1. Who are we?
The Association of Charitable Foundations (ACF) is a registered charity (charity no. 1105412) and a registered company (company no. 5190466). Our subsidiary trading company is ACF Conferences and Seminars Ltd (company no. 3902450). ACF is registered with the Information Commissioner’s Office (ICO) with registration number Z9332941.
When we refer to “we” or “us” in this privacy notice, we mean ACF and/or ACF Conferences and Seminars Ltd
2. Contact us
If you have any questions about this privacy notice or about how we use your personal data, please contact us:
by email at [email protected]
by telephone on 020 7255 4499
by post at ACF, Toynbee Hall, 28 Commercial Street, London E1 6LS
If we are unable to resolve any issues you may have, or you would like to make a further complaint, you can contact the ICO (www.ico.org.uk).
When a charitable foundation applies to become a member of ACF, we ask for details of a primary contact person at the organisation (including their name, job title, and contact telephone number).
We use this personal data to keep in touch with the primary contact about the application.
We always keep details of a primary contact person at each member organisation. If the primary contact leaves, we will ask for details of a replacement primary contact. We send service emails to the primary contact. Service emails include:
- membership administrative information, such as notification of when the organisation’s membership subscription is due to expire and renewal information; and
- notice of our AGM.
You cannot opt-out of receiving service emails as they contain important information about your membership of ACF.
We also send regular membership information and updates to the primary contact by email, and to any other individuals at the member organisation who choose to receive mailings, including:
- Funders’ News monthly member newsletter;
- quarterly membership benefits update;
- events bulletin and information about events, including our annual conference;
- information about ACF networks and invitations to (and reminders for) network meetings;
- policy briefings, report launches, and news updates;
- requests to take part in surveys, focus groups, consultations or other market research.
If you choose to participate in one of our networks or policy forums, we will also send you emails with information relating to those groups.
You can opt-out of receiving membership information and updates at any time by clicking the ‘unsubscribe’ link in the email. You can also change your communications preferences in your member area on our website www.acf.org.uk or contact [email protected].
If you get in touch with us to enquire about your organisation becoming a member of ACF, we will ask for your contact details so that we can keep in touch with you. We may send emails relating to the work we are doing, events that are coming up, and membership of ACF.
If you work at a charitable organisation that we think might be interested in becoming a member of ACF, we may email you to let you know about the work that we do and our membership benefits. We use publicly available sources to find your contact details, such as your organisation’s website.
If your organisation ceases to be an ACF member, we will continue to keep in touch with you to let you know about our events, publications, and membership offers. You can unsubscribe from these emails at any time by clicking the ‘unsubscribe’ link in the email or by sending an email to [email protected].
If you sign up to attend one of our events, we will ask you to give us your contact details. Depending on the type of event, we may also ask you to let us know if you have any access or dietary requirements.
Sometimes, we receive your personal data from a third party, for example, if you sign up to an event that we are hosting jointly with another organisation.
We use this personal data to register you for the event, to send you email confirmation of registration, and to send event reminders and event information to you. We may share this personal data with third parties (such as the venue we are using for the event or any third-party hosting the event with us) in order to make arrangements for you to attend the event and to admit you to the event.
We include information about attendees in our event participant packs. We will usually include your name, your job title, and the organisation that you work for. Please let us know if you do not want us to include your details in event participant packs.
We sometimes take photographs and videos at our events for use on our website, social media accounts, and other ACF publications. We will always let you know if we are filming or taking photographs and you can speak to any ACF representative at the event if you have questions or concerns.
After the event we will usually send you a follow-up email, which may include materials from the event (such as a copy of the presentations or papers) and a request for feedback about the event.
We will continue to keep in touch with you by email to let you know about future events that we think you might be interested in. You can unsubscribe at any time by clicking the ‘unsubscribe’ link in the email or by sending an email to [email protected]
5. Our websites
We collect information about you when you visit our websites:
technical data such as your internet protocol (IP) address, your login data, browser type and version, operating system, and other technology on the devices you use to access the website;
profile data such as your username and password; and
usage data, including information about how you use the website.
We also collect personal data via our websites if you fill out a form on the site, follow a link on the site to complete a survey (e.g. when you take our Stronger Foundations self-assessment via Survey Monkey), or submit an application through the site.
