Privacy Policy 28.10.2020

38 Degrees Ltd. (Company No. 6642193) is committed to safeguarding your privacy. At all times we aim to respect any personal data you share with us, or that we receive from other organisations, and keep it safe. This Privacy Policy (“Policy”) sets out our data collection and processing practices and your options regarding the ways in which your personal information is used.

This Policy contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal data. We may update this Policy from time to time without notice to you, so please check it regularly.

The provision of your personal data to us is voluntary. However, without providing us with your personal data, you will be unable to (as appropriate) sign a campaign, start a campaign, make a donation or purchase items via our online shop, apply for employment with us or apply to volunteer with us.

1. We collect information about you:

(1) When you give it to us DIRECTLY

You may give us your personal data in order to start a campaign, sign a campaign, when you share information about a campaign from our website on Facebook, Snapchat, Twitter and/or via email, when you answer one of our surveys or questionnaires, when you apply for employment with us, when you apply to volunteer with us, when you upload a video through our website, when you contact us by phone, email or post, when you buy anything from our online shop and/or when you donate money to us.

(2) When you give it to us INDIRECTLY

Your information may be shared with us by others including users of our services, independent event organisers, other fundraising entities, sponsors and supporters of our organisation and services. Your information will also be provided to us when you follow us or otherwise interact with on or via Twitter, when you like and/or join our page on Facebook or interact with us in other ways on or via Facebook or on Snapchat. We also collect personal information when you receive our marketing/ campaign emails (see section 6 below under “Pixel trackers”).

(3) When you give permission to OTHER ORGANISATIONS to share it or it is AVAILABLE PUBLICLY

We may combine information you provide to us with information available from external publicly available sources. Depending on your privacy settings for social media services, we may also access information from those accounts or services. We use this information to gain a better understanding of you and to improve our communications and fundraising activities.

We may also obtain personal information about you under a commercial licence from Experian. Experian collects and combines information from publicly available sources and third parties (such as Royal Mail Postcode Address File – https://www.poweredbypaf.com/). Experian’s privacy notice can be found here 

We also receive some personal information about you when you use social logins (see section 5 below).

(4) When you visit our WEBSITE

We use cookies to identify you when you visit our website and to enable us to personalise your online experience (for example by remembering your log in details). Please refer to our Cookies Policy for details on the way our use of cookies affects your personal data (https://home.38degrees.org.uk/cookies-policy/).

We use the reCAPTCHA service provided by Google. This service allows us to verify that a user is a person rather than a machine in order to prevent forms on our website (such as petitions) from being (ab)used by spam bots (a bot is a computer programme that can interact with systems and can simulate human activity). When you fill in forms on our website, this tool will collect information about your use of the website page, including clicks, mouse movements and your IP address, so that Google can evaluate whether you are a person and not a bot. This information is collected by Google who only provide us with confirmation of whether the user is a real person (but it does not identify a user to us). For more information about Google’s use of information gathered through reCAPTCHA please read their privacy notice here.

2. What information do we collect?

We may collect, store and use the following kinds of personal data:

(1) We will typically hold your name and contact details, including physical address, telephone number, e-mail address, and social media identity. However, we may request other information where it is appropriate and relevant, for example

  • Details of why you have decided to contact us/start/support a campaign;
  • Details of your opinion on a particular issue or campaign;
  • Your bank details or debit/credit card details; or
  • Details of campaigns you have supported, details of topics/areas of interest to you, responses to surveys you have completed;

(2) information about your computer and about your visits to and use of this website including your IP address, geographical location, browser type, referral source, length of visit and number of page views;

(3) information about the services you use, services and products of interest to you or any marketing and/or communication preferences you give; and/or

(4) any other information shared with us as per clause 1

Do we process sensitive personal information?

Applicable law recognises certain categories of personal information as sensitive and therefore requiring more protection, including health information, ethnicity and political opinions. In limited cases, we may collect sensitive personal data about you (for example, when you sign a campaign about a particular political issue or fill in a survey or questionnaire giving your opinion on a particular political issue). We would only collect sensitive personal data (also known as special category data) if there is a clear reason for doing so; and will only do so where applicable law allows.

