The most important points

It’s important we tell you everything about how we collect and use your data, but there’s a lot of information. We believe strongly in transparency, so here are the key points in case you don’t have time to read the full version right now:

  • We respect and look after your data – it’s yours and you should be in control of how it’s used.
  • We always follow GDPR and other UK law and aim for best practice.
  • If you give us your address, we’ll send you direct mail unless you ask us not to.
  • We only email or phone you about fundraising if you actively give us your consent.
  • You can tell us at any time if you don’t want to hear from us (details at the bottom of this notice).
  • We collect cookies on our website and may share them with social media platforms, but the only ones we use without your consent are the ones needed for the website to work. For everything else (including tracking and analytical cookies) we ask your consent.
  • We’re a small team and have to outsource some services, so your data will occasionally be passed to other organisations who we trust to look after it. We never share it with another organisation for their own use.
  • When you’re on our social media pages, you’re on their territory and subject to their rules and cookie usage so do check their privacy policy and your cookie settings.
  • We sometimes use external sources to build a profile of individual supporters to help make communications more relevant, but we never share it with others.

If you’re part of the community of children, families and health professionals with whom we work then there’s a special privacy policy for you here as some of the data we collect and the way we use it is different. If you’re applying for a job or volunteering opportunity with us then you can find some specific information relevant to you in the Privacy and Recruitment section of this policy.


What’s this policy about?

During your interactions with us we’re likely to collect a fair amount of personal data from you. This policy explains how we collect, use and protect any information you give us, when we might share it and how you can stay in control of how we use it. Above all, it underlines our commitment to making sure your privacy is protected (and along the way it explains how we use the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to do so). After all, without you, our supporters, there is no Starlight.

Sometimes we may need to change our policies and we’ll do so by updating this policy document on our website and putting a note at the top outlining the changes so they’re clear. When we make significant changes that we think may influence your decisions, we’ll aim to tell you about these directly. If you’re not happy with any changes then do let us know.


What information do we collect and why?

We collect information from you so we can contact you as part of your ongoing relationship with us. We do this so that we can raise funds to support our work and so we can let you know about how else you can support us and the difference you help us to make. You might give your information to us directly, for example by phoning us or visiting our website, or indirectly, perhaps by clicking on a social media ad, signing up for a Facebook challenge, or giving it to an agency we’re working with. The information we collect includes:

  • Contact information, such as your name, address, email and phone number, so we can keep in touch with you.
  • Other personal information such as date of birth or occupation so we can understand the profile of our supporters (this helps us reach new supporters).
  • Consent and preferences information, so we can get in touch with you in the way you tell us you want us to.
  • Donation details (amounts, dates, payment methods).
  • Details of any fundraising events you’ve taken part in, so we can invite you to others.
  • Photographs, for use in marketing materials (if you’ve said we can).
  • Payment information, such as bank details if you set up a direct debit or credit card details if you donate via a card.
  • Records of our communications with you.
  • Gift Aid declaration details, to allow us to claim Gift Aid on your donations.
  • If you use our website or social media we collect and use data as shown below.


Privacy and our website and social media

When you visit our website, you’ll see we use ‘cookies’ (small text files that are downloaded onto your device and allow our website to recognise your device and store some information about preferences or past actions). Some of these are absolutely necessary for the website to work or to keep it secure and they are the only ones we use without your consent. We’ll only use tracking or analytical cookies, which help us understand how people use our site, if you tell us we can.

We use social media to talk to our supporters and share information about appeals, events and our work with children, families and health professionals. This might be by advertising or by posting on our own social media pages. We use pixels on our website from the advertising and social media platforms we use; these are a type of tracking cookie which share information with those platforms and tell them you’ve been on our website. When we advertise on social media, we may share your email with the social media provider. That lets them find you on their system by matching it with their own cookie information.

