privacy policy

We use your personal information for the purposes set out in this policy, which include:

to provide support

We support socially and economically vulnerable communities in the former Soviet Union and Eastern Europe in a number of ways, including via humanitarian aid, cultural heritage projects and community capacity building. We may, with your consent, process information about your health where this is relevant to our support. You can always withdraw your consent by contacting us at any time. Please see the relevant sections of how we use your personal information for further information.

marketing

We will only send you emails and post where you have consented to this; and will not send you marketing if you have asked us not to. To withdraw your consent or opt-out from receiving marketing at any time please contact us. Please see direct marketing for further information.

philanthropy

We research, and profile potential or existing high value donors, to allow us to identify and engage with suitable high value donors. This allows us to focus our fundraising resources, and to ensure that our requests for support are tailored to each individual, ultimately helping us to maximise the efficiency of our fundraising. If you would prefer that we do not carry out this type of analysis, please contact us. Please see high value donors for further information.

online advertising

We promote our aims and activities online, including via platforms such as Facebook. We may ask a platform to show our adverts to a particular group of individuals, and may also use data purchased from third parties to identify relevant audiences for our adverts. We may also track when individuals click on our adverts. We never use special category personal data (e.g. health data) to target individuals. Please see online advertising for further information.

For information about the other purposes for which we process personal information, please see how we use your personal information.

If you have questions about this Privacy Policy, or if you would like to exercise any of your privacy rights, please contact us by email at [email protected], or write to our Operations Manager in writing at The Studio, 60 Glencoe Road, Bushey WD23 3DS.

Usually, The Together Plan will be the ‘controller’ of your personal information. This means that we are responsible for deciding how your personal information is used, and ensuring that it is used in compliance with applicable data protection law (in conjunction with other parties, where applicable).

links

The Together Plan website may include links to other sites, not owned or managed by us. We cannot be held responsible for the privacy of information collected by websites not managed by us.

changes to this policy

We may change our privacy policy from time to time so please check back periodically. This Privacy Policy was last updated in July 2022.

Personal information is any information that can be used to identify you. For example, it can include information such as your name, date of birth, email address, postal address, telephone number, IP address, credit/debit card details, CCTV footage, and information relating to your health and personal circumstances.

Data protection law recognises that certain categories of personal information are more sensitive. These are known as ‘special category data’ and include information relating to health, race, ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for ID purposes), sex life and sexual orientation.

Personal data relating to criminal convictions and offences (including allegations of the same) is also subject to extra safeguards.

We may collect personal information when:

• you give it to us, or we collect it from you, directly – for example, when you sign up for one of our events or donate to us, and where you visit our websites or open our emails (with your consent where necessary: please see cookies and similar technologies);
• you give permission to other parties to share it with us – for example, when you have told an event organiser such as JW3 that you would like to hear from us, or where a friend, family member or legal representative has contacted us on your behalf; or
• your information is available publicly, for example, from Companies House, or, depending on your privacy settings, from social media and messaging services such as Facebook, YouTube etc

When we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and in the event that particular information is required by the contract or statute this will be indicated. We will also explain the consequences of any failure to provide any mandatory information: for example, failure to provide us with your contact details will mean that we cannot contact you, and failure to provide us with your payment details will mean that we cannot complete a transaction.

Apart from personal information relating to yourself, you may also provide us with the personal information of third parties, such as when you contact us on behalf of, or about, friends and family, or send us photographs including other people. Before you provide such third party personal information to us you must make sure that these third parties are aware that you will provide such data and of how it will be used by us, as detailed in this Privacy Policy.

You have a number of rights in relation to your personal information. You should note that these rights are not absolute, so we do not always need to comply with your requests, but we will make sure we explain our reasons to you if this is the case.

To exercise any of your rights, please contact us.

We may ask you to provide additional information to prove your identity, for example, to provide a copy of an identification document, before we allow you to exercise a right. This is for your security: we consider that we have a legitimate interest in ensuring that we only allow the correct individuals to exercise the rights to which they are entitled. This is for your security, and aims to prevent fraudsters from accessing the information we hold about you.

We will respond to any such request within 1 month. If we refuse a request, we will explain our reasons and let you know how you can challenge our decision.

If you are unhappy with how we’ve dealt with your request or used your data please tell us so we can sort it out. However, if you are still unhappy you have the right to complain to the Information Commissioner’s Office (ICO). The ICO can investigate your claim and take action against anyone who has misused personal information. Please visit https://ico.org.uk/make-a-complaint/ or call the ICO helpline on 0303 123 1113 for further information.

You have the right to be informed about the collection and use of your personal information, and we are also required to ensure that we are transparent about how we use your personal information.

This Privacy Policy explains how we process your personal information.

You have the right to ask us to confirm whether we process any of your personal information, and to provide access to any personal information we do hold about you.

We aim to ensure that all personal information is correct. If any of the information that you have provided us with changes, for example if you change your email address, please do contact us so that we can keep our records up to date. We will update your records as soon as possible and in any event within one month.

You have a right to require us to correct any information about you that is inaccurate, and you may also ask us to remove information which is inaccurate or to complete information which is incomplete. We may seek to verify the accuracy of the personal information before rectifying it, and in some circumstances we will need to keep a copy of the inaccurate data (for example, if we need to keep an audit trail).

