Privacy Policy

6 May 2020

This Privacy Policy sets out how Lumos uses and protects the personal data you share with us. We are totally committed to protecting your information and using it responsibly. We want to make sure that we are clear about how we will use your data and assure you that we will take appropriate measures to protect the personal data that we collect.

Please read our Privacy Policy carefully, along with our website's terms and conditions.

The Privacy Policy will cover:

1. Who we are and what we do

2. Why we collect and use your information

3. How and when we collect information

4. What information we collect

5. How we use the information we collect and our legal basis for processing your information

6. How we keep your information safe

7. Transferring your information outside the EEA

8. How long we keep your information

9. The website and use of cookies

10. Your rights and complaints

11. Changes to this policy

1. Who we are and what we do

Lumos is an international organisation founded by J.K. Rowling to help children worldwide out of harmful institutions and into loving family care by 2050. We tackle the root causes of family separation – poverty, trafficking and discrimination. Lumos speaks up on behalf of the millions of children trapped in orphanages and other institutions worldwide to transform their care, so every child can thrive in families and communities.

The processing of your data is carried out by or on behalf of the Lumos family of affiliated legal entities which includes Lumos Foundation (UK), Lumos Foundation USA Inc, Friends of Lumos USA Ltd and Lumos Foundation Operations Limited (collectively Lumos ‘we’, ‘us’ or ‘our’).

Lumos Foundation (UK) is a registered charity in England and Wales (1112575) and a registered company in England and Wales (5611912). Lumos Foundation Operations Limited is a subsidiary of Lumos Foundation and is a registered company in England and Wales (12369753).

Lumos Foundation USA Inc. is recognised by the US Internal Revenue Service as a 501(c)(3) tax exempt organisation based in the USA and is a separate non-profit organisation.

Friends of Lumos USA Ltd. is a subsidiary of Lumos Foundation USA Inc. and a registered charity in England and Wales (1170023) and a registered company in England and Wales (9502092).

If you have any questions about this Privacy Policy and how we use your information, please contact Lumos Global Data Protection Officer:

Email: privacy@wearelumos.org

Telephone: UK: +44 2072536464; USA: +1 (212) 343 – 4884

Post: Global Data Protection Officer, Lumos Foundation, Peninsular House, 30-36 Monument Street, London, EC3R 8NB

Please note that we operate a separate privacy statement for our recruitment activities which can be accessed here: https://www.wearelumos.org/careers-privacy-policy/

2. Why we collect and use your information

We will only use your information where we have a legal basis to do so and will always respect your rights.

We use your information to support the work that we do to achieve our mission, to ensure we effectively communicate our work, campaigns and achievements and to maximise our fundraising activities. Your rights are important to us and we are committed to ensuring that your privacy is protected.

In this policy we will outline the types of data we might use to achieve this; for example, we might use information available to improve our supporter experience, so you have a more fulfilling journey with Lumos and receive the types of communications which interest you most.

We hold and process your information for a number of reasons:

To keep you updated about our work and projects;
To invite you to events that we hold or training about our work and mission;
To send you information about our fundraising and marketing activities and appeals;
To administer our competitions and free prize draws;
To invite you to participate in or work with us in our advocacy campaigns;
To administer our research, surveys or feedback you have provided;
To process and keep a record of donations or payments made by you and related communications, and verify financial transactions to protect against fraud;
To support you and communicate with you when participating in fundraising events;
To claim Gift Aid on donations and Gift Aid declarations;
To provide products or information that you have requested;
To check with you on, and record, how you want us to contact you;
To ensure we do not send unwanted information to supporters or members of the public who have informed us they do not wish to be contacted;
To comply with legal obligations;
To manage Lumos and our business needs;
To notify you of changes to our policies.

3. Why and when we collect information

There are a number of ways we collect information about you:

