1.1 We are Mary’s Meals (company registration number SC265941 and charity number SC022140). We operate as Mary’s Meals UK and we have our registered office at Craig Lodge, Dalmally, Argyll, PA33 1AR ("we", "us" or "our"). We are committed to protecting and respecting your privacy.
1.3 For the purpose of the Data Protection Act 2018, (the "DPA") and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, (the "EU GDPR"), and the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), we are the data controllers and are located at Claremont Centre, Unit 6, 39 Durham St, Glasgow G41 1BS.
1.4 We comply with the DPA and the GDPR in respect of the collection, holding, storage, use, and processing of personal data about our supporters (such personal data is held in both manual and electronic records).
2. Personal data that we collect
2.1 Personal data
(a) We collect and use the following types of personal data about our supporters:
(i) personal information such as
- Postal address;
- Phone numbers (home, work and mobiles as applicable);
- Email address(es);
- Contact preferences;
- Information given when registering to use or completing forms on our website;
- Information on donations made;
- Information that our supporters give us – for example when making donations, such as bank account details for setting up regular direct debits, credit card details for processing credit card payments, employer details for processing a payroll gift, or taxpayer status for gift aid purposes;
- Information given when using our website;
- Information about a supporter’s employment, relationship to Mary’s Meals, or philanthropic interests;
- Information given when taking part in Mary’s Meals’ social media functions or on our website.
(ii) the marketing preferences of our supporters and whether and when consent to receive marketing communications has been given or withdrawn.
(iii) correspondence between supporters and ourselves (whether by telephone, e-mail or otherwise).
(b) We also collect and use certain technical information about our supporters’ visits to our website which may include, for example, internet protocol (IP) addresses, login information, browser type and version, pages accessed, files downloaded, full Uniform Resource Locators (URLs), clickstream to, through and from the website (including date and time), products viewed or searched for, page response times, download errors, length of visits to certain pages and page interaction information (such as scrolling, clicks and mouse-overs).
(c) We collect the personal information set out above directly from supporters. We may also collect this information indirectly, such as via third party fundraising platforms, such as Just Giving or events organisers; or from publicly available information such as print and media articles, charity websites and annual reports, corporate websites, public social media accounts, Companies House, financial sanctions, or counter-terrorism lists held by the UK government, or the Charity Commission. We only use publicly available, reputable sources, where someone would reasonably expect their information may be read by the public.
(d) Supporters don’t have to disclose personal data to us to browse the website or to use our social media sites, but supporters do need to provide us with certain personal data in order for us to provide them with certain services.
(e) The safety of children is very important to us. We do not knowingly collect the personal data of those who are under 16 years old without the consent of their parent or guardian. If you are under 16 please call us on 0800 698 1212 for further information.
4. How we use personal data
- Providing supporters with the products, services and information that they ask us for.
- Corresponding with supporters and recording any relevant communications.
- Sending fundraising and marketing information to our supporters.
- Keeping records of donations made and actions taken by our supporters.
- Claiming gift aid on donations.
- Analysing data so that we can identify supporters and tailor our activities so we can contact supporters in the most appropriate way, with the most relevant products and information, to provide a better experience.
- For the purposes of due diligence checks, fraud and credit risk reduction.
- Supporting volunteers.
- Recording campaigning activities by supporters.
- Performing our obligations under any contracts that we enter into with supporters.
- Telling supporters about changes to our services.
- Ensuring that content from our website is presented effectively for supporters and for their computers.
- Administering our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- Improving our website to ensure that content is presented most effectively for supporters and their computers.
- Allowing supporters to choose to take part in interactive features of our services.
- Keeping our website safe and secure.
- We may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Twitter). This could involve showing you an advertising message where we know you have a Mary's Meals account and/or have interacted with our website.
We use direct marketing to let you know about our work and how your support makes a difference, and to ask for other support. We'll send you direct marketing by post unless you indicate that you don't want to hear from us this way. We send these communications on the basis of it being within our legitimate interests to do so or if you've consented to receive this. We'll also send you direct marketing by e-mail, SMS and phone if you've consented to hear from us this way. We'll always respect your preferences and endeavour to send you information that you’ll find interesting, in the format you prefer.
We may use additional external sources of data to increase and enhance the information we hold about you, to tailor our activities, identify potential significant donors or volunteer fundraisers, and potentially to make decisions on the acceptance of donations. This information may also be used to better understand charitable interests, capacity for philanthropic support, connection to our work, and for due diligence purposes.
4.2 We will only retain your personal information for as long as required to fulfil the purposes set out above, where it is required for legal, tax or accounting purposes, or where we notify you otherwise. If you object to the retention of your data, see the ‘individuals’ rights’ section below.
5. How we share personal data
5.1 We will share supporters’ personal data with Mary’s Meals International Organisation (company registration number SC488380 and charity number SC045223), which has its registered office at Craig Lodge, Dalmally, Argyll PA33 1AR ("MMI") in their role as the provider of the Mary’s Meals supporter database platform. MMI will only access personal records of supporters if requested to do so by us, to assist us in the delivery of our services. Beyond this, we will only share supporters’ personal data if:
(a) we or MMI are working with partners whom we or MMI have carefully selected to carry out work on our behalf, such as service providers and sub-contractors (for example, IT services providers and providers of technical, payment and delivery services) to perform any contract we or MMI enter into with them. The kind of work we or MMI may ask them to do includes processing, packaging, mailing and delivering purchases, answering questions about us and any services we provide, carrying out research or analysis to assist us in our mission and processing credit card payments.