If we do update inaccurate information, we will inform relevant third parties with whom we have shared your data so they may update their own records.

In some situations, you have a right to obtain your personal information from us in a structured, commonly used and machine-readable format and reuse it for your own purposes, perhaps for another service, without hindering the usability of the data. This includes the right to require us, where technically feasible, to pass on information we obtained from you to another data controller.

This right applies when we are relying on your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the lawful ground for processing, and we are carrying out processing by automated means.

You have the right to require us to erase your personal information in certain circumstances, for example:

• where it is no longer necessary for us to continue holding or processing your personal information for a particular purpose;
• if you withdraw your consent to certain processing (in relation to which we rely upon your consent as a lawful basis); or
• if you have objected to processing in relation to which we rely upon our legitimate interests, and we have no overriding interest or that personal information is processed for direct marketing purposes (and this includes profiling to the extent that it is related to such direct marketing).

This right is not absolute: for example, we do not have to delete your data if we need to continue processing this information to comply with our legal obligations, or for the establishment, exercise or defence of legal claims. We may also need to keep some information about you in order to, for example, comply with an instruction not to contact you again.

You have a right to ask us to restrict our processing of your information if:

• you contest its accuracy and we need to verify whether it is accurate;
• the processing is unlawful and you ask us to restrict use of it instead of erasing it;
• we no longer need the information for processing, but you need it to establish or defend legal claims;
• you have objected to processing of your information being necessary for the performance of a task carried out in the public interest, or for the purposes of our legitimate interests. The restriction would apply while we carry out a balancing act between your rights and our legitimate interests. If you exercise your right to restrict processing, we would still need to process your information for exercising or defending legal claims, protecting the rights of another person or for public interest reasons.

This is an alternative right to the right to be forgotten and it is not an absolute right.

If we rely on consent as the legal basis for processing (see how we use your personal information) you can withdraw your consent to that purpose of processing, and we will stop that particular processing.

However, we may still continue to use the same data for other purposes: for example, you withdraw your consent to receipt of direct electronic marketing from us, and also make a complaint, we may rely on our legitimate interests to process your personal information in order to investigate that complaint.

You have the right to object to: processing that is based on legitimate interests or performance of a task in the public interest (including profiling); direct marketing (including profiling for the purposes of direct marketing) and processing for the purposes of scientific, statistical or historical research.

We must comply with any request to stop processing for the purposes of direct marketing. The right to object is not absolute in relation to processing for legitimate interests and research purposes.

If you would prefer us not to profile you for the purposes of targeting or tailoring our fundraising efforts, please contact us.

We very rarely process any Criminal Offence Data, and we only process this type of data where we have a clear legal basis to do so under UK data protection law. This is usually where the processing in question is necessary for the purposes of preventing or detecting unlawful acts.

For example, we might process such data:

• if we had a recording of a theft captured on CCTV cameras at one of our premises which we needed to share with the police; or
• to allow us to investigate, and if appropriate bring prosecutions against, persons using The Together Plan brand to carry out fraudulent fundraising supposedly on our behalf.

We and our partners collect and process your personal information for various business purposes, in accordance with applicable laws. It may occasionally be used for purposes not obvious to you where the circumstances warrant such use (e.g. in investigations).

UK data protection laws require us to have a specific lawful basis for each purpose for which we process your personal information. We explain these purposes and the corresponding lawful basis in the section on How we use your data.

We generally process your personal information on one of the following bases:

• the processing is necessary for our legitimate interests (as identified in the section on How we use your data), except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information;
• we have obtained your consent to use your personal data for the stated purpose;
• the processing is necessary for compliance with a legal obligation. to which we are subject; or
• the processing is necessary for the performance of a contract. to which you are a party or in order to take steps at your request prior to entering into such a contract.

We may also rely on other bases (for example, where the processing is necessary in the performance of a task carried out in the public interest, or where the processing is necessary in order to protect your vital interests or those of another person) on an exceptional basis, if none of the above conditions apply.

We collect special category data (usually health data) from our volunteers mainly so that we can ensure we are supporting our volunteer team as best as possible.

In order to process any special category data, we need to ensure that we have a particular reason to do so, in addition to the general lawful bases set out above. This reason needs to relate to one of the additional lawful bases for processing set out under UK data protection laws.

We generally process your special category data only:

• with your explicit consent; or
• where you have ‘manifestly made public’ this information.

However, we may also rely on other bases where neither of the above apply, including but not limited to where the processing is needed for legal claims, is necessary for substantial public interests (as set out in UK data protection law), is necessary for reasons of public interest in the area of public health, or exceptionally, where the processing is needed to protect your life or the life of another.

profiling

profiling

Profiling means gathering information about an individual or a group of individuals and analysing their characteristics or behaviour patterns in order to place them in a certain category or group, and/or to make predictions or assessments about their ability to perform a task, their interests or likely behaviour.

We believe that we have a legitimate interest in profiling supporters and potential supporters as explained below. Profiling allows us to understand our supporters better, so we can send you information that you are interested in and is relevant to you, and predict how you might be able to help us in the future, to make sure we don’t send marketing to vulnerable individuals, and to raise more funds, sooner, and more cost-effectively, than we otherwise would. It allows us to be more efficient with our resources, which donors consistently tell us is a priority for them, and to assess and improve our services more generally.

