Privacy Policy 29.03.2021

Privacy Policy 29.03.2021

38 Degrees Ltd. (Company No. 6642193) aims to respect any personal information you share with us, or that we receive from other organisations, and keep it safe. This Policy explains how we collect and use your personal information. For the purposes of the information you share with us, we are the data controller.

This Policy contains important information about your personal information and privacy. Please read it carefully.

You do not have to provide us with your personal information. However, you will need to provide some personal information if you would like to sign a campaign, start a campaign, make a donation or purchase items via our online shop, apply for employment with us or apply to volunteer with us.

Index

How we collect your personal information
What personal information we collect
How and why we use your personal information
Signing a campaign
Logging into 38 Degrees with your social media account
Understanding our membership (including creating profiles and modelling)
Social media marketing
Member surveys
Communications, fundraising and marketing
Members of parliament
Donations and other payments
Children’s data
Security of and access to your personal information
Your rights
Our lawful basis
How long we keep your personal information
Sharing your information
International transfers
Changes to this policy
Contact us

1. How we collect your personal information

We collect information about you:

(1) When you give it to us DIRECTLY
For example, you give us your personal information when you:

start a campaign
sign a campaign
share information about a campaign from our website on Facebook, Snapchat, Twitter and/or via email
answer one of our surveys or questionnaires
apply for employment with us/apply to volunteer with us
upload a video through our website
contact us by phone, email or post
buy anything from our online shop and/or when you donate money to us.

(2) When you give it to us INDIRECTLY
Your information may be shared with us by others including other users of our services, independent event organisers, other fundraising entities, sponsors and supporters of our organisation and services. Your information will also be provided to us when you follow us or otherwise interact with on or via Twitter, when you like and/or join our page on Facebook or interact with us in other ways on or via Facebook or on Snapchat. We also collect limited personal information when you receive our marketing/ campaign emails (see below under “Pixel trackers”).

(3) When you give permission to OTHER ORGANISATIONS to share it or it is AVAILABLE PUBLICLY
We may combine information you provide to us with information available from external publicly available sources. Depending on your privacy settings for social media services, we may also access information from those accounts or services. We use this information to gain a better understanding of you and to improve our communications and fundraising activities.

We may also obtain personal information about you under a commercial licence from Experian. Experian collects and combines information from publicly available sources and third parties (such as Royal Mail Postcode Address File). Experian’s privacy notice can be found here

We also receive some personal information about you when you use social logins (see section 5 below).

(4) When you visit our WEBSITE
We use cookies to identify you when you visit our website and to enable us to personalise your online experience (for example by remembering your log in details). Please see our Cookies Policy for more information.

We also use the reCAPTCHA service provided by Google. This allows us to verify that a user is a person rather than a machine in order to prevent forms on our website (such as petitions) from being (ab)used by spam bots (a bot is a computer programme that can interact with systems and can simulate human activity). When you fill in forms on our website, reCAPTCHA will collect information about your use of the website page, including clicks, mouse movements and your IP address, so that it can determine whether you are a person and not a bot. This information is collected by Google who only provide us with confirmation of whether the user is a real person (but does not identify a user to us). For more information about Google’s use of information gathered through reCAPTCHA please read their privacy notice here.

Pixel trackers

We use ‘pixel trackers’ (including trackers provided by MailJet) to provide us with insights about the way you interact with our emails, so we can learn about the effectiveness of our communications. For example, these tools tell us when and if you open an email from 38 Degrees and whether you click on a link within the email. This is useful because it allows us to decide what kind of content you and our other members are interested in receiving.

We may then change the type of emails we send to you and our membership, or stop sending you emails at all if it seems you are no longer interested to hear from us.

These tools also protect our communications from being incorrectly flagged as ‘spam’ by email providers.

If you use an email client that allows it, you can ‘block’ pixels by changing your settings to block images being loaded by default.

2. What personal information we collect?

We may collect, store and use the following kinds of personal information:

(1) Your name and contact details, including address, telephone number, e-mail address, and social media identity. We may ask for other information where it is appropriate and relevant, for example

Details of why you have decided to contact us/start/support a campaign;
Details of your opinion on a particular issue or campaign;
Your bank details or debit/credit card details; or
Details of campaigns you have supported, details of topics/areas of interest to you, responses to surveys you have completed;

(2) information about your computer and about your visits to and use of this website including your IP address, geographical location, browser type, referral source, length of visit and number of page views;

(3) information about the 38 Degrees services you use (e.g. campaigns you support), services and products of interest to you or any marketing and/or communication preferences you give; and/or

(4) any other information shared with us as per clause 1

Do we process sensitive personal information?

