PRIVACY POLICY

We have updated our Privacy Policy in accordance with the GDPR.

Taking Pictures, Changing Lives (“Taking Pictures, Changing Lives”, “we”, “us”, “our”) is committed to protecting your privacy and this Privacy Notice sets out what personal data we collect, how we collect it, what we use it for and who we share it with.

By “personal data” we mean information about you which could identify you such as your name and contact details, your donation history to us, and also information about your connection with and interest in our work (e.g. ‘introduced to us by John Smith’ or ‘born in Kenya’ or ‘invited us to speak at his event’ or ‘went on trip to Uganda'). This is so that we can send you relevant updates and invite you to relevant events. Personal data does not include data where you can no longer be identified from it such as anonymised aggregate data.

For the purposes of data protection legislation, Taking Pictures, Changing Lives is considered the “data controller” of personal data processed in connection with this Privacy Notice. This means that we are responsible for deciding how we hold and use personal data about you.

Our address is Taking Pictures, Changing Lives Foundation, ℅ GivingWorks, 65 Leadenhall St, London EC3A 2AD. Should you have any questions about this Privacy Notice you can contact us at the above address.

This Privacy Notice applies to personal data about you that we collect, use and otherwise process when you visit our website, attend an event, are introduced to us by an existing supporter or otherwise share your data with us. We may provide supplemental privacy notices on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. Those supplemental notices should be read together with this Privacy Notice.

What information do we collect about you and what do we use it for?

The types of personal data about you we may collect, store and use are set out in the table below and in each case we have specified what we use it for and our ‘lawful basis’ for processing it. The law specifies certain ‘lawful bases’ under which we are allowed to use your personal data. Most commonly, we will rely on one or more of the following lawful bases for processing your personal data:

Where we need to perform the contract we have entered into with you
Where we need to comply with a legal obligation
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
Where you have consented to us doing so

  
      Description
      Why is the data
        held and what is it
      used for
      Basis for
      processing data
      Who holds the data
        and who can
      access it?
      What security
        controls are in
      place?
    

      Supporter name
        and email address in Mailchimp
      Sharing our stories,
        reports, event
      invitations etc
      Consent. Direct Marketing is defined
        by the ICO as any
        material which
      promotes the aims and objectives of
      the organisation
      and direct
      marketing by email
      always requires
      consent, under
      ePrivacy laws.
      Only Taking
        Pictures,
        Changing Lives
      employees can access
      data, using
      login/password.
      All Taking Pictures, Changing Lives
        users have own
        accounts with
        unique password.
      
        

        

        Mailchimp holds all
      data securely with
      high levels of
      security protection.
    

      Donor/ Supporter
        contact info and
        donation history,
        also in Mailchimp
      (used as our CRM).
      So that we can
        thank, report back
        to and engage with
        supporters
        appropriately, eg
        sending literature,
        event or meeting
        invitations and
        fundraising appeals.
        We will also add
        some ‘leads ’and
        ‘contacts’ to
        Mailchimp if they are
        introduced to us by
        an existing
        supporters, but we
        do not add them to
        bulk email
        campaigns without
        consent. We would
        only send them
      personal messages.
      Legitimate interest.
        We believe our
        supporters would
        reasonably expect
        us to keep records
        of their engagement
        with us, send them
        reports, thanks or
        new appeals. We
        also believe a
        person (including a
        Trust, Foundation or
        Corporate) would
        reasonably expect
        to be emailed
        personally (not
        Direct Marketing)
        after (for example)
        making a gift or
        attending an event.
        We do not believe
        this infringes their
        interests, rights or
      freedoms.
      Only Taking
        Pictures, Changing
        Lives employees
        can access
        data, using
        login/password.
        Occasionally
        consultants or
        volunteers might be
        given access to our
        CRM for a specific
        purpose but only
        after signing the
        Data Protection
        Policy and their
        account would be
        disabled after
        terminating the
      contract.
      All Taking Pictures, Changing Lives
        users have own
        accounts with
        unique password. 

        

        Mailchimp holds all
        data securely with
        high levels of
      security protection.
    

      Brief notes of
        subject’s
        relationship with
        Taking Pictures,
      Changing Lives
      So that we can
        engage with our
        supporters
      appropriately.
      As above
      As above
      As above
    

      Google Suite -
        supporter / contact
        names and email
        addresses will be in
        our Gmail accounts
        and in some docs
      on the GDrive
      We use Gmail for
        emailing supporters,
        partners, potential
        supporters etc. We
        store copies of
        thank you letters,
        grant application
        letters, reports etc
        in the Drive which
        will inevitably
        contain some
        personal contact
      details / data.
      Legitimate interest.
        We believe people
        understand that we
        may email them
        personally when we
        have reason to
        believe they are
        interested in our
        work (NB not via
        DM campaigns but
        personally). We also
        believe people
        understand that
        correspondence,
        reports etc are
        often archived
      electronically.
      As above
      All Taking Pictures, Changing Lives
        users have own
        accounts with
        unique password.
        Google holds all
        data securely with
        high levels of
      security protection.
    

Please note that we may use your personal data without your knowledge or consent, in compliance with the above rules, if we are required by law to do so or if we reasonably believe that it is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.

What if you do not provide the personal data we request?

If you do not provide us with certain information when requested, we will not be able to keep you updated on our work, invite you to events etc.

