provide our services to you such as setting up an account to raise money or a Crowdfunding Page. We also use it to process donations and to provide Gift Aid information where that is applicable. We also have to undertake other tasks if you are Crowdfunding such as identity checks, credit reference checks and bank account verification.
We intend in the future to offer ways of enhancing your ability to raise money. When we do so we will announce it on the Website and amend this Policy accordingly.
We are always looking to improve MaD. In the future we may, for example, aggregate data or use advertising to develop the Website. When we do so we will announce it on the Website and amend this Policy accordingly.
If you have already joined MaD you will have consented in allowing us to contact you my email. Alternatively, you may have come to this Policy via another, separate link to it. Whichever it is you can stop emails from us, subject to what is said below, by clicking the “Unsubscribe” button which appears on all of our emails. Examples of the types of emails that we send are:
Information that we are required to give you by law.
We have to send these as do all similar platforms. The only way to stop is to delete your account or not join MaD, but this is the same for all giving sites.
Notice that MaD is to be sold or that the whole or part of the business is to be transferred.
We believe that it is important that we contact you in these situations.
Security information relating to the site.
We believe that this is always essential.
Marketing messages directly related to giving, fundraising and other offers.
Again, we consider this to be important.
Those that result from you using the services.
These are automatic and can’t be stopped. However you will only receive them if you use the services.
Information that relates to pages you create or donations you make such as donation notification and fundraising tips.
AUTOMATED DECISION MAKING
At the present time we do not use machine learning or artificial intelligence to make any inferences about some characteristics of our users. All we do use are analytics, see below in the Cookies Policy. However, it is our intention to introduce such in the future to enhance a user’s experience in using our website. When we do we will notify you, either by email if you allow us to do so and/or posting notice on the website giving at least two weeks notice. You will be able to opt out of the automated decision process if you wish.
WHO DO WE DISCLOSE YOUR PERSONAL DATA TO?
Any third party to whom we disclose details in this Country is bound by the GDPR. Please refer to the section entitled: Where Do We Send Your Data, which is below.
If we are required by law to disclose personal data then we must do so and it is not possible for you to opt out of this process. This could be, for example, to HMRC or via an order of a Court. The same is true for any business, whether a giving platform or otherwise.
Also, in the case of an emergency if, for example life is at risk, then we reserve the right to disclose personal data.
If you are a Donor and taking advantage of MaDPoints, then your name and email address will be provided to the voucher provider. Also, a Donor’s details will be provided to the person who is fundraising and/or the organisation to which you donate. As stated above, even if you donate anonymously these details will be supplied to a fundraiser and retained by us although your details will not appear on a public page.
We also provide your personal data to our service providers. These include:
- Banks and other payment providers: we have to supply personal data to secure payment;
- Payment card industry: the personal data we supply helps to prevent fraud;
- Our communications providers: they allow us to deliver emails and other communications;
- Analytical tools: presently Google Analytics;
- IT and internet security: to protect personal data and provide our services;
- Crowdfunding: to the individual or entity raising the funds;
- CRM Package: for business and charity members.
We share your personal data with the organisations who benefit from the donations. These have access to personal data about fundraising pages that directly relate to them. These relate to Donors as mentioned above but also the creator of the page. In the case of Donors, personal data may be necessary to claim Gift Aid.
We may also share your personal data with third parties who host or sponsor events where people are fundraising for that event or are raising money for the same organisation or cause. This is so they know who is raising money for the event and how their efforts are progressing and/or to communicate with the fundraisers to see if there would be mutual benefit through some interaction between them.
The personal data supplied to these third parties who host or sponsor events relate to the personal data we hold about the fundraiser. That person’s name, email address, the date the page was created, the target to be raised and how much has been achieved. It is possible that an event would be, for example, sponsored for multiple organisations. In that case we would also supply the name of the organisation to which the fundraiser is working. We do not supply Donor details but some personal data is within the public domain as it is on a fundraising page and put there by the Donor. Consequently those data are available to view. Obviously we cannot control what an individual fundraiser does with the personal data in their possession. That would be a matter between that person and the Donor.
As to Crowdfunding we would disclose to the name of the donator and their email address together with the amount of the donation, in the same way we do for Fundraisers
Finally, if MaD were to be sold or the operational aspects of the business in whole or in part transferred then we would disclose such to a potential purchaser or interested party. This process may ultimately lead to the transfer of the data base but we would ensure that the entity that took control would provide appropriate assurances as to compliance with the GDPR.
WHERE DO WE SEND YOUR PERSONAL DATA?
We store and control your personal data in the United Kingdom. If we send your personal data to anywhere within the European Union (EU), the recipient is bound by the rules set down by the GDPR. If we send those data outside of the EU we have to ensure that the recipient has adequate safe guards in place to protect those data. These can be, for example, specific contract clauses or corporate rules or agreed and stated mechanisms such as exists between the EU and the USA.
We are unable to say what will happen post the United Kingdom leaving the EU. It is likely that, during any transition period, these safe guards will remain in place, but what occurs thereafter and what my happen to your personal data, is unclear. We would review the situation at the time and amend this Policy, if necessary. This issue applies to all businesses based in this Country.
Wherever your personal data is sent, whether it is to a business that provides a voucher, a charity to which a person donates, a bank that processes a transaction, a communications provider or who or whatever, we are not responsible for how that organisation or person processes your those data. The GDPR applies equally to all businesses in the EU and all businesses who deal with the EU and hold data concerning EU nationals have to show that they have adequate measures in place to protect individual’s personal data. Unless we have reason to believe something to the contrary, we are entitled believe that all obligations have been fulfilled and those data are processed lawfully and fairly.
