This policy covers Lightful Ltd (company number 09135963, registered in England and Wales), registered office 10 Queen Street Place, London, United Kingdom, EC4R 1AG.
Within this document ‘We’ and ‘Us’ will refer to Lightful Ltd as denoted previously.
As Lightful processes Personally Identifiable Information (PII) as a “Data Processor” for clients, in addition to processing PII on our own behalf as “Data Controller”, we have registered with the ICO under reference: ZA236704.
Your privacy is very important to us and we take the responsibility to protect personal data seriously. This policy applies to the websites (‘the sites’) under the Lightful.com parent domain including the Lightful website, platform and any products and applications or services accessed and offered through the Lightful.com parent and subdomains. This document explains how Lightful uses the information provided and the procedures and processes around personal data supplied to us.
Our processing and retention of personal information is governed by the UK GDPR and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”), or any legislation that amends or replaces it. Lightful will also adhere to other related legislation such as:
- Privacy Electronic Communication Regulation (2003)
What is personal data?
Personal data is defined by the UK GDPR and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
2. Your privacy
Lightful relies on “Legitimate Interests” when communicating with individuals who have registered for our own products and services, and we offer an opt-out at this first data capture and in subsequent communications that are sent. Individuals are welcome to unsubscribe from any communication at any time by either:
- Visiting your communication preference centre (Upon logging in)
- Emailing us at email@example.com
We operate under an ‘opt-in only’ communication policy when it comes to “marketing” to individuals that have not subscribed to our “platform” or “communities” sites. This means that we will only send communications to those that have explicitly stated that they are happy for us to do so via their preferred channel(s) (email, SMS, phone, post or other communication platform).
Our “marketing” consists of communications about our platform, services and developments; and will usually constitute a weekly e-newsletter, as well as ad-hoc updates. If you would like to receive such communications but have not opted in please email us at firstname.lastname@example.org.
If you are supplying your personal information in response to a charity fundraising campaign which is “Powered” by our platform, the charity will require you to opt in for marketing communications from that charity. Your details will still be passed to the charity for Donation, Gift Aid reconciliation and the legal requirements that depend on this. There is an option to remain anonymous, which can ensure that only your donation details will be passed across. Under no circumstances will your payment information be stored or passed to any third party other than the payment gateway.
It is worth noting that before or at the time of collecting personal data we will identify the purposes for which any information is being collected, ensuring it is both fair and lawful and that we only ask you for the information that is required. We will then use this information in relation to:
- Fulfilling those purposes specified by us and for other compatible purposes that we have obtained your consent for or as required by law.
- Retaining the personal information as long as necessary for the fulfilment of those purposes.
- We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorised access, disclosure, copying, use or modification.
- We will make readily available to you information about our policies and practices relating to the management of personal information.
We are committed to conducting our business in accordance with these principles to ensure that the confidentiality of personal information is protected and maintained.
We do not intentionally gather personal information from visitors who are under the age of 18. If you are under the age of 18, you are not permitted to submit any personal information to us. If we learn that an individual under 18 submits personal information to Lightful we will attempt to securely delete the information as soon as possible.
3. Changes to this policy
Lightful may update this policy when it sees fit or when it changes the purposes of processing in line with the services or products. The latest version of this policy will be linked across all sites under the parent domain, with the date of last revision present at the top of the document; this will supersede any previous version of the document and be enforced effective immediately. We will do our best to ensure this is communicated across multiple channels and will ensure we re-obtain consent for any new processing where required.
Your continued use of our products and services from the point of change and notification of said change signifies your agreement with the new policy.
This policy was last updated on: 30/03/2021
4. Disclosure of information to third parties
We may on occasion work with selected third parties. Data could be transferred to organisations such as Facebook, Twitter or LinkedIn, or to other organisations that “enhance” data; the processes that may ensue may include wealth tagging, obtaining new contact details, social matching, geo-demographics, generation of look-a-like audiences or targeted advertisements.
If you do not wish for your data to be used in this manner then please opt out by:
- Emailing us at email@example.com
We might also share information you have provided with selected third parties, charities you engage with to provide you with information on products and/or services that may be of interest or relevant to yourselves; only if you have given us permission to do so via an opt-in mechanism.
Lightful works closely with many third parties (business partners, sub-contractors, technical or payment delivery services) in the provision of its product (“platform”) and other services that are on offer. We will ensure that contracts and data processing agreements are in place so that, if we are required to send your data securely to these third parties, this is done in order to fulfil your request for information, product or service interactions/purchase.
