Privacy Policy 29.03.2021
38 Degrees Ltd. (Company No. 6642193) aims to respect any personal information you share with us, or that we receive from other organisations, and keep it safe. This Policy explains how we collect and use your personal information. For the purposes of the information you share with us, we are the data controller.
This Policy contains important information about your personal information and privacy. Please read it carefully.
You do not have to provide us with your personal information. However, you will need to provide some personal information if you would like to sign a campaign, start a campaign, make a donation or purchase items via our online shop, apply for employment with us or apply to volunteer with us.
Index
1. How we collect your personal information
We collect information about you:
(1) When you give it to us DIRECTLY
For example, you give us your personal information when you:
(2) When you give it to us INDIRECTLY
Your information may be shared with us by others including other users of our services, independent event organisers, other fundraising entities, sponsors and supporters of our organisation and services. Your information will also be provided to us when you follow us or otherwise interact with on or via Twitter, when you like and/or join our page on Facebook or interact with us in other ways on or via Facebook or on Snapchat. We also collect limited personal information when you receive our marketing/ campaign emails (see below under “Pixel trackers”).
(3) When you give permission to OTHER ORGANISATIONS to share it or it is AVAILABLE PUBLICLY
We may combine information you provide to us with information available from external publicly available sources. Depending on your privacy settings for social media services, we may also access information from those accounts or services. We use this information to gain a better understanding of you and to improve our communications and fundraising activities.
We may also obtain personal information about you under a commercial licence from Experian. Experian collects and combines information from publicly available sources and third parties (such as Royal Mail Postcode Address File). Experian’s privacy notice can be found here
We also receive some personal information about you when you use social logins (see section 5 below).
(4) When you visit our WEBSITE
We use cookies to identify you when you visit our website and to enable us to personalise your online experience (for example by remembering your log in details). Please see our Cookies Policy for more information.
We also use the reCAPTCHA service provided by Google. This allows us to verify that a user is a person rather than a machine in order to prevent forms on our website (such as petitions) from being (ab)used by spam bots (a bot is a computer programme that can interact with systems and can simulate human activity). When you fill in forms on our website, reCAPTCHA will collect information about your use of the website page, including clicks, mouse movements and your IP address, so that it can determine whether you are a person and not a bot. This information is collected by Google who only provide us with confirmation of whether the user is a real person (but does not identify a user to us). For more information about Google’s use of information gathered through reCAPTCHA please read their privacy notice here.
Pixel trackers
We use ‘pixel trackers’ (including trackers provided by MailJet) to provide us with insights about the way you interact with our emails, so we can learn about the effectiveness of our communications. For example, these tools tell us when and if you open an email from 38 Degrees and whether you click on a link within the email. This is useful because it allows us to decide what kind of content you and our other members are interested in receiving.
We may then change the type of emails we send to you and our membership, or stop sending you emails at all if it seems you are no longer interested to hear from us.
These tools also protect our communications from being incorrectly flagged as ‘spam’ by email providers.
If you use an email client that allows it, you can ‘block’ pixels by changing your settings to block images being loaded by default.
2. What personal information we collect?
We may collect, store and use the following kinds of personal information:
(1) Your name and contact details, including address, telephone number, e-mail address, and social media identity. We may ask for other information where it is appropriate and relevant, for example
(2) information about your computer and about your visits to and use of this website including your IP address, geographical location, browser type, referral source, length of visit and number of page views;
(3) information about the 38 Degrees services you use (e.g. campaigns you support), services and products of interest to you or any marketing and/or communication preferences you give; and/or
(4) any other information shared with us as per clause 1
Do we process sensitive personal information?
The law recognises certain types of personal information as sensitive and requiring more protection, including health information, ethnicity and political opinions. This is known as ‘special category’ information. In limited cases, we may collect special category information about you because it is relevant to the particular campaign or survey in which you are participating. We will generally only collect special category data where we have your explicit consent.
We may also use certain special category information you provide us in surveys, such as your ethnicity or political opinions, to understand demographic trends in our membership and to help us monitor and address inequalities. For example, we may use this information to determine that certain groups are not being reached by our campaigns/ that our campaigns may not be relevant to particular groups – this information could help us to address our content and priorities so that they are more relevant to such groups, to address inequalities. Again, we will generally seek your explicit consent before collecting this information for these purposes.