PERSONAL DATA OBTAINED FROM OUR BUSINESS AND CHARITY MEMBERS
A limited company, a PLC and, generally a charity or not for profit organisation is not treated as a person and therefore information identifying it is not personal data.
However, personal data is personal data so it matters not whether it is provided by an individual in their capacity as an individual or via a business, it will simply be treated by MaD as personal data.
If a Business Member (BM) supplies us with personal data then the BM, in doing so confirms to MaD that the BM has the permission and consent of that individual to supply those data. Further, that the person sending the personal data and accessing MaD whether to supply those data or otherwise is authorised to do so.
MaD has obligations in relation to Business Members and this Policy applies to a BM subject to the following: data relating directly to a limited company or plc is not personal data. Individuals that work within such business are covered and the same is true of partnerships and sole traders.
A BM undertakes to comply with its duties and responsibilities under the law and all aspects of the GDPR.
We will collect information about a business to include; the name of the business, email addresses (these may be personal data or not), office address, Registered Office address (if applicable), telephone number, fax number and contact details which may include personal data. Regardless as to whether the information is personal data or not, we will store and process those data with the same care as if it were personal data albeit we are not restricted in the processing of it in the same way that we are with personal data. We use the information to enable a BM to sign in to its account and to facilitate to offer of vouchers under the MaDPoints scheme.
From Charity Members (CM) and this includes all entities that seek to raise money through MaD, we would only expect to be provided with a contact name, an email address for that person and a telephone number. If the CM provides more, then it is done so at the behest of the CM. The CM, in providing such data (or more if more is supplied) is confirming it has the consent of that individual to provide those data.
The CM, when raising funds through MaD, confirms that it is complying with all of its duties and responsibilities under the law and specifically the GDPR.
LEGAL BASES FOR PROCESSING.
The GDPR requires that MaD specify what the legal basis is, or bases are to justify requesting, receiving, holding and processing personal data. There are six bases and we have to select one or more and inform you of which we rely on, which we have done above. However, we have to supply you with further details of what is involved. You can find out more about the legal bases at; https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
First of all there are two bases we do not rely on. These are; to protect a person’s vital interests and the performance of a task carried out in the public interest or in the exercise a data controller’s official authority. Neither of these are applicable to what we do.
The legal bases we rely on are:
- Consent. This is processing with your consent. Examples of what are included are; sharing information for Gift Aid purposes, sharing your data with organisations for which you raise funds, sharing Donor information under the MaDPoints scheme, linking with your social media accounts and sending emails whether they be promotional or otherwise.
Performance of a Contract. Simply put, this is activity that happens when you request that we perform certain functions for you. We cannot fulfil our obligations unless we process your personal data.
Examples of what would be included here are:
Sign up as a fundraiser or a charity or other fundraising organisation or a Business Member;
Sending emails resulting from signing up as above;
Create a direct debit or other repeating payment;
Share with Twitter or Facebook, to include a badge and that you have made a donation;
Comment on a feed;
Share or forward an email;
Donate to a cause via a fundraising page;
Join a team to raise funds;
Share an update;
Share your page with your giving network;
Create a team page;
Create a page for a business;
Join a business page;
Advertise what vouchers will be offered by a business;
Access the MaDPoints pages; and
Download a voucher.
Legitimate Interests. These can be the interests of MaD or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
Examples of what would be included are:
MaD conducting general and specific internal reporting and analysis;
Sharing personal data about fundraisers with organisations for which that individual is raising money;
Sharing personal data with third party affiliates, companies and event partners;
Sending individuals surveys connected with MaD;
Sending individuals emails about pages they create or donations received;
Sending individuals emails concerning the operation of MaD;
Marketing to other organisations;
Sending targeted marketing by post;
Targeted marketing through advertising MaD places on other websites; and
Automated decision making (but see above)
- Legal Obligation. This is where we have to hold and process personal data in accordance with the law. Examples included are; sending email receipts for your donation, checking for fraud on donations and fundraising, complying with an order of a competent Tribunal whether in the UK or otherwise, complying with statutory obligations and checking the identity of individual Crowdfunders.
COOKIES and TRACKING TECHNOLOGY
Cookies are small files of data that are sent to the hard drive on your computer when you visit a website. You can find more concerning cookies by visiting; www.ico.org.uk and searching “cookies”
Now to be clear a cookie cannot read your hard disk. It can only contain information about you that you supply yourself. What it does contain would be such information as an identification for a user so that we can track the pages that you visit on the site, so that we can track your pattern of usage, use that information to enhance your use of the site and we have a record of what interests you.
Are cookies dangerous? No. They are not programs that can spread viruses for example. All they do for us is to enhance your enjoyment and ease of use of the site and to enable us to analyse your use. Some of the concerns people have stem from the fact that cookies can be found on a hard drive from sites that the owner of that computer has never visited. That is likely to be because the cookies found have been sent by entities that have purchased or acquired personal information. We will not sell your information. You may find a cookie from a Business you take a voucher from or a NfP or Charity that you donate to. You should be able to remove these if you wish and you should also be able to set the limits for the cookies stored on your hard drive if you have modern version of Microsoft Internet Explorer or Netscape. Similarly, you should be able to set your browser to warn you before accepting cookies and refuse the cookie when your browser warns you.
The only cookies and tracking devices we use at present are:
If we decide to use others they will appear here and a box will appear on your screen the next time you log on after amendment. The box will take you directly to the list if you wish to see the new items. If you do not wish us to use them then there will have a button shown for you to click on to bar those new items.
However, if you do not wish us to do so click on the triangle in the bottom left corner of the screen.
All major credit and debit cards accepted Secured by
Make a Donation Ltd. Registered in England & Wales. Company No. 07853867. Registered Office: 3 Manor Courtyard, Hughenden Avenue, High Wycombe, Buckinghamshire HP13 5RE