The law recognises certain types of personal information as sensitive and requiring more protection, including health information, ethnicity and political opinions. This is known as ‘special category’ information. In limited cases, we may collect special category information about you because it is relevant to the particular campaign or survey in which you are participating. We will generally only collect special category data where we have your explicit consent.

We may also use certain special category information you provide us in surveys, such as your ethnicity or political opinions, to understand demographic trends in our membership and to help us monitor and address inequalities. For example, we may use this information to determine that certain groups are not being reached by our campaigns/ that our campaigns may not be relevant to particular groups – this information could help us to address our content and priorities so that they are more relevant to such groups, to address inequalities. Again, we will generally seek your explicit consent before collecting this information for these purposes.

It may also be necessary for us to process special category information for purposes in the substantial public interest like the prevention or detection of a crime or safeguarding children or adults who are at risk. We may also process information which relates to potentially criminal activity for the same purposes.

If you are applying to us for employment we may carry out checks to ensure that you are suitable to work with our members. In the event this involves processing information relating to criminal investigations or convictions then we will be relying on the substantial public interest condition relating to the safeguarding of children or adults who are at risk, described above.

3. How and why will we use your personal data?

We use your personal information to:

Enable you to use and/or learn about all of the services we offer;
Send you information about our work, campaigns, organisations and any other information, products or services that we provide (this will not be done without your consent);
Send you member surveys (see section 8 below) including for the purpose of conducting member research/insights and profiling (see section 6 below);
Provide you with the services, products or information you have requested;
Improve your browsing experience by personalising your interaction with our website;
Handle the administration of any donation or other payment you make via credit/debit card, cheque, standing order or BACS transfer;
Collect payments from you and send statements and/or receipts to you;
Handle the administration of your employment and/or volunteering application;
Conduct research into the impact of our campaigns;
Deal with enquiries and complaints made by or about you relating to the website or us in general;
Make campaign submissions to third parties, where you have signed the campaign and the third party is a target of the campaign;
Incorporate your personal data into our promotional activities but only with your consent; and/or
Audit and/or administer our accounts.

4. Signing a campaign

When you sign any campaign on our website, we ask for some personal information. We will take reasonable steps thereafter to ensure that your personal information remains accurate and up to date. You do not need to set up an account with us to sign a campaign.

Campaigns indicate your public support for an issue or cause. Please be aware that when you sign a campaign on Campaigns by You:

your name, post code and (if you have supplied it) your mobile phone number will be made available to the creator of the campaign;
the creator of the campaign may ‘export’ the campaign, together with any information you have posted on our website in connection with the campaign (which could include your name, post code, phone number and comments), and send it to the individual or organisation being petitioned and/or otherwise publish, broadcast, communicate and display publicly your involvement in the campaign.

You can submit a video in support of a campaign using our online video recording tool. If you do, we will ask for your consent to our use of your video. We share these videos with third parties relevant to the campaign (such as MPs), and we may also use your video for our own marketing purposes. When we refer to our own marketing purposes, we mean the use of your video to promote (i) a campaign that may be different to the one you have made a video to support, (ii) engagement in starting petitions generally, or (iii) the activities of 38 Degrees in general. You can always withdraw your consent to our use of your videos by contacting us using the details below.

5. Logging into 38 Degrees with your social media account

When you create a petition on our website we ask you to register for an account. You can register with us directly, or you can log-in using your Google or Facebook account, if you have one. If you log in using Google or Facebook, the third party platform (either Google or Facebook) will share some of your basic account information with us – your name, email address and profile picture (if you have one). We use this personal information to identify you when you log-in and allow you to access your account.

If you log in via Facebook or Google, we’ll still ask for your phone number and postcode. We ask for this information in case our staff team need to contact you to support with your petition and so that we can potentially promote your petition locally (according to your postcode).

You do not have to use social log-ins – if you prefer, you can always register or log-in directly with 38 Degrees. You can also un-link your Google or Facebook account from your 38 Degrees account at any time by updating your settings preferences with Google or Facebook:

Click here to read how to un-link your account from Google.
You can un-link your account from Facebook by navigating to the ‘Apps’ section in your Facebook account settings and updating preferences in ‘Logged in with Facebook’.

