Privacy statement

1. About this statement

At Porchlight we help people who have nowhere to go and no-one to turn to; some are homeless, others are struggling to cope with the pressures in their lives and need our support to keep on track. We help people with housing, mental health, education and employment, and their physical health and wellbeing. We make a positive impact on adults, children, families and communities as a whole.

Porchlight is a limited company registered in England and Wales, our registered company number is 1157482 and our registered charity number is 267116.

We need to process data about the people to whom we provide support, and those who support us through campaigns, donations or volunteering. Porchlight are committed to protecting the privacy of our stakeholders and take care to safeguard it. This privacy statement outlines what data is collected and how it will be used.

This privacy statement is as comprehensive as possible however it is not an exhaustive list of every aspect of data collection and processing. We would be happy to provide further information or explanation about our services, if you have any questions please do get in touch with us, details are in the About Us section at the end.

2. Why we collect your data & how we collect it

We will collect the personal data or sensitive personal data needed in order to communicate with you and to provide and administer services to you. The type and amount of data collected will depend on the nature of your interaction with Porchlight.

We collect information about you that you give us directly by calling our offices or helpline, filling in forms on our website, attending drop in sessions or events, by completing surveys or forms, or by corresponding with us on social media, by phone, email or otherwise.

We receive information from your use of our website as it collects technical information such as the IP address. Our website uses cookies to distinguish you from other users of our website, this helps us to provide you with a good experience and helps us to improve our website, these may be stored in your web browser or on your device.

We may also receive information about you from third parties; this may be another support agency which is referring a client to us, from sponsorship forms or fundraising websites, or from other publicly available sources.

3. What data we collect

The data we collect will vary based on the nature of your relationship and interaction with Porchlight.

a) Clients

We may collect any, but not necessarily all, of the following personal data such as:

• Your full name

• Contact details including postal address and address history, mobile and telephone numbers, and email addresses

• Gender

• Date of birth

• National insurance number

• NHS number

• Disabilities, allergies and medication

• Drug or alcohol use

• Relationship status

• If you are a care leaver or a looked after child

• Your economic status including benefits information

• Your work and education history, including if you were a member of the armed forces

• Correspondence or contact you have with us

• Your engagement with services

• Next of kin or emergency contact information

• Details of other agencies or providers you are working with

We may also collect sensitive personal data such as details about your physical or mental health, religion, sexual orientation, ethnicity, race, political and philosophical beliefs, and criminal records.

You have the option to give us a password (e.g. mothers maiden name, place of birth, or memorable word) to add to your file which we will use as a security question if you call us regarding your data.

Calls to our helpline may be recorded and this is for training purposes, to provide quality assurance, to help with complaint investigations, and to enable us to improve the service that we offer, you will be informed that your call will be recorded prior to any data collection.

b) Donors and Supporters

We may collect any, but not necessarily all, of the following information depending on the nature of your support and communication preferences:

• Your full name, titles and honours

• Contact details including postal address, mobile and telephone numbers, and email addresses

• Date of birth

• Occupation, community role or place of work

• And any other biographical information you choose to share with us including relational links

• Gift Aid declarations

We do not see or store card payment details for any donations made online through our website. Where a donation is made over the phone or via post, we will input the details securely on your behalf.

We strongly advise against sending payment details by email. If we receive an email containing any payment information this will be immediately processed and the email deleted. Paper donation forms are always destroyed once we have processed and donation details are recorded on our database.

If you choose to include Gift Aid with a donation, we are obliged to ask for your UK taxpayer status and full name, postal address including postcode. Your Gift Aid declaration and donation details must be held on our secure third party database for a minimum of 6 years as per Government guidelines and for financial auditing purposes.

Supporter Engagement:

We keep records of your correspondence and engagement with us which may include details about invitations to events, attending events or participation in fundraising events.

If you attend an event we are organising, we may ask you to provide information such as dietary and accessibility information.

Vulnerable donors and supporters:

We are committed to protecting vulnerable donors and supporters. Rarely we may also collect sensitive personal data on an individual where we believe a person to be vulnerable in order to comply with requirements under charity law and best practice as directed by the Fundraising Regulator. We will ensure that we do not send direct marketing and fundraising communications to these individuals.

Further information can be found in our Supporter Care Charter, Treating Donors Fairly procedure, and Ethical Fundraising procedure: https://www.porchlight.org.uk/data

4. How we use your data

a) Clients

If you are receiving advice, support, or a service from us we will need to process your data in order to fulfil our obligations to you in providing this service. The information you give us lets us know what support you need, and we keep a record of what support you have been given and how this has helped. We will offer you suitable job, education or training opportunities based on your needs, or may be able to refer you to other services provided by Porchlight or our delivery network which would be of benefit to you.

