This policy covers Lightful Ltd (company number 09135963) who operate out of Second Home, 68-80 Hanbury Street, London, E1 5JL. Within this document ‘We’ and ‘Us’ will refer to Lightful Ltd as denoted previously.
As Lightful processes Personally Identifiable Information (PII) as a “Data Processor” for clients in addition to Processing PII on our own behalf as “Data Controller”; We have registered with the ICO under reference: ZA236704.
Your privacy is very important to us; first, and foremost Lightful adheres to the relevant legal requirements. This policy applies to the websites (‘the sites’) under the Lightful.com parent domain and the applications that Lightful own on the IOS and Android platforms. This document explains how Lightful uses the information provided and the procedures and processes around personal data supplied to us.
Our processing and retention of personal information is governed by the Data Protection Act 1998 (the “Act”) till the 25th May 2018 after this point the Data will be processed under the General Data Protection Regulation (GDPR), or any legislation that amends or replaces it. Lightful will also adhere to all other legislation such as:
- Privacy Electronic Communication Regulation (2003)
Lightful relies on “Legitimate Interests” when communication to Individuals that have registered for our own products and services and we offer an opt out upon this first data capture and subsequent communications that are sent. Individuals are welcome to unsubscribe from any communication at any time by either:
- Visiting your communication preference centre (Upon logging in).
- Email us at email@example.com or ring us on 0203 7723 813.
We operate under an ‘opt-in only’ communication policy when it comes to “marketing” to individuals that have not subscribed to our “platform” or “communities” sites. This means that we will only send communications to those that have explicitly stated that they are happy for us to do so via their preferred channel(s) (email, SMS, phone or post).
Our “marketing” consists of communications about our platform, services and developments; and will usually constitute a weekly e-newsletter, as well as ad-hoc updates. If you would like to receive such communications but have not opted in please email us at firstname.lastname@example.org or ring us on 0203 7723 813.
If you are supplying your personal information in response to a charity fundraising which is “Powered” by our platform; the charity will require you to opt-in for marketing communications from that charity. Your details will still be passed to the charity for Donation, Gift Aid reconciliation and the legal requirements that depend on this. There is an option to remain anonymous; which can ensure that only your donation details will be passed across. Under no circumstances will your payment information be stored or passed to any third party other than the payment gateway
It is worth noting that before or at the time of collecting personal data we will identify the purposes for which any information is being collected ensuring it is both fair and lawful ensuring we only ask you for the information that is required, we will then use this information in relation to:
- Fulfilling those purposes specified by us and for other compatible purposes that we have obtained your consent for or as required by law.
- Retaining the personal information as long as necessary for the fulfilment of those purposes.
- We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorised access, disclosure, copying, use or modification.
- We will make readily available to you information about our policies and practices relating to the management of personal information.
We are committed to conducting our business in accordance with these principles to ensure that the confidentiality of personal information is protected and maintained.
We do not intentionally gather personal information from visitors who are under the age of 18. If you are under the age of 18, you are not permitted to submit any personal information to us. If we learn that an individual under 18 submits personal information to Lightful we will attempt to delete the information as soon as possible.
Lightful reserve the right to update this policy when it sees fit or changes the purposes of processing in line with the services or products. The latest version of this policy will be linked across all sites under the parent domain; with the date of last revision present at the top of the document; this will succeed any previous version of the document and be enforced effective immediately. We will do our best to ensure this is communicated across multiple channels and will ensure we re-obtain consent for any new processing where required.
Your continued use of our products, services from point of change and notification of said change signifies your agreement with the new policy.
This policy was last updated on: 14/05/2018
We may on occasion work with selected third parties, data could be transferred to organisations such as Facebook, Twitter or LinkedIn or other organisations that “enhance” data the processes that may ensure may include wealth tagging, obtaining new contact details, social matching, geo-demographics; generation of look-a-like audiences or targeted advertisements.
If you do not wish for your data to be used in this manor then please opt-out by:
We might also share information you have provided with selected third parties, charities you engage with to provide you with information on products and/or services that may be of interest or relevant to yourselves; only if you have given us permission to do so via an opt-in mechanism.
Lightful works closely with many third parties (business partners, sub-contractors, technical or payment delivery services) in provisions of its product (“platform”) and other services that are on offer; we will ensure that contracts and data processing agreements are in place to ensure that if we are required to send your data, securely to these third parties that this is done in order to fulfil your request for information, product or service interactions/purchase.
If Lightful is bought out or its assets are acquired by a third party personal data held about its clients and users could possibly be one of the transferred assets.
