What this privacy policy covers
The Heart Research Institute UK (“HRI”) is committed to respecting and protecting your personal data and being transparent about what information we hold, whether you are a supporter, subscriber, or campaigner.
We have made improvements to this policy so that transparency is at the core of what we do.
The purpose of this policy is to give you a clear explanation about how the HRI collects and uses the personal data you provide to us and that we collect, whether online, via phone, email, in letters or in any other correspondence or from third parties.
We ensure that we use your information in accordance with all applicable laws concerning the protection of personal data. This policy explains:
- What information the HRI may collect about you;
- How we will use that information;
- Whether we disclose your details to anyone else;
- Your choices regarding the information you provide to us; and
- How we use cookies to provide services to you or to improve your use of our websites.
If you have any queries about this privacy and cookies policy please contact the Data Protection team at the HRI through our Contact form.
Under the data protection rules, the data controller is The Heart Research Institute (UK).
The collection of information
We collect information in the following ways:
- Information you give us. For example, when you engage with our social media or message boards, make a donation to us, register for an event or scholarship or otherwise provide us with personal data. When you register, we’ll ask for personal data, like your name, email address and telephone number to store with your account.
- Information we get from your use of our website and services, such as session statistics, approximate geolocation, browser and device information. We collect information about the services you use and how you use them, such as when you visit our websites or view and interact with our ads and content.
- Information from third parties. We may also receive information about you from third parties. This can include information such as your name, postal address, email address, phone number, your geographic location (for mobile devices), credit/debit card details and whether you are a taxpayer so that we can claim Gift Aid. We, like all profit and not for profit organisations, are able to confirm what browser you are using, IP address and computer operating systems that are being used and this information may be used to improve the services we offer.
Data Protection law recognises that certain categories of personal data are more sensitive. This is known as sensitive personal data and covers health information, race, religious beliefs and political opinions. We do not collect ‘sensitive personal data’ about our supporters, unless a supporter makes the information public or if you tell us about your experiences relating to heart disease (for example, if you act as a case study for us). In such a case we will always make it clear to you, when we collect this information from you, what sensitive personal data we are collecting and why and enter into a separate confidentiality agreement with you which provides more stringent parameters as to the use of supporter or patient information.
HRI website usage
If you register on our website then the following applies:
- HRI will collect your personal data when you register with us.
- Your sign-up collects information such as your name, email address and postcode.
- As part of the registration process and continued use of HRI services, you agree that any registration information you give to HRI will always be accurate, correct and up to date. Please get in touch should you need to amend any of your personal data.
- We collect and retain information about your interactions with us so that we can process your interactions and deal with future queries in a professional manner.
- We use cookies (subject to our cookies policy) to allow us to store limited information on an individual’s computer to either track them through tracking cookies or to allow people to have automatic logins as an example. We use this information to provide you with a good experience when browsing our website and to improve the functionality of our site.
Google Analytics
HRI uses Google Analytics 4 (“GA4”) to measure traffic and engagement across HRI’s website. We receive general analytics such as session statistics, approximate geolocation, browser and device information. General analytics obtained through GA4 are aggregated, anonymised statistics which do not include personal data or IP addresses. The information about your use of our website generated by GA4 may be transmitted to a Google server in the USA and stored there.
HRI may also share general analytics data with other Google Products, such as Google Signals or Google Ads to improve our website and our products and services, and to deliver personalised ads to you. By sharing and combining general analytics data with other data Google holds about you, such as your search history or your usage data from other devices, general analytics data may become personal data relevant to you.
By accepting GA4 cookies on HRI’s website you give your express consent to the collection and disclosure of general analytics data about you. You may also decline all cookies and other tracking technologies used to collect technical information and general analytics on you when browsing our website. If you do so, you can still access our website, but it may impact your user experience.
Your debit and credit card information
If you use your credit or debit card to donate to us, buy something or pay for a registration online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. You can find out more information about PCI DSS here.
We do not store your credit or debit card details at all, following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your encrypted card details.
If we receive an email containing any credit or debit card details, it will be immediately permanently deleted, no payment will be taken and you will be notified about this. All purchases or donations should be completed through our secure online Give page.
Legal basis and legitimate interests
Data protection laws mean that each use we make of personal data must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (“GDPR”) (EU Regulation 2016/679) and in current UK data protection legislation.
These are:
Specific consent
Consent is where we have asked you if we can use your information in a certain way, and you agree to this (for example, when we send you marketing material via post, phone, text or email). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time and we will always give you this option.
Legal obligation
We have a basis to use your personal data where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators or courts such as the Charity Commission, Fundraising Regulator, Information Commissioner or Gambling Commission, or to use information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / Taking steps at your request to prepare for entry into a contract
We have a basis to use your personal data where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are applying to work/volunteer with us or being funded to undertake research.
Vital interests
We have a basis to use your personal data where it is necessary for us to protect life or health (for instance, if there were to be an emergency impacting individuals such as a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services).
Legitimate interests
We have a basis to use your personal data if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities HRI carries out with personal data.
We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way and make sure we only use personal data in a way or for a purpose that you would reasonably expect in accordance with this Policy, and that does not intrude on your privacy or previously expressed marketing preferences.
We operate on the basis that if you are a committed supporter of ours (meaning that you have supported our work within the last 2 years), you would reasonably expect to hear from us with updates in relation to the work that we do. For electronic communications, we require your consent to send you this material, but in relation to postal and telephone communications, we are using your personal data on the basis that it is a legitimate interest of yours to hear about the work, and a legitimate interest of ours to send it. As set out below, you have the right to ask us not to send you this information at any point.