If you have given us your explicit consent, we may use certain sensitive personal data you provide us in surveys (such as your ethnicity and/or political opinions) to understand demographic trends in our membership and to help us monitor and address inequalities. For example, we may use this information to determine that certain groups are not being reached by our campaigns/ that our campaigns may not be relevant to particular groups – this information could help us to address our content and priorities so that they are more relevant to such groups, to address inequalities.

3. How and why will we use your personal data?

Personal data, however provided to us, will be used for the purposes specified in this Policy or in relevant parts of the website.

We may use your personal information to:

  • Enable you to use and/or learn about all of the services we offer;
  • Send you information about our work, campaigns, organisations and any other information, products or services that we provide (this will not be done without your consent);
  • Send you member surveys (see section 7 below) including for the purpose of conducting member research/insights and profiling (see section 6 below);
  • Provide you with the services, products or information you have requested;
  • Improve your browsing experience by personalising your interaction with our website;
  • Handle the administration of any donation or other payment you make via credit/debit card, cheque, standing order or BACS transfer;
  • Collect payments from you and send statements and/or receipts to you;
  • Handle the administration of your employment and/or volunteering application;
  • Conduct research into the impact of our campaigns;
  • Deal with enquiries and complaints made by or about you relating to the website or us in general;
  • Make campaign submissions to third parties, where you have signed the campaign and the third party is a target of the campaign;
  • Incorporate your personal data into our promotional activities but only with your consent; and/or
  • Audit and/or administer our accounts. 

4. Signing a campaign

4.1 If you would like to sign any campaign on our website, you must provide us with personal information. We will take reasonable steps thereafter to ensure that your personal information remains accurate and up to date. You do not need to set up an account with us to sign a campaign.

4.2 Please be aware that when you sign a campaign on Campaigns by You:

4.2.1 your name, post code and (if you have supplied it) your mobile phone number will be made available to the creator of the campaign;

4.2.2 the creator of the campaign may export the campaign, together with any information you have posted on our website in connection with the campaign (which could include your name, post code, phone number and comments), and provide the campaign to the individual or organisation being petitioned and/or otherwise publish, broadcast, communicate and display publicly your involvement in the campaign.

You may submit a video in support of a campaign using our online video recording tool.  When you choose to do this, we will obtain your consent to our use of your video. We will share such videos with third parties relevant to the campaign (such as MPs) who will separately be controllers and we may also use your videos for our own marketing purposes. When we refer to our own marketing purposes, we mean the use of your video to promote (i) a campaign that may be different to the one you have made a video to support, (ii) engagement in starting petitions, or (iii) the activities of 38 Degrees in general. You always have the right to withdraw your consent to our use of your videos.

5. Social log-ins

When you create a petition on our website we ask you to register for an account. You can register or log-in to your 38 Degrees account using your Google or Facebook account, if you have one. When you do so, the third party platform (either Google or Facebook) will share some of your basic account information with us – such as your name, email address and profile picture. We use this personal information to identify you when you log-in and allow you to access your account.

Once you’ve linked your Facebook or Google account to log in, we’ll also ask for your phone number and postcode to complete your registration with 38 Degrees. We ask for this information in case our staff team need to contact you to support with your petition and so that we can potentially promote your petition locally.

We do not require you to use social log-ins – if you prefer, you can always register or log-in directly with 38 Degrees. You can also un-link your Google or Facebook account from your 38 Degrees account by updating your settings preferences with Google or Facebook:

  • Click here to read how to un-link your account from Google.
  • You can un-link your account from Facebook by navigating to the ‘Apps’ section in your Facebook account settings and updating preferences in ‘Logged in with Facebook’.

6. Member Insights 

In order to better understand our members, 38 Degrees undertakes certain data analysis work, involving profiling individuals, to obtain insights into the demographics and interests of our membership. Our aims are:

(a) at an individual level, improving our communications and interactions with you (so that they are more targeted and relevant); and

(b) at a membership level, understanding our membership so that we can improve the membership journey, focus our resources on areas of interest to our members, and understand areas in which our membership may be underrepresented, in order to improve our reach.