Except as denoted above; Lightful will not disclose, distribute or sell personal data (sensitive or non) to any other organisation without prior consent/contractual obligation unless we have a legal obligation or right to do so.
From submitting or uploading information on our sites or platform you are agreeing to the storage, processing and possible transfer of this data. Lightful will ensure that data processing agreements and contracts are set up with data processors. Rest assured, in the first instance with our wishes to be fully compliant with the Global Data Protection Regulation (GDPR); we will try to keep data within the EEA through partnered organisations; if outside of these areas it will be done in accordance with the guidance from the Information Commissioners Office (ICO).
Our sites are currently hosted in Ireland; the provider that hosts the website build has its backups restricted to the UK. We hold a current and valid data processing agreement with the supplier who provides the hosting. We do however use content delivery networks which copy our website code around the globe for quicker downloading. This is just the front end – no actual personal data resides in these edge locations.
The sites services currently cover the following areas:
- Services – Our clients may sometimes engage with us for a variety of purposes around processing a natural persons data that they have obtained permission to process or to analyse/create profiles on. Please get in contact with that organisation direct if you do not wish for Lightful to process your data.
- Platform– This is where you would be registering direct with Lightful for the use of Lightful’s platform (“the platform”) to aid with social media and supporter engagement. Please see the additional terms & conditions for using this product.
- Communities – This is where you can register direct with Lightful to share ideas, participate in discussions or access content through our secure portal.
Our sites, products and services are restricted and aimed for access to those that are over 18 only and we don’t knowingly target anyone below this age. If we find you are below that age and you are using our products or services we may remove you from the system.
Our applications are currently hosted on both the Android and IOS Stores; this essentially allows access to “The Platform” on a mobile device. You will be agreeing to relevant terms when your download and access from these sources, these agreements will be with the software providers to download the software and then the separate Lightful Terms and Conditions for use of the platform when you either register or sign in.
There are many lawful reasons that mean that we can process (use) your personal information;
- Legitimate Interests – For Example, this would-be Marketing around the Products or Services you have subscribed to.
We essentially have a genuine and legitimate reason, and none of your rights or freedoms will be harmed or overwritten by this reason. These legitimate Interests would be the following:
- Analytics – We may aggregate or use on a personal level, customer analysis, profiling and Direct Marketing combining information from multiple sources; providing that it does not infringe on your rights or freedoms.
- Research – To investigate the product roadmap and ensure our services and roducts are developed in accordance with demand.
- Due Diligence – To prevent fraud when subscribing to certain products or services, we may need to conduct further investigations around Fraud, Bribery and Corruption.
- Direct Marketing – We will contact you via Telephone and Email if you have subscribed to our services for additional offerings, administration and research.
- Personalisation – We will personalise, enhance or improve our communications, products and services to our customers for their benefit.
- Performance of a contract – For Example, this would be the Products/Services you subscribe to.
- Consent – For Example, this would be additional marketing or passing details on to certain Third Parties.
We have completed the following Legitimate Interest Assessments (LIA):
- Prospective charities
- Charities that have registered on our platform.
The information that we collect that is either Direct or In-Direct will be combined in all instances to ensure that our products and services are tailored accordingly.
The sites, applications use various forms that may collect personal data to enable you to subscribe, register and request products and services. If you have registered for any of Lightful’s products or services and/or have created an online account (profile); then you may have provided us with personal data that may include your:
- Contact details (including postal addresses, telephone and email)
- Date of birth
- Social handles (Facebook, Twitter, LinkedIn or other)
- Payment details (credit or debit card number and expiry date); This is tokenised upon initial submission of the details.
- Other information as needed to personalise the products/services
The sites might also collect personal data in the form of:
- Log files – This would include things like IP addresses, browser type and version, time zone settings, browser plugins, operating system and platform.
- Website usage, how long users spend on the sites and what they click on, how many times and what they interact with.
- User generated data (messages, posts, comments, queries and support tickets).
Our “platform” will also collect information on how and what you use within our services and the frequency in which those interactions take place. This information is used to help improve our services for both yourself and other users.
You may have provided permission for our client or another company/organisation to share your data with third parties, including ourselves. This could have been when you consented by providing your data to these other organisations and would be in line with their privacy policies.
Lightful’s sites and platform use Fullstory which essentially a session recording tool provided by Fullstory which will record all interactions made by yourself on the sites or platform. This service uses the cookies as derived above to help the Lightful understand how users interact with the individual pages and features and bug resolve.