Change of purpose

We will only use your personal data for the purposes for which we collected it (as identified above in the What we use this data for column), unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

In addition to the personal information that you submit to us, we may collect aggregated data generated by our systems and third parties (Google Analytics) to assess site usage and performance. This type of data and analysis does not track or store any personally identifiable data and is collected using the following technologies:

Web Server Logs - Our web servers may collect certain information such as IP address, pages visited, time of visits, and referring website.

Cookies - Cookies are simple text files stored by your web browser that provide a method of distinguishing among donors and visitors to the website. Taking Pictures, Changing Lives uses cookies to identify your browser as you visit pages on the Taking Pictures, Changing Lives website - www.changinglives.photo.

How do we use cookies?

Please read our cookie policy.

How do we collect this information?

We typically collect personal data about you when you sign up to our mailing list (name, email address), make a one-off or regular gift (name, contact details, bank details if you choose to give via direct debit or standing order), attend an event (name, email address) or are introduced to us by an existing supporter.

In addition, we may receive personal information about you from third parties, such as StartSomeGood.com if you choose to make a donation using these platforms.

With whom will we share your information?

We may share your personal data with third parties where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.

We will need to share your personal data with others including (for example):

Event venues which require a guest list, food allergy information etc
Your data may be held electronically by Mailchimp (our email-list and donor database provider), FreeAgent (our accounting software provider), Google (our email provider and also used for storing our electronic documents and archives), Slack (our instant messaging service) and Santander bank (our bank),

All our third-party service providers are expected to take appropriate security measures to protect your personal data in line with our policies.

We may need to share your personal data with a regulator or to otherwise comply with the law or a judicial process. We may disclose your personal data if we are required by law to do so or if we reasonably believe that disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.

Some of the third party platforms we use eg Google, Mailchimp are headquartered in the USA and thus your data, held on their servers, may be deemed to be transferred to the USA. There is no adequacy decision by the European Commission in respect of the USA which means it is not deemed to provide an adequate level of protection for your personal data.

However, to ensure that your personal data does receive an adequate level of protection we have ensured that all of these third parties have clauses in their privacy policies or terms and conditions committing themselves to ensure that your personal data is treated in a way that is consistent with and which respects the EU and UK laws on data protection. If we become aware of a data breach, we will report it in accordance with the regulations.

How long will we retain your information?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

If you are on our mailing list (Mailchimp), we would keep your data on Mailchimp until you unsubscribe or otherwise request to be removed from the list. We may periodically ‘clean’ the mailing list of email addresses which ‘bounce back’ or subscribers who have not opened an email from us for a long time, in which case your data might be removed from the list as we would assume you were no longer interested in hearing from us. Of course you could re-subscribe at any time.

If you are a donor to Taking Pictures, Changing Lives or have been invited to one of our events, we may keep your data on Mailchimp (our CRM) indefinitely, even if you stop giving, because we use it for statistical analysis which guides our strategic decisions (eg which events have been best attended, what trends can we see in regular giving, which part of the country do most of our supporters come from etc - this helps us work out where to invest our limited fundraising resources). However, if you request to be removed from the CRM, of course we would do so. We would also cease sending you updates about our work if you requested / opted-out. If you had not made a gift for several years, we may assume that you are no longer interested and cease sending you updates etc even if you have not opted out.

Your rights in relation to your information

It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes during your relationship with us.

You have rights as an individual which you can exercise in relation to the information we hold about you under certain circumstances. These rights are to:

Request access to your personal data (commonly known as a “data subject access request”) and request certain information in relation to its processing
Request rectification of your personal data
Request the erasure of your personal data
Request the restriction of processing of your personal data
Object to the processing of your personal data
Request the transfer of your personal data to another party.

If you want to exercise one of these rights please contact us (contact details above).

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Fees

You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us (contact details above). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) you originally agreed to unless we now have an alternative legal basis for doing so.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website and notify you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

Links

Our website may contain links to other Web sites. Please note that when you click on one of these links, you are entering another site that is governed by that site’s privacy policy.

IT Security

As so much of the data Taking Pictures, Changing Lives holds is held electronically, it is important to ensure that it is held securely. Taking Pictures, Changing Lives staff all use their own personal Mac laptops for work and inevitably travel with them. Staff also access Gmail emails on their phones and this IT security policy applies to all devices used for work. All staff must (source):

Update your operating system and applications regularly
Keep your computer firewall switched on
Ensure your phone is also protected against malware
Store work files in the Googledrive which is protected and backed up by Google
Don’t use an administrator account on your computer for everyday use - use your own log in details
Make sure your computer and phone logs out automatically after 15 minutes maximum and requires a password to log back in
Do not set any applications (Gmail, Mailchimp etc) to open automatically - ensure you key in the password every time
Change default passwords and PINs on computers, phones and all network devices
Don’t share your password with other people or disclose it to anyone else
Don’t write down PINs and passwords next to computers and phones
Use strong passwords - at least three of upper and lower case letters, numbers and symbols, at least 8 characters long, change them regularly, and don’t use the same passwords repeatedly
Be wary of fake websites and phishing emails
Don’t click on links in emails or social media
Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website
Don’t use pirated software
Take particular care of your computer and mobile devices when travelling.

If you have any questions, concerns, requests, or comments about privacy, you can contact us by email at: hello@changinglives.photo

Effective: 20 March 2024