6. Understanding our membership (including creating ‘profiles’ and ‘modelling’)

We refer to anyone who has taken an action with 38 Degrees (e.g. signed a petition, taken a survey, donated, etc) as a ‘member’. You can only be a member if you reside in the UK, which we confirm by asking you to verify your postcode.

In order to better understand our members and our membership, 38 Degrees collects information about members’ interests and demographics, and gathers this information to create ‘profiles’ of individual members and groups of members. Our aims are:

(a) at an individual level, improving our communications and interactions with you (so that they are more targeted and relevant); and

(b) at a membership / group level, understanding the types of people who typically make up our membership so that we can improve the membership journey, focus our resources on areas of interest to our members, and recognise groups which may be under-represented in our membership, in order to improve our reach.

‘Profiling’ in this context means gathering information about members and analysing their characteristics and behaviour patterns to place them in a certain category to help inform the above insights work. It can involve processing personal information using predictions about people, based on the qualities of others who appear similar (in other words, identifying ‘personas’ or categories of typical 38 Degrees members).

To do this, we may combine the personal information we obtain:

Directly from you, including when you complete member surveys (see section 8 below) – including demographic and attitudinal information.
From public sources.
From third parties such as Experian.

We may keep this information in anonymous/ aggregated form (so that it does not identify you) and share that statistical information with key decision makers – for example, to tell MPs that hundreds of 38 Degrees members in their constituency are nurses.

We rely on our legitimate interests to undertake data processing for these purposes (see section 15 below). If we use your sensitive personal information (see section 2 above) for these purposes, we will ask for your explicit consent where necessary or rely on other conditions under data protection law.

Additionally, we gather information about the way members respond to communications we have sent. Using a process we call ‘modelling sends’, we analyse past actions and behaviour of members. By comparing those members with other members we can predict what actions the other members are likely to take. Using this understanding of how likely someone is to take an action, we can send the email to people who are most likely to be interested, rather than sending it to everyone on our email list. This helps us to maximise the effectiveness of the communications we send out. We rely on our legitimate interests to undertake data processing for these purposes (see section 15 below).

We may use third parties, such as data analysts, to help us with this type of research and profiling. We will have contracts with them which require them to keep any personal information secure.

You can choose to opt-out of the processing detailed in this section, which will include both 38 Degrees’ profiling (which will mean we won’t assign you a ‘profile’ nor will we obtain personal information about you under a commercial licence from Experian), as well as ‘modelling’ sends. If you would like to opt-out, or if you have any questions about this processing, please email us on dataprotection@38degrees.org.uk.

7. Social media marketing (including Facebook and Snapchat)

We use Facebook and/ or Snapchat’s Custom Audience and Lookalike Audience programs, which are tools which allow us to show adverts to individuals when they visit Facebook or Snapchat. To do this, we send your email address to Facebook/Snapchat so they can determine whether you have an account with them. Our adverts may then appear in your feed. Some of your personal information is sent in an encrypted format that is deleted by Facebook/ Snapchat (a) if it does not match with an account or (b) after they confirm you are a registered account holder.

For more detailed information please see Facebook’s guidance here and here.

We also use Snapchat’s ‘Snap Pixel’. This is a tool which lets us know if individuals have visited our website via Snapchat, so that we can tell whether our use of Snapchat is effective. We use a ‘pixel’ on our website to do this, which is similar to a ‘cookie’ – please see our cookies notice here for more information.

You can read Snapchat’s privacy notice here.

Opting out of this marketing activity

If you do not want us to share your email address with Facebook or Snapchat (even in encrypted form), then you can ask us not to by contacting us at dataprotection@38degrees.org.uk. Please be aware that, if you are a Facebook or Snapchat user, you may still see advertisements about 38 Degrees in your feed even if we do not share your personal information with Facebook or Snapchat (because not all of our marketing will be targeted). You can control what ads you see via your ad settings within Facebook and Snapchat.

8. Member surveys

From time to time (and in accordance with section 9 below) we may contact you (if you are a member) to ask you to complete surveys.

Your participation in surveys is entirely voluntary and you do not need to provide us with any personal information you do not want to. We may ask you questions about your background, behaviours, and attitudes. We will then use this personal information for the purposes set out in this Policy, including to understand our membership better as explained in section 6 above.