We may collect information provided by you directly, for instance, through filling out a form on our website, donating to us, signing up to or attending an event or training that requires personal registration details, speaking to us at events, meetings or conferences or emailing us.
We may collect information about your interactions with us, this might be a visit to our website, watching a video on our YouTube or Vimeo channel, interacting on social media such as FaceBook, Twitter, Instagram and LinkedIn or any other digital platform used by us.
We may collect information provided indirectly about you from independent third party platforms, such as fundraising platforms like CrowdRise, Omaze, Virgin Money Giving and JustGiving. These independent third parties will pass your data to Lumos where you have indicated that you wish to support us, and have given your consent or it is a necessary part of completing a contract with you. Please check the privacy policy of any other platform if you are concerned about how they process and store your data.
We may collect information about you through personal introductions or through information which is publicly available, for example for major donors where we seek to find out more about you, your interests, motivations for giving and capacity to give greater support as well as to assess and manage potential risks.
Publicly available information may include information from newspapers or other reputable media sources, open posting on social media sites or information that individuals put in the public domain on company websites or professional networking sites and information from official sources such as Companies House, Charity Commission and other registers, the Electoral Roll, Who’s Who and Debrett’s guides. We will notify individuals about this processing at the earliest practical opportunity. Where we decide not to make contact, we will delete all personal data obtained, other than basic contact details, to which we will apply a suppression flag to ensure we do not make contact in the future.
We may gather information if your activities relate to our work - for instance, if you are a public figure such as a Member of Parliament and other holders of public office or you represent an organisation which we work with or which is related to one of our advocacy campaigns we may gather information about you in order to inform our advocacy campaigning and make decisions - for instance, whether we engage with you to seek your support for our work or choose to work with you in another way.

4. What information we collect

We collect different information about you according to the relationship you have with us. Whatever your relationship with us, this information will be minimal and linked to the purpose for which we need it.

The information we collect may include personal details, such as:

Your title, full name
Your date of birth, age or confirmation that you are over 18
Your contact details which could include your postal address and/or email and/or phone number
Details of any correspondence we have had with you relating to your support of us
Your contact preferences
Records of your donations
Whether you have signed up to the Gift Aid scheme
Any fundraising appeals, campaigns or other promotions that you may have responded to
Events or training courses that you have attended or enquired about
Your health information that you gave us if you are participating in an event or taking part in any training, to help us ensure your safety
Your photograph or video footage of you if you have attended or taken part in an event, with your permission
Your photos, stories, interviews or videos provided to us with your consent in connection with our research, advocacy and participation work
Bank account details to process donations or purchase items
The last four digits of your payment card number. The payment merchant that Lumos uses to process donations collects card details and stores card details for recurring payments.
Your IP address, location or browser
We use tracking tools in our email campaigns to monitor when you open or forward an email, click on links within the email, and the time, date and frequency of activity. We store this information in our database and use it to refine future email campaigns and supply you with more relevant information.
Your background details including professional details and the field in which you work, if you are a potential advocacy campaigner or work with our advocacy team
Information about you which appears on publicly available sources such as media outlets (such as newspapers, blogs and magazines), company websites (such as Companies House) or open postings on social media (such as LinkedIn) including views and positions you have expressed, and details regarding your circumstances - for instance which political roles you hold or what your background is. This information supports our work with high net worth individuals, to understand their philanthropic interests and complete any necessary due diligence.

Sensitive personal data

We only collect this information if there is a clear and specific reason for doing so and will usually ask for your consent. For example, we will collect information about your dietary needs if you are attending an event at which food will be served, so we can provide the appropriate refreshments or we will collect information about any disability or health condition that you have told us about to provide appropriate facilities and support at an event.

We would not ask for consent if it is information that you have clearly made public, for example, the political views of a political figure, or your religion if you are working with us because you represent a faith-based organisation.

Under 18s

As a charity working with children, Lumos embraces the fact that our supporters are of all ages. We are committed to safeguarding the welfare of all children and young people involved in our work.

If you are under 18, we will always ask for consent from a parent or guardian to collect information about you and to contact you in connection with our fundraising, communications and advocacy work. We may also collect the name and contact details of your parent or guardian, where appropriate.

5. How we use the information we collect and our legal basis for processing your information

We will always make sure that we consider why we are processing your personal data and identify our legal basis for doing so.

We rely on the following legal bases:

Consent:

You have given us your consent - for example:

to send marketing emails and newsletters (subject to local law requirements); or
to process your health information that you give us to cater for your dietary needs or needs as a consequence of a disability or health condition at an event;

You can withdraw your consent at any time by contacting the Global Data Protection Officer:

Email: privacy@wearelumos.org
Telephone: +44 2072536464
Post: Global Data Protection Officer, Lumos Foundation, Peninsular House, 30-36 Monument Street, London, EC3R 8NB

Legal obligation:

We have a legal or statutory duty or requirement to process your information – for example:

confirming details of any donations or direct debit arrangements that you have set up with us; or
for us to claim Gift Aid on your donations.

Carrying out a contract:

We may also process your personal data where it is necessary to carry out the terms of a contract which we have with you (or when we are in the process of forming that contract with you).

