Lumos Privacy Policy

 

Last Updated: April 2025

Lumos is committed to protecting your information and using it responsibly. We want to make sure that we are clear about how we will use your personal information and assure you that we will take appropriate measures to protect the personal information that we collect.

The processing of your personal information is carried out by or on behalf of the Lumos family of affiliated legal entities which includes Lumos Foundation (UK), Lumos Foundation USA, Inc., Friends of Lumos USA Ltd and Lumos Foundation Operations Limited (collectively ‘Lumos‘, ‘we‘, ‘us‘ or ‘our‘).

This privacy policy “Privacy Policy” sets out how Lumos collects, maintains, protects, discloses,and processes personal information:

  • which it collects on or through https://www.wearelumos.org/ [and other websites or applications operated by Lumos that may link to this Privacy Notice] (the “website“)
  • when you attend one of Lumos’ events (or events that we have co-organized);
  • when Lumos engages with you;
  • through [offline and] online communications (including emails, social media and the website); and
  • when you donate or volunteer for Lumos.

If you are located in the United Kingdom (“UK“), the European Union (“EU“) or the European Economic Area (“EEA“) or if our processing of our personal information is otherwise subject to applicable laws and regulations relating to privacy, protection or processing of personal information in the EEA, EU and UK, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR“) and the UK’s equivalent to the EU GDPR, (the “EEA-UK Privacy Laws“), please also refer to our EEA-UK Privacy Supplement below.

Please read our Privacy Policy carefully, along with our website’s terms and conditions. By accessing or using this website, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see “Changes to the Privacy Policy”). Your continued use of this website after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.

Please note that we operate a separate privacy statement for our recruitment activities which can be accessed here.

 

The Privacy Policy will cover:

  1. Who we are and what we do
  2. How and when we collect personal information
  3. What personal information we collect
  4. Why we collect and use your personal information
  5. How we share your personal information with others
  6. How we keep your personal information safe
  7. How long we keep your personal information
  8. Our website and use of cookies
  9. Changes to this policy
1. Who we are and what we do

Lumos exists to light a path to a brighter future for children.

Founded by author J.K. Rowling, we fight to tackle the causes of family separation and transform systems of care that take children away from their families and communities. We’re committed to ending the institutionalisation of children, so that every child can grow up in a safe and loving family, where they can thrive.

  • Lumos Foundation (UK) is a registered charity in England and Wales (1112575) and a registered company in England and Wales (5611912). Lumos Foundation Operations Limited is a subsidiary of Lumos Foundation and is a registered company in England and Wales (12369753).
  • Lumos Foundation USA Inc. is recognised by the US Internal Revenue Service as a 501(c)(3) tax exempt organisation based in the USA and is a separate non-profit organisation.
  • Friends of Lumos USA Ltd. is a subsidiary of Lumos Foundation USA Inc. and a registered charity in England and Wales (1170023) and a registered company in England and Wales (9502092).

Contact Information

If you have any questions about this Privacy Policy and how we use your information, wish to exercise any rights under this Privacy Policy, and/or make a request regarding this Privacy Policy please contact Lumos’ Global Data Protection Officer at:

  • Email: [email protected]
  • Telephone: UK: +44 20 7253 6464; USA: 1-646-867-0994
  • UK Post: Global Data Protection Officer, Lumos Foundation, 3-7 Temple Avenue, London, EC4Y 0DA
  • USA Post: 1350 Avenue of the Americas, Floor 2, Suite 266, New York, NY 10019
2. How and when we collect personal information

There are a number of ways Lumos collects information about you:

  • We may collect information provided by you directly, for instance, through filling out a form on our website, donating to us, signing up to or attending an event or training that requires personal registration details, speaking to us at events, meetings or conferences or emailing us.
  • We may collect information about your interactions with us, this might be a visit to our website, watching a video on our YouTube or Vimeo channel, interacting on social media, such as: Facebook, X, Instagram and LinkedIn, or any other digital platform used by us.
  • We may collect information provided indirectly about you from independent third-party platforms, such as fundraising platforms like Go Fund Me, Prizeo, Virgin Money Giving and JustGiving. These independent third parties will pass your data to Lumos where you have indicated that you wish to support us and have given your consent or it is a necessary part of completing a contract with you. Please check the privacy policy of any other platform if you are concerned about how they process and store your personal information.
  • We may collect information about you through personal introductions, or through information, which is publicly available, for example for major donors where we seek to find out more about you, your interests, motivations for giving and capacity to give greater support as well as to assess and manage potential risks.
  • Publicly available information may include information from newspapers, or other reputable media sources, open posting on social media sites or information that individuals put in the public domain on company websites, or professional networking sites and information from official sources such as Companies House, Charity Commission and other UK registers, the Electoral Roll, Who’s Who, and Debrett’s guides. We will notify individuals about this processing at the earliest practical opportunity. Where we decide not to make contact, we will delete all personal information obtained, other than basic contact details, to which we will apply a suppression flag to ensure we do not make contact in the future.
  • We may gather personal information if your activities relate to our work – for instance, if you are a public figure or you represent an organisation which we work with, or which is related to one of our advocacy campaigns we may gather information about you in order to inform our advocacy campaigning and make decisions (such as whether to engage with you to seek your support for our work).
3. What personal information we collect