We will invite you to participate in activities such as client involvement forums and feedback groups, and will ask for your feedback when you exit our services.

We will use data for statistical reporting in order to assess the quality of our services, to identify trends which help us improve existing services and develop new services, and to ensure we are meeting our contractual requirements. Statistical reports will not include any personal information which could be used to identify individuals.

We quality audit a set percentage of all our client files to ensure that our services are of a high standard and data collected is appropriate and proportionate, files will be audited by Porchlight staff and occasionally external auditors where the service is funded by another organisation (for example a local authority) or where Porchlight is seeking external accreditation for services. All auditors are bound by confidentiality and files will be anonymised if appropriate.

b) Donors and supporters

Processing and recording donations and Gift Aid:

The processing of one-off donations made on our website with debit and credit card payments is managed externally by Stripe using a secure payment transaction website. Stripe encrypts personal and credit card information during all transactions to protect your credit card information, when used according to manufacturer’s instructions. For more information about Stripe visit www.stripe.com

The processing of one-off donations made on post or telephone with debit and credit card payments is managed externally by Blackbaud using a secure payment transaction website. Blackbaud encrypts personal and credit card information during all transactions to protect your credit card information, when used according to manufacturer’s instructions. For more information about Blackbaud visit www.blackbaud.com

The processing of regular donations made on our website, via telephone or post with debit and credit cards or vouchers is managed externally by CAF on a secure payment transaction website https://www.cafonline.org

When you make a donation we will use your payment and contact details, donation amount, date and time of payment to process that payment and take any follow-up administration actions such as sending a thank you letter, telephone call or email unless you ask us not to acknowledge the donation.

We will keep a record of all your donations, giving history and gift aid details on our secure supporter database, Blackbaud Raiser’s Edge.

Staying in touch:

As a charity providing vital services to the most vulnerable, we cannot survive without the trust, confidence, support and generosity of the general public, major philanthropists, the business community, and grant-making trusts and foundations. In our endeavours to seek your support and funding for our work we need to keep you up to date with our fundraising, marketing and campaigning news, activities and updates on our support services.

We may use a range of activities and channels to contact current donors as well as to attract the support of prospective new donors – including our website, digital platforms, emails, fundraising challenges, fundraising events and receptions, direct mail appeals, meetings, and phone conversations.

We will obtain your consent to contact you by email and text message for marketing purposes. We will also obtain consent from all new supporters (who sign up after 25 May 2018) to make marketing calls.

We will send you marketing by post, on the basis of it being within our legitimate interests to do so, unless you opt out. We will also contact existing supporters by phone on this basis (unless they are registered with the Telephone Preference Service or have opted out of receiving marketing communications from Porchlight).

We balance our legitimate interests against your rights as an individual and make sure we only use personal information in a way or for a purpose that you would reasonably expect in accordance with this Policy and that does not intrude on your privacy or previously expressed marketing preferences.

Telephone Preference Service and Fundraising Preference Service:

We will contact you:

- with news and updates about our work including our newsletter Porchlight Post

- about fundraising appeals and activities including requests for donations, information about gift aid, information on how you can leave us a gift in your will, how you can raise money on our behalf, attend or take part in fundraising events and challenges, and how your donations and fundraising support have a positive impact on our work and Clients

- with details and invitations about our special supporter events including talks, workshops, seminars, conferences, receptions and functions

We will not hire companies or individuals to:

- knock on people’s doors to ask for donations of any kind be it cash, card payments or gifts in kind

- approach people in the street asking for bank details

- ‘cold-call’ people to ask for donations over the phone

Donors and supporters can update their contact preferences at any time by emailing datapreferences@porchlight.org.uk

5. The legal basis for processing your data

We will ensure that where we collect and process your data we will do so in accordance with the lawful bases defined by data protection laws, depending on the purposes for which we use your data, one or more of the lawful bases below may be relevant:

• Consent where we have obtained your consent to use your information for specific purposes

• Contract where we have entered into a contractual agreement with you

• Legal obligation where there is a requirement for us to record information such as Gift Aid declarations, or accounting and tax purposes

• Legitimate interests such as:

 Administration and Operational functions – including responding to enquiries, providing information and support services, research, analysis and evaluation, the administration of employment, volunteering, and recruitment.

 Governance – including the delivery of our charitable purposes, statutory and financial reporting, and other regulatory compliance purposes.

 Fundraising and Campaigning – including administering donations and campaigns, sending direct marketing by post, sending thank you letters or acknowledgements, research, analysis and evaluation, and maintaining communication suppression lists.

 Delivering services – ensuring safe and effective services are provided which protect both our staff and our Clients

Where legitimate interests has been identified as the lawful basis for processing data we will ensure that its use is fair and not intrusive and is only used in a way or for a purpose that you would reasonably expect.