Our websites are not intended for children and we do not knowingly collect data relating to children.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. When you leave our website, we encourage you to read the privacy notice of every website you visit.
6. Non-members and stakeholders
Some of our networks and policy forums are open to non-members, including the Funder Commitment on Climate Change and Funders Collaborative Hub. If you choose to participate, we will send you emails with information relating to those groups or networks. You can opt-out of receiving these emails at any time by clicking the ‘unsubscribe’ link in the email or by contacting [email protected].
As part of our advocacy work on matters of high priority to our members, we keep a record of key contacts at member organisations, political parties, umbrella bodies, think tanks and other relevant stakeholders. We only ever collect this personal data if the person gives it to us directly or if it is publicly available (e.g. the person’s name and email contact details are on the organisation’s website). We use this personal data to send email communications about matters of policy and practice affecting trusts and foundations to people who we think may have a professional interest in those issues.
Our lawful basis for using your personal data
We always have to have a valid reason to use your personal data. This is referred to as our “lawful basis for processing”.
We use the legitimate interests lawful basis for most of our data processing activities. This enables us to use your personal data in ways that you would reasonably expect. We only ever use your personal data in this way if the law says we can and if we are satisfied that our use fits with your privacy rights. Our legitimate interests include:
sending emails to you in connection with your membership application, your membership benefits, or your membership subscription;
sending emails to contacts at member organisations about the networks or policy forums they have joined;
sending emails to people who have signed up to attend events to confirm registration, give them information about the event, and to send post-event information;
using photographs or video footage from our events, for example, on our social media accounts or our websites;
sending emails to non-members who have joined our networks or policy forums;
keeping in touch with business contacts at Charitable Foundations or other interested stakeholders to let them know about the work that we are doing, our events, and membership information;
using replies to surveys or questionnaires for research purposes;
considering and responding to any query or complaint that we receive and keeping a record of correspondence;
ensuring that the content of our websites is presented effectively for you and the device that you use to access the sites; and
for internal operations, including troubleshooting, information analysis and testing.
We sometimes use personal data if it is necessary for us to comply with a legal obligation, for example, to retain financial records for the minimum period required by law, or where it is necessary to perform a contract that we have with you (or to take steps to enter into a contract with you), for example when you pay to attend one of our events.
We will ensure that we have an additional lawful basis if we collect and use any more sensitive “special category personal data” about you. Information that you provide about your access or dietary requirements in connection with an event may include data about your health or your religious or philosophical beliefs. If you choose to give us this information, you consent to us using it for the purposes described in section 4 above. We may also keep a record of special category personal data about stakeholders (e.g. information about someone’s political opinions or trade union membership) if the individual has given us consent or if they have made the information public (e.g. by standing as a member of parliament for a political party). Consent can be withdrawn at any time by contacting [email protected].
7. Data retention
Our current policy is to delete or destroy (to the extent we are able to) the personal data that we hold about you in accordance with the following retention periods:
|Type of personal data
|Standard retention period
|Records relating to membership services
|8 years from the end of the tax year to which the records relate
|Records relevant for accounting and tax purposes
|8 years from the end of the tax year to which the records relate
|Personal data relating to a contract between you and us
|7 years from either the end of the contract or the date you last used our service
|Personal data held on marketing or business development records
|2 years from the last date on which you last interacted with us
|Health and safety records
|Not less than 10 years
|Information about access or dietary requirements provided in connection with an event.
|No longer than 2 weeks after the event.
For any category of personal data not specifically mentioned in the table above, and unless otherwise required by law, our standard retention period for will be 7 years from the date of receipt by us of your personal data.
Our standard data retention periods may be extended, for example, if we reasonably believe that the personal data will be needed in connection with a legal claim or an investigation.
8. Sharing your personal data
We may share your personal data with third parties, where we are satisfied that it is fair and lawful to do so. For example:
if we are hosting an event jointly with a third party or if we are using an external venue to host an event and we need to share some personal data with them to register your place at the event or to admit you to the event;
when we use a third party to provide technical support to us, such as a payment provider or bulk mailing service;
if we are under a duty to disclose or share your personal data in order to comply with a legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
where we need to share your personal data with a regulator, for example, making returns to HMRC or reports to the Charity Commission;
in order to enforce any applicable terms and conditions or agreements;
to protect our rights, property and safety (or the rights, property and safety of our users or any other third parties) for example, sharing information for the purposes of fraud protection and credit risk reduction;
when we need to share personal data with our professional advisers, for example, our accountants, auditors, bankers, insurers and lawyers;
as part of any transfer, reorganisation or merger of parts of our organisation or our assets.