Please see the section on online advertising for information about how your personal data may be used in this context.

If you would prefer us not to use your personal data in this way, please contact our Operations Manager in writing at The Studio, 60 Glencoe Road, Bushey, WD23 3DS, or by email at [email protected]

building a profile

In order to create a profile for you, we (or our trusted service providers) may use the information which you give us and which we collect from external resources, such as social media, including information that is publicly available about you. We may also combine your information with data already held internally by The Together Plan.

This information may include:

• Information you give us / we collect from you such as name, age, gender, address, donation history, the events, campaigns and products you have engaged with, the results of any surveys you have completed for us, your volunteering status and any previous segmentation; and
• Information from external sources such as age, property prices and average earnings where you live, your job, directorships, your financial circumstances, networks, any previous donations you have made, your philanthropic interests (trusteeships and/or support to other charities), and your estimated wealth.

segmentation

We use, and may engage independent companies to use, software tools and predictive analytics to help us analyse who is most likely to donate to us and to more accurately target our engagement with you. These tools use data we already hold on you, but may also obtain data from external sources, such as GI, YouGov or Experian, to help with this assessment.

We may also use this information to help us determine whether and in what ways you might be interested in getting involved in our other fundraising activities.

Profiling allows us to understand the background of the people who support us and use our services and helps us to:

• ensure communications are relevant and timely, and to provide an improved experience to our supporters, for example, to send information about campaigns and events in your area (with your consent, where required);
• find potential new supporters and invite them to be involved in supporting our cause;
• determine whether and in what ways you might be interested in getting involved in our other fundraising activities;
• better tailor our services to our supporters, for example by sending tailored communications which may be of interest to you, and making appropriate requests to supporters who may be able and willing to give more than they already do; and
• to exclude people who may be vulnerable from marketing, for example, people living in care homes and minors (under 18s).

high value donors

We, like many other charities, carry out research in order to engage with suitable high value donors. This helps us identify people who have an interest in our cause and could potentially make a substantial donation.

We process personal information on existing and potential high value donors to help us preserve the past to build a better tomorrow. We can achieve this aim by increasing the number of people we engage with who have the capacity to give £10,000 or more to us in a single donation.

Researching potential high value donors enables us to focus our fundraising resources whilst ensuring that our requests for support are tailored to each individual. Our personalised approach helps us to provide the best possible donor experience that is aligned with an individual’s interests and capacity to give.

If you would prefer us not to profile you as explained below, please contact our Operations Manager in writing at The Together Plan, The Studio, 60 Glencoe Road, Bushey, WD23 3DS, or by email at [email protected]

identifying potential high value donors

We identify potential high value donors by:

• Carrying out research on donors who have given £1,000 or more to us.
• Asking our existing high value donors to give again.
• Inviting potential high value donors to attend our supporter events as a way of engaging them with us. We also identify potential new donors by researching event attendees who were previously unknown to us.
• Researching people who have not given to us in the past but who we believe may have a connection to our cause and have the capacity to give at a high level.
• Asking our donors and influencers to open up their networks to us.
• Asking our donors and influencers to introduce us to potential donors we have identified through our research and that they have a link to.

Our initial research is undocumented and involves some basic checks looking at publicly available information, e.g. using Google, a public LinkedIn profile and Zoopla.

We do not process health (or other special category) data at this stage, unless the individual in question has manifestly put it in the public domain (e.g. have themselves given interviews to media outlets or published articles/ public blog posts revealing this information). Fundraising teams do not have access to any information confidentially given to a The Together Plan staff member and we never use this information in any research into potential high value donors.

creating Research Profiles

If our initial research is promising, or if someone has donated £10,000 or more to us, we will create a research profile of the individual using information sources such as BoardEx, Companies House, Who’s Who, The Charity Commission, JustGiving and Twitter.

We also use these information sources to identify potential new donors who have previously given at a high level and may have an interest in our cause (e.g. we would search for someone who would be a good fit at a ‘Jewish Heritage’ event being hosted in Manchester). If we discover that someone in our network knows a potential donor that we have identified, we might ask them to facilitate an introduction.

We sometimes ask existing supporters whether they would be prepared to open their networks up to us. An existing supporter may tell us about an individual previously unknown to us and facilitate an introduction. In this scenario we would advise our existing supporter about our data responsibilities and ask them to ensure that the individual in question is happy for an introduction to take place. Following the introduction, we would direct the individual to this privacy policy and ask them to confirm how they would like to hear from us.

In the two scenarios above, we may create a research profile on someone who we have never had any contact with before. In this case, we plan to make contact within 90 days to tell the person about this privacy policy. If we attempt to make contact but are unable to do so, we will try again within the next 90 days and delete the research profile if we are still unsuccessful.

After we’ve created a research profile, we score potential donors under each of the following headings:

• Ability
• Interest
• Connections

These scores are an estimation of an individual’s capacity to give to us, their interest in giving to us and any links they have to our cause. This helps us to prioritise our resources and develop more relevant funding proposals as we seek to generate support for our important work.

lawful basis for processing

We rely on legitimate interests as our lawful basis for identifying, researching, and otherwise processing the personal data of our potential high value donors as set out above.