We sometimes do that because we don’t want you to be shown messages designed to bring in new supporters – they can use the email addresses we’ve given them to take you off their list of those who get the adverts. Sometimes we want them to send messages just to people who are on our database and they can use the email addresses to do that as well. We rely on what’s called ‘legitimate interest’ to do this (that means we have a valid reason for it, in this case because it helps us raise money) but if you don’t want your email address to be shared in this way just let us know by emailing [email protected].

Some social media providers operate ‘lookalike’ marketing, where they match a list of email addresses to their system and then find profiles of similar people to send adverts to. We recognise that some of our supporters don’t want their information shared in this way and so we only ever do that if you tell us you’re happy with it.

When you access one of our social media pages, they will collect your IP address and other data via their own cookies. We have no say over them doing that, it’s just how they work, and no control over how they use that data, but you can manage their cookie collection in the same way you can ours.

Sometimes we use social media platforms to make ‘first contact’ or base an activity around them. When we do that we collect personal data from you via those platforms and it is transferred securely to us. We only work with organisations which have their own privacy policies but we don’t have control over what they do with your data so please do always read the privacy policy of the platform before you put your data in.


How else do we use your information?

We want to make sure we communicate with you effectively (as well as in the ways that work for you) and only send you the information that’s relevant to you, including letting you know about the supporter opportunities most likely to be interesting to you. We do this by looking at the overall picture of the information we hold on you and sometimes we add to this by gathering our own information from external sources.

It’s important that we understand our supporters, both current and potential, and how they might want to help us. To do this, we sometimes look for publicly available information so we can identify people who might be able to help us raise significant funds or raise our profile. We only ever use credible sources and information that’s deliberately been made available to the general public (such as Companies House, national and local press and social media profiles) to do this. We might also use agencies such as Experian to improve our information. We know that not everyone is comfortable with this and you can opt out of it at any time by emailing [email protected].

We also use this sort of research to carry out due diligence on large donations we’re offered; this is part of our complying with legal and ethical obligations to protect Starlight so there’s no ‘opt-out’ option.

When working with suppliers we may collect personal information for the purpose of assessing credit risk.


You stay in control

We always want you to be in control of how we use your data so when you start your supporter journey we’ll always ask how you want us to contact you. When you give us your address, we assume you’re happy for us to send you fundraising information, including direct appeal letters, unless you ask us not to (you can tell us not to at any time). But we don’t make email, text or phone contact for fundraising purposes unless you tell us that’s okay.

We might call or email you for other reasons, for example if there’s a query over a direct debit you’ve set up. We know circumstances change and preferences change so we’ll ask you at intervals if you’re still happy to be contacted by phone or email and we always give you a clear way to say no to some or all communications (these are shown at the bottom of this notice).


Who sees the information we collect?

Our staff often need access to your information to do their jobs and we share it with them on that basis. We also share it with trusted third parties who help with some of our activities, for example:

  • Fulfilment agencies for a fundraising appeal
  • Event organisers
  • PR and marketing agencies
  • IT support providers
  • External software applications (such as our fundraising database or finance system)
  • Payment processors (including those who collect donations on our behalf)
  • Social media providers as set out in the Privacy and our website and social media section of this policy
  • Telemarketing, SMS and other direct marketing partners where you have explicitly told us we can

When we do any of this we make sure we have contracts in place which clearly say how the data can be used and which require them to follow GDPR.

We may also share information if we are legally obliged to do so (such as with HMRC or where requested by a regulatory body) and, where necessary, with legal and professional advisors (including our auditors).

We will never sell or share your information with other organisations to use for their own purposes.


How we keep your data safe

Most of the time we keep your data in electronic form. We take security very seriously and have measures in place to look after it, including:

  • Password protected access to all systems to ensure only those who are entitled to see information can do so
  • Encryption on laptops to minimise risk of data exposure if they are stolen
  • Back-ups in place to minimise any risk of data loss if our systems fail
  • Secure systems for data transfer, especially where sensitive data such as bank information is concerned

Where we keep paper copies of your personal information, we make sure these are kept securely.