Processing | Legal basis |
---|---|
Provision of information requested by you | Consent |
Processing of donations, lottery and raffle tickets | Consent |
Maintaining an accurate supporter database | Legitimate interests |
Keeping supporters informed of our work | Consent/legitimate interests |
Direct marketing | Consent/legitimate interests |
HRI uses commercially contracted third party fundraising service providers who provide a service to us and are data processors. We require these third parties to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We regularly monitor their activities to ensure they are complying with HRI policies and procedures.
Rest assured, we will never share, sell, rent or swap your details with any third parties for the purposes of their own marketing or the monetising of your data other than where you have consented or where we are authorised by law to do so.
Marketing and social media
As an HRI supporter we want to ensure you receive the level of information about the HRI that is right for you and never want to annoy any current or potential supporter with our marketing material as this would be counterproductive.
Email/text marketing
If you actively provide your consent to us along with your email address and/or mobile phone number, we may contact you for marketing purposes by email or text message. By subscribing to HRI emails or opting in to email communication from HRI, you grant us the right to use the email for both email marketing purposes and advertisement targeting.
Post/telephone marketing
If you have provided us with your postal address or telephone number we may send you direct mail or telephone you about our work unless you have told us that you would prefer not to receive such information. We also actively check telephone numbers against the Telephone Preference Service and will only make telephone calls to you where your telephone number is listed on the TPS if you have specifically told us that you do not object to such calls and have consented to receive them.
Your choice
It is always your choice as to whether you want to receive information about our work, how we raise funds and the ways you can get involved. If you do not want us to use your personal data in these ways please indicate your preferences on the form on which we collect your data.
You may opt out of our marketing communications at any time by clicking the "unsubscribe" link at the end of our marketing emails or sending us an "opt-out" text message, following the instructions we provide you in our initial text.
You can also change any of your contact preferences at any time (including telling us that you don’t want us to contact you for marketing purposes by telephone, or by post) by contacting our Customer Support Centre using our Contact form.
We will not use your personal data for marketing purposes if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you.
Your data rights
Under data protection laws, you have rights over personal data that we hold about you. We’ve summarised these below:
Right to access your personal data
You have a right to request access to the personal data that we hold about you. You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.
If you want to access your information, send a description of the information you want to see via our Contact form.
Right to have your inaccurate personal data corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please provide us with details and we will investigate and, where applicable, correct any inaccuracies.
Right to restrict use of your personal data
You have a right to ask us to restrict the processing of some or all of your personal data in the following situations: if some information we hold on you isn’t right; we’re not lawfully allowed to use it; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.
Right to erasure of your personal data
You may ask us to delete some or all of your personal data and in certain cases, and subject to certain exceptions, you have the right for this to be done.
Right for your personal data to be portable
If we are processing your personal data (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object to the use of your personal data
If we are processing your personal data based on our legitimate interests or for scientific/historical research or statistics, you have a right to object to our use of your information.
If we are processing your personal data for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.
Please contact the Fundraising Department through our Contact form. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you. We will respond within 30 days of receipt of your written access request and confirmation of your ID.
Data retention
We have implemented a data retention policy that sets out the different periods we retain personal data for in respect of these relevant purposes. The criteria we use for determining these retention periods are based on various legal requirements; the purpose for which we hold data and whether there is a legitimate reason for continuing to store it (such as in order to deal with any future legal disputes); and guidance issued by relevant regulatory authorities including, but not limited to, the Information Commissioner's Office.
Personal data that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. Some personal data may be retained by us in archives for statistical or historical research purposes although we will do this in a manner that complies with applicable data protection laws.
We continually review the personal data and records that we hold and delete what is no longer required. We never store payment card data after the transaction has been completed. A copy of our records retention policy can be made available on request.
Storage and transfer of personal data
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). This includes countries that the European Union authorities do not consider to provide an adequate level of protection for personal data. However, we have put in place suitable safeguards to protect your personal data when processed by the supplier such as entering into the European Commission approved standard contractual clauses. It may also be processed by staff operating outside the EEA who work for us or for one of our contracted suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.
Payment transactions are processed in the UK, using our PCI compliant service provider, and where required to be stored, are stored in the UK and Australia on secure servers.
We keep your personal data only for as long as required to operate the service in accordance with legal requirements and tax and accounting rules. Where your information is no longer required, we will ensure it is disposed of in a secure manner.
Complaints handling
Questions, comments and requests regarding this privacy policy are welcomed and should be sent through our Contact form. Please also use this form if you would like to make a complaint. We will address all complaints in accordance with our Complaints Handling Policy.
Under 18s
We are committed to protecting the privacy of young people. Our fundraising activities request specific information about the age of participants. If you are under 18 and would like to get involved, please ensure that you have consent from a parent or guardian before giving us your personal data. When we collect information about a child or young person aged under 18 we will make it very clear as to the reasons for collecting this information and how it will be used. Specific Lottery and Raffle conditions apply, so please refer to the Lottery and Raffle Fundraising Policy referenced below and how that applies to young persons.
Lottery and Raffle Fundraising Policy
The Heart Research Institute Ltd uses the professional services of external suppliers to provide art unions and games of chance to support our functions and aims. Specific terms and conditions of these activities can be found on our Lottery and Raffles Terms and Conditions page.
Changes to this Privacy Policy
This Privacy Policy is effective from the date specified below and we may update the terms of this policy at any time, so please do check it from time to time. We will notify you about significant changes in the way we treat personal data by sending a notice to the primary email address you have provided to us or by placing a prominent notice on our website(s). By continuing to access or use our website, subscribing or supporting HRI after those changes become effective, you agree to be bound by the revised Privacy Policy.
Last updated
15 August 2023.