This includes improving our ability to send you more relevant communications. For example, if you tell us, in response to a survey, that you work in the NHS, we may send you information about campaigns specific to issues affecting NHS staff.

9. Communications, fundraising and marketing

If you have provided us with your physical address, we may contact you by post; and where you have given appropriate consent, also by telephone and e-mail, with targeted communications to let you know about our events and/or activities that we consider may be of particular interest; about the work of 38 Degrees; and to ask for donations or other support (or to conduct member surveys – see section 8 above).

In the future we may communicate with you via focus groups, which may include online communications with you, and we may use other online messaging platforms such as WhatsApp.

In particular, if you have provided consent after signing a campaign, we will send you messages from the creator of the campaign you have signed and from us in relation to other campaigns which are being run by 38 Degrees.

You can choose to stop receiving such emails from us and our trusted partners at any time by clicking the “unsubscribe” link at the bottom of our emails, or by contacting us using the details below. Or, if you’d like to opt-out of hearing from us by post, please email nopost@38degrees.org.uk or dataprotection@38degrees.org.uk

10. Members of Parliament

We collect and use some information in relation to MPs. This includes the following

Information from publicly available sources regarding MPs’ voting history.
Contact details.
Information from members of the public about how MPs have responded to issues they have raised.
Information provided to us directly from MPs clarifying their positions in relation to specific issues.

We use MPs’ contact information to ask them questions, send them briefing notes on issues for which we are campaigning and to allow members of the public to contact them through our systems.

We use information about how MPs vote and their political positions to create rankings and leader-boards.

We rely on our legitimate interests to undertake data processing for these purposes (see section 15 below)

11. Donations and other payments

Financial transactions carried out on our website are usually handled through Stripe, Inc. (“Stripe”), a payment services provider. We recommend that you read Stripe’s privacy policy before making any payments to us. We will provide your personal information to Stripe only to the extent necessary to process payments. We do not store your financial details.

You can also donate to us using PayPal. If you donate using PayPal, your personal information will be provided to PayPal so they can process your donation. Please see their privacy notice for more information.

Alternatively if you set up a direct debit, we use a provider called SmartDebit to process your regular direct debit payments.

12. Children’s data

We do not knowingly process data of any person under the age of 16. If we come to discover, or have reason to believe, that you are 15 and under and we are holding your personal information, we will delete that information within a reasonable period and withhold our services accordingly.

13. Security of and access to your personal information

We aim to ensure that there are appropriate and proportionate technical and organisational measures to protect your personal information from loss, destruction, misuse, alteration, or unauthorised disclosure or access.

Your information is only accessible in 38 Degrees by appropriately trained staff, volunteers and contractors.

We also use agencies and/or suppliers to process data on our behalf. We may also merge or partner with other organisations and in so doing transfer your personal information to a successor organisation.

Please note that some countries outside of the UK have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. We may transfer and/or store your personal information to a destination outside the UK. If we transfer and/or store your personal information outside the UK which does not provide adequate protection we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your personal information, such as requiring the recipient to enter into standard contracts approved by the UK Government for this purpose.

In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this policy, we may disclose your information to regulatory and/or government bodies and/or law enforcement agencies. But only if we need to do so to satisfy a legal obligation.

14. Your rights

If we rely on your consent to use your personal information for a specific purpose, you can withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time. You also have the following rights:

To access your personal information – you can write to us to ask for confirmation of what information we hold on you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested and we have successfully confirmed your identity, we will usually have one month to comply.
Erasure of your personal information – you can ask us for your personal information to be deleted from our records. In many cases we would propose to suppress further communications with you, rather than delete it.
To correct your personal information – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated.
To ask us to restrict our use of your personal information – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
To have your data ‘ported’ – to the extent required by applicable laws, where we are processing your personal information (i) under your consent, (ii) to perform a contract with you and (iii) by automated means, you may ask us to provide it to you – or another service provider – in a machine-readable format.

To exercise these rights, please send a description of the personal information in question using the contact details in section 20 below. We also have a specific page (linked here) where you can unsubscribe from our email list

We might need to ask for (i) personal identification and/or (ii) further information before we can respond to your request. Please note that some of these rights only apply in limited circumstances.

You can also make a complaint about us or the way we have processed your personal information to the Information Commissioner’s Office. The contact details of the ICO can be found here.