We collect different information about you according to the relationship you have with us. Whatever your relationship with us, this information will be minimal and linked to the purpose for which we need it.

The information we collect may include personal details, such as:

  • Your title, full name.
  • Your date of birth, age or confirmation that you are over 18.
  • Your contact details which could include your postal address and/or email and/or phone number.
  • Details of any correspondence we have had with you relating to your support of us.
  • Your contact preferences.
  • Records of your donations.
  • Whether you have signed up to the Gift Aid scheme (where applicable).
  • Any fundraising appeals, campaigns or other promotions that you may have responded to.
  • Events or training courses that you have attended or enquired about.
  • Your health information that you gave us if you are participating in an event or taking part in any training, to help us ensure your safety.
  • Your photograph or video footage of you if you have attended or taken part in an event, with your permission.
  • Your photos, stories, interviews or videos provided to us with your consent in connection with our research, advocacy and participation work.
  • [Bank account details to process donations or purchase items.
  • The last four digits of your payment card number. The payment merchant that Lumos uses to process donations collects card details and stores card details for recurring payments.]
  • Your IP address, location or browser.
  • We use tracking tools in our email campaigns to monitor when you open or forward an email, click on links within the email, and the time, date and frequency of activity. We store this information in our database and use it to refine future email campaigns and supply you with more relevant information.
  • Your background details including professional details and the field in which you work, if you are a potential advocacy campaigner or work with our advocacy team.
  • Information about you which appears on publicly available sources such as media outlets (such as newspapers, blogs and magazines), company websites or open postings on social media (such as LinkedIn) including views and positions you have expressed, and details regarding your circumstances – for instance which political roles you hold or what your background is. This information supports our work with high net worth individuals, to understand their philanthropic interests and complete any necessary due diligence.

Sensitive personal information

We only collect this information if there is a clear and specific reason for doing so and will usually ask for your consent. For example, we will collect information about your dietary needs if you are attending an event at which food will be served, so we can provide the appropriate refreshments, or we will collect information about any disability or health condition that you have told us about to provide appropriate facilities and support at an event.

We would not ask for consent if it is information that you have clearly made public, for example, the political views of a political figure, or your religion if you are working with us because you represent a faith-based organisation.

Under 18s

As a charity working with children, Lumos embraces the fact that our supporters are of all ages. We are committed to safeguarding the welfare of all children and young people involved in our work.

If you are under 18, we will always ask for consent from a parent or guardian to collect information about you and to contact you in connection with our fundraising, communications and advocacy work. We may also collect the name and contact details of your parent or guardian, where appropriate.

4. Why we collect and use your personal information

We will only use your information where we have a legal basis to do so and will always respect your rights.

We use your information to support the work that we do to achieve our mission, to ensure we effectively communicate our work, campaigns and achievements and to maximise our fundraising activities. Your rights are important to us and we are committed to ensuring that your privacy is protected.

We may collect, use, share, and otherwise process your personal information for the following purposes on the following legal bases:

PurposeLegal Basis (under EEA-UK Privacy Laws)
To keep you updated about our work and projects.We use your information because it is in our legitimate interest to keep supporters informed about our work.
To invite you to events that we hold or training about our work and mission.We use your information based on our legitimate interest in promoting events related to our mission. Where required by law, we will seek your consent for certain types of communications.
To send you information about our fundraising and marketing activities and appeals, including:

  • to occasionally send you postal mail or telephone you about our work, appeals and upcoming activities and events (unless you have told us not to, or if you are in the UK are and registered with the Mailing Preference Service, Telephone Preference Service or the Fundraising Preference Service); and.
  • to occasionally use social media such as Facebook so you see targeted Lumos adverts on your newsfeed.
We rely on our legitimate interests to contact you by post or phone, unless you have told us you prefer not to hear from us.