The data collected by Fullstory is stored in the X and is subject to the General Data Protection Regulation, with added security around transfers from the EU-Privacy Shield.
Personal Data including that which is sensitive would be redacted by Lightful for purposes around Data and Anlaytics, for bug queries that users report, this information will be used to aid the users with their request.
To opt-out of full story please visit the following link:
This will disable it across all sites where these cookies are used. Opting out will create a cookie that tells FullStory to turn off recording on any site which uses the FullStory Services. The presence of this cookie is required to continue opting out, so if you clear your browser cookies, you will have to opt-out again. (We regret that there isn’t a better way to make the opt-out more permanent, but due to technical reasons, this really is the best we can do at present).
Depending on your settings or the privacy policies for social media and messaging services like LinkedIn, Instagram, Facebook, WhatsApp or Twitter, you might have given us permission to access information from those accounts or services. This information will be used to identify traits, trends in our data or on prospects based on interests or groups in addition to opportunities for Marketing to audiences that share similar profiles or are key influencers within these interests or groups.
This may include information found in places such as Companies House and information that has been published in articles/ newspapers and on social media. This information will be used to supplement information that Lightful currently holds or used to identify or target prospects/currently known individuals for marketing for our goods or services.
Business to Business
When Lightful contact you on the Business-to-Business front, your name might have been sourced from the Charity Commission Database or other available sources; we will ensure that things like the Corporate TPS Register are applied in addition to Internal suppressions and should you have been identified as not a partnership or sole-trader we will be contacting you under legitimate interests and give you the chance to opt-out from hearing from us again.
Lightful may use your information to notify you about important functionality changes/alterations and updates on Policies in place and anything else that can be classed as “administration” such as updates to this policy and the terms & conditions of the services we provide. The purposes for collation and processing personal information could be one or more of the following:
- Provision of the services, information or products requested; this may include sending you emails on how you can better use our services, these messages may also be displayed via an Instant message (IM) when you have logged into the “communities” or the “Platform” and may appear on the social media platforms you subscribe to. You can opt out (Unsubscribe) from E-Mail messages at the bottom of every Email; and for social media by emailing email@example.com or ringing us on 0203 7723 813.
- Administration of your “profile” and any payments made considering the above; including identification of you as a user within our system; responding to any comments or questions and for our support team to provide a service.
- Recording your interactions, sessions and relationship with us; including using this information to help with site improvements or co-ordinate bug fixing.
- Managing this relationship with marketing and communication preferences.
- Updating you on new products and services on offer which may be supplementary (Requiring an “opt-in”) for, non-service related updates, releases or system outages.
- Equal opportunities monitoring; this is primarily for staff and volunteers within Lightful.
- Non-automated profiling (which has human intervention)– consisting of the following:
- Segmenting – this is essentially using variables we hold in the database to classify you as a particular user or into a cohort of users.; this can be defined as “generic profiling”.
- Propensity modelling which essentially is using variables within held data to score you based on an outcome which will be to include you in particular mailings or offers.
- Wealth screening (analysing Individuals personal information to ascertain material wealth; this can either be done internally or using selected third parties); we may also append this information to your record on our databases.
- Social; accessing publicly available information from social network sites such as Facebook, Twitter, LinkedIn and others to ascertain engagement with specific causes/interests/groups etc.
- Appending/cleansing to the data Lightful currently holds on you – consisting of the following:
- New address details from available sources such as National Change of Address database (Royal Mail); where you have agreed, we may use this address.
- Consented telephone numbers from selected third parties; where you have agreed we may use this number.
- Gone away or deceased flags from selected third parties.
- Compliance or other legal requirements that have either come from an authoritative figure or legal representation. This may also include any reasonable steps to protect Lightful against any fraudulent, unauthorised or illegal activity.
We may also use the information submitted for performance monitoring and data analysis that will help us improve our sites and offerings. We may also request and use “user feedback” which will form from comments, queries or suggestions; this will be used to improve our products and services.
Lightful may contact you for marketing purposes which would include news, activities and developments or as specified from the initial request or subsequent data gathering forms or from the preferences as outlined in your profile. You can opt in or out of these by contacting Lightful support by emailing firstname.lastname@example.org or ringing us on 0203 7723 813.
Ultimately most of this information is used to help enhance our features and services. It is worth noting that the IP address data collected cannot be used to identify you personally on its own, would need to be combined with other information generated to construct a profile of you.