Our Fundraising and Events team foster long term relationships with our existing and potential donors. However, we are committed to only keeping data on individuals with whom we have an active relationship. We therefore remove the data captured in the ways described above if the existing or potential donor has not interacted with the Fundraising and Events team in the previous 7 full calendar years.

email tracking

When you receive an email from us, we may receive certain information about how you interact with that email.

The information we collect includes the number of times you have opened the email; if you have clicked links in the email; whether you have unsubscribed or marked the email as spam; whether the email has bounced; whether you have shared the information on social media, or forwarded it to friends.

We use this information to assess how successful our email campaigns are; to identify what you are interested in and target further marketing campaigns more accurately; to reduce the frequency with which we contact you if appropriate; and to remove you from our mailing lists where you have asked to unsubscribe.

We use an email service provider called ‘Campaign Monitor’ to do this.

Lawful basis for processing

We consider that we have a legitimate interest in carrying out email engagement tracking as this ensures you do not receive irrelevant or unwanted emails, as well as allowing us to use our resources and fundraise efficiently.

direct marketing

From time to time we may send you communications about our work and how you can help us, for example, information about our campaigns, volunteering, fundraising activities and how you can donate to us. We may also get in touch to tell you about events available in your area. Occasionally, we may include information from partner organisations or organisations who support us in these communications.

• We will only send you marketing information electronically (e.g. by email) if you have specifically agreed to us doing so. We rely on consent for this processing, and you can withdraw your consent at any time by clicking the ‘unsubscribe’ link in any of our messages to you.
• We may send marketing information by post or call you for marketing purposes, unless you have previously opted out or said that you don’t want to be contacted. We rely on legitimate interests for this processing, as we consider that we have a legitimate interest to promote The Together Plan to potential and actual supporters.

You can change your marketing preferences at any time by emailing [email protected] or calling us on 020 3375 0656.

If you ask us to stop sending marketing information we will update our records to stop further mailings as quickly as we can. However, you may still receive further mailings which were already in progress before you asked us to stop.

We use service providers, such as Campaign Monitor to send marketing emails on our behalf.

Please see the section on profiling for further information about how we decide what marketing to send to whom.

operational communications

From time to time we may contact you in relation to specific operational matters. For example, we may contact you about a query or complaint that you have raised, or an order you have made, or to remind you that we will call you back. Depending upon how you have contacted us, we may get in touch via phone, post, email, text message or social media.

We rely on legitimate interest to send you this type of communication, except where we are sending you text messages, in which case we obtain your consent.

We use service providers, such as Campaign Monitor, to send this type of email on our behalf.

online advertising

We advertise on Facebook, Instagram, and Google as well as some other online platforms. We also place adverts on other websites.

There are various ways that you may see our online advertising:

1. Advertising on particular types of websites – for example newspapers and magazines’ websites. This is ‘contextual advertising’ – we buy space on these websites and our adverts are shown based on other content displayed on the page: it is not targeted to particular individuals.
2. Advertising to people signed up with an online platform (such as Facebook or Google) based on what the platform knows about them, e.g. we may ask Facebook to show a particular advert to people interested in running events living around Birmingham, or men aged over 50 living in the North East of England in lower income brackets. We use this method to promote general awareness of The Together Plan, fundraising and information about the important work that we do. In the latter case we do not track individual responders, we keep a tally of how many people clicked through to our information page so we understand whether our advertising is effective. We also do not target individuals based upon any special category personal data (e.g. health data).We also use ‘Saved’ audiences to remember which supporters on Facebook are most likely to respond to our fundraising, campaigning and marketing requests.
3. Cookie based advertising. Advertising cookies (and similar technologies such as tags) can track your activity online. We have advertising cookies on our website: when you visit, you will be offered the option to accept or refuse these. If you accept them, these cookies will record information about how you interact with our websites and this information will then be used to serve you with relevant adverts on other sites such as Facebook or Pinterest based on the content that you have clicked on or interacted with.If you click to accept cookies for advertising, the information stored in these cookies may also be used to: create a ‘lookalike’ or ‘similar audience’ of people with similar interests and characteristics to the group of people who clicked on the same thing; or to send a remarketing message to you about the same thing you clicked on before. This helps us to ensure that our digital advertising campaigns are as cost-effective as possible. We only use this method for our fundraising campaigns. We rely on consent for this processing.Where our web pages use ‘third party’ cookies, such as Facebook cookies, we may act as a ‘joint controller’ with those third parties. Further information about how these third parties process your personal data, including how you can exercise your data subject rights in respect of such third parties, can be found in their respective privacy policies.

We track people’s interactions with our adverts so that we know when an individual has clicked on an advert. This allows us to measure the effectiveness of our campaigns, and also in some cases (as explained above) to make sure you see more adverts which are relevant to you.

Save where stated above, we rely on legitimate interests for this processing as we believe that we have a legitimate interest in identifying the most appropriate target audience for our advertising content, as this helps us to fundraise and to raise awareness of our work and ongoing projects more effectively and efficiently.

We have a strict policy for approving cookies and similar technologies, and will never permit cookies that collect any special category information. We do not share special category data with external companies such as ad tech providers or media brokers for targeted digital advertising purposes.