It may also be necessary for us to process special category information for purposes in the substantial public interest like the prevention or detection of a crime or safeguarding children or adults who are at risk. We may also process information which relates to potentially criminal activity for the same purposes.
If you are applying to us for employment we may carry out checks to ensure that you are suitable to work with our members. In the event this involves processing information relating to criminal investigations or convictions then we will be relying on the substantial public interest condition relating to the safeguarding of children or adults who are at risk, described above.
3. How and why will we use your personal data?
We use your personal information to:
4. Signing a campaign
When you sign any campaign on our website, we ask for some personal information. We will take reasonable steps thereafter to ensure that your personal information remains accurate and up to date. You do not need to set up an account with us to sign a campaign.
Campaigns indicate your public support for an issue or cause. Please be aware that when you sign a campaign on Campaigns by You:
You can submit a video in support of a campaign using our online video recording tool. If you do, we will ask for your consent to our use of your video. We share these videos with third parties relevant to the campaign (such as MPs), and we may also use your video for our own marketing purposes. When we refer to our own marketing purposes, we mean the use of your video to promote (i) a campaign that may be different to the one you have made a video to support, (ii) engagement in starting petitions generally, or (iii) the activities of 38 Degrees in general. You can always withdraw your consent to our use of your videos by contacting us using the details below.
5. Logging into 38 Degrees with your social media account
When you create a petition on our website we ask you to register for an account. You can register with us directly, or you can log-in using your Google or Facebook account, if you have one. If you log in using Google or Facebook, the third party platform (either Google or Facebook) will share some of your basic account information with us – your name, email address and profile picture (if you have one). We use this personal information to identify you when you log-in and allow you to access your account.
If you log in via Facebook or Google, we’ll still ask for your phone number and postcode. We ask for this information in case our staff team need to contact you to support with your petition and so that we can potentially promote your petition locally (according to your postcode).
You do not have to use social log-ins – if you prefer, you can always register or log-in directly with 38 Degrees. You can also un-link your Google or Facebook account from your 38 Degrees account at any time by updating your settings preferences with Google or Facebook:
6. Understanding our membership (including creating ‘profiles’ and ‘modelling’)
We refer to anyone who has taken an action with 38 Degrees (e.g. signed a petition, taken a survey, donated, etc) as a ‘member’. You can only be a member if you reside in the UK, which we confirm by asking you to verify your postcode.
In order to better understand our members and our membership, 38 Degrees collects information about members’ interests and demographics, and gathers this information to create ‘profiles’ of individual members and groups of members. Our aims are:
(a) at an individual level, improving our communications and interactions with you (so that they are more targeted and relevant); and
(b) at a membership / group level, understanding the types of people who typically make up our membership so that we can improve the membership journey, focus our resources on areas of interest to our members, and recognise groups which may be under-represented in our membership, in order to improve our reach.
‘Profiling’ in this context means gathering information about members and analysing their characteristics and behaviour patterns to place them in a certain category to help inform the above insights work. It can involve processing personal information using predictions about people, based on the qualities of others who appear similar (in other words, identifying ‘personas’ or categories of typical 38 Degrees members).
To do this, we may combine the personal information we obtain:
We may keep this information in anonymous/ aggregated form (so that it does not identify you) and share that statistical information with key decision makers – for example, to tell MPs that hundreds of 38 Degrees members in their constituency are nurses.
We rely on our legitimate interests to undertake data processing for these purposes (see section 15 below). If we use your sensitive personal information (see section 2 above) for these purposes, we will ask for your explicit consent where necessary or rely on other conditions under data protection law.
Additionally, we gather information about the way members respond to communications we have sent. Using a process we call ‘modelling sends’, we analyse past actions and behaviour of members. By comparing those members with other members we can predict what actions the other members are likely to take. Using this understanding of how likely someone is to take an action, we can send the email to people who are most likely to be interested, rather than sending it to everyone on our email list. This helps us to maximise the effectiveness of the communications we send out. We rely on our legitimate interests to undertake data processing for these purposes (see section 15 below).
We may use third parties, such as data analysts, to help us with this type of research and profiling. We will have contracts with them which require them to keep any personal information secure.
You can choose to opt-out of the processing detailed in this section, which will include both 38 Degrees’ profiling (which will mean we won’t assign you a ‘profile’ nor will we obtain personal information about you under a commercial licence from Experian), as well as ‘modelling’ sends. If you would like to opt-out, or if you have any questions about this processing, please email us on dataprotection@38degrees.org.uk.
