Privacy Policy
At Foundation Scotland we’re committed to protecting any personal information you share with us, or that we receive from other organisations, and keeping it safe.
Please read the following notice to understand how Foundation Scotland will treat your personal information. We are subject to the legal jurisdiction of Scotland and any data protection legislation that applies in that jurisdiction. For the purpose of the Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2016(GDPR), the Data Controller is Foundation Scotland.
Who are we?
Foundation Scotland is an independent charity registered in Scotland with the Office of Scottish Charity Regulator [registration number SC022910] and a company limited by guarantee [company number SC152949]. We are a member of the UK Community Foundation (UKCF) network and are quality accredited by UKCF.
Why do we need your data?
We are Scotland’s community foundation. We strengthen local communities by providing a source of funding to community-led projects the length and breadth of Scotland; connecting people and organisations with good causes. To do this effectively, we work with a range of individuals, groups, and businesses. We use the knowledge we have about people – personal data - only to further the work of the Foundation now and in the future. We understand our responsibilities as stewards of this data and will protect your privacy. This notice describes how we do this.
Whose information do we collect?
We hold data on individuals who have given financial or other support to Foundation Scotland, those who might do, and those who apply to Foundation Scotland for funds, whether on behalf of an organisation or personally.
How do we collect information from you?
Most of the information we hold about you has been provided directly to us by you. Examples include when you enquire about our activities; make a donation; set up a fund; apply for funding; apply for a job or volunteer role, or attend events organised by us. We may also receive information about you from someone else. Examples include where existing supporters feel you may be interested in supporting our work and suggest your name to us or data collected via a service provider like Just Giving or Virgin Money Giving. In some cases, we may collect data from publically available sources. Examples include information gathered from news articles or online media, including social media. We may also use publicly available directories and similar information such as the Royal Mail’s National Change of Address database and Companies House.
What type of information is collected and why?
The data we collect depends on the nature of our relationship with you. At any time you can ask us to see what information we hold about you, ask us to correct or update information, or ask us to delete the information we hold.
For donors
We need to ensure your contact details are up to date. This will help us plan our development activities and ensure appropriate due diligence is carried out. To safeguard the assets and reputation of Foundation Scotland, we may keep the following information about you:
- Your name
- Contact details including your address, telephone number(s) and email address
- Information about how you like to be contacted
- Information about your interests
- Profiling information such as your age, gender identify, and ethnic group
- Information about the organisations you may have links to
- If you are a current UK tax-payer (for Gift Aid purposes)
This information will be stored in a way that enables us to keep track of your donations, process gift aid declarations, and monitor fund balances where applicable. It helps us to ensure any money you donate is spent in accordance with your wishes.
For grantees and their representatives
In order to solicit and process applications for funding from Foundation Scotland, we collect personal information from people representing the groups we support, who apply for funds or about individuals who apply for funds. This will include:-
- Your name
- Contact details including your address, telephone number(s) and email address
- Information about how you like to be contacted
- Information about your connection to the beneficiary or applicant organisation
- Profiling information such as your age, gender identify, and ethnic group
- Information about other organisations you may have links to
How long do you keep my data for?
We will keep data for as long as is needed to complete the task for which it was collected. Relationships between donors, fund recipients and Foundation Scotland are often long term. So we expect to keep your data for as long as the relationship exists, or until we no longer need it.
Is my data securely stored?
We primarily store personal data electronically. Any paper records we have will be scanned and stored electronically, and the paper copies destroyed wherever possible. Electronic records are all held in secure servers, with strong password protection. Necessary paper records are held securely in our office. In the case of archived information contained for legal compliance, in a secure area of our office buildings.
The primary electronic systems we use to process your personal information include:
- Our customer relationship management system (CRM), and related systems for sending communications such as DotDigital.
- Our financial system, currently Access Dimensions
- Emails, documents, and spreadsheets held on local devices or cloud-based servers
- Non-sensitive details, such as your email address, when transmitted over the internet, can’t be guaranteed to be 100% secure. Whilst we take all possible means to protect your personal information, we cannot guarantee the security of any information you transmit electronically to us, and you do so at your own risk.
- Where we have given you a password to access certain parts of our website, you are responsible for keeping this password confidential. Please don’t share this password with others.
Who has access to my data?
Foundation Scotland staff, the Board and Committee Members will be granted secure access to your personal information where it’s necessary for them to carry out their duties on behalf of the Foundation. All staff are given training in data protection and are required to comply with our internal data protection policy.
