Definitions
This is AP Foundation’s Privacy Policy. It sets out how we use and look after your personal information.
Specifically, it sets out how we comply with UK data protection law, including:
- The General Data Protection Regulation 2016/679 (“GDPR”);
- The Data Protection Act 2018 (the “DPA”); and
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
Who are we?
In this policy, the term “AP Foundation” refers to:
- AP Foundation CIO Limited, a company limited by guarantee (with company number 1188886) – which we refer to as “T5T1”.
If you have any questions about this policy please contact T5T1’s Data Protection Officer at AP Foundation, 277 Gray's Inn Road, London, WC1X 8QF or DPO@apfoundation.co.uk.
When do we process your personal information?
If you fill in our AP Foundation Get Support Online Form, or similar online forms, or call us through our number 0300 365 4533.
For more information on this please see our Giving Information page.
However, there are other circumstances in which we will obtain personal information from you when you use our services or website, or interact with us. For example, when you:
(i) enquire about our activities;
(ii) register on our website;
(iii) subscribe to our e-newsletter;
(iv) volunteer with us;
(v) make a donation to us; or
(vi) otherwise provide us with personal information.
We may also receive information about you from third parties.
In using our services, you might also provide us with information about an offender, potential offender, victim or other person.
Additionally, we run specific lines for partner organisations who are looking to prevent or detect crime in a specific industry or area, such as insurance fraud or immigration (“Bespoke Lines”). We don’t collect your personal details from these lines by default but, if you wish to supply any details about yourself, you can - and that information will be passed on to the relevant partner body. Further details about the recipient organisation(s) may be provided to you when you call us.
We provide additional technical services, such as the Integrity Line, which provides ‘whistle-blowing’ lines for employees to pass on information about wrongdoing at work. These are run on behalf of partner organisations, and as such do not form part of this policy. We would refer you to the privacy policies of those partner organisations for further information.
What information do we collect?
We take steps to ensure that we do not collect your personal information if you use our online forms or call us to report suspected criminal activity, unless you choose to disclose your information to one of our Bespoke Lines or in relation to one of our technical services (such as the Integrity Line - see the exceptions set out above).
When you engage with AP Foundation in other ways, the types of information collected might include names, date of birth, e-mail address, postal address, telephone number and credit/debit card details, and anything else that you tell us. We will also keep records of how you wish to communicate with us.
We may collect additional information for specific purposes, such as health data (e.g. about allergies if you attend an event; about your health if you run a marathon for us; DBS checks as appropriate in connection with a voluntary role).
How do we use it?
There are different reasons why we may use your personal information. In particular:
(i) Campaigning and fundraising
We may use your personal details to update you on upcoming campaigns, fundraising initiatives, events and challenges, and also the results of surveys or polls in which you participated.
We will only send individuals promotional emails (regarded in law as “direct marketing” emails) with their consent. We will record your preferences (for example, we will record that you do not wish to be emailed). Please note that you can also opt out of receiving “direct marketing” at any time by contacting T5T1’s DPO at the contact details above.
If you sign up to attend an event (such as our regional conferences), or to take an action such as running a marathon with us, we will process your details to assist you to attend and get involved. We might collect information about your health (for example, information about allergies). We may also share your personal details with the companies organising the events – such as the London Marathon group, made up of London Marathon Events Limited, The London Marathon Charitable Trust Limited and London & Surrey Cycling Partnership LLP.
(ii) Volunteering and engagement
If you volunteer with us, we will process your personal information in connection with that voluntary role and to support you. If you apply for a job with us, we will process your details for the purpose of managing that job application (including contacting you and, with your permission, contacting your referees). If you take on a job with us, you will be subject to a different privacy notice in that capacity.
We ask volunteers to provide information about their ethnicity, which we use (at a statistical level) for the purpose of ensuring equality of opportunity and treatment.
We highlight the roles of some of our volunteers, and the amazing work that they are doing for AP Foundation, on our website – we will ask you whether you would like to be featured before doing this.
(iii) Donations
If you donate to us, we will use your details for administrative purposes, such as to process the donation, and to process a gift aid claim (if appropriate).
If you leave us a legacy we will contact you in relation to this, and may get in touch from time to time to ensure that we have the correct details for you.
