The Golddigger Trust Privacy Policy
Introduction
This privacy policy explains what personal information Golddigger Trust ("we", "us", or "our") collects about you (and/or your child), why we collect it, how we use and protect it, and your rights under the UK GDPR and Data Protection Act 2018. This Privacy Policy does not apply to Golddigger Trust employees, whose personal information is governed by their employment contracts and the Staff Handbook.
Golddigger Trust is a Registered Charity in England and Wales (CIO) Number 116619 and operates as a Data Controller registered with the Information Commissioner’s Office (ICO). We are committed to making privacy a priority by ensuring your data is handled transparently, securely, and strictly for your benefit.
How We Categorise Your Data
To keep this policy easy to read, we group the personal data we collect into the following categories:
Identity Data: First name, last name, date of birth, identified gender, school attended, and photographs/videos.
Contact Data: Home address, postcode, email address, and telephone numbers.
Engagement Data: Detailed session case notes, timelines of events, attendance logs, and progress-tracking metrics used to evaluate a young person’s ongoing journey and development.
Transaction Data: Details of donations, financial gifts, regular giving, bank details (account number/sort code), Gift Aid status, and purchases from our online store.
Technical & Usage Data: IP address, browser type, cookies, and information about how you use our website or interact with our social media platforms.
Special Category Data: This is highly sensitive data that requires extra protection. It includes racial or ethnic origin, political opinions, religious beliefs, sexual orientation, physical or mental health details and actual or alleged criminal offenses (e.g., safeguarding disclosures).
1. If You Access Golddigger Trust Activities and Events (Young People)
What We Collect & Our Legal Grounds
-
Recommending the right activities based on age, gender, and location.
What data categories do we collect:
Identity, Contact
Our Lawful Basis for collecting this:
Performance of a Contract: Necessary to deliver the service you requested.
-
Sending confirmation emails, reminders, and resource packs.
What data categories do we collect:Identity, Contact,
Our Lawful Basis for collecting this:
Performance of a Contract and Legitimate Interests: Efficiently managing our services.
-
Medical histories, disclosures, emergency contacts, and session notes to keep you safe.
What data categories do we collect:
Identity, Contact, Special Category
Our Lawful Basis for collecting this:
Legal Obligation (Child protection legislation) and Vital Interests (Emergency safety).
Our Special Category Condition:
Article 9(2)(b): Employment, social security, and social protection law.
-
Recording notes to provide tailored support, evaluate personal growth, track ongoing engagement over time and to monitor service delivery,
What data categories do we collect:
Identity, Engagement Data, Special Category
Our Lawful Basis for collecting this:
Legitimate Interests: Necessary to effectively manage, evaluate, and safely deliver our charitable support programs.
Our Special Category Condition:
Article 9(2)(d): Processing carried out by a non-profit body with a philosophical/charitable aim.
-
Charting effectiveness for research or reporting to funders.
What data categories do we collect:
Identity, Usage (Anonymised)
Our Lawful Basis for collecting this:
Legitimate Interests: Demonstrating impact to maintain funding.
-
Using images for keepsakes, promotion, or supporter updates.
What data categories do we collect:
Identity (Images/Video)
Our Lawful Basis for collecting this:
Consent: Entirely optional and can be withdrawn at any time.
Safeguarding Overriding Clause
While we respect your confidentiality, safeguarding is our absolute priority. If we have reason to believe a young person is at risk of significant harm, we have a legal and moral duty to share information with relevant authorities (e.g., Social Services, Police, Schools) without consent. We do this under the lawful bases of Legal Obligation and Vital Interests.
How Long We Keep This Data
In line with national safeguarding best practices (NSPCC guidance) and the Limitation Act 1980, all records relating to a young person’s engagement, attendance, and mentoring notes are retained securely until the August after a young person turns 25. After this period, data is securely destroyed.
2. If You Support the Work We Do (Supporters & Volunteers)
What We Collect & Our Legal Grounds
-
Sending updates, event invitations, and fundraising campaigns.
What data categories do we collect:
Identity, Contact
Our Lawful Basis for collecting this:
Consent: You choose to opt-in and can opt-out at any time.
-
Managing financial gifts, Direct Debits, and processing Gift Aid with HMRC.