We and MMI only choose partners we trust and only pass personal data to them where they have undertaken to keep your personal data secure. We do not allow, and we ensure that MMI does not allow, these partners to use your data for their own purposes or disclose it to other third parties and we will take all reasonable care to ensure that such partners keep your data secure; or
(b) we are legally required to do so e.g. by law or by an order of a court of competent jurisdiction.
5.2 We occasionally participate in advertising such as Google’s Remarketing and Facebook’s “Custom Audience” targeting which enables us to display adverts to our existing supporters via Google and Facebook. We provide personal information such as your email address to Google and Facebook to enable them to determine if you are a registered account holder. Our adverts may then appear when you access Google, Facebook and on your Facebook feed. Your data is sent in an encrypted format that is deleted by Google and Facebook if it does not match with a Google or Facebook account.
6. Legal basis for processing personal data
We rely on various legal bases to justify our processing of supporters’ personal data. Further details of these are set out below.
(a) The supporters have given their consent to the processing of their personal data for the specific purposes mentioned above.
(b) The processing is necessary for our legitimate interests. These legitimate interests include processing, packaging, mailing and delivering purchases, answering questions about us and any services we provide, carrying out research or analysis to assist us in our mission and processing credit card payments.
(c) The processing is necessary to perform a contract to which the relevant supporters are parties or to take steps that they have asked us to take before entering into a contract, such as buying a book or a DVD or requesting a free film screening pack about our work.
(d) The processing is necessary for us, as the data controller, to comply with our legal obligations, such as sharing personal data where we are legally required to do so e.g. by law or by an order of a court.
7. Where we transfer and store personal data
7.2 All information that supporters provide to us is stored on our secure servers and/or on the servers of our suppliers who we have engaged to host various IT systems for us. Any payment transactions will be encrypted using TLS technology. Where we have given supporters (or where they have chosen) a password which enables them to access certain parts of our website, they are responsible for keeping this password confidential. We ask them not to share this password with anyone.
7.3 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect supporters’ personal data, we cannot guarantee the security of data transmitted to our website; any transmission is at supporters’ own risk. Once we have received personal information, we will use strict procedures and security features to try to prevent unauthorised access as far as possible.
7.4 Our mission is to enable people to offer their money, goods, skills, time, or prayer, and through this involvement, provide the most effective help to those suffering the effects of extreme poverty in the world’s poorest communities. We will keep supporters’ information only for as long as they engage with us in any of the above ways, and only as long as we need it:
(a) to administer their relationship with us;
(b) to comply with the law; or
(c) to ensure we do not communicate with supporters who have asked us not to.
To assist us in this process we will review on a regular basis the personal data of supporters that we collect and hold to ensure that such data is only kept for an appropriate length of time.
8. Individuals’ rights
(a) Access. We will confirm to supporters whether or not we are processing and using personal data about them, at their request and, if so, provide them with access to and a copy of such personal data and the other details to which they are entitled.
(b) Rectification. We will correct any inaccurate personal data and complete any incomplete personal data (including by providing a supplementary statement) that we hold about supporters without undue delay at their request.
(c) Prevention of processing likely to cause damage or distress. We will respect our supporters’ rights to require us to cease or not to begin processing their personal data for a specific purpose, or in a specific way, that is likely to cause unwarranted damage or distress, either to the relevant individual or a third party.
(d) Erasure. We will erase personal data concerning a supporter at their request without undue delay in certain circumstances, (for example, among other things, if their personal data is no longer needed for the purposes for which it was collected or otherwise used).
(e) Restriction. We will restrict the processing of supporters’ personal data in certain circumstances (for example, among other things, if they believe that their personal data held by us is inaccurate), if requested by them to do so.
(f) Data portability. We will respect the rights of supporters to receive personal data about them that they have provided to us in a structured, commonly used and machine-readable format and to transmit such personal data to another data controller without hindrance from us in certain circumstances.
(g) Right to object. We will respect the general rights of supporters to object to the processing of their personal data in certain circumstances.
(h) Right to object to marketing. We will respect supporters’ rights regarding use of their personal data for direct marketing purposes. In particular, we will not begin or we will cease processing any personal data of individuals for direct marketing purposes if at any time individuals ask us not to do so. Individuals can stop targeted advertising messages on third party sites by amending their preferences by emailing DataProtection.UK@marysmeals.org
(i) Automated individual decision-making, including profiling. Where requested, we will not make decisions based on automated processing, including profiling and we will ensure that you can always obtain a review by one of our staff members of any automated decisions and are able to express your point of view and contest any such decisions.
We will not make any automated decisions based on sensitive personal information unless we have obtained your explicit consent to do so, or this is otherwise necessary for substantial public interest reasons based on applicable law.
8.2 We will process all personal data in line with supporters’ rights in each case to the extent required by and in accordance with applicable law only (including, without limitation, in accordance with any applicable time limits and requirements regarding fees and charges).
8.3 We will respect supporters’ rights regarding use of their personal data for direct marketing purposes. In particular, we will not begin or we will cease processing any personal data of individuals for direct marketing purposes if at any time a supporter asks us to stop.
9. Contact and complaints
9.3 We are not a ‘public authority’ as defined under the Freedom of Information Act 2000 and we will not therefore respond to requests for information made under that Act.