For more information on our use of cookies please see cookies and similar technologies and Our use of Cookies

journalists

We keep a database of journalists, which includes contact details and employers.

We believe the privacy impact on journalists is small and we only use this information to build relationships with journalists who can help us to promote our charitable aims.

We rely upon our legitimate interest in promoting our charitable aims for this purpose.

participating in a fundraising event

When you sign up to participate in one of our fundraising events, (or your team captain signs you up), we will ask you to provide certain information so that we can confirm your place, send you information about the event (and a The Together Plan t-shirt if you requested one!), and claim Gift Aid (if you choose to donate in this manner). We may also ask you for health information, for example whether you have particular dietary or access requirements.

For special events, such as The Together Plan dinners or quizzes, we will be the organiser and the controller. For some events (e.g. challenge events where you are raising sponsorship for us), we may take registrations on behalf of the organiser. When you are registering for these events, we will make it very clear who is the event organiser and if we are sharing the information you provide with the event organiser.

When you pay to enter an event, we may work with payment processors such as Stripe who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction.

If a third party is organising the event, then we will share your details with that third party.

If you have chosen to donate to us through Gift Aid, your full name and home address, and details of your donation will be shared with HMRC: if you do not provide this information, your Gift Aid declaration will be invalid.

Please see the section on payment processing and Gift Aid for further information.

Depending on the event, we may rely on performance of a contract or your consent to process your information to enable you to take part in the event, and to claim Gift Aid. We also rely on explicit consent where you provide us with health information, for example, to allow us to meet any special dietary or access requirements you may have.

We rely on our legitimate interest in raising funds for processing payments and for sending you information about the event.

making a donation

When you make a donation to us, we ask you to provide certain information so that we can process your donation (including setting up a direct debit where you choose to do so), claim Gift Aid (if you choose to donate in this manner), and, if appropriate, add you to our marketing lists (please see the section on direct marketing).

We work with payment processors such as Stripe (for one-off transactions) and GoCardless (for regular direct debit transactions) who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction.

If you have chosen to donate to us through Gift Aid, your full name and home address, and details of your donation will be shared with HMRC: if you do not provide this information, your Gift Aid declaration will be invalid.

We rely on your consent to claim Gift Aid, and on our legitimate interest in raising funds for processing payments. Please see the section on processing payments and Gift Aid for further information.

If you make a donation of above £1,000, we will provide your name to the Fundraising team who may carry out some basic research on you from publicly available sources such as Google, Zoopla and LinkedIn, to determine if your profile is of interest for our Fundraising programme. This research is undocumented, and it does not include searching for sensitive data or on social media platforms. We rely on our legitimate interest in identifying suitable high value donors for this processing activity.

If you make a high value donation, we will conduct additional due diligence on you, and may also profile you as part of our Fundraising programme (unless you have let us know that you would prefer us not to do this). This applies to donors who make donations of above £10,000, as well as for prospects who we are close to contacting for a donation. It also applies to any donor, prospect, volunteer or sponsor where there is a low-level public association with The Together Plan (e.g. where their name is mentioned in our Annual Report, or where the individual is a secondary sponsor of an event). We may also refresh our due diligence for previous givers.

We conduct due diligence because we have a legal obligation to ensure that we are compliant with money laundering law. However, we carry out further due diligence to ensure that there are no reputational or ethical risks associated with the donor or the donation. We consider that we have a legitimate interest in ensuring that our charity is not associated with persons or causes which could affect our reputation or contradict our values.

When and to the extent that we process Criminal Offence Data or Special Category Data, we will usually rely on the fact that you have manifestly made your information available in the public domain, or if you have provided us with your explicit consent to process such data.

becoming a supporter

You can sign up to be a supporter through The Together Plan website. If you sign up to be a supporter, we will add you to our database of supporters and you will be sent information and opportunities to get involved online and offline.

You may also receive information from our services and other ways you can help, including opportunities to donate, volunteer or fundraise (please see direct marketing). We may also send you information about other campaigns that we are involved in through a coalition or as a supportive organisation. However your details will never be shared with third parties.

We rely on your consent to process your information as a campaigner as explained above (to use it as the basis to send you targeted marketing).

When you make a purchase from us via our Archive Services or at an event, The Together Plan will be the controller of your personal data. Where you make a purchase from us via a third party auction site or sales platform (such as eBay or Etsy), The Together Plan will again be a controller of your personal data, but the relevant auction site or sales platform will also be a controller of such data, and you should refer to their privacy policies for information about how they use your personal data.

We ask you to provide certain information so that we can process your payment and deliver your item or service, and also so we can provide customer service. We may, where appropriate, add you to our marketing lists (please see the section on direct marketing).

You may also provide personal information directly to us when you get in touch with us about orders, refunds, complaints, etc.

If you choose to make a Gift Aid donation, then we will share your Gift Aid declaration and the information it contains with HMRC.

We work with payment processors such as Stripe who process your payment on our behalf. We never store your payment details, although we will receive certain information from the payment processors to allow us to match you to your transaction.

Please see the section on payment processing and Gift Aid for further information.

We rely on performance of a contract to process your personal information in order to fulfil your order. We consider that we have a legitimate interest in providing our customers with support, for example to let you know if your order has been delayed.

overview

When you sign up to an event, we collect personal information from you in order to sign you up for and to provide you with information about the event and to evaluate who is signing up for our events and the impact of the events. We may also, if appropriate, add you to our marketing lists (please see the section on direct marketing) so that we can send you information about other events or The Together Plan projects in the future.