We use your consent (where required) to send electronic marketing messages.

For social media adverts, we may use your data based on our legitimate interests, but you can control how ads are shown to you through your social media settings.

To process your health information that you give us to cater for your dietary needs or needs as a consequence of a disability or health condition at an event.We only use this information with your explicit consent, to make necessary arrangements for your needs.
To administer our competitions and free prize draws.We use your information as it is necessary to carry out the competition or prize draw terms.
To invite you to participate in or work with us in our advocacy campaigns.We process your information based on our legitimate interest in engaging supporters in our advocacy work.
To administer our research, surveys or feedback you have provided.We use your information because it is in our legitimate interest to improve our work and supporter experience.
To process and keep a record of donations, or payments made by you and related communications, and verify financial transactions to protect against fraud.We process this information to meet our legal obligations, including fraud prevention, and to fulfil your donation.
To support you and communicate with you when participating in fundraising events.We process your information based on our legitimate interest in supporting your involvement in our fundraising activities.
If you are a UK resident, to claim Gift Aid on donations and Gift Aid declarations.We use your information to meet our legal obligation to HMRC to claim Gift Aid.
To provide products or information that you have requested.We use your information because it is necessary to fulfil your request.
To check with you on, and record, how you want us to contact you.We process this information to comply with data protection laws regarding how and when you prefer to be contacted.
To ensure we do not send unwanted information to supporters, or members of the public who have informed us they do not wish to be contacted.We use this information to meet our legal obligations and respect your preferences.
To analyse the data that we hold so that we can understand the profile, interests and preferences of our supporters. For example, to identify which supporters have previously participated in running events, and to send them details of future running events or to identify which supporters have an interest in the Wizarding World and to send them related products or promotions.We use your information based on our legitimate interests to better understand our supporters and improve our communications, while ensuring it does not override your rights.
To undertake research on potential high value supporters, to understand their philanthropic interests and ensure that we only contact people whose interests align with ours. We usually undertake this research ourselves, but may also engage a third party supplier to support us with this.We rely on our legitimate interests to ensure that our fundraising efforts are directed appropriately and respectfully.
To comply with legal obligations.We use your information where we are required to do so by law.
To manage Lumos and our business needs including:

  • to work with third party suppliers, where we can make use of their expertise in a specialist field, or where they can provide services at a more cost-effective rate than we could manage internally; and

to update our database records to keep them accurate.

We rely on our legitimate interests to ensure the effective running of our organisation, including working with trusted partners and maintaining accurate records.
To notify you of changes to our policies.We use your information to meet our legal obligations or based on our legitimate interest in keeping you informed.

You can withdraw your consent at any time, or object to us processing your data on the grounds of our legitimate interests, by contacting the Global Data Protection Officer.

5. How we share your personal information with others

As an international organisation, Lumos operates globally across the Lumos family of legal entities described above, and therefore may share your data within the Lumos family. For example, if, as a result of a Lumos campaign Lumos Foundation (UK) obtains contact details of supporters who are resident in the USA, Lumos Foundation (UK) may provide that supporter information to Lumos Foundation USA, Inc. so that we can better connect and tailor our communications to you. If your data is shared with a country outside of the UK and the European Economic Area, we will put legal arrangements in place to ensure an adequate level of protection.

We will never share your information with third parties for their own purposes, unless:

  • this is explained to you at the time we collect your information – for example passing your details to event organisers to secure your place or gain access to an event venue;
  • you give us your permission to, or
  • we are legally required to do so – for example, we are legally required to provide your data to the HMRC if you have agreed to us claiming UK Gift Aid on your behalf.

We sometimes use third party platforms and companies or suppliers to collect and process personal information on our behalf (an example of this would be a third party fundraising platform). [Lumos will not sell your personal data to third-parties.]

To enrich our content, we sometimes embed photos and video content from websites such as YouTube and X. As a result, when you visit a page with content embedded from, for example, YouTube or X, these sites may set a cookie.

The Lumos website also carries embedded ‘share’ buttons to enable users of the site to easily share articles with their own friends and family through a number of popular social networks, for example, Facebook and X. These sites may set a cookie when you are also logged in to their service.

Lumos does not control the dissemination of these cookies and you should check the relevant third party website for more information about these.