15. Our lawful basis

We are required to have one or more lawful grounds to process your personal information. The following four are most relevant to us:

(1) Consent

We will ask for your consent to use your information to send you electronic communications such as newsletters and marketing and fundraising emails, for targeted advertising and profiling, and if you ever share sensitive personal information with us.

(2) Contractual relationships

Most of our interactions with subscribers and website users are voluntary and not contractual. However, sometimes it will be necessary to use personal information so that we can enter contractual relationships with people. For example, if you apply for employment or to volunteer with us, or if you purchase something via our online shop.

(3) Legal obligations

Sometimes we will be obliged to process your personal information due to legal obligations which are binding on us. We will only ever do so when necessary.

(4) Legitimate interests

The law allows organisations to use personal information if it is reasonably necessary for legitimate activities, and as long as its use is fair, balanced and does not unduly impact individuals’ rights.

We will rely on this ground to process your personal data when it is not practical or appropriate to ask for consent. Our legitimate interests are as follows:

A. Achieving our purposes

These include (but are not limited to) promoting any philanthropic or benevolent purpose including without limitation to ensure the views and values of the world’s people shape global decisions

B. Governance

Internal and external audit for financial or regulatory compliance purposes
Statutory reporting

C. Publicity and income generation

Conventional direct marketing and other forms of marketing, publicity or advertising
Unsolicited commercial or non-commercial messages not sent electronically, including campaigns, newsletters, income generation or charitable fundraising
Analysis, targeting and segmentation to develop and promote or strategy and improve communication efficiency
Personalisation used to tailor and enhance your experience of our communications

D. Operational Management

Recording and monitoring of applicants for employed and volunteer positions for recruitment purposes
Physical security, IT and network security
Maintenance of suppression files
Processing for historical, scientific or statistical purpose

E. Purely administrative purposes

Responding to enquiries
Delivery of requested products or information
Communications designed to administer existing services including administration of campaigns and financial transactions
Thank you communications and receipts
Maintaining a supporter database and suppression lists

F. Financial Management and control

Processing financial transactions and maintaining financial controls
Prevention of fraud, misuse of services, or money laundering
Enforcement of legal claims
Reporting criminal acts and compliance with law enforcement agencies

When we use your personal information, we will consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair in other ways.

16. How long we keep your personal information

In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.

If you ask us to stop sending you direct marketing/fundraising/other electronic communications, we will keep your name on our internal suppression list to ensure that you are not contacted again.

Additionally, if you donate by direct debit, your personal information may be retained by the provider we use, SmartDebit, for as long as SmartDebit is liable under any compensation award scheme e.g. the Direct Debit Guarantee.

17. Sharing your information

We use third-party service providers to assist us in delivering our services. Where necessary, we will share your personal information with those service providers. This will always be governed by a contract with the relevant service provider which prevents them from using your information in any way which goes beyond our purposes, as stated in this Privacy Policy. We share that information based on our legitimate interests in delivering our services to members.

We may also share your personal information with third parties such as public authorities where we have a legal obligation to do so or where it is necessary for reasons of substantial public interest such as the prevention or detection of a crime.

Where you have consented, we may also share your personal information for the purposes of making campaign submissions to third parties or for the purposes of our promotional activities.

We may also share your personal information for the purposes of social media marketing (see section 7 above).

18. International transfers

We may transfer your personal information to our third-party service providers based outside the UK. Where this is the case, we will only transfer your information to territories where the level of protection has been deemed to be adequate for the purposes of transferring personal information from the UK by way of an ‘Adequacy Decision’ or other international accord, or where we have executed the EU or UK Standard Contractual Clauses with the service provider who is receiving the information. Those Standard Contractual Clauses ensure that the personal information we transfer has an equivalent level of protection to that which is available in the UK. We can provide a copy of those safeguards upon request.

19. Changes to this policy

We keep this Policy under regular review and will sometimes update it by posting an updated version on our website, to reflect changes in the law or in our practices. We recommend that you check this Policy occasionally to ensure you remain happy with it. Where reasonably possible, we will notify you of significant changes to our privacy policy by email.

20. Contact us

For queries relating to how we use your data you can contact our Data Protection Team at dataprotection@38degrees.org.uk and/or our wider team at emailtheteam@38degrees.org.uk or by writing to us at the following address:

The Data Protection Team

38 Degrees
First Floor
10 Queen Street Place
London
EC4R 1BE

You can also contact our Data Protection Officer at dataprotectionofficer@38degrees.org.uk.

Last updated: 29.03.2021