If we are using an independent events organiser, we will share your information with them. It will be clear when you sign up who this events organiser will be. Your name will be shared with the venue to allow them to identify which visitors are part of our event.

third party companies

We sometimes use third party company event registration tools (e.g. Eventbrite), and online survey tools such as SurveyMonkey. Please check their privacy terms and conditions as some, such as Eventbrite, also collect certain information for their own purposes (such as their own marketing), and The Together Plan does not have control over this. Please contact us if you would like more information regarding events-related third parties.

We usually rely on performance of a contract to book you onto the event and to provide you with the details that you need to prepare for the event (unless there is no contract with you in which case we rely on our legitimate interests in increasing knowledge about the services we provide, or your consent). We rely on legitimate interests to evaluate who is participating in the event, and to assess the impact we are having, as it is important to us to understand how we can provide the best service possible.

We may also collect information about access and learning needs, and where an event involves food, any dietary requirements. This may involve us collecting and processing special category data, for example, if you tell us you have an allergy, or a health condition which requires us to make special arrangements. Where we process this type of information we rely on your explicit consent.

answering your queries and handling your complaints

When you contact us, whether by telephone, email, post or social media, with a query or a complaint, we will collect certain personal information from you (including contact details and why you are calling).

We use this information to provide you with advice and support, to find out the answer to your query (if we don’t already know), or to investigate your complaint (as appropriate), and also to create a record on our systems so that we have this available if you contact us again, and so we can follow up in relation to any outstanding issues.

We will usually rely upon our legitimate interests for these purposes: we believe that we have a legitimate interest in preserving cultural heritage (our core aim), including by raising awareness about cultural heritage, and in ensuring that any queries and complaints are quickly and appropriately dealt with as this is important for maintaining our reputation, which is important if we are to continue working with communities.

If you are calling us about a paid service (e.g. the Archive Service) or regarding a purchase from one of our third party auction sites or sales platforms, we may rely upon performance of a contract in some situations – for example, where we need to process your personal data to arrange the delivery of a product you have ordered. Please see the section on when you purchase from us online for further information.

overview

We have various websites and online resources, including The Together Plan website and other websites hosting blogs, recipes and more.

We may collect your personal information when you interact with our social media, including, with your consent where appropriate, automatically via the use of cookies and similar technologies. Please see below for more detailed information..

• When contributing to a discussion or engaging with us on social media, we strongly recommend you avoid sharing any information that can be used to identify you (such as your name, age, address, name of employer). We are not responsible for the privacy of any information that you post on social media or anywhere else on the internet.

referring to us online / on social media

We also scan social media and the internet for comments about us to find out what people are saying about our work and other questions of importance for us, which allows us to assess our effectiveness and to improve how we work (‘social listening’). We may use automated tools to detect such comments.

We conduct this type of research to better assess whether individuals consider that our services are relevant and effective. We find that people can be more candid on social media / online than in focus groups. We never use the results of such research to market to individuals.

We rely on our legitimate interests for this processing: we consider that we have a legitimate interest in ensuring that our services are relevant and efficient, and ultimately that the money we raise is used most effectively to preserve the past to build a better tomorrow.

Where special category data (usually health data) is concerned, we rely on the fact that this information has been manifestly made public by the individuals in question. We consider the privacy impact on individuals to be small.

interacting with our social media

We operate various social media accounts across multiple platforms (Facebook, Twitter, Instagram etc) in order to draw attention to our various services and events. When you interact with our social media (for example, by liking or sharing our content, or by becoming a member and/ or posting on one of our groups), we may collect personal information from you including your username, as well as any posts you make on our platforms. We may also moderate (or use a third party to moderate) your posts: this will be carried out to ensure that content is in line with our relevant terms and conditions (where applicable).

We rely on our legitimate interests for this processing as we consider that we have a legitimate interest in ensuring that our services are relevant and operating efficiently. To the extent that you choose to share any special category data in a post, such as health data, we rely on the fact that you have manifestly made public this information. When you message us privately we collect an explicit consent for our processing of special categories of data and provide you with a link to our privacy platform.

Where you post personal information on our page or on one of our public groups, your information is publicly accessible. Such information can be viewed online and collected by third parties. We are not responsible for the use of information by such third parties. When contributing to a discussion we therefore strongly recommend you avoid sharing any information that can be used to identify you (such as your name, age, address, name of employer).

Please note that the relevant platform will also act as a controller in relation to information you post on Facebook: please see their privacy policy for information about their use of your personal information. For example, Facebook’s privacy policy is available at https://en-gb.facebook.com/policy.php

Sometimes we will pay the social media platform to promote our online posts further. We do this in line with our approach to online advertising.

Donations on Social Media

Facebook and other social media platforms offer their subscribers the opportunity to donate to charity. If you create a fundraiser for The Together Plan and your profile is public, we may use this information in order to suggest ways to contact us about your fundraising and (where privacy settings allow) post a public thank you message. If you make a public donation through a social media platform, we may collect this information, upon request from the fundraiser, in order to send you a thank you message.