Whenever we share your personal data with a third party we will take steps to ensure that your privacy rights continue to be protected.
We have in place security measures to safeguard your personal data and to protect against unlawful access and accidental loss or damage:
our servers are protected by hardware and software firewalls;
our information storage facilities are in secure locations;
we encrypt all information stored on our server with an industry standard encryption method that encrypts the information between your device and our server so that, if your network is insecure, no information is passed in a format that could easily be deciphered;
we regularly back up and encrypt all of the data that we hold;
we dispose of personal data securely;
our employees are aware of their privacy and information security obligations; and
we take steps to ensure that employees of third parties working on our behalf are aware of their data protection obligations.
The transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our websites.
10. Transferring your personal data outside the UK
Some service providers that we work with transfer personal data to countries outside the UK.
Depending on which of our services you use, this could include:
Advanced Solutions International (Europe) Limited (ASI) who provide the iMIS software that we use for our customer relationship management (CRM) database — ASI staff in Australia and the US may access personal data stored in our CRM in the UK from time to time (for example, to provide out-of-hours technical support).
Mailchimp — when we use Mailchimp for bulk mailing, email recipients’ personal data will be transferred to Mailchimp’s servers located outside the UK, including in the US.
Survey Monkey — when we use Survey Monkey for feedback surveys or questionnaires, any personal data that you provide in your response to the survey will be stored by Survey Monkey on their servers in the US.
Whenever we transfer (or permit the transfer of) your personal data to a country outside the UK, we put measures in place to protect your data. If the level of data protection in the other country is lower than in the UK, we put in place a binding legal agreement with the recipient of your personal data to ensure that it continues to be protected (most commonly, the UK Standard Contractual Clauses).
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive.
Our websites use the following types of cookies:
strictly necessary cookies — cookies required for the operation of our website (for example, cookies that enable you to log into secure areas of our website);
analytical or performance cookies — cookies which allow us to recognise and count the number of visitors to our websites and to see how visitors use the sites. These cookies help us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for;
functionality cookies — cookies that recognise you when you return to our websites. This enables us to personalise our content for you, greet you by name and remember your preferences;
targeting cookies — cookies that record your visit to our websites, the pages you have visited and the links you have followed. We use this information to make our website and the advertising displayed on it more relevant to your interests.
You can set your cookie preferences by adjusting the settings in your web browser (the “Help” menu in the toolbar of most web browsers will tell you how to change your browser’s cookie settings or to disable cookies altogether). If you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our sites.
12. Your privacy rights
You have the right to:
- Request access to your personal data (commonly known as a subject access request). This
enables you to receive a copy of the personal data we hold about you and to check that we
are using it fairly and lawfully.
- Ask us to correct personal data that we hold about you which is incorrect, incomplete or
inaccurate. Please let us know as soon as possible if your personal details change.
In certain circumstances, you also have the right to:
- Ask us to erase your personal data from our files and systems where there is no good
reason for us continuing to hold it.
- Object to us using your personal data to further our legitimate interests (or those of a third
party) or where we are using your personal data for marketing purposes.
- Ask us to restrict or suspend the use of your personal data, for example, if you want us to
establish its accuracy or our reasons for using it.
- Ask us to transfer your personal data to another person or organisation.
You also have rights in relation to any automated decision making which has a legal effect or otherwise significantly affects you. At this time, we do not make any decisions based solely on automated processing (including profiling), which significantly you.
If we have asked for your consent to use your personal data, you will always have the right to withdraw your consent.
If you wish to exercise any of these rights, please get in touch with us using the contact details in section 2.
We will endeavour to respond to requests without delay and within the timescales set by the data protection legislation. We may contact you to ask you for further information in relation to your request to speed up our response.
We may also sometimes need to request further information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
13. Changes to this privacy notice
We will post details of any changes to our policy on our website to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.