What data categories do we collect:Identity, Contact, Transaction
Our Lawful Basis for collecting this:
Performance of a Contract (processing the transaction) and Legal Obligation (HMRC tax compliance).
-
Assessing suitability for volunteering roles and coordinating schedules.
What data categories do we collect:
Identity, Contact, Engagement Data,
Our Lawful Basis for collecting this:
Legitimate Interests: Managing our charity's volunteer workforce safely and effectively.
-
Using images for promotion, or supporter updates.
What data categories do we collect:
Identity (Images/Video)
Our Lawful Basis for collecting this:
Legitimate Interests: Recording and promoting our activities and events.
Individuals who do not wish to be photographed should notify a member of staff, the photographer or the event organiser. Where appropriate, we will take reasonable steps to respect such requests.
How Long We Keep This Data
General Supporter Data: If you request to stop receiving communications, we will remove your personal data within one year.
Financial & Gift Aid Records: We are legally required by UK tax law to retain financial transaction records for six years following the end of the financial year they relate to.
3. If You Pay for Goods or Services (Online Shop & National Training)
What We Collect & Our Legal Grounds
-
Fulfilling online shop orders and processing payments via secure third parties (e.g., PayPal).
What data categories do we collect:
Identity, Contact, Transaction
Our Lawful Basis for collecting this:
Performance of a Contract
-
Managing National Training bookings, processing licence fees, and tracking trainee details.
What data categories do we collect:
Identity, Contact, Transaction
Our Lawful Basis for collecting this:
Performance of a Contract
How Long We Keep This Data
Training Licences: We retain organizational data for six years after a training licence ceases.
Trainee Contact Details: We will retain the contact details of all trainees who are part of a licensed organisation to keep them up to date with relevant resource and training information (e.g. access to online resources, new training opportunities). If a trainee requests their information to be removed, they are entitled to do so, but they will lose access to online resources and may need to re-attend a training course to regain access.
4. Website, Cookies, and Social Media
When you visit our website or message us on platforms like Facebook or Instagram, we collect Technical & Usage Data.
Cookies: We use cookies (including Google Analytics and Squarespace) to track website performance and improve user experience. Non-essential cookies will not be dropped onto your device until you explicitly click "Accept" on our website cookie banner.
Social Media Communications: If you message us on social media regarding support for a young person, that interaction may be transferred to our secure internal database and handled under our young people’s section of this policy.
5. Where Your Data is Stored & International Transfers
We store data on password-protected devices, secure on-site locked cabinets, and encrypted cloud-based systems using enforced Multi-Factor Authentication (MFA).
From time to time, we use trusted third-party software applications to process data. Some of these providers (such as Google and Squarespace) store data on servers located in the United States.
Whenever your data is transferred outside the UK, we ensure it receives an equivalent level of protection. We do this by relying on:
The UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework) for approved US companies.
International Data Transfer Agreements (IDTAs) and Standard Contractual Clauses (SCCs) approved by the UK Government.
We will never sell or lease your personal data to third parties for marketing purposes.
6. Your Rights Under UK GDPR
You have significant rights over how your data is handled. You can exercise any of these rights by contacting our Data Protection Lead:
Right to be Informed: Knowing how we use your data (as set out in this policy).
Right of Access: Requesting a copy of all personal data we hold about you (a Subject Access Request). We will provide this free of charge within one month.
Right to Rectification: Asking us to correct inaccurate or incomplete information.
Right to Erasure ("Right to be Forgotten"): Asking us to delete your data (this is subject to our legal obligations to retain records, such as safeguarding or financial logs).
Right to Restrict Processing: Asking us to pause using your data while a dispute is resolved.
Right to Object: Objecting to us using your data for legitimate interests or direct marketing.
Right to Data Portability: Requesting a digital transfer of your data to another organization.
7. Contact Us & Complaints
If you have any questions, wish to update your preferences, or want to exercise your data rights, please contact us:
Address: Golddigger Trust, The Refinery, 197 Ecclesall Road, Sheffield, S11 8HW
If you are unhappy with how we have handled your data, please contact us directly so we can resolve it. You also have the legal right to lodge a formal complaint at any time with the Information Commissioner’s Office (ICO) by visiting www.ico.org.uk.