Privacy Policy
How Global Helping Hands collects, uses, and protects your personal data.
Global Helping Hands is not required to appoint a statutory Data Protection Officer under Article 37 UK GDPR. However, we have a designated data protection contact (above) who handles all data protection matters.
1. Who We Are
Global Helping Hands (“we”, “us”, “our”) is a registered charity in England and Wales (Charity No. 1190360). Our registered address is The Future Works, 2 Brunel Way, Slough, SL1 1FQ.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law — including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Personal Data We Collect
Depending on how you interact with us, we may collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identity data | Full name, title |
| Contact data | Email address, postal address, phone number |
| Financial data | Payment card details (processed by Stripe or PayPal — we do not store full card numbers) |
| Donation data | Donation amounts, frequency, campaign, donation reference number |
| Gift Aid data | Name, home address, Gift Aid declaration (required by HMRC) |
| Account data | Username, password (hashed), WooCommerce order history and donor account activity |
| Communication data | Emails or messages you send us, contact form submissions |
| Marketing preferences | Whether you have opted in or out of marketing communications |
| Technical / usage data | IP address, browser type, pages visited, time and date of visit, device identifiers |
| Cookie data | Cookie preferences and consent records |
We do not collect any special category data (such as health, religion, or political views) unless you choose to share it with us voluntarily and with explicit consent.
3. How We Collect Your Personal Data
- Directly from you — when you make a donation, create an account, sign up for our newsletter, contact us, fundraise, or submit a Gift Aid declaration.
- Automatically — when you browse our website, via cookies and similar technologies (see Section 9).
- Through our donation platform — when you complete a donation, your order and personal details are processed and stored by WooCommerce. Stripe and PayPal receive the data necessary to process your payment and return transaction confirmation to us.
4. Lawful Basis for Processing
Under UK GDPR Article 6, we rely on the following lawful bases for processing your personal data:
| Processing Activity | Lawful Basis |
|---|---|
| Processing donations and maintaining donation records | Contract (Article 6(1)(b)) — necessary to fulfil your donation |
| Gift Aid administration and HMRC reporting | Legal obligation (Article 6(1)(c)) — required by HMRC rules |
| Sending transactional emails (receipts, account notifications) | Contract (Article 6(1)(b)) |
| Sending marketing emails, newsletters, and campaign updates | Consent (Article 6(1)(a)) — you may withdraw at any time |
| Fraud prevention, security monitoring, and abuse prevention | Legitimate interests (Article 6(1)(f)) — see below |
| Website analytics and improving our service | Legitimate interests (Article 6(1)(f)) — see below |
| Retaining records for legal, accounting, and audit purposes | Legal obligation (Article 6(1)(c)) |
| Processing fundraising activity | Contract (Article 6(1)(b)) |
Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. Specifically:
- Fraud prevention and security — we have a legitimate interest in protecting our charity, donors, and beneficiaries from fraud and misuse of our services.
- Website security — we have a legitimate interest in maintaining the security and integrity of our website, systems, and donor data.
- Donation administration — we have a legitimate interest in maintaining accurate records of donations to ensure correct processing, receipting, and reporting.
- Responding to enquiries — we have a legitimate interest in retaining records of communications to enable us to respond effectively and resolve any disputes.
- Analytics — we have a legitimate interest in understanding how our website is used in order to improve it. We use anonymised or aggregated data where possible.
You may request a copy of our Legitimate Interests Assessment by contacting privacy@ghh.org.uk.
5. How We Use Your Personal Data
- To process your donations and issue receipts
- To administer Gift Aid declarations and submit claims to HMRC
- To manage your donor account and dashboard
- To respond to your enquiries, requests, or complaints
- To send you updates about your donations, campaigns you have supported, or your fundraising activity
- To send you marketing communications (only where you have consented)
- To comply with our legal and regulatory obligations as a registered charity
- To prevent fraud and maintain the security of our website and systems
- To improve our website and the services we offer
- To evaluate potential organisational changes (such as restructuring), where legally required
We will never sell your personal data to third parties. We will never use your data for automated decision-making or profiling that produces legal or similarly significant effects.