Facebook

Lumos may engage in the following activities with Facebook:

  • Remarketing (or retargeting): Facebook have tags on some pages of our website which allows them to collect information about pages you’ve visited on our website, they will then serve you advertising on Facebook based on this information.
  • Lookalikes: we sometimes share with Facebook the email addresses of people who have registered to take part in one of our events or who have made a donation. The emails are used by Facebook to define a type of audience with similar characteristics, and then Facebook will serve adverts to people that match that type of audience – but not (necessarily) the people in the original email file. We do this to increase our profile and to raise more funds.
  • Custom Audiences: we may use Facebook Custom Audiences to share Lumos content with you while using Facebook services. For example, if you register to take part in a fundraising event, we may send your email address to Facebook who will serve you content relevant to that event and tips on how to raise more money. Custom Audiences works by using your email address and/or phone number to match to your account on Facebook. We will only do this where you have opted in to our marketing emails or phone calls, and your personal information is kept secure at all times.
  • Saved Audiences: we use Facebook Saved Audiences to remember which supporters on Facebook are most likely to respond to our fundraising, campaigning and marketing requests.

Note: updating your preferences with Lumos will not guarantee that you never see Lumos content on social media, since the social media site may select you based on other criteria and without your data having been provided by Lumos.

6. How we keep your personal information safe

We have appropriate organisational and technical controls in place to protect your personal information including the use of secure servers, firewalls, virus and malware protection and encryption and our systems are regularly independently tested and reviewed.

We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to or use or disclosure of your personal information.

Electronic data is stored on secure computer systems and we control who has access to information (using both physical and electronic means).

Lumos holds a Cyber Essentials certification.

While we take all of the measures that we’ve outlined above, unfortunately, the transmission of information using the internet is not completely secure. Although we will do our best to protect your personal information sent to us this way, we cannot guarantee the security of data transmitted to our site.

7. How long we keep your personal information

We will keep your personal information for as long as necessary to fulfil the purposes for which it was collected, including to meet any legal, accounting, or regulatory obligations. For example, we will retain records of donations and financial transactions for up to seven years to comply with applicable tax laws and regulations (including Gift Aid requirements in the UK).

If you request that we stop sending you marketing materials we will retain a minimal record of your contact details and your marketing preferences to ensure that we can honour your request not to be contacted by us.

Where we do not need to retain your personal information for legal or regulatory reasons, we will delete or securely anonymise it when it is no longer required.

If you would like to know how long we will hold any specific information, then please contact the Global Data Protection Officer and we can provide further details.

8. Our website and use of cookies

Our website uses cookies to help us understand our supporters better, and to improve your experience on our website. Cookies are small files saved to your computer’s hard drive that track, save and store information about your interactions and use of the website. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our website. For information on the types of cookies we use, how we use them and how you can control your cookie preferences, please click here to see our cookies policy

When you visit our website, we will collect data from your computer or other device such as a smart phone or tablet through the use of “cookies”. Cookies are created by your web browser when you visit our website. Every time you go back to our website, your browser will send the cookie file back to the website’s server.

They improve your experience of using our website, for example, by remembering your preference settings so that you are presented with information likely to be most relevant to you, and by measuring your use of the website to enable us to continuously improve our website to ensure that it meets your needs. Cookies can also be used to show you relevant Lumos content on social media services such as Facebook – these are known as “retargeting'” or “advertising” cookies.

9. Changes to the Privacy Policy

We may update this policy to reflect changes in how we use your information and you will always be able to see when it was last updated. All updates to the Privacy Policy will be posted on the website and effective upon posting. Please check this policy each time you are considering providing Lumos with your information.

EEA-UK PRIVACY SUPPLEMENT

This EEA-UK Privacy Supplement supplements the Privacy Policy with respect to our use of personal information to the extent that EEA-UK Privacy Laws apply to our processing of your personal information. You do not need to take any action as a result of this EEA-UK Privacy Supplement, but you do have certain rights as described below in the section headed Your rights.”

Information required to be disclosed under EEA-UK Privacy Supplement regarding the collection of your personal information that is not set forth in this EEA-UK Privacy Supplement is otherwise set forth in the Privacy Policy above. To the extent there is any conflict in respect of any processing subject to EEA-UK Privacy Laws between the Privacy Policy and this EEA-UK Privacy Supplement, this EEA-UK Privacy Supplement shall apply. Please read this EEA-UK Privacy Supplement carefully.

If you have any questions regarding our use of your personal information, or this EEA-UK Privacy Supplement, please contact the Global Data Protection Officer.

The Controller

To the extent that EEA-UK Privacy Laws apply to our collection and processing of your personal information, Lumos will be the “controller”. In simple terms, this means we: (i) “control” the personal information that we collect from you or other sources; and (ii) make certain decisions on how to use and protect such personal information.