Will my personal data be shared with third parties?
We will only ever share your personal information with third parties where it helps us to carry out our business functions and charitable activities, or where we have a legal obligation to do so. We will never sell or trade your information with third parties.
Third parties we may share your data with include:
- Our software suppliers, for example in processing communications sent to you
- Our WebMasters, who collect, process and store data in the performance of their contract with us
- Our bankers (for payments to fund recipients who are individuals)
- UK Community Foundations, for grant monitoring purposes
- HMRC on Gift Aided donations since we have a legal obligation to provide this information
- We will share information on fund applicants with fund panel members and donors. We will, however, redact personal information to the greatest extent possible. We will also publish data on fund recipients for groups/organisations (amounts/name of group/purpose), but we anonymise details for any individual recipients.
- To enable donors to follow up on applications, applicant email addresses may be shared with them.
- We will use external assessors to assess some of the applications we receive. We will, however, redact personal information to the greatest extent possible
- We may pass data to other organisations, known as Data Processors, to provide specific services to us. An example would be providing data to a mailing house to send a newsletter. A contract is always in place with a Data Processor, and they are not allowed to do anything with your data other than that which we’ve requested.
- We may share basic information on the attendees at an event or meeting with the host or other person who is a supporter of Foundation Scotland
- When donating you are using our chosen secure online facility, your donation is processed by a third party who specialise in the secure online capture and processing credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
Some of our suppliers run their operations outside of the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us, you agree to this transfer, storing or processing at a location outside of the EEA.
Our responsibilities
The law requires us to tell you the basis on which we process your data. Some activities may require your consent. If the law requires your consent to process data in a certain way, then we will obtain it before carrying out that activity.
Other activities carried out to fulfil a contract or agreement. Examples include holding funds or organising an event. Each requires us to know who you are and to process your information in order to do what you’ve asked us to do. In these instances, we will process your data based on that contract.
If personal data is required to be collected and processed to comply with the law, then consent is not required. This is the case for some data related to taxation. In all other cases, the law allows us to process your data if it is in our legitimate interest to do so, but only so long as we need to and your “interests or your fundamental rights and freedoms are not overridden”. Practically speaking this means we carry out an exercise to check that we will not cause you harm by processing your data, that the processing is not overly intrusive and that we will only do so in a way described in this privacy notice.
We will keep data for as long as is needed to complete the task for which it was collected. Relationships between donors, fund recipients and Foundation Scotland are often long term, and so we expect to keep your data for as long as that relationship exists, or until we no longer need it.
Your Rights
The law requires us to tell you that you have a variety of rights about the way we process your data. These are as follows:
- Where our use of your data requires consent, you may withdraw this consent at any time.
- Where we rely on our legitimate interest to process data, you may ask us to stop doing so.
- You may request a copy of the data we hold about you.
- You may change or stop how we communicate with you or process data about you, and if it’s not required for the purpose you provided it, then we will do so. Activities like processing Gift Aid donations, or managing Fund Agreements, may mean we can’t entirely stop processing your data. However, we will always endeavour to comply with such a request.
If you are not satisfied with the way we have processed your data then you may complain to the Office of the Information Commissioner. https://ico.org.uk/
Communications
We may use the personal information we hold to communicate with our clients, donors and supporters. When we do so, we will be processing your data in line with one of the legal bases permitted by current data protection legislation. In most cases, this will be because we have a legitimate business interest in contacting you as a donor, supporter, or fund recipient (or a representative of a fund recipient). In each case, you have given us explicit consent to do so. You can withdraw consent at any time by following the unsubscribe link in our emails, or by contacting us directly.
Cookies
Cookies are small text files that are placed on your computer by websites that you visit. These files store information on how you behave when using the website and this information is shared with the website owners. When visiting our website, you will be asked to consent to us saving this information from your visit.
We only ever collect information that helps us to understand and improve the way it works. We use this understanding to help visitors get the most out of their visit to our site.
You can accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if the cookies are disabled. You’re also able to manage and delete cookies by visiting the setting within your chosen web browser.
How we use cookies?
Google Analytics – Google sets these cookies on our website. These cookies collect information about how visitors use our site. Google stores the information on servers in the United States. Google may transfer this information to third parties where required to do so by law, or where third parties process the information on Google’s behalf. Google state that they will not associate your IP address with any other data held by them.
YouTube - We sometimes embed videos from YouTube using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player. YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode.
