Smile Train Privacy Policy

Last modified: 21 October 2020

Smile Train UK (“Us”, “We”, “Our” or “Smile Train”), is a charitable company limited by guarantee with registered charity number 1114748. Our registered address is: York House, Wetherby Road, York YO26 7NH.

We are committed to protecting your privacy and will only use the information that we collect about you lawfully in accordance with data protection legislation. This policy is intended to give you an understanding of how and why we use the information you provide to us both online (our website is located at the URL www.smiletrain.org.uk (“the Website”)) and otherwise.

To further understand how we gather personal information from and/or about children, see our Privacy Policy for Children under the Age of 13.

Because we want to demonstrate our commitment to your privacy, this Privacy Policy notifies you of:

What personal information do we collect about you?

How will we use the personal information about you?

Profiling and our use of social media tools

Marketing and Fundraising Communications

Our Legal Basis for processing personal information

Will we share personal information with others?

How do we protect the security of personal information?

International Data Transfers

How long do we keep your personal information for?

Your privacy rights

How will we let you know of changes to our privacy policy?

How to contact us

 

Please read this policy carefully to understand how we will collect, use and store your personal information.

Questions regarding this statement should be directed to Smile Train by sending an email to . Please reference this Privacy Policy in your subject line.

1. What personal information do we collect about you?

1.1 We collect personal information about you for a number of reasons, including communicating with you, responding to requests for information, and to process donations.

The personal information we collect can include:

  1. Your full name;
  2. postal address
  3. telephone number(s)
  4. email address
  5. bank details
  6. credit and debit card details;
  7. records of your correspondence with us
  8. your communication preferences
  9. donation and gift aid details
  10. your connection to the charity
  11. your participation in charity events and campaigns;
  12. IP addresses
  13. CV or application for any job advertised in our 'Careers' section;
  14. information you may enter onto the Website; and
  15. other information you share with us.

1.2 On occasion we also collect sensitive personal data about individuals, for example, health information. We will normally only record this data where we have your explicit consent, unless we are permitted to do so in other circumstances under data protection law. For example, we may make a record that a person is in a vulnerable circumstance in order to comply with requirements under charity law and the Code of Fundraising Practice to ensure that we do not send fundraising communications to them.

1.3 We also collect information about the use of our website using cookies (see our Cookie Policy).

1.4 There is also information about your computer hardware and software that is automatically collected by Smile Train. This information can include: your IP address (the unique identifying number of a computer), the browser you use, for example Internet Explorer, Firefox etc., domain names, access times and referring Website addresses. This information is used by Smile Train for the operation of the service, to maintain and improve the quality of the service, and to provide general statistics regarding use of the Website.

2. How will we use the personal information about you?

We will process your personal information for the following reasons:

To administer your donation including processing Gift Aid;

To acknowledge donations and send a thank you letter

To deliver services, literature and/or other materials and information you have requested from us;

To send you updates about our work and charitable programmes, along with information about how you can help us raise funds, get involved with the charity and participate in our events.

For our own internal administrative purposes and to keep a record of your relationship with us;

To manage your communication preferences;

To create profiles of our supporters and potential supporters, in order to more effectively and efficiently fundraise (see section 3 below

To conduct research, for example, via surveys about your opinion of current services offered by Smile Train or of potential new services which may be offered;

To administer and send you information about our legacy programme;

To review your application to work for STUK and to communicate with you about your job application

To comply with applicable laws and regulations, and requests from statutory agencies.

3. Profiling (and our use of social media tools)

We may analyse your personal information and create a profile of your interests and preferences. This allows us to ensure communications are relevant and timely, and provide an improved experience for our supporters. It also helps us understand the background of our supporters so that we can make appropriate requests to those who may be willing and able to give more than they already do, enabling us to raise funds sooner and more cost-effectively.

3.1 When building such a profile, we may make use of additional information about you, including geo-demographic information. This information is taken from publicly available sources, for example from public registers, such as listed Directorships, typical earnings in a geographical area, information from the electoral roll, press reports and social media posts.

3.2 We may use your personal information to participate in Facebook's Custom Audience and Lookalike Audience programs, which enable us to display adverts to both existing and potential supporters  when they visit Facebook (and/ or Instagram which is also operated by Facebook). We choose to use Facebook Audience tools as a means to reach our current supporters and new supporters in order to pursue fundraising in the most cost-effective way. We may provide your personal information, including (currently) your email address, name, phone number and postal address to Facebook so that it can determine whether you are a registered account holder with them. Our adverts may then appear when you access their platforms. Your personal data is sent in an encrypted format which is deleted by Facebook (a) if it does not match with an account or (b) after they confirm you are an account holder.