If you do not wish to share your data with us we will be limited in the support or service that we can offer to you and may not be able to provide such services.

We are committed to protecting the privacy of the young people that we work with who are receiving support from our services, where we collect data from those aged under 13 we will always ask for parental or guardian consent.

Where we are working with young people from schools or youth groups in fundraising activities we will ensure that the appropriate controls are in place to protect their data and will only record generic information such as the number of young people taking part or the school/group they are part of.

6. Research and analysis

Supporter research and analysis:

We take seriously our duty to ensure that charitable donations are spent wisely, and that means doing some research and analysis to inform our decisions, set strategic objectives, develop fundraising and marketing strategies, forecast income and set budgets.

We carry out the following:

Analysing how emails are opened and read in order to ensure we are sending information that is relevant and of interest.

Segmentation – analysing information such as postcodes of supporters. This helps us to tailor appropriate communications to our donors and supporters as well as improve the care we provide you enhancing your engagement and experience as a Porchlight supporter.

Finding other people like you who might like to hear from us – we may use the email address you give us to help find more people like you, so that we can grow our supporter base through our online channels. We use third party services to do this including Google and social media accounts.

Analysing our supporter base to identify, communicate and engage with philanthropists and people who might choose to give a significant gift - we may undertake in-house desk research and engage specialist research companies to help us identify and engage with people who may wish to have a closer and more informed relationship with the charity and join our major donor funding programme by making a significant gift.

We will use information provided by you and that which is publicly available from sources such as Companies House, company websites, grant-making trusts and foundations websites, cultural and heritage websites, regional and local organisations websites like Kent Ambassadors, political and property registers, social network sites such as Linked In, and media archives. We may gather information on board memberships, governorships, trusteeships, directorships, patronages, typical earnings in a given industry or sector, hobbies, honours and publicly available news on philanthropic giving in articles published in print or online.

This information is vital to help us tailor our communication with you and to ensure it is relevant and timely. It helps us to understand you better so that we can make appropriate requests for significant financial support and send relevant invitations to join meetings, development groups and attend events which may be of interest. It provides a tailored, bespoke, positive experience for prospective philanthropists and high-net-worth supporters. We may also carry out research in this way to identify individuals not on our supporter database who may have an affinity to our cause but with whom we are not already in touch.

Under data protection legislation, you have the right to object your data being processed in this way. If you wish to opt out of being identified as a high net worth individual, please contact our Director of Fundraising & Communications at datapreferences@porchlight.org.uk

We are also legally required to carry out checks on individuals who donate large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud.

7. Applying to work or volunteer with us

If you apply to work or volunteer with us your personal data will be collected to administer your application, and for equality and diversity monitoring. Personal data on all applicants is held for 12 months, unsuccessful applicant data is disposed of securely after 12 months while successful applicant data will be retained in personnel files.

We will need to share the data of successful applicants who are being offered a role in order to contact referees or to carry out a DBS check (role dependent); our application form requests your consent in order to allow us to do this.

If you sign up for our Job Alerts emails your name email address will be used to send you personalised email alerts with details of current vacancies at Porchlight. We will continue to send you job alert emails and retain your data indefinitely until you unsubscribe or request that we remove your details.

8. Website & Social Media

We use cookies on our website, a cookie is a small data file that is downloaded from a website onto your computer hard drive. A cookie allows us to recognise that you have used the site before, but will not contain any other personal data. Cookies help us to understand how we can improve our services to our clients and supporters. Cookies do not allow us to identify users personally. Find out more about how we use cookies.

We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies in the that event you post or send any content that we believe to be inappropriate, offensive, or in breach of data protection laws.

9. Professional contacts

We will collect data on professional contacts and partners with whom we work or to whom we provide professional services (e.g. training). We may send our professional partners information and updates about our work and such contacts may opt out of receiving this information at any time.

Business to business fundraising contacts:

We maintain a record of information and communications related to businesses and their directors, grant-making trusts and foundations and their Trustees, statutory funding bodies, MPs, local Councillors and other holders of public office in order to undertake fundraising and campaigning activities in furtherance of our charitable aims. This will include a ‘point of contact’ name, a record of contact details such as postal and email addresses, phone numbers and publicly available information which will enable us to develop and manage positive ‘business to business’ working relationships with these individuals and individuals working for these organisations.