We consider that we have a legitimate interest in processing your donation, in contacting you about your fundraising, and in thanking you for any donation that you may make.

cookies and similar technologies

The Together Plan uses cookies (and similar technologies such as tags) on our website to make the website work, give you a more personalised web service, to target our advertising and to analyse the effectiveness of our content (for example, to establish how many people saw or liked certain content) (please see the section on online advertising for further information).

When you first visit our website, we will ask for consent to set any cookies (and to process any personal data collected by these cookies) which are not strictly necessary to make our pages work: you will be able to set your preferences at this stage. Where cookies are strictly necessary, we consider that we have a legitimate interest in processing the personal data they collect, as having a working website is vital to our work preserving cultural heritage.

You can always withdraw your consent by clearing cookies from the cache in your computer and rejecting them next time you visit our site.

We may also use similar technologies to identify when our emails are opened. This allows us to identify whether our marketing campaigns are effective and we consider that we have a legitimate interest in doing so.

For more information about our use of cookies and tags, different types of cookies, the information they collect and further information about how you can control the types of cookies that are placed on your browser, please see our use of Cookies.

becoming a volunteer at The Together Plan

When you visit the Volunteering page on our website, you can apply for volunteering opportunities by submitting a volunteering application form. We will need your name and email address to process your application, and if you agree, we will add you to our marketing database so we can keep in touch. Please see the section on direct marketing for further information.

When you apply for a specific volunteering opportunity via the website or by using hard copy documents, we will collect additional information about you in order to process your application and to allow us to determine whether you are suitable for the role. The information will vary depending on the role but this will always be clear from the application form. Please note that we will ask for references or conduct an ID check for most of our roles, as this helps us to confirm the identity of our volunteers and to build a better understanding of them.

For some roles, we provide specific training: we record attendance at training sessions as we need to make sure that all our volunteers have received appropriate training for any role they are undertaking. We will also record information about your performance of a given role – for example, if you are calling donors, we need to keep records of who you have called and when – and about all volunteering roles you have undertaken in the past. Where necessary for a given role, we may also record the date on which we saw an appropriate background check certificate.

If you are eligible to reclaim expenses associated with your role from us, we will process information about any expenditure, including amount and type of expense, as well as your name and bank account details, in order to determine whether your expenses should be refunded and to make any resultant payments to you.

We consider that it is in our legitimate interests to process your personal data in connection with your volunteering journey with us as described above, as this helps us to effectively preserve the past to build a better tomorrow.

contacting or interacting with The Together Plan

If you are interested in fundraising or volunteering for us and you are under 18, we may need to speak to a parent / guardian instead of, or before, speaking to you, and may need to record your date of birth so we know how old you are.

• 0-12 years old: If you are aged 12 or under, we will need to speak to your parent or guardian regarding your enquiry. We will not process any personal data about you. Any information provided will be recorded under the name of your parent / guardian.
• 13-15 years old: If you are between 13 and 15 years old, you must get your parent/guardian’s permission to contact us – we may need them to confirm this and that they are happy for us to speak with you about your query and to create a record on our database under your name. This record will contain information about your enquiry and may be linked to your parent/guardian’s record. We may ask for and record your date of birth so we know how old you are, and will not send you any marketing or carry out any processing that would require consent.
• 16-17 years old: If you are aged 16-17, then we may need to record your date of birth. We will only send you any marketing or carry out any processing with your consent.

We can talk to your parents over the phone or, if written permission is required, we can send forms by mail or electronically.

contacting us online

If you’re aged 16 or under, please make sure you have your parent/guardian’s permission before you provide any personal information on our websites: however you can always find out more about our projects or ask for online information.

contacting us by phone

All callers to our office line are asked for certain information such as their name and where possible, for anyone calling who is under 18, we would try to link to a parent’s account. However, you can choose not to give us these details and we can always direct you to online information and answer any questions you may have about our work and ongoing projects.

You should be aware that there are certain circumstances where we cannot guarantee confidentiality, for example, where we are subject to a legal obligation under safeguarding law. Please see our safeguarding policy for further information.

payments and donations

If you make a donation directly to The Together Plan, or pay for a service online, we will use a third party such as Stripe to process the payment. These payment processors will receive certain personal data about you (for example, your name, address and card details) to allow them to process your payment, and will provide us with information to allow us to match you to your transaction (which is necessary for our internal accounting, administrative and record keeping purposes). We may also share information with, or receive information from, these payment processors, as required to resolve any technical issues. We never store your payment details.

Where you donate to us via a third party platform such as JustGiving, we may receive certain information about the transaction, such as your name and the amount you have donated.

We have a legal obligation to keep records of transactions for tax purposes, and also to keep records of Gift Aid donations. We have a legitimate interest in being able to accept payments and donations, as this funding is vital to allow us to continue to raise awareness about the preservation of cultural heritage, and also to keep records of donations made to allow us to identify how engaged individuals are, as this allows us to ensure that our fundraising is effective.

We use a variety of payment gateways, including Paypal, Stripe, GoCardless and GiveWP (and, via GiveWP, ApplePay and GooglePay). These gateways may have their own terms and conditions or privacy policies, which they will share with you at the time you make your payment.