How long do we keep your information?

We only keep your information for as long as we need to in order to run our charity and comply with the law. When you make a donation to us, we’re required by HMRC to keep details of this for seven years. We have to keep Gift Aid declarations and other financial information for the same length of time. Where we hold your data for fundraising and marketing, we’ll continue to do so until you tell us you don’t want us to keep it. This is because we know that giving can be sporadic and depend on financial circumstances at any time and we value those who can’t give regularly but do so in an emergency.


Privacy and recruitment

If you apply to join our team of staff or volunteers, we’ll gather certain information about you in order to consider your application and assess your suitability. This includes contact information, details of your job history and other information you include in your CV and covering letter. We might look at your LinkedIn profile or other publicly available information. We may ask about your nationality and visa status so we can comply with our legal obligation to make sure our staff have the right to work in the UK. We also collect other information about your background, such as ethnicity, so we can monitor our success in recruiting from a diverse pool of candidates, but we’ll only ever use that information anonymously for statistical purposes. We don’t share it with the people responsible for recruitment decisions.

If you apply for a job with us and are unsuccessful, we’ll keep your CV and contact information, as well as any information you give us at interview, for a period of six months from the date of your application. If you apply to join our volunteer team and we don’t have a suitable opening at the time we’ll ask you if we can keep your contact information on file in case something does come up.


Where do we keep your data?

We try to keep your data within the UK but it’s not always possible, for example where a software provider keeps data on servers elsewhere. We may transfer your data to countries within the European Union and when we do this we rely on the fact that the UK regulator has confirmed that data held in those countries is as well protected as it would be in the UK (this is called an ‘adequacy decision’). We occasionally work with an overseas partner outside of the European Union but we only ever do that if we can confirm your data will be held under rules at least as strong as UK GDPR and before we do it we will always tell you the country concerned and what safeguards are in place.


Your rights over your data

Your data belongs to you and you’re in control of what happens to it. As well as being able to express preferences for how you want to be contacted and give consent for certain uses, you can always:

  • Ask to see the information we hold on you and for information on how we store and use it. If the information we hold on you includes information on other people we may need to remove that before we share it with you
  • Ask us to correct data we hold on you if you think it’s wrong
  • Ask us to delete information we hold. You can do this if we no longer need it or if you’ve previously given us consent and you’ve changed your mind. You can also ask us to delete information if we no longer have legitimate grounds to process it (see ‘the reasons we can use to collect and process your data’ at the end of this policy) or if we’re doing so unlawfully. There is some data we can’t delete, such as that we’re required to keep by law.
  • Ask us to stop contacting you (either by a specific means or in general)
  • Ask us to stop or restrict how we use your data (unless we’re required to use it by law or are using it to fulfil a contract with you)
  • Ask us to transfer your information to another organisation

If you want to do any of these, please email us on [email protected]. If you’re not happy with the way we use your information, you can make a complaint by writing to or emailing the Data Controller (see information at the foot of this notice). If you’re still not satisfied then you can complain to the Information Commissioner’s Office.


Who to contact about your data

The Data Controller (the body responsible for your data) is Starlight Children’s Foundation, a charity registered in England and Wales (296058) and Scotland (SC 047600) and limited company (company number 02038895), whose registered office is Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.

If you have any questions or concerns about your data then you can email us at [email protected] or call us on 020 7262 2881. Our Data Protection Officer, Kristy Gouldsmith, can be contacted at [email protected].


A legal note: the reasons we can use to collect and process your data

The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data, including:


Consent

In specific situations, we collect and process your data with your consent. You can withdraw your consent at any time. For example, if we wanted to use a photograph of you in our marketing material, we would need your consent to do so.

Legal obligation

If the law requires us to, we may need to collect and process your data. For example, we are required to comply with HMRC audits of our records.

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, keeping your data on our software systems.


Contract

If we have a contract with you then we can collect and process your data to allow that contract to operate effectively.