10. Retention of your data

We have an internal procedure which sets out the specified time for which we keep data, we refer to the data retention procedures of local authorities and national bodies in determining how long we will keep data and consider any legal requirements, legitimate interests, and guidance issued by regulatory bodies such as the Information Commissioners Office. Once the retention period has expired, we will securely dispose of data either by confidential waste disposal, anonymisation, or permanent deletion.

a) Clients

We generally keep records of people we have worked with for up to 7 years after their last engagement with us. There are exceptions for those who are care leavers or have been a looked after child where the law specifies that we must hold these records until the person’s 75th birthday, or where there are contractual requirements in place from funders who may require that we retain some data for longer periods.

b) Donors and supporters

We will store data relating to donors and supporters who have given a donation or engaged with the charity in the last seven years.

If you request to receive no further contact from us, we will keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future. If your data includes your giving history and financial details, we will anonymise the data if it needs to be used for monitoring or forecasting reports.

If you have gift aided your donations, under current HMRC rules we are obliged by law to retain your gift aid declarations and details of any donations for six years after the date of your last donation.

11. Security of your data

We have appropriate operational and technical measures in place to protect your personal data and ensure its confidentiality, integrity, and availability. All information provided to the charity is stored securely and accessible only to those who are authorised to have access to it. We will take all reasonable steps and measures to ensure that the information you give us is protected against loss, misuse, unauthorised access or disclosure.

In the unlikely event that a data breach should occur, the charity has a data breach procedure in place which details our responsibilities to swiftly mitigate and rectify any breach, and to report to the ICO and data subjects as required.

Porchlight is certified with ISO 27001:2013 Information Security Management which is the international standard that describes best practice for an ISMS (information security management system). We have been certified by external, independent and expert auditors as following best practice with regards to information security management.

Salesforce - we keep all our client and volunteers’ data in a secure Salesforce database, this is protected so that only authorised staff have access to view the records. Our Salesforce database can carry out “automated decision making”, an example of this is where we would enter a person’s address and it will automatically tell us the nearest support service to them. The automated decision making is based on information which is manually entered by staff, and this can be overridden at any time.

Blackbaud Raiser’s Edge – we keep all our supporter data in a secure Blackbaud database, this is protected so that only authorised staff have access to view the records. Blackbaud Raiser’s Edge does not carry out any automated decision making.

Cascade – we keep all our staff data in a secure IRIS database, this is protected so that only authorised staff have access to view relevant records. Cascade does not carry out any automated decision making.

We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies in the that event you post or send any content that we believe to be inappropriate, offensive, or in breach of data protection laws.

12. Disclosure of your data

We will never sell, share or swap your details with any third parties for the purposes of their own marketing or the monetisation of your data.

Your data will only be shared with third parties where:

• It is to a secure data processor carrying out processing activities on our behalf

• We are required to do so by law, for example to regulatory bodies or law enforcement, or to enforce or apply our rights to protect the charity, for example in cases of suspected fraud or defamation

• It is necessary to protect the vital interests of an individual, for example where we believe you or another person might be in danger

• We have obtained your explicit consent to share it

We are required to share some information with our funders and commissioners for monitoring and quality assurance, and we also use anonymised data for internal equality and monitoring.

13. Use of data processors

We may use third party suppliers to manage mailing for fundraising appeals, campaigning, to conduct research or surveys, or for secure storage of personal information on our behalf where appropriate technical and security measures are in place.

We enter into contracts with all our data processors, and we require these third parties to comply strictly with data protection laws and will ensure appropriate controls are in place.

Our main processing systems are Microsoft Office 365, Microsoft Azure, Salesforce, Blackbaud and Cascade, these are cloud services hosted within the EEA. Should you wish to know the current list of third-party data processors we work with please contact datapreferences@porchlight.org.uk

14. Transfer of data outside the European Economic Area

In the unlikely event we were required to transfer data outside the EEA this would be done so in a secure manner and only where there is an adequate level of protection for the rights of data subjects in the receiving country, for example the EU-US Privacy Shield.

15. Your rights & complaints

Porchlight’s Data Subject Rights procedure gives you the full rights and protections under GDPR to access, rectify, erase, restrict, port, object, or complain regarding your data. The procedure and details on how to exercise your rights can be found here: https://www.porchlight.org.uk/data

To stop job alert emails, you can use the unsubscribe link included in every email or contact recruitment@porchlight.org.uk to request that your email address be removed.

To stop fundraising-related communications emails please send your request to datapreferences@porchlight.org.uk

If you would like to opt out of Google Analytics monitoring, please use this link: https://tools.google.com/dlpage/gaoptout/

16. About us

Our registered address is: Porchlight, 2nd Floor Watling Chambers, 18-19 Watling St, Canterbury, CT1 2UA. You can contact us on 01227 760078 or by email to headoffice@porchlight.org.uk

Porchlight is registered with the Information Commissioners Office and can be found on the ICO’s register of data controllers under the registration number Z7763784.

This statement was last updated May 2023, if any significant changes are made to the way in which we use your data we will update this privacy statement and make you aware in our next communication with you.