‘Profiling’ in this context means gathering information about members and analysing their characteristics and behaviour patterns to place them in a certain category to help inform the above insights work. It can involve processing personal information using predictions about people, based on the qualities of others who appear similar (in other words, identifying ‘personas’ or categories of typical 38 Degrees members).

To do this, we may combine the personal information we obtain:

  • Directly from you, including when you complete member surveys (see section 7 below) – including demographic and attitudinal information.
  • From public sources.
  • From third parties such as Experian.

We may analyse this information in anonymous/ aggregated form (so that it does not identify you) and share that analysis with key decisions makers – for example, to tell MPs that hundreds of 38 Degrees members in their constituency are nurses.

We rely on our legitimate interests to undertake data processing for these purposes (see section 14 below). If we use your special category data (see section 2 above) for these purposes, we will obtain your explicit consent where necessary or rely on other conditions under applicable data protection law.

We may use third parties, such as data analysts, to assist us with undertaking this type of research and profiling.

Social media marketing (including Facebook and Snapchat)

We may use some of your personal information to participate in Facebook and/ or Snapchat’s Custom Audience and Lookalike Audience programs, which enable us to display adverts to both existing and prospective supporters when they visit Facebook or Snapchat. We may provide your email address to Facebook and/ or Snapchat so they can determine whether you are a registered account holder with them. Our adverts may then appear when you access their platforms. Some of your data is sent in an encrypted format that is deleted by Facebook/ Snapchat (a) if it does not match with an account or (b) after they confirm you are a registered account holder.

For more detailed information please see https://www.facebook.com/business/help/744354708981227 and Facebook’s data policy at https://en-gb.facebook.com/policy.php.

We also use Snapchat’s ‘Snap Pixel’. This is a tool which lets us know if individuals have visited our website through Snapchat, so that we can measure members’ engagement with us through Snapchat and whether our use of Snapchat is effective. We use a ‘pixel’ on our website to do this, which is similar to a ‘cookie’ – please see our cookies notice here for more information.

You can read Snapchat’s privacy notice here.

If you do not want us to share your email address with Facebook or Snapchat (even in encrypted form), then you can ask us not to by contacting us at dataprotection@38degrees.org.uk. Please be aware that, if you are a Facebook or Snapchat user, you may still see advertisements about 38 Degrees in your feed even if we do not share your personal data with Facebook or Snapchat. You can control what ads you see via your ad settings within Facebook and Snapchat; we have no control over this.

Google Analytics

We may use some of your personal information to analyse our digital performance, for example to see how our website can be improved to help us achieve the purposes set out in section 14 below, to record how you are using our website or to assess the popularity of marketing campaigns.

For more information on how we use your personal information in relation to Google Analytics, please view our cookie policy by clicking this link https://home.38degrees.org.uk/cookies-policy/.

You can opt-out of the collection of information for such purposes here: http://www.aboutads.info/choices.

Pixel trackers

We use ‘pixel trackers’ (including trackers provided by MailJet) to provide us with insights about the way you interact with our emails, so we can learn about the effectiveness of our communications. For example, these tools tell us when and if you open an email from 38 Degrees and whether you click on a link within the email. This is useful because it allows us to decide what kind of content you and our other members are interested in receiving.

We may then change the type of emails we send to you and our membership, or stop sending you emails at all if it seems you are no longer interested to hear from us. 

These tools also protect our communications from being incorrectly flagged as ‘spam’ by email providers.

If you use an email client that allows it, you can ‘block’ pixels by changing your settings to block images being loaded by default.

7. Member surveys

From time to time (and in accordance with section 8 below) we may contact you (if you are a member) to ask you to complete surveys.

Your participation in surveys is entirely voluntary and you do not need to provide us with any personal information you do not want to. We may ask you questions about your background, behaviours, and attitudes. We will then use this personal information for the purposes set out in this Policy, including to understand our membership better as explained in section 6 above.

This includes improving our ability to send you more relevant communications. For example, if you tell us, in response to a survey, that you work in the NHS, we may send you information about campaigns specific to issues affecting NHS staff.