Hotjar - Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback.
Cookie Name | Description | Retention Period |
AMP_TOKEN | Contains a token code that is used to read out a Client ID from the AMP Client ID Service. By matching this ID with that of Google Analytics, users can be matched when switching between AMP content and non-AMP content. | 1 year |
FPAU | Assigns a specific ID to the visitor. This allows the website to determine the number of specific user-visits for analysis and statistics. | session |
FPID | Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator. | 1 years |
FPLC | This FPLC cookie is the cross-domain linker cookie hashed from the FPID cookie. It’s not HttpOnly, which means it can be read with JavaScript. It has a relatively short lifetime, just 20 hours. | 20 hours |
__utma | ID used to identify users and sessions | 2 years |
__utmb | Used to distinguish new sessions and visits. This cookie is set when the GA.js javascript library is loaded and there is no existing __utmb cookie. The cookie is updated every time data is sent to the Google Analytics server. | 30 minutes |
__utmc | Used only with old Urchin versions of Google Analytics and not with GA.js. Was used to distinguish between new sessions and visits at the end of a session. | session |
__utmt | Used to monitor number of Google Analytics server requests | 10 minutes |
__utmv | Bevat custom informatie die door de webdeveloper is ingesteld via de _setCustomVar methode in Google Analytics. Deze cookie wordt iedere keer geupdate als er nieuwe gegevens naar de Google Analytics server worden gestuurd. | 2 years |
__utmx | Used to determine whether a user is included in an A / B or Multivariate test. | 18 months |
__utmxx | Used to determine when the A / B or Multivariate test in which the user participates ends | 18 months |
__utmz | Contains information about the traffic source or campaign that directed user to the website. The cookie is set when the GA.js javascript is loaded and updated when data is sent to the Google Anaytics server | 6 months |
_dc_gtm_ | Used to monitor number of Google Analytics server requests | 1 minute |
_ga | ID used to identify users | 1 years |
_ga_* | Used to identify and track an individual user session. | 2 years |
_gac_ | Contains information related to marketing campaigns of the user. These are shared with Google AdWords / Google Ads when the Google Ads and Google Analytics accounts are linked together. | 90 days |
_gat | Used to monitor number of Google Analytics server requests when using Google Tag Manager | 58 seconds |
_gat_* | Used to set and get tracking data | 1 hour |
_gid | ID used to identify users for 24 hours | 24 hours |
AnalyticsSyncHistory | Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries | 30 days |
UserMatchHistory | These cookies are set by LinkedIn for advertising purposes, including: tracking visitors so that more relevant ads can be presented, allowing users to use the 'Apply with LinkedIn' or the 'Sign-in with LinkedIn' functions, collecting information about how visitors use the site, etc. | 30 days |
_fbc | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers | 2 years |
_fbp | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers | 3 months |
_twitter_sess | This cookie is set due to X integration and sharing capabilities for the social media. | Session |
ads_prefs | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
aks | Determines the login state of a person visiting accountkit.com | 30 days |
aksb | Authenticates logins using Account Kit | 30 minutes |
auth_token | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
bcookie | Used by LinkedIn to track the use of embedded services. | 1 years |
bscookie | Used by LinkedIn to track the use of embedded services. | 1 years |
c_user | Used in conjunction with the xs cookie to authenticate your identity to Facebook. | 90 days |
campaign_click_url | Records the Facebook URL that an individual landed on after clicking on an ad promoting Facebook | 30 days |
csm | Insecure indicator | 90 days |
csrf_same_site | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
csrf_same_site_set | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
ct0 | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
datr | Used to prevent creation of fake / spammy accounts. Datr cookie is associated with a browser, not individual people. | 2 years |
dbln | Used to enable device-based logins | 2 years |
ddid | Used to open a specific location in an advertiser's app upon installation | 28 days |
dnt | These are third party X cookies. These cookies enable users, if they wish, to login to their X account share content from our websites with their friends. These cookies do not allow us access to your accounts or provide us with any confidential information relating to your accounts. These cookies also allow a news feed of tweets to appear on the website. | 2 years |
eu_cn | These are third party X cookies. These cookies enable users, if they wish, to login to their X account share content from our websites with their friends. These cookies do not allow us access to your accounts or provide us with any confidential information relating to your accounts. These cookies also allow a news feed of tweets to appear on the website. | 2 years |
external_referer | Our Website uses X buttons to allow our visitors to follow our promotional X feeds, and sometimes embed feeds on our Website. | 2 years |