7. Social media marketing (including Facebook and Snapchat)
We use Facebook and/ or Snapchat’s Custom Audience and Lookalike Audience programs, which are tools which allow us to show adverts to individuals when they visit Facebook or Snapchat. To do this, we send your email address to Facebook/Snapchat so they can determine whether you have an account with them. Our adverts may then appear in your feed. Some of your personal information is sent in an encrypted format that is deleted by Facebook/ Snapchat (a) if it does not match with an account or (b) after they confirm you are a registered account holder.
For more detailed information please see Facebook’s guidance here and here.
We also use Snapchat’s ‘Snap Pixel’. This is a tool which lets us know if individuals have visited our website via Snapchat, so that we can tell whether our use of Snapchat is effective. We use a ‘pixel’ on our website to do this, which is similar to a ‘cookie’ – please see our cookies notice here for more information.
You can read Snapchat’s privacy notice here.
Opting out of this marketing activity
If you do not want us to share your email address with Facebook or Snapchat (even in encrypted form), then you can ask us not to by contacting us at dataprotection@38degrees.org.uk. Please be aware that, if you are a Facebook or Snapchat user, you may still see advertisements about 38 Degrees in your feed even if we do not share your personal information with Facebook or Snapchat (because not all of our marketing will be targeted). You can control what ads you see via your ad settings within Facebook and Snapchat.
8. Member surveys
From time to time (and in accordance with section 9 below) we may contact you (if you are a member) to ask you to complete surveys.
Your participation in surveys is entirely voluntary and you do not need to provide us with any personal information you do not want to. We may ask you questions about your background, behaviours, and attitudes. We will then use this personal information for the purposes set out in this Policy, including to understand our membership better as explained in section 6 above.
This includes improving our ability to send you more relevant communications. For example, if you tell us, in response to a survey, that you work in the NHS, we may send you information about campaigns specific to issues affecting NHS staff.
9. Communications, fundraising and marketing
If you have provided us with your physical address, we may contact you by post; and where you have given appropriate consent, also by telephone and e-mail, with targeted communications to let you know about our events and/or activities that we consider may be of particular interest; about the work of 38 Degrees; and to ask for donations or other support (or to conduct member surveys – see section 8 above).
In the future we may communicate with you via focus groups, which may include online communications with you, and we may use other online messaging platforms such as WhatsApp.
In particular, if you have provided consent after signing a campaign, we will send you messages from the creator of the campaign you have signed and from us in relation to other campaigns which are being run by 38 Degrees.
You can choose to stop receiving such emails from us and our trusted partners at any time by clicking the “unsubscribe” link at the bottom of our emails, or by contacting us using the details below. Or, if you’d like to opt-out of hearing from us by post, please email nopost@38degrees.org.uk or dataprotection@38degrees.org.uk
10. Members of Parliament
We collect and use some information in relation to MPs. This includes the following
We use MPs’ contact information to ask them questions, send them briefing notes on issues for which we are campaigning and to allow members of the public to contact them through our systems.
We use information about how MPs vote and their political positions to create rankings and leader-boards.
We rely on our legitimate interests to undertake data processing for these purposes (see section 15 below)
11. Donations and other payments
Financial transactions carried out on our website are usually handled through Stripe, Inc. (“Stripe”), a payment services provider. We recommend that you read Stripe’s privacy policy before making any payments to us. We will provide your personal information to Stripe only to the extent necessary to process payments. We do not store your financial details.
You can also donate to us using PayPal. If you donate using PayPal, your personal information will be provided to PayPal so they can process your donation. Please see their privacy notice for more information.
Alternatively if you set up a direct debit, we use a provider called SmartDebit to process your regular direct debit payments.
12. Children’s data
We do not knowingly process data of any person under the age of 16. If we come to discover, or have reason to believe, that you are 15 and under and we are holding your personal information, we will delete that information within a reasonable period and withhold our services accordingly.
13. Security of and access to your personal information
We aim to ensure that there are appropriate and proportionate technical and organisational measures to protect your personal information from loss, destruction, misuse, alteration, or unauthorised disclosure or access.
Your information is only accessible in 38 Degrees by appropriately trained staff, volunteers and contractors.
We also use agencies and/or suppliers to process data on our behalf. We may also merge or partner with other organisations and in so doing transfer your personal information to a successor organisation.