8. Communications, fundraising and marketing

Where you have provided us with your physical address, we may contact you by post; and where you have provided appropriate consent, also by telephone and e-mail, with targeted communications to let you know about our events and/or activities that we consider may be of particular interest; about the work of 38 Degrees; and to ask for donations or other support (or to conduct member surveys – see section 7 above).

We may in the future communicate with you via focus groups, which may include online communications with you, and we may use other online messaging platforms such as WhatsApp.

In particular, where you have provided appropriate consent after signing a campaign, we will send you messages from the creator of the campaign you have signed and from us in relation to other campaigns which are being run by 38 Degrees.

You can choose to stop receiving such communications from us and our trusted partners at any time by clicking the “unsubscribe” link at the bottom of our emails.

9. Donations and other payments

Financial transactions carried out on our website are usually handled through Stripe, Inc. (“Stripe”), a third party payment services provider. We recommend that you read Stripe’s privacy policy (available at https://stripe.com/gb/privacy) prior to effecting any transactions with us. We will provide your personal data to Stripe only to the extent necessary for the purposes of processing payments for transactions you enter into with us. We do not store your financial details.

You may also donate to us using PayPal. If you donate using PayPal, your personal information will be provided to PayPal so they can process your donation. Please see their privacy notice for more information about how they use and retain your personal information: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.

Alternatively if you set up a direct debit, we will use a provider called SmartDebit to process your regular direct debit payments.

10. Children’s data

We do not knowingly process data of any person under the age of 16. If we come to discover, or have reason to believe, that you are 15 and under and we are holding your personal information, we will delete that information within a reasonable period and withhold our services accordingly.

11. Other disclosures

In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this privacy policy, we will disclose your information to regulatory and/or government bodies and/or law enforcement agencies upon request only when required to do so in order to satisfy legal obligations which are binding on us.

12. Security of and access to your personal data

We endeavour to ensure that there are appropriate and proportionate technical and organisational measures to prevent the loss, destruction, misuse, alteration, unauthorised disclosure or of access to your personal information.

Your information is only accessible by appropriately trained staff, volunteers and contractors.

We may also use agencies and/or suppliers to process data on our behalf. We may also merge or partner with other organisations and in so doing transfer and/or acquire personal data.

Please note that some countries outside of the UK and European Economic Area (EEA) have a lower standard of protection for personal data, including lower security requirements and fewer rights for individuals. We may transfer and/or store personal data collected from you to and/or at a destination outside the UK and/or EEA. Such personal data may be processed by agencies and/or suppliers operating outside the UK and EEA. If we transfer and/or store your personal data outside the UK and EEA we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your personal data.

Otherwise than as set out in this Privacy Policy, we will only ever share your data with your informed consent.

13. Your rights

Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time. You also have the following rights:

(1) Right to be informed – you have the right to be told how your personal information will be used. This Policy and other policies and statements used on our website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.

(2) Right of access – you can write to us to ask for confirmation of what information we hold on you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested and we have successfully confirmed your identity, we will usually have 30 days to comply.

(3) Right of erasure – you can ask us for your personal information to be deleted from our records. In many cases we would propose to suppress further communications with you, rather than delete it.

(4) Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated.

(5) Right to restrict processing – you have the right to ask for processing of your personal data to be restricted if there is disagreement about its accuracy or legitimate usage.

(6) Right to data portability – to the extent required by applicable data protection laws, where we are processing your personal information (i) under your consent, (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact or (iii) by automated means, you may ask us to provide it to you – or another service provider – in a machine-readable format.

To exercise these rights, please send a description of the personal information in question using the contact details in section 19 below. We also have specific pages to unsubscribe from our email list (https://id.38degrees.org.uk/subscriptions/unsubscribe?subscription=1) and to unsubscribe from our text notifications (https://id.38degrees.org.uk/subscriptions/unsubscribe?subscription=2) and push notifications (https://id.38degrees.org.uk/subscriptions/unsubscribe?subscription=3). Where we consider that the information with which you have provided us does not enable us to identify the personal information in question, we reserve the right to ask for (i) personal identification and/or (ii) further information.

Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you consult the Information Commissioner’s Office (“ICO”) guidance – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ – or please contact us using the details in section 19 below.