6. Retention Periods
We retain your personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Donor records and donation history | 6 years from the end of the financial year in which the donation was made (up to 7 years in practice) | HMRC requirement — records must be kept for 6 years from end of the accounting period to which they relate |
| Gift Aid declarations | 6 years from the end of the financial year in which the donation was made (up to 7 years in practice) | HMRC legal obligation — Gift Aid records kept for 6 years from end of relevant accounting period |
| Donor account data | Duration of account + 2 years after closure | Legitimate interests / legal obligation |
| Financial transaction records | 7 years | Charity accounting requirements |
| Marketing consent records | Until consent withdrawn + 1 year | Evidence of consent (UK GDPR) |
| Email marketing data (unsubscribed) | Suppression list retained indefinitely | To prevent re-contact |
| Contact form / enquiry records | 2 years | Legitimate interests (dispute resolution) |
| Website analytics / usage data | 26 months | Google Analytics default / legitimate interests |
| Cookie consent records | 1 year | PECR compliance evidence |
| Security and access logs | 90 days | Fraud prevention / legitimate interests |
At the end of the relevant retention period, personal data is securely deleted or anonymised.
7. Your Rights Under UK Data Protection Law
- Right of Access — You may request a copy of the personal data we hold about you (Subject Access Request). We will respond within one calendar month.
- Right to Rectification — You may ask us to correct inaccurate or incomplete personal data.
- Right to Erasure — You may ask us to delete your personal data where we no longer have a lawful basis to hold it. Note: we may be unable to erase certain data we are legally required to retain (e.g. Gift Aid records).
- Right to Restriction — You may ask us to restrict how we use your data while a dispute is being resolved.
- Right to Object — You may object to processing based on legitimate interests or for direct marketing. We will stop unless we have compelling legitimate grounds.
- Right to Data Portability — Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
- Right to Withdraw Consent — Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To unsubscribe from marketing, use the link in any email or contact us directly.
- Right to Complain — You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
To exercise any of your rights, please email privacy@ghh.org.uk with the subject line Data Subject Request, including your full name and the email address associated with your account or donation. We will respond within one calendar month and may request proof of identity before processing your request.
8. Sharing Your Personal Data
We do not sell, rent, or trade your personal data. We share your data only in the following limited circumstances:
Payment Processors:
- Stripe — processes card payments via our WooCommerce checkout. Stripe is PCI-DSS compliant and acts as a data processor under a Data Processing Agreement with us.
- PayPal — processes PayPal payments. PayPal operates under its own privacy policy and acts as an independent controller for data you provide directly to PayPal.
Analytics:
- Google Analytics (Google LLC) — we use Google Analytics to understand website usage. Data is anonymised where possible. See Section 9 for full details.
Email Marketing:
- Mailchimp (The Rocket Science Group LLC, USA) — we use Mailchimp to send marketing emails and newsletters to donors who have given their consent. Mailchimp acts as a data processor on our behalf and stores subscriber email addresses on servers in the United States. Data is transferred under Standard Contractual Clauses approved by the UK ICO. You can unsubscribe at any time via the link in any marketing email.
SMS Communications:
- We use SMS to send one-time passcodes (OTP) for account login verification and donation updates. Your mobile number is used solely for these purposes and is not shared with third-party marketing providers.
Legal and Regulatory Bodies:
- HMRC — we share Gift Aid declarations and donor details as required by law.
- The Charity Commission — we may share information as required by our regulatory obligations.
- Law enforcement — we may disclose data where required by law or court order.
Service Providers: We may use trusted third-party suppliers (e.g. email delivery, website hosting) who process data on our behalf under written Data Processing Agreements and are contractually required to process data only on our instructions.
We will never share your data with other charities, commercial organisations, or third parties for their own marketing purposes.
9. Cookies
Cookies are small text files placed on your device when you visit our website. They allow the website to recognise your device and remember certain information.
We operate a cookie consent management system on our website. Non-essential cookies are not set until you have given your active consent. You may withdraw or change your cookie preferences at any time via the Cookie Settings link in our website footer.
| Cookie Name | Purpose | Provider | Type | Lifetime |
|---|---|---|---|---|
| ghh_cookie_consent | Records your cookie consent preferences | GHH | Necessary | 1 year |
| PHPSESSID | Maintains your session across pages | GHH (WordPress) | Necessary | Session |
| woocommerce_cart_hash | Maintains your donation basket | GHH (WooCommerce) | Necessary | Session |
| wp_woocommerce_session_* | Stores session data for the donation basket | GHH (WooCommerce) | Necessary | 2 days |
| _ga | Distinguishes users for analytics | Google Analytics | Analytics | 2 years |
| _ga_* | Maintains analytics session state | Google Analytics | Analytics | 2 years |
| _gid | Distinguishes users (short-term) | Google Analytics | Analytics | 24 hours |
| __stripe_mid | Fraud prevention for payment processing | Stripe | Necessary | 1 year |
| __stripe_sid | Fraud prevention for payment processing | Stripe | Necessary | 30 minutes |
This cookie table is reviewed periodically. If you discover a cookie not listed here, please contact us at privacy@ghh.org.uk. Our emails may also contain small tracking pixels to confirm delivery. You may prevent this by disabling image loading in your email client.
