Data Protection

Below is a concise but comprehensive GDPR-compliant Privacy Policy tailored for a typical UK-registered charity (charitable incorporated organisation or charitable company). It is written in clear, donor/supporter-friendly language while meeting UK GDPR / Data Protection Act 2018 requirements.

You can copy-paste and customise the sections in [square brackets].

──────────────────────────────
Privacy Policy – Littlehampton Fort Restoration Project
Registered charity number: 1180461
Effective date: [Date]
Last updated: 20 November 2025

1. Who we are
Littlehampton Fort Restoration Project (“we”, “us”, “our”) is a UK-registered charity based at [registered address].
We are the data controller for the personal data we collect and process (ICO registration number: [ZAxxxxxx], or state the exemption you rely on if you are not required to pay the ICO data protection fee).

2. What this policy covers
This policy explains how we collect, use, store and protect your personal data when you:

  • Donate or set up regular giving
  • Sign up for newsletters, events or campaigns
  • Volunteer or apply for a job/grant
  • Visit our website(s)
  • Contact us in any other way

3. The personal data we collect and why

Category of data: Contact details
  Examples: Name, postal address, email, phone
  Lawful basis (UK GDPR Article 6): Consent (newsletters); Contract (event tickets); Legal obligation (Gift Aid); Legitimate interests (supporter stewardship)
  Retention period: 7 years after last interaction (or until consent is withdrawn, where we rely on consent)

Category of data: Donation & financial
  Examples: Amount, payment card details (never stored by us; processed via [Stripe/CAF/GoCardless]), Gift Aid declaration
  Lawful basis (UK GDPR Article 6): Legal obligation (HMRC Gift Aid records); Contract
  Retention period: 7 years (HMRC requirement)

Category of data: Volunteering
  Examples: CV, references, DBS check number, emergency contact, availability
  Lawful basis (UK GDPR Article 6): Contract; Legal obligation (safeguarding)
  Retention period: Duration of volunteering + 3 years

Category of data: Health & accessibility needs
  Examples: Dietary requirements, access needs for events
  Lawful basis (UK GDPR Article 6, with an Article 9 condition for special category data): Explicit consent, or vital interests
  Retention period: Duration of event + 1 year

Category of data: Website & cookies
  Examples: IP address, browser type, pages visited
  Lawful basis (UK GDPR Article 6): Consent (non-essential cookies); Legitimate interests (essential cookies & security)
  Retention period: See Cookie Policy (link)

4. Special category (sensitive) data
We only process data about health, religious beliefs, ethnicity, sexual orientation etc. when:

  • You have given us explicit consent (e.g. accessibility needs at events)
  • It is necessary for safeguarding or substantial public interest
  • You have manifestly made it public

5. How we collect your data

  • Directly from you (online forms, paper forms, phone, in person)
  • Via fundraising platforms (JustGiving, Virgin Money Giving, Facebook Donate, etc.)
  • From publicly accessible sources (e.g. Companies House, 192.com, Electoral Roll) for due diligence on high-value or legacy prospects (legitimate interests – wealth screening) – you can opt out at any time

6. Who we share your data with
We never sell your data. We only share where necessary:

  • Payment processors & Gift Aid reclaim (HMRC)
  • Mailing houses (for postal mailings)
  • Our professional advisers and auditors
  • Regulatory bodies (Charity Commission, Fundraising Regulator, ICO) when legally required
  • Carefully selected suppliers who process data on our behalf under strict GDPR contracts

All third parties are required to protect your data and only use it for the purposes we specify.

7. International transfers
We use some processors based outside the UK/EEA (e.g. Mailchimp in the USA). Whenever we transfer data outside the UK we ensure it is protected by:

  • UK International Data Transfer Agreement (IDTA) or Addendum
  • Adequacy decision

8. Your rights under UK GDPR
You have the right to:

  • Access your data (Subject Access Request)
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”) in certain circumstances
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where we rely on consent)
  • Complain to the Information Commissioner’s Office (ico.org.uk)

To exercise any right, email [data@charity.org.uk] or write to The Data Protection Lead, [full postal address]. We will respond within one month, free of charge; for complex or numerous requests we may extend this by up to two further months, and will tell you if we need to do so.

9. Keeping your data secure
We apply appropriate technical and organisational measures (encryption of data in transit and at rest, role-based access controls, staff training and secure hosting). Card payments are taken by our payment processor over encrypted connections; we never store full card details ourselves.

10. Children’s data
We do not knowingly collect data from children under 13 without parental consent. For 13–18 year-olds we normally obtain parental/guardian consent for direct marketing.

11. Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via email or on our website.

12. Contact us
Data Protection Lead
[Charity Name]
[Address]
Email: data@charity.org.uk
Phone: [number]

We are registered with the Fundraising Regulator and follow the Code of Fundraising Practice.

──────────────────────────────

This template is written to meet UK GDPR and the PECR rules that apply to charities. Before relying on the "soft opt-in" for marketing to existing donors, check current ICO guidance, as the rules on charities using it have changed recently and it only ever covers email/SMS marketing of similar causes with an opt-out offered at every contact.
Replace the bracketed sections, add your ICO registration number (or note the exemption you rely on), and link to your separate Cookie Policy if you have one.

Let me know if you need a shorter donor-facing version or a separate Cookie Policy to go with it!