fr | Contains a unique browser and user ID, used for targeted advertising. | 90 days |
gt | Twitter uses these cookies to support plugin integration with our website. If you use the Tweet plugin and log into your X account, X will set some of these cookies to remember that you are logged in. X will also use cookies for their own analytics purposes. | 1 year |
guest_id | This cookie is set by X to identify and track the website visitor. Registers if a users is signed in the X platform and collects information about ad preferences. | 1 years |
guest_id_ads | This cookie is for advertising when logged out | 1 years |
guest_id_marketing | This cookie is for advertising when logged out | 1 years |
ick | Stores an encryption key used to encrypt cookies | 2 years |
js_ver | Records the age of Facebook javascript files. | 7 days |
kdt | These are third party X cookies. These cookies enable users, if they wish, to login to their X account share content from our websites with their friends. These cookies do not allow us access to your accounts or provide us with any confidential information relating to your accounts. These cookies also allow a news feed of tweets to appear on the website. | 2 years |
lang | Used to remember a user's language setting | session |
li_gc | Used to store guest consent to the use of cookies for non-essential purposes | 2 years |
li_oatml | Collects information about how visitors use our site. | 30 days |
li_rm | Used as part of the LinkedIn Remember Me feature and is set when a user clicks Remember Me on the device to make it easier for him or her to sign in to that device | |
li_sugr | Used to make a probabilistic match of a user's identity outside the Designated Countries | 3 months |
liap | Cookie used for Sign-in with Linkedin and/or to allow for the Linkedin follow feature. | 90 days |
lidc | Used by the social networking service LinkedIn, for tracking the use of embedded services. | 1 days |
lissc | Pending | 1 year |
ln_or | Used to determine if Oribi analytics can be carried out on a specific domain | 1 day |
locale | This cookie contains the display locale of the last logged in user on this browser. This cookie appears to only be set after the user logs out. | 7 days |
lu | Used to record whether the person chose to remain logged in | 2 years |
m_user | Used to authenticate your identity on Facebook's mobile website. | 90 days |
muc_ads | These cookies are placed when you come to our website via X. A cookie from X is also placed on our website, with which we can later show a relevant offer on X | 1 years |
oo | 5 years | |
personalization_id | Unique value with which users can be identified by X. Collected information is used to be personalize X services, including X trends, stories, ads and suggestions. | 1 years |
pl | Used to record that a device or browser logged in via Facebook platform. | 90 days |
presence | The presence cookie is used to contain the user’s chat state. | Session |
rc | Used to optimize site performance for advertisers | 7 days |
remember_checked_on | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. These cookies do not provide us with any confidential information relating to your account. | 2 years |
rweb_optin | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. These cookies do not provide us with any confidential information relating to your account. | 2 years |
s | Facebook browser identification, authentication, marketing, and other Facebook-specific function cookies. | 90 days |
sb | Facebook browser identification, authentication, marketing, and other Facebook-specific function cookies. | 2 years |
sfau | Optimizes recovery flow after failed login attempts | 1 day |
spectroscopyId | These cookies are set by LinkedIn for advertising purposes, including: tracking visitors so that more relevant ads can be presented, allowing users to use the 'Apply with LinkedIn' or the 'Sign-in with LinkedIn' functions, collecting information about how visitors use the site, etc. | session |
syndication_guest_id | Used to collect information about users browsing behaviour for marketing purposes including digital display and social media advertising. | 2 years |
tfw_exp | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
trkCode | This cookie is used by LinkedIn to support the functionality of adding a panel invite labeled 'Follow Us' | 1 year |
trkInfo | This cookie is used by LinkedIn to support the functionality of adding a panel invite labeled 'Follow Us' | 1 year |
twid | These cookies enable us to track visitor activity from our X ads on our website, and also to allow users to share content from our websites. They cookies do not provide us with any confidential information relating to your account. | 2 years |
usida | Collects a combination of the user’s browser and unique identifier, used to tailor advertising to users. | Session |
wd | This cookie stores the browser window dimensions and is used by Facebook to optimise the rendering of the page. | Session |
xs | Used in conjunction with the c_user cookie to authenticate your identity to Facebook. | 90 days |
If you have any questions about this privacy policy, about how we process your data, or if you wish to change the way we use your data, including how we communicate with you, then please contact us.
Contact information
Chief Finance and Operations Officer