If Lightful is bought out or its assets are acquired by a third party, personal data held about its clients and users could possibly be one of the transferred assets.
Except as denoted above, Lightful will not disclose, distribute or sell personal data (sensitive or non) to any other organisation without prior consent/contractual obligation unless we have a legal obligation or right to do so.
5. Overseas transfers
By submitting or uploading information on our sites or platform you are agreeing to the storage, processing and possible transfer of this data as required by Lightful and set out within this policy.
We will store your personal data in the UK wherever possible. This means that it will be fully protected under the Data Protection Legislation.
Where this is not possible we may store some of your personal data within the European Economic Area (the “EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the EU GDPR and/or to equivalent standards by law. Transfers of personal data to the EEA from the UK are permitted without additional safeguards.
In some cases we may store some or all of your personal data in countries outside of the UK or EEA (e.g. USA). These are known as “third countries”. We will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection Legislation. We will always follow latest advice and guidance available from the ICO.
6. Our sites
Our sites are currently hosted in Ireland; the provider that hosts the website build has its backups restricted to the UK. We hold a current and valid contract with the supplier who provides the hosting. We do however use content delivery networks which copy our website code around the globe for quicker downloading - no actual personal data resides in these edge locations.
The sites services currently cover the following areas:
- Services – Our clients may sometimes engage with us for a variety of purposes around processing a natural person’s data that they have obtained permission to process or to analyse/create profiles on. Please get in contact with that organisation directly if you do not wish for Lightful to process your data.
- Platform – This is where you would be registering directly with Lightful for the use of Lightful’s platform (“the platform”) to aid with social media and supporter engagement. Please see the additional terms & conditions for using this product.
- Communities – This is where you can register direct with Lightful to share ideas, participate in discussions or access content through our secure portal.
Our sites, products and services are restricted and aimed for access to those that are over 18 only and we don’t knowingly target anyone below this age. If we find you are below that age and you are using our products or services we may remove you and any related data from the system without notice.
7. Lawful processing of your data
There are many lawful reasons that mean that we can process (use) your personal information:
- Legitimate Interests – For example, this would be marketing around the products or services you have subscribed to.
We essentially have a genuine and legitimate reason, and none of your rights or freedoms will be harmed or overwritten by this reason. These legitimate Interests would be the following:
- Analytics – We may aggregate or use on a personal level, customer analysis, profiling and Direct Marketing combining information from multiple sources; providing that it does not infringe on your rights or freedoms.
- Research – To investigate the product roadmap and ensure our services and products are developed in accordance with demand.
- Due Diligence – To prevent fraud when subscribing to certain products or services, we may need to conduct further investigations around Fraud, Bribery and Corruption.
- Direct Marketing – We will contact you via Telephone and Email if you have subscribed to our services for additional offerings, administration and research.
- Personalisation – We will personalise, enhance or improve our communications, products and services to our customers for their benefit.
- Performance of a contract – For Example, this would be the Products/Services you subscribe to.
- Consent – For Example, this would be additional marketing or passing details on to certain Third Parties.
We have completed the following Legitimate Interest Assessments (LIA):
- Prospective charities
- Charities that have registered on our platform.
8. Personal data we collect
The information that we collect, whether direct or indirect, will be combined in all instances to ensure that our products and services are tailored accordingly.
9. Direct data provision
The sites and applications use various forms that may collect personal data to enable you to subscribe, register and request products and services. If you have registered for any of Lightful’s products or services and/or have created an online account (profile), then you may have provided us with personal data that may include your:
- Contact details (including postal addresses, telephone and email)
- Date of birth
- Social handles (Facebook, Twitter, LinkedIn or other)
- Payment details (credit or debit card number and expiry date); This is tokenised upon initial submission of the details.
- Other information as needed to personalise the products/services
The sites might also collect personal data in the form of:
- Log files – This would include things like IP addresses, browser type and version, time zone settings, browser plugins, operating system and platform.
- Website usage, how long users spend on the sites and what they click on, how many times and what they interact with.
- User generated data (messages, posts, comments, queries and support tickets).
Our “platform” will also collect information on how and what you use within our services and the frequency in which those interactions take place. This information is used to help improve our services for both yourself and other users.
You can update personal information supplied by logging into your profile, if you have created one, or by contacting Lightful support by emailing firstname.lastname@example.org.
10. Third party organisations/our clients
You may have provided permission for our client or another company/organisation to share your data with third parties, including ourselves. This could have been when you consented by providing your data to these other organisations and would be in line with their privacy policies.
11. FullStory
Lightful’s sites and platform use FullStory, which is essentially a session recording tool provided by FullStory that will record all interactions made by yourself on the sites or platform. This service uses the cookies as derived above to help Lightful understand how users interact with the individual pages and features and to resolve bugs.
Personal Data, including that which is sensitive, would be redacted by Lightful for purposes around Data and Analytics; for bug queries that users report, this information will be used to aid the users with their request.
To opt out of FullStory please visit the following link:
This will disable it across all sites where these cookies are used. Opting out will create a cookie that tells FullStory to turn off recording on any site which uses the FullStory Services. The presence of this cookie is required to continue opting out, so if you clear your browser cookies, you will have to opt-out again. (We regret that there isn’t a better way to make the opt-out more permanent, but due to technical reasons, this really is the best we can do at present).
12. Social media
Depending on your settings or the privacy policies for social media and messaging services like LinkedIn, Instagram, Facebook, WhatsApp or Twitter, you might have given us permission to access information from those accounts or services. This information will be used to identify traits, trends in our data or on prospects based on interests or groups in addition to opportunities for Marketing to audiences that share similar profiles or are key influencers within these interests or groups.
13. Publicly available information
This may include information found in places such as Companies House and information that has been published in articles/ newspapers and on social media. This information will be used to supplement information that Lightful currently holds or used to identify or target prospects/currently known individuals for marketing for our goods or services.
14. Business to Business
If Lightful contacts you in connection with a Business-to-Business activity, your name might have been sourced from the Charity Commission Database or other available sources; we will ensure that things like the Corporate TPS Register are applied in addition to our existing internal data marketing consent suppressions and should you have been identified as not a partnership or sole-trader we will be contacting you under legitimate interests and give you the chance to opt-out from hearing from us again.
15. Use of information
Lightful may use your information to notify you about important functionality changes/alterations and updates on Policies in place and anything else that can be classed as “administration” such as updates to this policy and the terms & conditions of the services we provide. The purposes for collation and processing personal information could be one or more of the following:
- Provision of the services, information or products requested; this may include sending you emails on how you can better use our services, these messages may also be displayed via an Instant message (IM) when you have logged into the “communities” or the “Platform” and may appear on the social media platforms you subscribe to. You can opt out (Unsubscribe) from E-Mail messages at the bottom of every Email; and for social media by emailing email@example.com.
- Administration of your “profile” and any payments made considering the above; including identification of you as a user within our system; responding to any comments or questions and for our support team to provide a service.
- Recording your interactions, sessions and relationship with us; including using this information to help with site improvements or co-ordinate bug fixing.
- Managing this relationship with marketing and communication preferences.
- Updating you on new products and services on offer which may be supplementary (Requiring an “opt-in”) for, non-service related updates, releases or system outages.
- Equal opportunities monitoring; this is primarily for staff and volunteers within Lightful.
- Non-automated profiling (which has human intervention) – consisting of the following:
  - Segmenting – this is essentially using variables we hold in the database to classify you as a particular user or into a cohort of users; this can be defined as “generic profiling”.
  - Propensity modelling, which essentially is using variables within held data to score you based on an outcome which will be to include you in particular mailings or offers.
  - Wealth screening (analysing individuals’ personal information to ascertain material wealth; this can either be done internally or using selected third parties); we may also append this information to your record on our databases.
  - Social; accessing publicly available information from social network sites such as Facebook, Twitter, LinkedIn and others to ascertain engagement with specific causes/interests/groups etc.
- Appending/cleansing to the data Lightful currently holds on you – consisting of the following:
  - New address details from available sources such as National Change of Address database (Royal Mail); where you have agreed, we may use this address.
  - Consented telephone numbers from selected third parties; where you have agreed we may use this number.
  - Gone away or deceased flags from selected third parties.
- Compliance or other legal requirements that have either come from an authoritative figure or legal representation. This may also include any reasonable steps to protect Lightful against any fraudulent, unauthorised or illegal activity.
We may also use the information submitted for performance monitoring and data analysis that will help us improve our sites and offerings. We may also request and use “user feedback” which will form from comments, queries or suggestions; this will be used to improve our products and services.
Lightful may contact you for marketing purposes which would include news, activities and developments or as specified from the initial request or subsequent data gathering forms or from the preferences as outlined in your profile. You can opt in or out of these by contacting Lightful support by emailing firstname.lastname@example.org.
Ultimately most of this information is used to help enhance our features and services. It is worth noting that the IP address data collected cannot be used to identify you personally on its own; it would need to be combined with other information generated to construct a profile of you, which is not an activity carried out by Lightful.
16. Payment details
Lightful does not have any access to individuals’ card details; the payment provider that we use to collect payment (Stripe) has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. They provide a secure payment gateway for us to process your payment for the product/services you are procuring. They also cover areas of fraud screening, IP address blocking and employ the internationally recognised 256-bit encryption. Payments are processed within the EEA.
Our payment provider is regularly audited by the banks and banking authorities to ensure security within their systems. They also possess membership to the PCI Security Standard Council (PCI SSC) that define card industry global regulation. You can see that your data is secure through our payment provider when you see either a https:// in the URL and/or when the padlock is visible alongside the URL.
17. Your rights and raising complaints
Minor requests for information might be dealt with “informally”, not requiring the completion of a subject access request; this will be down to the Data Protection Officer’s (DPO) judgement. To summarise, you as the “natural person” have the following rights:
You have certain rights in relation to your personal data.
- The right to be informed – How data will be used through a fair processing notice/policies.
This basically means, we will be clear and transparent on what and how we will process data that you provide by ensuring we include this at every point of data collection.
- The right to rectification
You have the right to correct personal information if we possess inaccurate/out-dated data; this might encompass things such as a new postal or email address etc. Where possible we use publicly available sources to keep your records up to date; for example, the Post Office’s National Change of Address database and information provided to us by other organisations as described above.
- The right to erasure
You can request that you are removed from all our systems and databases, which we will do our best to comply with, and we will inform you of the reasons where we have been unable to comply.
- The right to object/restrict data processing
You can request that we cease or do not begin to process your data.
- The right to object/restrict data processing for marketing purposes
You can request that we cease or do not begin to process your data for marketing purposes which would cover any ideal, aim or objective of Lightful in addition to us promoting our goods and services. We will only contact you for marketing purposes if you have opted in (consent) or we are relying on Legitimate Interests.
- The right to data portability
If you wish to have access to your data in an intelligible format we will provide it in a format that provides clear understanding.
- The right to refuse automated profiling and decision making
If we are profiling your data that has all system driven logic and outcomes you can request that we cease or do not begin to do this.
- The right to access your information – (formally Subject Access Request).
If you would like to know how your data has been processed, then you can request a Subject Access Request. Lightful has one month (30 Calendar Days) to comply with the request for data upon proof of identification. All information provided by us will be supplied in an intelligible format, if you have a preferred format, please let us know and we will try to conform to that.
Through the forms and policies on our sites we hope that you understand when we request information, how we use the data and what actions you can take. Remember that by enacting some of these rights you may inadvertently cause cancellation of or restrictions on the services or products that you are subscribed to.
The ICO governs all aspects of data protection within the UK. Should you have any concerns or wish to raise a complaint that Lightful is unable to resolve in the first instance, then please visit https://ico.org.uk/ for more information. They also have a plethora of information around your rights and Data Protection.
18. Links to third party sites
It is important in any circumstance before providing any information to any Third-Party websites that you check their own privacy policies. Lightful does not accept any responsibility for the protection of your personal data supplied to these other sites or any “threats” that may arise from accessing them.
19. Data retention
Lightful retains data for only as long as necessary and in line with the relevant data protection legislation or any legal requirement. We aim to keep data for no longer than 2 years where technical design and process allow; we may also restrict access to or overwrite/anonymise personal data in line with our Data Retention policy.
20. Governing law
Lightful and its sites shall be governed by the law of England & Wales.
21. Further information
Our Data Protection Officer (DPO) is:
Craig Humphries – Director of Finance and Governance.
If you have any queries on this policy, wish to contact the DPO or know further details on how Lightful uses personal data please contact us at: email@example.com
If you wish to opt-out of something specific; then either:
- visit your communication preference centre on the Lightful Platform
- email us at firstname.lastname@example.org.
Any general correspondence should go to:
Lightful Ltd, 10 Queen Street Place, London, United Kingdom, EC4R 1AG
A company incorporated in England and Wales no. 09135963.