3.3 When we work with Facebook to identify you on their platform and provide you with our adverts, we are joint controllers of your personal information with Facebook. We have an agreement with Facebook which sets out our responsibilities to you – for example, we are responsible for informing you about this activity. Both we and Facebook are responsible for keeping your information secure, and you can exercise your privacy rights against each of us individually. For more detailed information please see https://www.facebook.com/business/help/744354708981227 and Facebook's data policy.

3.4 If you do not want us to share your personal information with Facebook, then you can ask us not to by contacting us using the details in the “Contact Us” section below.

3.5 We rely on legitimate interests to process your personal information for these purposes (see section 5 below).

4. Marketing and Fundraising Communications

4.1 It is vital that we can communicate with our supporters and tell people about the important work that Smile Train undertakes. We would love to keep you up to date with our fundraising, marketing and campaign activity. We use a range of marketing and fundraising activities and channels to contact our supporters including through our website, social media, direct mail, SMS/text campaigns, telephone and email, as well as television advertising.

4.2 We will obtain your prior consent to send you information by e-mail, text and telephone. We will send you marketing materials by post on the basis of it being within our legitimate interests (see section 5 below).

4.3 We send the following types of fundraising and marketing material:

Updates about Smile Train's work and programmes including newsletters and other publications about our work and campaigns;

Fundraising appeals including requests for donations, information about how you can leave a legacy to us in your will, how you can raise money on our behalf or attend or take part in a fundraising event;

Invites to our fundraising and challenge events such as our annual golf day and carol concert, or runs, hikes and other challenges you can participate in and

Information about how you can volunteer to help support Smile Train by giving up your time or using your influence to progress our aims, along with updates on the impact of your work.

4.4 You can opt-out or update your communication preferences at any time by using the details in the “Contact us” section below. Any electronic communications will have a link to unsubscribe from future electronic communications, so you can manage your own consent. You can also opt-out of receiving marketing communications from us by signing up to the Fundraising Preference Service.

4.5 If you make any changes to your communication preferences, we will update your record as soon as we possibly can.  It may take up to 2 months for our systems to update and stop any postal communications from being sent to you.

4.6 If you tell us you do not wish to receive marketing or fundraising communications, you may still receive transactional and service-based communications confirming and servicing other relationships you have with us e.g. to administer or acknowledge your donation.

5. Our Legal Basis for processing personal information

5.1 Organisations that collect and use personal information must have a lawful basis for doing so under data protection law. The General Data Protection Regulation 2016/679 (“GDPR”) sets out six 'lawful bases' upon which personal information (and additional conditions for sensitive personal data) can legitimately be used. The GDPR requires us to tell you the legal basis which we rely on when processing your personal information. These include:

Obtaining your (explicit) consent to use your personal information for a particular purpose (for example to send you direct marketing by e-mail or SMS or to collect sensitive personal data);

Where the use of the personal information is in our “legitimate interests” (see section 5.2 below for more information);

Where we need to process your personal information in order to perform our obligations under a contract that we have entered into with you (for example to provide you with event tickets or other goods or services that you have purchased from us); and

To process personal information where we are under a legal obligation to do so (for example to process your gift aid declaration).

5.2 Personal information may be legally collected and used if it is necessary for a legitimate interest of the organisation or a third party using the personal information, as long as its use is fair and does not adversely impact the rights of the individual concerned. When we use your personal information, we will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:

Charity Governance, including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes and intergroup transfers of personal information between Smile Train UK and Smile Train Inc.;

Administration and operational management, including responding to solicited enquires, providing information that you have requested, research, events management, the administration of volunteers and employment and recruitment requirements.

Fundraising and Campaigning, including administering campaigns and donations, and sending direct marketing by post and social media, sending thank you letters, analysis, targeting and segmentation to develop communication strategies (including our use of social media as set out in section 3) and maintaining communication suppressions.

5.3 If you would like more information on our uses of legitimate interests or to change our use of your personal information in this manner, please get in touch with us using the details in the “Contact us” section below or see our legitimate interest analysis here.

6. Will we share personal information with others?

6.1 We do not share, sell or rent your personal information to third parties for marketing purposes. We will not otherwise disclose your personal information unless required to do so by a regulatory agency or law.

6.2 Smile Train UK is a wholly owned subsidiary of Smile Train Inc. When you provide personal information to Smile Train UK it will be held as part of the Smile Train database at its headquarters in the US. Smile Train UK and Smile Train Inc. have secure methods of data transfer in place and also comply with GDPR requirements on international data transfers by entering into an EU-approved agreement which contains appropriate safeguards. If you have any questions about this arrangement, please get in touch with us using the details in the “Contact us” section below.