Lightful do not have any access to individual’s card details; the payment provider that we use to collect payment (Stripe) has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. They provide a secure payment gateway for us to process your payment for the product/services you are procuring. They also cover areas of fraud screening, IP address blocking and employ the internationally recognised 256-bit encryption. Payments are processed within the EU.
Our payment provider is regularly audited by the banks and banking authorities to ensure security within their systems. They also possess membership to the PCI Security Standard Council (PCI SSC) that define card industry global regulation. You can see that your data is secure through our payment provider when you see either a https:// in the URL and/or when the padlock is visible alongside the URL.
Minor requests for information might be dealt “Informally” not requiring the completion of a subject access request; this will be down to the Data Protection Officer’s (DPO) judgement. To surmise that you as the “natural person” have the following rights:
You have certain rights in relation to your personal data.
- The right to be informed – How data will be used through a fair processing notice/policies.
This basically means, we will be clear and transparent on what and how we will process data that you provide by ensuring we include this at every point of data collection.
- The right to rectification
You have the right to correct personal information If we possess inaccurate/out-dated data; this might encompass things such as a new postal or email address etc. Where possible we use publicly available sources to keep your records up to date; for example, the Post Office’s National Change of Address database and information provided to us by other organisations as described above.
- The right to erasure
You can request you are removed from all our systems and databases, which we will do our best to comply with and instruct you for reasons we have been unable to comply.
- The right to object/restrict data processing
You can request that we cease or do not begin to process your data.
- The right to object/restrict data processing for marketing purposes
You can request that we cease or do not begin to process your data for marketing purposes which would cover any ideal, aim or objective of Lightful in addition to us promoting our goods and services. We will only contact you for marketing purposes if you have opted in (consent) or we are relying on Legitimate Interests.
- The right to data portability
If you wish to access your data in an intelligible format we will provide it.
- The right to refuse automated profiling and decision making
If we are profiling your data that has all system driven logic and outcomes you can request that we cease or do not begin to do this.
- The right to access your information – (formally Subject Access Request).
If you would like to know how your data has been processed, then you can request a Subject Access Request. Lightful has one month (30 Calendar Days) to comply with the request for data upon proof of identification. All information provided by us will be supplied in an intelligible format, if you have a preferred format, please let us know and we will try to conform to that.
Through the forms and policies on our sites we hope that you understand when we request information, how we use the data and what actions you can take. Remember by enacting some of these rights you may inadvertently cause cancellation or restrictions on the services, products that you are subscribed to.
The ICO governs all aspects of data protection within the UK and should you have any concerns or wish to raise a complaint that Lightful is unable to resolve in the first instance; then please visit the following URL for more information. https://ico.org.uk/ they also have a plethora of information around your rights and Data Protection.
It is important in any circumstance before providing any information to any Third Party websites that you check their own privacy policies. Lightful does not accept any responsibility for the protection of your personal data supplied to these other sites or any “threats” that may arise from accessing them.
Lightful retains data for only as long as necessary and in line with the relevant data protection legislations or any legal requirement. We aim to keep data for no longer than 2 years and in line with our Data Retention policy.
Lightful strives to protect any information submitted to any of our sites; However, it would be impossible for us to guarantee that any information is completely safe due to the nature of the internet. Therefore, you acknowledge and accept this risk upon providing any personal data to Lightful.
Once the data provided has been transmitted to us successfully we will take reasonable steps to ensure that the data is secure and prevent any unauthorised access and loss of data as long as it is within our control. We can take no responsibility or be held liable for any damages arising that is beyond our control. We have an “always-on SSL policy” meaning that all data is encrypted in transit using SSL (HTTPS).
Data that we collect on you will be passed to an enforcement agency should we feel you are misusing our sites or services and we will provide this information to third parties if we have a legal obligation to do so.
Lightful strives to protect any information submitted to any of our sites; However, it would be impossible for us to guarantee that any information is completely safe due to the nature of the Internet. Therefore, you acknowledge and accept this risk upon providing any personal data to Lightful.
Lightful and its sites shall be governed by the law of the member state in which we are established, namely the United Kingdom, specifically England & Wales.
Our Data Protection Officer (DPO) is: Craig Humphries
If you have any queries on this policy, wish to contact the DPO or know further details on how Lightful uses personal data please contact us at: email@example.com
If you wish to opt-out of something specific; then either:
- Visit your communication preference centre (Upon logging in)
- Email us at firstname.lastname@example.org or ring us on 0203 7723 813.
Any general correspondence should go to:
Lightful Ltd, Second Home, 68-80 Hanbury Street, London, E1 5JL
Company Number: 09135963