(iv) Prevention and detection of crime
We process and share personal data for the purpose of the prevention and detection of crime. For more information please see the data sharing section below.
(v) Sharing with partners
We share information that we collect with our clients (including banks, regulators, retailers, and charities) (“Clients”) in order to prevent and detect crime.
(vi) Social media
We may interact with you on one of our social media pages:
Facebook: https://www.facebook.com/apfoundation
Instagram: https://www.instagram.com/
Twitter: https://www.twitter.com/
LinkedIn: https://www.facebook.com/apfoundation
Where you interact with us on these pages (including following and sending messages), we act as joint controller with the social media platform. You may visit the privacy notice of each social media website for further information about how your information is jointly processed.
We may reach out to you via your social media profile in order to make you aware of AP Foundation. We use tools available on Facebook and Instagram (called ‘custom audiences’ or ‘lookalike’ audiences) in order to help direct our services to the right audiences. If you do not want us to use your personal data for social media marketing, please let us know by contacting us using the details set out in the contact us section.
Both Facebook and Instagram’s services are provided by Meta Platforms Inc.
You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/794535777607370. To opt-out from Facebook’s interest-based ads, follow these instructions from Facebook: https://www.facebook.com/help/568137493302217.
You can learn about LinkedIn’s advertising by visiting this page: https://business.linkedin.com/marketing-solutions/ads.
You can learn about Twitter’s advertising by visiting this page: https://business.twitter.com/en/campaign/welcome-to-twitter-ads.html.
Facebook adheres to the Self-Regulatory Principles for Online Behavioural Advertising established by the Digital Advertising Alliance. You can also opt-out from Facebook and other participating companies through the European Interactive Digital Advertising Alliance http://www.youronlinechoices.eu/, or opt-out using your mobile device settings.
Social media insights
Our social media platforms provide us with insights about those who interact with our pages. For example, we use the Facebook Insights function in connection with the operation of our Facebook and Instagram pages and on the basis of the GDPR, in order to obtain anonymised statistical data about our users.
For this purpose, Facebook places a cookie on the device of the user visiting our page. Each cookie contains a unique identifier code and remains active for a period of two years, except when it is deleted before the end of this period.
Facebook receives, records and processes the information stored in the cookie, especially when the user visits the Facebook services, services that are provided by other members of the pages and services by other companies that use Facebook services. Our website also utilises Facebook pixels, which enable us to track website events. This allows us to view the aggregated number of people who have come to the website via an ad (but does not reveal your personal information).
(vii) Other processing
We will process your personal details when we are under a legal or regulatory obligation to do so. If we restructure or merge with another organisation, we may transfer your personal data in connection with that restructuring or merger.
We may process your personal data for other purposes, such as to ensure that content from our site is presented in the most effective way for you and your computer, or to notify you of changes to our policies.
To comply with the law we are required to confirm whether our processing of your personal information forms part of a legal or contractual requirement or obligation, and the possible consequences of failing to provide that information. You are not generally under any legal or contractual obligation to provide your information to us.
The legal basis for processing
It is a legal requirement that, when processing personal details, we have a legal basis for doing so. We rely on the following legal bases for processing:
(i) In some cases we have your consent to process your data – for example, when you agree to let us send you emails about our work and campaigns. You may withdraw consent at any time (and if you wish to do so, please use the contact details above).
(ii) In many cases we will process your data where it is in our legitimate interests to do so. We will only rely on this basis where we are satisfied that it is not unduly intrusive or onerous for the individuals. For example:
a. If you donate money to CST, we will process your data to further our legitimate interest of fundraising, to promote CST’s charitable aims.
b. If you volunteer with us, we will process that data to further our legitimate interest of providing appropriate services to prevent and detect crime, and/or to further our charitable aims.
c. If you provide information about an offender, potential offender, victim or other person (or, in the limited circumstances identified above, volunteer information about yourself), we may process that information in order to prevent or detect crimes.
(iii) We may also process information if we need to do so:
a. To perform a contract with a person;
b. To comply with a legal obligation; or
c. To protect an individual’s vital interests (for example, in a life-or-death situation).