You are further entitled to make a complaint about us or the way we have processed your data to the ICO. For further information on how to exercise this right, please see the guidance at https://ico.org.uk/for-the-public/personal-information. The contact details of the ICO can be found here: https://ico.org.uk/global/contact-us/.

14. Lawful processing

We are required to have one or more lawful grounds to process your personal information. Only 4 of these are relevant to us:

  • Personal information is processed on the basis of a person’s consent
  • Personal information is processed on the basis of a contractual relationship
  • Personal information is processed on the basis of legal obligations 
  • Personal information is processed on the basis of legitimate interests

(1) Consent

We will ask for your consent to use your information to send you electronic communications such as newsletters and marketing and fundraising emails, for targeted advertising and profiling, and if you ever share sensitive personal information with us.

(2) Contractual relationships

Most of our interactions with subscribers and website users are voluntary and not contractual. However, sometimes it will be necessary to process personal information so that we can enter contractual relationships with people. For example, if you apply for employment or to volunteer with us, or if you purchase something via our online shop.

(3) Legal obligations

Sometimes we will be obliged to process your personal information due to legal obligations which are binding on us. We will only ever do so when strictly necessary.

(4) Legitimate interests

Applicable law allows personal information to be collected and used if it is reasonably necessary for our legitimate activities (as long as its use is fair, balanced and does not unduly impact individuals’ rights).

We will rely on this ground to process your personal data when it is not practical or appropriate to ask for consent.

Achieving our purposes

These include (but are not limited to) promoting any philanthropic or benevolent purpose including without limitation to ensure the views and values of the world’s people shape global decisions

Governance

  • Internal and external audit for financial or regulatory compliance purposes
  • Statutory reporting

Publicity and income generation

  • Conventional direct marketing and other forms of marketing, publicity or advertisement
  • Unsolicited commercial or non-commercial messages, including campaigns, newsletters, income generation or charitable fundraising
  • Analysis, targeting and segmentation to develop and promote or strategy and improve communication efficiency
  • Personalisation used to tailor and enhance your experience of our communications

Operational Management

  • Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes
  • Provision and administration of staff benefits such as pensions
  • Physical security, IT and network security
  • Maintenance of suppression files
  • Processing for historical, scientific or statistical purpose

Purely administrative purposes

  • Responding to enquiries
  • Delivery of requested products or information
  • Communications designed to administer existing services including administration of campaigns and financial transactions
  • Thank you communications and receipts
  • Maintaining a supporter database and suppression lists

Financial Management and control

  • Processing financial transactions and maintaining financial controls
  • Prevention of fraud, misuse of services, or money laundering
  • Enforcement of legal claims
  • Reporting criminal acts and compliance with law enforcement agencies

When we use your personal information, we will consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair in other ways.

15. Data retention

In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.

In the event that you ask us to stop sending you direct marketing/fundraising/other electronic communications, we will keep your name on our internal suppression list to ensure that you are not contacted again.

Additionally, if you donate by direct debit, your personal information may be retained by the provider we use, SmartDebit (https://www.smartdebit.co.uk), for as long as SmartDebit is liable under any compensation award scheme e.g. the Direct Debit Guarantee.

16. Policy amendments

We keep this Privacy Policy under regular review and reserve the right to update from time-to-time by posting an updated version on our website, not least because of changes in applicable law. We recommend that you check this Privacy Policy occasionally to ensure you remain happy with it. We may also notify you of changes to our privacy policy by email.

17. Third party websites

We link our website directly to other sites. This Privacy Policy does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.

18. Updating information

You can check the personal data we hold about you, and ask us to update it where necessary, by emailing us at emailtheteam@38degrees.org.uk.

19. Contact

We are not required by law to have a “Data Protection Officer” – however we have a Data Protection Manager.

Please let us know if you have any queries or concerns whatsoever about the way in which your data is being processed by either emailing the Data Protection Manager at dataprotection@38degrees.org.uk and/or our wider team at emailtheteam@38degrees.org.uk or by writing to us at the following address:

The Data Protection Manager

38 Degrees
First Floor
10 Queen Street Place
London
EC4R 1BE

 

Last updated: 28/10/20