Legitimate interest:

We consider that we have a legitimate interest to do so and have assessed that the processing is not likely to be too intrusive, or to unduly infringe on your rights and freedoms – for example;

To communicate with you about marketing and fundraising including:

To occasionally send you postal mail or telephone you about our work, appeals and upcoming activities and events (unless you have told us not to, or if you are in the UK are and registered with the Mailing Preference Service, Telephone Preference Service or the Fundraising Preference Service).
To occasionally use social media such as Facebook so you see targeted Lumos adverts on your newsfeed.
To ensure that we understand our supporters and so can contact them in a way that is timely and relevant, and to make sure that we are using our resources effectively, including:
To analyse the data that we hold so that we can understand the profile, interests and preferences of our supporters. For example, to identify which supporters have previously participated in running events, and to send them details of future running events or to identify which supporters have an interest in the Wizarding World and to send them related products or promotions.This activity is known and data matching and segmenting. To help us do this effectively we may make use of additional information about you when it is available from external sources such as postcode-based segmentation tools to help us understand social, demographic and financial characteristics. We will not use the results of this activity in a way that intrudes on your privacy or your previously expressed privacy preferences.
To undertake research on potential high value supporters, to understand their philanthropic interests and ensure that we only contact people whose interests align with ours. We usually undertake this research ourselves, but may also engage a third party supplier to support us with this.
To manage our everyday business needs;
To work with third party suppliers, where we can make use of their expertise in a specialist field, or where they can provide services at a more cost-effective rate than we could manage internally.
To update our database records to keep them accurate.

You have the right to object to us processing your data on the grounds of our legitimate interests. If you would like us to stop using your data on this basis, please contact the Global Data Protection Officer:

Email: privacy@wearelumos.org
Telephone: +44 2072536464
Post: Global Data Protection Officer, Lumos Foundation, Peninsular House, 30-36 Monument Street, London, EC3R 8NB

6. How we keep your information safe

We have appropriate organisational and technical controls in place to protect your personal information including the use of secure servers, firewalls, virus and malware protection and encryption and our systems are regularly independently tested and reviewed.

We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.

Electronic data is stored on secure computer systems and we control who has access to information (using both physical and electronic means).

We ensure all of our contractors who need access to your data to deliver services are meeting the same standards as a minimum.

Our payment merchant is PCI compliant, which means that it hosts and processes your data securely.

Lumos holds a Cyber Essentials certification.

While we take all of the measures that we’ve outlined above, unfortunately, the transmission of information using the internet is not completely secure. Although we will do our best to protect your personal data sent to us this way, we cannot guarantee the security of data transmitted to our site.

7. How we share your data with other organisations

As an international organisation, Lumos operates globally across the Lumos family of legal entities described above and therefore may share your data within the Lumos family. For example, if, as a result of a Lumos campaign Lumos Foundation (UK) obtains contact details of supporters who are resident in the USA, Lumos Foundation (UK) may provide that supporter information to Lumos USA Inc. so that we can better connect and tailor our communications to you. If your data is shared in a country outside of the EEA, we will put in place contractual clauses approved by the EU Commission as providing an adequate level of protection.

We will never share your information with third parties for their own purposes, unless:

this is explained to you at the time we collect your information – for example passing your details to event organisers to secure your place or gain access to an event venue;
you give us your permission to, or
we are legally required to do so - for example, we are legally required to provide your data to HMRC if you have agreed to us claiming Gift Aid on your behalf.

We sometimes use third party platforms and companies or suppliers to collect and process personal data on our behalf (an example of this would be a third party fundraising platform). We do comprehensive checks on the companies with whom we work, and put a contract in place that sets out our expectations and requirements including to take all reasonable care to ensure that they keep your data secure, only use your information in accordance with our instructions and for no other purposes.

To enrich our content, we sometimes embed photos and video content from websites such as YouTube and Twitter. As a result, when you visit a page with content embedded from, for example, YouTube or Twitter, these sites may set a cookie.

The Lumos website also carries embedded 'share' buttons to enable users of the site to easily share articles with their own friends and family through a number of popular social networks, for example, Facebook and Twitter. These sites may set a cookie when you are also logged in to their service.

Lumos does not control the dissemination of these cookies and you should check the relevant third party website for more information about these.

Facebook

Lumos may engage in the following activities with Facebook:

Remarketing (or retargeting): Facebook have tags on some pages of our website which allows them to collect information about pages you’ve visited on our website, they will then serve you advertising on Facebook based on this information.