Gift Aid

If you choose to donate to us using Gift Aid, we ask you to complete a Gift Aid declaration which includes your name, home address, and a statement that you have paid at least the donation amount in Income Tax or Capital Gains Tax in that tax year and agree to Gift Aid being claimed.

We are required by HMRC to collect the information in this form in order to allow us to reclaim Gift Aid on your donation, and are legally obliged to keep a record of all declarations for 6 years.

We rely on your consent to process these Gift Aid declarations.

overview

We may also use your personal information for our own internal purposes. This includes to allow us to manage our IT systems (and to test / develop new systems), for internal training (for example, emails might be used to train our customer services team), to deal with legal claims or other issues, for statistical analysis and research, for security and access control, and for accounting, internal recordkeeping and auditing purposes.

In general, we consider that we have a legitimate interest to ensure that our internal processes are managed efficiently, and to ensure that we have the people, skills and systems in place to allow us to preserve the past to build a better tomorrow (our core aim).

We may also process your personal information where we have a legal obligation to do so, such as for Gift Aid record keeping purposes, or where we consider we have a legitimate interest in, for example, cooperating with law enforcement, regulators or the like.

Some areas we would like to draw your attention to are:

administering a Gift in Will

Where the charity is potentially the beneficiary of a Gift in Will, we will obtain the names and contact details of executors, a copy of the Will, and a grant of probate. We may also obtain contact details and data, including special category data such as health data, relating to other beneficiaries and third parties in order for us to engage in relevant correspondence to secure payment of a gift.

We consider that it is in our legitimate interests to take all steps necessary to ensure the safe receipt and use of the Gift in Will by the charity, in accordance with the donor’s wishes, as this allows us to continue to preserve cultural heritage.

Our Trustees have a legal obligation under the Charities Act 2011 and Trustee Act 2000 to take necessary steps to ensure full payment of Gifts in Wills and to ensure all funds left to The Together Plan are used to support the preservation of cultural heritage.

fraud detection and investigations

We consider that we have a legitimate interest in investigating suspected or alleged frauds, both inside and outside of the organisation. To the extent that such processing involves criminal offence data, we consider that this is necessary in order for preventing or detecting unlawful acts or to comply with regulatory requirements relating to unlawful acts or dishonesty.

Examples include investigations into false fundraising events, stealing collection boxes, interfering with banking (e.g. intercepting cheques or changing bank details), and stealing The Together Plan equipment. Internally, we may also investigate issues such as misuse of The Together Plan credit cards, inflating business expenses, or diverting electronic payments to incorrect bank accounts.

We may report our suspicions, any allegations and/or the results of our internal investigations to the police.

We will never sell your personal information.

However, to ensure that we provide you with the best service possible and that we use our resources as efficiently as possible, we make use of external expertise where appropriate. This involves us sharing your information with our trusted service providers who are authorised to act on our behalf and associated organisations who work on our behalf, or with whom we work with in partnership to deliver and improve our projects, for the purposes set out in this Privacy Policy. This includes organisations who fundraise on our behalf. Some of these organisations act as controllers (for example, banks or the Citizens Advice Bureau) and others as processors who act solely on our instructions (for example, mail service providers).

By way of example, we may:

• ask for your consent to share information in certain situations, for example, if we think that an external entity such as a bank, energy company, another charity or the Citizens’ Advice Bureau may be able to assist you with an issue that you have told us about;
• share your information with payment processors, such as Stripe, to allow you to make a donation, pay for entry to a event, or to pay for a service (e.g. the Archive Service); they will then share certain information about the transaction with us to allow us to keep appropriate financial records and to match you to the transaction (so we know you have paid) – please see processing payments and Gift Aid for further information; and
• share your information with mail service providers and fulfilment companies to allow us to contact you and to fulfil an order you have placed with us.

From time to time, we may also need, or be required, to share your information with law enforcement, public authorities, regulators and/or our professional advisers. We will only do so where we have a clear lawful basis for doing so.

You should be aware that there are certain circumstances where we cannot guarantee confidentiality, for example, where we are subject to a legal obligation under safeguarding law. Please see our safeguarding policy for further information.

For further details about data sharing, please see how we use your personal information.

Those entities with whom we share your information may be located in the EU and elsewhere in the world including the US, India and other countries with more lenient data protection rules than those in the UK. Wherever they are located, we only work with companies we trust to keep your information safe.

We will always seek to ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with applicable data protection laws. We usually rely on standard contractual clauses when transferring personal data to organisations located outside of the United Kingdom.

You can obtain further information, including a copy of the relevant data safeguard where this is documented by contacting us although some details may be redacted for confidentiality reasons.

The Together Plan is committed to protecting the security of the personal information you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.

For example, we use strict procedures and security features to prevent unauthorised access to your personal information.

However, although The Together Plan implements security for information on our website, please do remember that information transmission over the internet is inherently insecure, and we cannot guarantee the security of information sent over the internet.

We have a data retention policy which sets out how long we will keep your information for. In some cases the retention periods are governed by law, in other cases by best practice.

Most information will be kept for 3 – 10 years (usually 6 years), but the exact time frame will depend on the nature of the information. Notable exceptions are:

• Powers of attorney will be kept indefinitely in accordance with the Limitation Act 1980.
• We do not keep any card payment information.

If you would like more details about how long we keep your personal information, please contact us.