6.3 We may allow our staff, consultants and/or external providers (processors) acting on our behalf to access and use your personal information for the purposes for which you have provided it to us/ are set out in this Policy (e.g. to deliver mailings, to analyse data and to process payments). We only provide them with the information they need to deliver the relevant service, and ensure that we have robust data processing agreements in place which govern the use and deletion of personal information.

6.4 In addition, we reserve the right to disclose your personal information to third parties, such as regulatory bodies, law enforcement agencies and professional advisers such as lawyers, accountants and auditors:

  1. in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
  2. if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets
  3. if we are under any legal or regulatory duty to do so; and/or
  4. to protect the rights, property or safety of Smile Train, its personnel or others.

7. How do we protect the security of personal information?

7.1 All information provided to Smile Train is transmitted using SSL (Secure Socket Layer) encryption. SSL is a proven coding system that lets your browser automatically encrypt, or scramble, data before you send it to us. We also protect account information by placing it on a secure portion of our Website that is only accessible by certain qualified employees of Smile Train. Unfortunately, however, no data transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot ensure or warrant the security of such information.

7.2 We encourage you to review the privacy statements of websites you choose to link to from the Website so that you can understand how those sites collect, use and share your personal information. Smile Train UK is not responsible for the privacy statements or other content on sites outside of the Website.

8. International Data Transfers

8.1 The personal information we collect from you may be transferred to and processed and/or stored at a destination outside the UK and EU. Some countries outside of the UK and the EU have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. If we send your personal information outside the UK and EU we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your information (such as entering into the EU approved standard contractual clauses).  If you have any questions about the international data transfers we make, please get in touch with us using the details in the “Contact us” section below.

9. How long do we keep your personal information for?

9.1 We will keep your personal information for no longer than is necessary for the purposes for which it is processed, in accordance with our internal data retention policy.

9.2 The length of time that personal information will be kept may depend on the reasons for which we are processing the information and on the law or regulations that the information falls under such as financial regulations, statute of limitations, Health and Safety regulation etc., or any contractual obligation we might have – such as under grant funding agreements.

9.3 Subject to the above, we will typically store personal information relating to donors and supporters for 7 years after their last donation or interaction with us, after which time it will either be deleted, archived or anonymised.

9.4 If you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future.

9.5 Where possible we cleanse and remove out of date personal information by checking it against publicly available records such as deceased records. This helps us to improve the delivery rate of our mailings and minimise wasted expenditure.

10. Your privacy rights

You have a number of rights under data protection legislation. These include:

  1. Right of access
    You have the right to know what personal information we hold about you and to ask, in writing, to see your records. We will provide you with details of the records we hold as soon as possible and at the latest within one month, unless the request is complex or we can rely on exemptions to withhold the personal information. We may require proof of identity before we are able to release the personal information to you. Please use the details in the “Contact us” section below if you would like to exercise this right.

  2. Right to withdraw consent
    Where we process your personal information on the basis of your consent (for example, to send you marketing texts or e-mails) you can withdraw that consent at any time. To do this, or to discuss this right further with us, please contact us using the details in the “Contact us” section below.

  3. Right to object
    You also have a right to object to us processing your personal information where we are processing it for direct marketing purposes, or where we are relying on the legitimate interests basis to do so (for example, to send you direct marketing by post). To do this, or to discuss this right further with us, please contact us using the details in the “Contact us” section below.

  4. Right to restrict processing
    In certain situations you have the right to ask for processing of your personal information to be restricted because there is some disagreement about its accuracy or legitimate use.

  5. Right of erasure
    In some cases, you have the right to be forgotten (i.e. to have your personal information deleted from our database). Where you have requested that we do not send you marketing materials we will need to keep some limited information in order to ensure that you are not contacted in the future.

  6. Right of rectification
    If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. To update your records please get in touch with us using the details in the “Contact us” section below.

  7. Right to data portability
    Where we are processing your personal information because you have given us your consent to do so or because it is necessary for us to process your personal information for the performance of a contract, you have the right to request that your personal information (that you have provided to us) is transferred from Smile Train to you or a third party in a commonly used format.

Complaints

If you are unhappy with the way in which we have handled your personal information, please contact us using the details below. You are also entitled to make a complaint to the Information Commissioner's Office - https://ico.org.uk/. We always appreciate the opportunity to discuss complaints with you before you feel it is necessary to approach the Information Commissioner's Office.

11. How will we let you know of changes to our privacy policy?

We may update this policy from time to time without notice to you, so please check it regularly. We will however aim to bring any significant changes to your attention. The privacy policy was last updated in October 2020.

12. How to contact us

Please contact us if you have any questions about our privacy policy or personal information we hold about you:

By phone: 0300 303 9630

By e-mail:

Or write to us at:
The Smile Train UK, Supporter Care Team
York House, Wetherby Road
York YO26 7NH