Lookalikes: we sometimes share with Facebook the email addresses of people who have registered to take part in one of our events or who have made a donation. The emails are used by Facebook to define a type of audience with similar characteristics, and then Facebook will serve adverts to people that match that type of audience - but not (necessarily) the people in the original email file. We do this to increase our profile and to raise more funds.

Custom Audiences: we may use Facebook Custom Audiences to share Lumos content with you while using Facebook services. For example, if you register to take part in a fundraising event, we may send your email address to Facebook who will serve you content relevant to that event and tips on how to raise more money. Custom Audiences works by using your email address and/or phone number to match to your account on Facebook. We will only do this where you have opted in to our marketing emails or phone calls, and your personal data is kept secure at all times.

Saved Audiences: we use Facebook Saved Audiences to remember which supporters on Facebook are most likely to respond to our fundraising, campaigning and marketing requests.

Note: updating your preferences with Lumos will not guarantee that you never see Lumos content on social media, since the social media site may select you based on other criteria and without your data having been provided by Lumos.

How we keep your information safe

We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.

Electronic data is stored on secure computer systems and we control who has access to information (using both physical and electronic means).

We ensure all of our contractors who need access to your data to deliver services are meeting the same standards as a minimum.

Our payment merchant is PCI compliant, which means that it hosts and processes your data securely.

Lumos holds a Cyber Essentials certification.

8. Transferring your information outside the EEA

Some organisations who work on our behalf may operate and manage information in other countries outside of the EEA. In those circumstances, we will make sure they provide an adequate level of protection in accordance with data protection legislation.

9. How long we keep your information

We will hold your personal information on our systems for as long as is necessary for the relevant activity, for example we will keep a record of donations subject to Gift Aid for at least seven years to comply with HMRC rules.

If you request that we stop sending you marketing materials we will keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.

If you would like to know how long we will hold any specific information, then please contact us and we can provide further details.

10. Your rights and complaints

It is important that you understand your rights about your personal data and our use of it.You have a number of rights, including the rights to see, update, restrict, object to the use of or withdraw use of your data.

In particular, depending upon why we hold your data, you may have the following rights (which may not apply is some circumstances):

Right to be Informed about the data we are processing on you in this Privacy Policy and on our data collection forms.
Right of Access, also known as a Subject Access Request, to the personal data we hold about you, including how we first obtained your details, free of charge in most cases. Please note that we will require you to prove your identity before we disclose any information to you.
Right to Rectification of your personal data if it is incorrect, out of date or incomplete.
Right to Object to direct marketing (either through specific channels, or all channels) – you have the right to stop this type of processing at any time and will always be given the opportunity to object.
Right to be Forgotten which is a right to have your personal data deleted from our systems. You should be aware that there are some circumstances where we may need to keep your details, for example, if it is necessary to comply with a legal obligation on us, such as HMRC requiring us to retain certain data relating to donations for a certain period.
Rights related to Automated Decision Making so that we no longer process your data automatically to decide whether particular marketing activities are likely to be of interest or suggest an appropriate donation level based on your previous donation history. This is known as profiling and helps us to ensure that our marketing is relevant and appropriate.
Right to Restrict Processing of your personal data in certain circumstances for example if you contest the accuracy of the data we are processing, if our processing is unlawful, to pursue legal claims or where we are relying on legitimate interests to process data.
Right to Data Portability to have your data transferred to another organisation in certain circumstances.

You also have the right to withdraw your consent by contacting us at any time. Where we are relying on consent as our legal basis of processing, such as when you have given your permission for marketing by email, SMS text messaging or direct messages on social media or where you have provided us with your health information to participate in or attend an event.

Please contact us if you have any questions or concerns on how we collect and use your personal data, or on your rights, or if you wish to make a complaint:

Email: privacy@wearelumos.org
Telephone: +44 2072 536 464
Post: Global Data Protection Officer, Lumos Foundation, Peninsular House, 30-36 Monument Street, London, EC3R 8NB

You also have the right to make a complaint direct to the UK’s data protection authority, the Information Commissioner’s Office (ICO). The ICO can be contacted at: https://ico.org.uk/global/contact-us/.

11. Changes to the Privacy Policy

We may update this policy to reflect changes in how we use your information and you will always be able to see when it was last updated. Please check this policy each time you are considering providing Lumos with your information.

This policy was last updated on 6 May 2020

Updated: 06.05.2020