In some cases we will process “special” categories of personal data, or personal data about criminal convictions and offences. The law requires that, in these circumstances, a stricter approach is taken and we are required to satisfy an additional legal basis. The legal bases that we rely upon include (in summary):
(iv) Where we have the individual’s consent (or “explicit consent”) to process the information;
(v) Where the personal information has been made public by the relevant individual;
(vi) Where the processing is necessary to prevent or detect an unlawful act, prevent fraud, or protect the public from dishonesty, malpractice or other seriously improper conduct;
(vii) In connection with legal proceedings, to take legal advice, or to establish, exercise or defend legal rights;
(viii) For the administration of justice;
(ix) For safeguarding purposes in connection with individuals at risk; or
(x) For monitoring equality of opportunity and treatment in respect of certain prescribed characteristics.
Data sharing
We use organisations (“processors”) that process your personal information on our behalf, such as IT consultants, telephone system support, database support and telephone providers.
As set out above, we share data with our Clients in order to prevent and detect crime. We may also share it with event organisers in the context of events (such as if you are attending a conference or running the London Marathon for CST).
As stated above, we process information about offenders, potential offenders, victims or other persons for the purposes of the prevention or detection of crime. Information is sent to the relevant authority with the legal responsibility to investigate crimes, make arrests and/or charge people in order to bring them to justice. This could be your local police force or an agency such as the Home Office or HM Revenue & Customs. In relation to the Bespoke Lines, if you volunteer your personal details to us they will be passed on to the relevant partner organisation, as set out above.
We may also disclose your personal information to third parties if we are under a duty to do so in order to comply with any legal obligation, or in order to enforce or apply our terms of use for this site or other agreements; or to protect the rights, property or safety of us, our donors or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
We export data to countries outside of the United Kingdom. Please note that some of these countries may not have equal levels of data privacy law, although we will take steps to ensure that appropriate safeguards are put in place (such as putting contracts in place which are approved by the ICO).
Retention of data
We will only retain your personal details for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in relation to our activities related to the data we hold about you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through
| Type of data | Typical retention period |
| --- | --- |
| Volunteer data | Duration of volunteering and one year |
| Direct marketing | While sending the direct marketing and for a further six months. |
| Information in relation to the processing of donations | Seven years from the point of donation |
| Information provided on the AP Foundation Give Information Anonymous Online Form, or Fearless Contact Us Anonymously Online Form, or anonymous two-way conversations – these may be made into reports about potential criminal activity, which are processed as set out in this policy. | Online form information is deleted promptly and typically within four hours of submission. Information from “conversations” online is typically retained for 28 days from the most recent contact (unless we consider that it is necessary to extend this period, taking account of the factors above). The reports are retained for up to seven years. |
| Information provided for Bespoke Lines | As above subject to agreement with partner. |
Further details of retention periods for different aspects of your personal data are available on request by contacting the DPO using the details in this policy.
Your rights
You have rights in relation to the processing of your personal details, which are detailed below.
- In certain circumstances, you have the right to object to the processing that we have outlined in this policy.
- You have a right to access a copy of your personal data, and receive certain information about what the data is and how and why we are processing it.
- If you think that we hold inaccurate information about you, you have the right to request that we rectify it.
- In certain circumstances, you have the right to request that we delete your information (although there may be circumstances in which we need to keep your details).
- You can request that we restrict processing of your data, instead of deleting it, which means that we will keep the data but stop processing it for most purposes. Please note that this right only applies in certain limited circumstances, and that we cannot apply it retroactively – for example, if we have already disclosed a report to the police.
- You have rights to avoid being subject to decisions based solely on automated processing (including profiling) which has a significant effect on you. AP Foundation does not carry out such processing.
- You have the right to request a copy of certain personal data (to enable transferring it to another organisation) in certain circumstances.
Please note that these rights do not apply in all circumstances.
You can contact us at the details above if you have any questions or concerns; you are also entitled to make a complaint to the Information Commissioner’s Office (www.ico.org.uk).
Security
We use a secure server when you make a donation via our website. We also take appropriate technical and organisational security measures to ensure that the information disclosed to us is kept secure. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
Updates to your details / this policy
If your personal details change, please help us to keep your information up to date by notifying us at the above address.
We will update this policy from time to time and will show the latest policy on our website. We will state when it was last updated at the top of the page. We will aim to notify you of any significant updates to this policy, where it is reasonable to do so.
This policy will be reviewed on an annual basis.
Last reviewed: 01 January 2023
Governance Committee: