We respect and protect the privacy of our users. This privacy policy tells you how we collect and use information.
Policy statement
Good Things Foundation is a company registered in England and Wales with company number 05887661 and a charity registered in England and Wales with charity number 1165209. We understand that you are aware of and care about your own personal privacy interests, and we take that very seriously. We value our ability to provide you with information through our interactions, whether they are face to face interactions, through our digital platforms, or one of the other ways you can choose to interact with us.
This privacy notice together with our website terms and conditions and our cookie policy explains how we collect, store, use, protect and share your personal information that you provide to us or that we may otherwise obtain or generate which relates to you. Please take a moment to review this privacy notice and, if you have any questions or concerns about how we are looking after your information, feel free to get in touch via one of the methods under the header ‘How to contact us’ below.
What personal information do we collect?
Personal information means any information by which you can be directly or indirectly identified. We may collect the following personal information:
- name
- phone number
- postal address
- job title
- employment status
- age
- date of birth
- gender
- ethnic group
- unique learner number (UK)
- national insurance number (UK)
- education level
- health details
- disability status
- household status
How and where do we obtain personal information about you?
When you visit our websites we collect certain information or data about you automatically using tools like Google Analytics. We collect:
- Your IP address, which may reveal your general (but not specific) location relating to where you are connecting to the internet
- Details of which version of web browser you used
- Information on how you use the site, for example:
  - What device you are using – mobile, tablet or laptop
  - What browser you are using – Chrome, Safari, Edge etc
  - How long you spend on the website
- Personal information when you register with us
- The actions you take on our website. We use Hotjar in order to better understand our users’ needs and to optimise our service and your experience. Hotjar is a technology service that helps us better understand our website users’ experience (e.g. how much time they spend on which pages and which links they choose to click) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
Find out more about our use of cookies here.
In addition, under the following circumstances, we may collect the following information:
If you sign up as a representative of an organisation to our network:
- Your job title
- the name, address and phone number of your organisation
- your email address.
If you take part in certain funding programmes operated by us you may need to further supply:
- Your date of birth
- your gender
- your ethnic group
- your unique learner number (UK)
- your national insurance number (UK)
- your education level
- your health details
- your household status
- your employment status
- your disability status
- your postcode.
If you want to register and use the full set of features across all our sites, you will need to give:
- Your first name
- your last name
- either your email address, phone number or postal address
- a password.
If you get in touch with us, we collect personal information so we can respond to your request, query or comment. So we can help you with your enquiry, we may need to know:
- Your first name
- your last name
- your email address
- details of your enquiry which may contain some personal information you provide as part of your enquiry.
If you sign up for our newsletter, we’ll collect your name and email address.
If you choose to donate to us through services of organisations, such as JustGiving and Crowdfunder, we may collect personal data such as:
- Your name
- email address
- postal address.
In addition, we may receive your personal data such as your name, email address and postal address and details about your donations from a third party donation provider such as JustGiving or Crowdfunder if you choose to donate to us using such services.
How do we use your personal information?
Under data protection law, we can only use your personal data if we have a proper reason, eg:
- Where you have given consent
- to comply with our legal and regulatory obligations
- for the performance of a contract with you or to take steps at your request before entering into a contract, or
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a charitable or organisational reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).
The information that we collect from you is to help us to support you better and run our services well. The information also helps us to respond to you and our funders.
On what basis do we use your personal information?
What we use your personal data for
Our reasons
- Create and manage your account with us
For our legitimate interests to deliver account services and access.
- Providing our services, including Learn My Way, to you
Where we have a contract, to perform our contract with you or to take steps at your request before entering into a contract
Where we do not have a contract with you, for our legitimate interests being the legitimate interests of providing our services to you
- Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us
To comply with our legal and regulatory obligations
Where we do not have a legal or regulatory obligation, for our legitimate interests, ie to minimise fraud that could be damaging for you and/or us
- To enforce legal rights or defend or undertake legal proceedings
Depending on the circumstances:
—to comply with our legal and regulatory obligations
—in other cases, for our legitimate interests, ie to protect our business, interests and rights
- Customise our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website
Depending on the circumstances:
—your consent as gathered in accordance with our ‘Cookies Policy’ below
—where we are not required to obtain your consent and do not do so, for our legitimate interests, ie to be as efficient as we can so we can deliver the best online experience to you
If you have provided such a consent you may withdraw it at any time by following the process set out in the ‘Cookies Policy’ (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
- Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive or to check our website is working as intended
Depending on the circumstances:
—your consent as gathered in accordance with our ‘Cookies Policy’ below
—where we are not required to obtain your consent and do not do so, for our legitimate interests, ie to be as efficient as we can so we can deliver the best online experience to you
If you have provided such a consent you may withdraw it at any time by following the process set out in the ‘Cookies Policy’ (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
- Communications with you not related to marketing, including about changes to our terms or policies or changes to our services or other important notices
Depending on the circumstances:
—to comply with our legal and regulatory obligations
—in other cases, for our legitimate interests, ie to be as efficient as we can so we can deliver the best services to you
- Protecting the security of systems and data used to provide the services
To comply with our legal and regulatory obligations
We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, ie to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us
- Statistical analysis to help us understand our users including gathering survey data and beneficiary data
For our legitimate interests, ie to be as efficient as we can so we can deliver the best services to you
- Updating and enhancing our user records
Depending on the circumstances:
—to perform our contract with you or to take steps at your request before entering into a contract
—to comply with our legal and regulatory obligations
—where neither of the above apply, for our legitimate interests, eg making sure that we can keep in touch with our user about our services
- Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, eg to record and demonstrate evidence of your consents where relevant
To comply with our legal and regulatory obligations
- Marketing our services to existing and former users
For our legitimate interests of promoting our services to existing and former users
- The audit of our services by us, third parties instructed by us and our funders and third parties instructed by us
For our legitimate interests of operating at the highest standards and of providing required information by our funders
- To engage and communicate with you as a representative of a Digital Inclusion Hub
For our legitimate interests of managing our Digital Inclusion Hub Network
- To provide customer support to you
For our legitimate interests of providing effective and efficient customer support
Certain personal data we collect is treated as a special category to which additional protections apply under data protection law. This includes:
Personal information revealing:
- Racial or ethnic origin
- political opinions
- religious beliefs
- sexual orientation
- philosophical beliefs
- trade union membership
- health information.
Where we process such special category personal data, we will also ensure we are permitted to do so under data protection laws.
Who we share your personal data with
We routinely share personal data with:
- Third parties we use to help deliver our services to you and to help us run our charity, e.g. marketing agencies, email providers, project management software providers, website hosts and website analytics providers
- our bank
- our funders
- our stakeholders
- Our Online Centre Network members
- our staff
- our trustees
- our volunteers
We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data.
We or the third parties mentioned above occasionally also share personal data with:
- Our and their external auditors, eg in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations
- our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations
- law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations
- other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.
If you sign up to an organisation in our network, your personal information will also be shared with authorised people in that organisation.
We will never sell your information to third parties for direct marketing purposes.
Transferring your personal data out of the UK and EEA
The European Economic Area (EEA), UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.
Whilst we do not routinely do so, it is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.
We will transfer your personal data to:
- any staff, volunteers or trustees located permanently or temporarily outside of the UK,
- our service providers located outside the UK, and
- our funders located outside the UK
As we are based in the UK we will also transfer your personal data from the EEA to the UK.
Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:
- In the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR,
- in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR,
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
- a specific exception applies under relevant data protection law.
Where we transfer your personal data outside the UK we do so on the basis of an adequacy regulation or (where this is not available) legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.
Where we transfer your personal data outside the EEA we do so on the basis of an adequacy decision or (where this is not available) legally-approved standard data protection clauses issued further to Article 46(2) of the EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this policy.
If you would like further information about data transferred outside the UK/EEA, please contact us (see ‘How to contact us’ below).
Websites that we do not own or control (Third party websites)
Our websites may contain links to other websites and use external services to provide functionality for the website. You are advised to adopt a policy of caution before clicking any external web links mentioned throughout this website and to be aware of and read their privacy policies.
We cannot guarantee or verify the contents of any externally linked website. You should therefore note you click on external links at your own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links.
Our websites also use interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. These interfaces may allow the social media site to connect your visits to our websites with other personal information.
We may direct you to a third party organisation, such as JustGiving or Crowdfunder, to allow you to donate to us. You choose to donate and share data with these organisations at your own risk. These organisations have their own privacy statements which we recommend you read before sharing any information.
How long will we keep your personal information?
We have a records retention policy that sets out how long we keep your personal information. As a general rule, we keep your personal information for as long as is necessary but not for longer than we need it. We will keep your data for the following purposes:
- To comply with law;
- for the duration of a contract you are a party of;
- in connection with legal action or an investigation involving Good Things Foundation; or
- to provide you with information, access you have requested to digital channels (like our websites), our products and our services.
Each type of personal data may be kept for different periods of time. For more information, please contact us.
How we protect your personal information
To help protect the data we collect and store, we have security measures in place to make sure nobody accesses your data who shouldn’t.
Access to your personal information is restricted to employees and service providers who need it to provide benefits or services to you. We also train our employees about the importance of confidentiality and maintaining the privacy and security of your information (Data protection). We commit to taking appropriate action to ensure our employees’ privacy responsibilities are upheld.
We have processes in place so we know if there are any suspected breaches with our information security. We update and test our security technology on an ongoing basis. We will notify those who need to be alerted to such issues where we are legally required to do so.
What if you do not want to provide us with your personal information?
Where you are given the option to share your personal information with us, you can always choose not to do so. If you choose not to provide us with your personal information, you object to our processing of your personal information, or you choose to withdraw any consent that you may have provided to processing it, we will respect such requests in accordance with our legal obligations. This may mean, however, that we may not be able to perform the actions necessary to achieve the purposes set out above, we may not be able to respond to you directly or fully resolve requests. It may also mean that you may not be able to make use of the services and products offered by us.
Exercise Your Rights under this Privacy Notice
We need your information to help us deliver elements of our service, but you have the following rights in relation to our use of this information.
You have the right to:
- Be informed – to be told about how we use your personal information
- Access – to get access to the personal information we hold about you
- Rectification – to correct inaccurate information and to update incomplete information
- Erasure – to ask us to delete your personal information
- Restrict processing – to change or reduce how we process your information
- Data portability – you can ask for the information we hold in an easy to use and share format
- Object – to stop us using your personal information in certain circumstances
- Rights in relation to automated decision making and profiling
You can find out more about your rights here.
If you have provided us with a consent to use your personal data you also have a right to withdraw that consent easily at any time.
You may withdraw consents by contacting us or, depending on the circumstances, press the unsubscribe policy. For example, if you don’t want to be on one of our mailing lists, you can choose to opt out at any time by following the “unsubscribe” instructions at the bottom of our promotional emails. If you have an account with us, you can also opt out by updating your preferences.
Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.
Please contact us using the information below if you would like to do any of the following:
- Get a copy of your personal information (we may charge you a small fee)
- ask us to correct or update wrong information
- ask us to remove your information from our systems
- ask us to stop using your information in some cases
- stop marketing that uses your personal information
- make a complaint to us about how we’ve used your personal information.
We hope we will be able to resolve any issues you may have. If you are not happy with our response then you can also contact:
- the Information Commissioner in the UK
- a relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA
Make a complaint or raise a concern
If you have any questions or to raise a concern about how we handle your personal information, you may contact us using any of the methods in the section below.
You can contact us to:
- make a complaint about our approach to data protection
- raise privacy concerns
- make a complaint about how we handle your personal information.
To make a complaint, please email complaints@goodthingsfoundation.org and we will acknowledge your complaint within 2 working days.
Our use of cookies
A cookie is a small text file which is placed onto your device (eg computer, smartphone or other electronic device) when you use our website. We use cookies on our website. These help us:
- Design our site to better suit our users’ needs
- to diagnose problems with our server
- to administer our websites
- to analyse trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences
- enhance your experience of our websites
- recognise you and your device and store some information about your preferences or past actions.
For further information on cookies, when we will request your consent before placing them and how to disable them, please see our cookie policy.
Our legal obligations
We are registered as a Data Controller under the United Kingdom Data Protection Act 2018 and make sure that our data handling processes are compliant with the UK General Data Protection Regulation. If you choose to access this website from other locations then you do so at your own risk and are responsible for compliance with local laws of the country in which you reside.
Please contact us if you have any questions, problems or feedback regarding this Privacy Notice.
How to contact us
You can contact Good Things by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, or to exercise a right under data protection law.
Good Things’ contact details are shown below:
Office 514, Showroom Workstation
15 Paternoster Row
Sheffield
S1 2BX
legal.compliance@goodthingsfoundation.org
0114 349 1666
Changes to our policy
We may make changes to our policy from time to time. This policy was last reviewed: March 2023