Please note that some countries outside of the UK have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. We may transfer and/or store your personal information to a destination outside the UK. If we transfer and/or store your personal information outside the UK which does not provide adequate protection we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your personal information, such as requiring the recipient to enter into standard contracts approved by the UK Government for this purpose.
In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this policy, we may disclose your information to regulatory and/or government bodies and/or law enforcement agencies. But only if we need to do so to satisfy a legal obligation.
14. Your rights
If we rely on your consent to use your personal information for a specific purpose, you can withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time. You also have the following rights:
To exercise these rights, please send a description of the personal information in question using the contact details in section 20 below. We also have a specific page (linked here) where you can unsubscribe from our email list
We might need to ask for (i) personal identification and/or (ii) further information before we can respond to your request. Please note that some of these rights only apply in limited circumstances.
You can also make a complaint about us or the way we have processed your personal information to the Information Commissioner’s Office. The contact details of the ICO can be found here.
15. Our lawful basis
We are required to have one or more lawful grounds to process your personal information. The following four are most relevant to us:
(1) Consent
We will ask for your consent to use your information to send you electronic communications such as newsletters and marketing and fundraising emails, for targeted advertising and profiling, and if you ever share sensitive personal information with us.
(2) Contractual relationships
Most of our interactions with subscribers and website users are voluntary and not contractual. However, sometimes it will be necessary to use personal information so that we can enter contractual relationships with people. For example, if you apply for employment or to volunteer with us, or if you purchase something via our online shop.
(3) Legal obligations
Sometimes we will be obliged to process your personal information due to legal obligations which are binding on us. We will only ever do so when necessary.
(4) Legitimate interests
The law allows organisations to use personal information if it is reasonably necessary for legitimate activities, and as long as its use is fair, balanced and does not unduly impact individuals’ rights.
We will rely on this ground to process your personal data when it is not practical or appropriate to ask for consent. Our legitimate interests are as follows:
A. Achieving our purposes
These include (but are not limited to) promoting any philanthropic or benevolent purpose including without limitation to ensure the views and values of the world’s people shape global decisions
B. Governance
C. Publicity and income generation
D. Operational Management
E. Purely administrative purposes
F. Financial Management and control
When we use your personal information, we will consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair in other ways.
16. How long we keep your personal information
In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.
If you ask us to stop sending you direct marketing/fundraising/other electronic communications, we will keep your name on our internal suppression list to ensure that you are not contacted again.
Additionally, if you donate by direct debit, your personal information may be retained by the provider we use, SmartDebit, for as long as SmartDebit is liable under any compensation award scheme e.g. the Direct Debit Guarantee.
17. Sharing your information
We use third-party service providers to assist us in delivering our services. Where necessary, we will share your personal information with those service providers. This will always be governed by a contract with the relevant service provider which prevents them from using your information in any way which goes beyond our purposes, as stated in this Privacy Policy. We share that information based on our legitimate interests in delivering our services to members.
We may also share your personal information with third parties such as public authorities where we have a legal obligation to do so or where it is necessary for reasons of substantial public interest such as the prevention or detection of a crime.
Where you have consented, we may also share your personal information for the purposes of making campaign submissions to third parties or for the purposes of our promotional activities.
We may also share your personal information for the purposes of social media marketing (see section 7 above).
18. International transfers
We may transfer your personal information to our third-party service providers based outside the UK. Where this is the case, we will only transfer your information to territories where the level of protection has been deemed to be adequate for the purposes of transferring personal information from the UK by way of an ‘Adequacy Decision’ or other international accord, or where we have executed the EU or UK Standard Contractual Clauses with the service provider who is receiving the information. Those Standard Contractual Clauses ensure that the personal information we transfer has an equivalent level of protection to that which is available in the UK. We can provide a copy of those safeguards upon request.
19. Changes to this policy
We keep this Policy under regular review and will sometimes update it by posting an updated version on our website, to reflect changes in the law or in our practices. We recommend that you check this Policy occasionally to ensure you remain happy with it. Where reasonably possible, we will notify you of significant changes to our privacy policy by email.
20. Contact us
For queries relating to how we use your data you can contact our Data Protection Team at dataprotection@38degrees.org.uk and/or our wider team at emailtheteam@38degrees.org.uk or by writing to us at the following address:
The Data Protection Team
38 Degrees
First Floor
10 Queen Street Place
London
EC4R 1BE
You can also contact our Data Protection Officer at dataprotectionofficer@38degrees.org.uk.
Last updated: 29.03.2021