What Personal Information We Collect

We collect and process limited categories of personal information as further set forth in the “What Personal Information We Collect[2]  section in the Privacy Policy above.

How We Obtain Your Personal information

In connection with providing our services and operating the website, we collect and process your personal information from you and other third parties and/or publicly available sources listed in the How And When We Collect Personal Information section in the Privacy Policy above.

How We Use your Personal information

There is a need to process personal information for the purposes and on the legal bases set out in the Why We Collect and Use Your Personal Information section in the Privacy Policy above.

No automated decision-making, including profiling, is used when processing your personal information.

Disclosure and Transfer of Personal information

We may share your personal information with certain service providers as necessary to fulfil the purposes set out in How We Share Your Personal Information With Others section of the Privacy Policy. We reserve the right to disclose your personal information as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator, national security, for the purposes of public importance or any other legal or investigatory process involving us. Should we, or any of our affiliated entities, be the subject of a takeover, divestment or acquisition we may disclose your personal information to the new owner of the relevant business and their advisors on the basis of our legitimate interest.

To the extent your personal information is transferred to a Non-Equivalent Country (as defined below), such transfers will only be made in accordance with EEA-UK Privacy Laws. For the purposes of this EEA-UK Privacy Supplement, “Non-Equivalent Country” means a country or territory other than (i) a member state of the EEA; (ii) the UK; or (iii) a country or territory which has at the relevant time been decided by the European Commission, the Government of the UK or the UK Information Commissioner’s Office (as applicable) in accordance with the applicable EEA-UK Privacy Laws to ensure an adequate level of protection for personal information.

For further information about the safeguards/derogations used, please contact the Global Data Protection Officer.

Security and Retention of Personal information

We take measures designed to protect the security of your personal information as described in the How We Keep Your Personal Information Safe section in the Privacy Policy above.

We will keep your personal information only for as long as is reasonably necessary for the purposes set out in the Privacy Policy unless a longer retention period is required by law or regulatory obligations which apply to us, or where necessary to defend or pursue legal claims. We will not keep more personal information than we need for those purposes.

Your Rights

To the extent the EEA-UK Privacy Laws apply to our processing of your personal information, you may have the following rights:

  • Access: You have the right to ask for a copy of the personal information that we hold about you free of charge, however we may charge a “reasonable fee,” if we think that your request is excessive, to help us cover the costs of locating the information you have requested.
  • Correction: You have the right to notify us of changes to your personal information if it is inaccurate or it needs to be updated.
  • Deletion: If you think that we should not be holding or processing your personal information anymore, you may request that we delete it. Please note that this may not always be possible due to legal and regulatory obligations.
  • Restrictions on use: You have the right to request that we stop processing your personal information (other than storing it), if: (i) you contest the accuracy of it (until the accuracy is verified); (ii) you believe the processing is against the law; (iii) you believe that we no longer need your personal information for the purposes for which it was collected, but you still need your personal information to establish or defend a legal claim; or (iv) you object to the processing, and we are verifying whether our legitimate grounds to process your personal information override your own rights.
  • Object: You have the right to object to processing, including: (i) for direct marketing; (ii) for research or statistical purposes; or (iii) where processing is based on legitimate interests, unless we reasonably demonstrate compelling legitimate grounds for the processing.
  • Portability: If you wish to transfer your personal information to another organisation (and certain conditions are satisfied), you may ask us to do so, and we will send it directly if we have the technical means.
  • Withdrawal of consent: If you previously gave us your consent (by a clear affirmative action) to allow us to process your personal information for a particular purpose, but you no longer wish to consent to us doing so, you can contact us to let us know that you withdraw that consent. This will not affect the lawfulness of processing based on consent before its withdrawal.

These rights are not absolute and in certain circumstances their exercise may not be possible including when personal information must be maintained to comply with applicable laws.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

To exercise these rights and controls, please contact the Global Data Protection Officer.

Complaints

Should you wish to lodge a complaint with regards to how your personal information has been processed by us under:

  • the UK GDPR and/or Data Protection Act 2018, please contact the UK Information Commissioner’s Office – https://ico.org.uk/global/contact-us; or
  • the EU GDPR, please contact your local supervisory authority in particular in the EU Member State of your habitual residence, place of work, or place of the infringement, concern or complaint.

We would, however, appreciate the opportunity to address your concerns before you approach the relevant supervisory authority, so please contact us in the first instance by reaching out to the Global Data Protection Officer.