10. International Transfers of Personal Data
Global Helping Hands is based in the United Kingdom. We do not share your personal data with partner organisations outside the UK. However, some of the third-party services we use operate on servers located outside the UK, primarily in the United States:
- Stripe — transfers data to the USA under Standard Contractual Clauses (SCCs) approved by the UK ICO.
- PayPal — transfers data to the USA and other countries under Standard Contractual Clauses and other approved transfer mechanisms.
- Google Analytics — data may be processed on Google servers in the USA under Standard Contractual Clauses.
Where data is transferred outside the UK, we ensure that appropriate safeguards are in place as required by UK GDPR Article 46, including Standard Contractual Clauses (SCCs) or adequacy decisions. In addition to the above, Mailchimp (The Rocket Science Group LLC) processes marketing subscriber data on servers in the United States under Standard Contractual Clauses approved by the UK ICO.
11. Security of Your Personal Data
- Encryption in transit — our website uses TLS/SSL encryption (HTTPS) for all data transmitted between your browser and our servers.
- Access controls — personal data is accessible only to authorised staff and volunteers who need it to perform their role.
- Password security — account passwords are stored in hashed format and never in plain text.
- Payment security — we do not store full payment card details. Card data is handled directly by Stripe (PCI-DSS Level 1 compliant) and PayPal.
- Regular updates — we keep our website software, plugins, and server infrastructure updated to address security vulnerabilities.
- Hosting security — our website is hosted on servers with firewall protection, intrusion detection, and malware scanning.
Data Breach Notification: In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by UK GDPR Article 33, and will notify you directly where the breach poses a high risk to you.
Despite these measures, no method of transmission over the internet is 100% secure. If you have concerns, please contact us at privacy@ghh.org.uk.
12. Children’s Privacy
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@ghh.org.uk and we will delete it promptly. For users aged 13–17, we recommend that a parent or guardian reviews this Privacy Policy with you.
13. Links to Third-Party Websites
Our website may contain links to third-party websites, including social media platforms and partner organisations. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal data.
14. Marketing Communications
Global Helping Hands does not send letters, correspondence, or any communications by post. All communications from us are sent electronically — by email, SMS, or via notifications on our website or app. If you receive any letter or postal communication claiming to be from Global Helping Hands, please do not act on it and contact us immediately at info@ghh.org.uk or 0333 090 2223, as it may be fraudulent.
We will only send you marketing emails, newsletters, or campaign updates if you have given your explicit consent to receive them. Marketing emails are sent via Mailchimp. You may unsubscribe at any time by clicking the Unsubscribe link in the footer of any marketing email, which is managed through Mailchimp’s unsubscribe system and takes effect immediately. You may also contact us at privacy@ghh.org.uk.
We use SMS to send one-time passcodes (OTP) for account verification and login, and to send donation confirmation updates. These messages are operational and security-related — they are sent on the basis of contract and legitimate interests and are not affected by marketing opt-out preferences.
To opt out of SMS marketing messages, reply STOP to any message or visit www.sto.pm/ghh. Note: opting out of SMS marketing will not affect OTP and account security messages, which are required for account access.
Unsubscribing from marketing will not affect transactional communications such as donation receipts, account notifications, or OTP login codes.
Qurbani completion notifications: For all Qurbani orders, we send an SMS notification to confirm when your Qurbani sacrifice has been completed. This message is sent to every Qurbani donor as a service completion update directly related to their order. It is sent on the basis of legitimate interests and is not a marketing communication — for those who observe the Sunnah of refraining from cutting hair and nails before the sacrifice, this notification confirms the sacrifice has taken place. This message is not affected by SMS marketing opt-out preferences.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we provide. When we make significant changes, we will update the Last Updated date at the top of this page, post a notice on our website, and where appropriate notify you by email. We encourage you to review this page periodically.
16. How to Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact our data protection team:
Global Helping Hands
The Future Works, 2 Brunel Way, Slough, SL1 1FQ
Email: privacy@ghh.org.uk
Phone: 0333 090 2223
Web: ghh.org.uk
To submit a Subject Access Request or exercise any of your rights, please email privacy@ghh.org.uk with the subject line Data Subject Request, including your full name and the email address associated with your account or donation.
You also have the right to complain to the Information Commissioner’s Office:
www.ico.org.uk — 0303 123 1113