Data and privacy policy
1. Policy Statement and Applicable Legislation
Pride Wide is committed to protecting the privacy and personal data of all individuals we interact with, including supporters, beneficiaries, survey participants, staff, and volunteers.
As an organization operating in Europe and the US, we adhere to the strictest applicable data protection standards, primarily:
- The General Data Protection Regulation (GDPR) (including UK GDPR and EU GDPR).
- Applicable US Federal and State Privacy Laws (e.g., state-level comprehensive consumer privacy laws like CCPA/CPRA; although non-profits are often exempt from the full requirements, adhering to them is a best practice for consistency).
We are registered as a Data Controller with the UK Information Commissioner’s Office (ICO).
2. Key Roles and Responsibilities
| Role | Responsibility |
| Data Controller | Pride Wide (Determines why and how personal data is processed.) |
| Designated Privacy Lead / DPO | The CEO oversees compliance, handles data subject requests, and is the first point of contact for data protection issues. |
| All Personnel | Required to adhere to this Policy, receive appropriate training, and report any potential data breach immediately. |
3. GDPR Principles and Lawful Basis for Processing
We adhere to the seven GDPR principles: Lawfulness, Fairness & Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity & Confidentiality; and Accountability.
For every data processing activity, we identify a Lawful Basis (Article 6) and a condition for processing Special Category Data (Article 9):
A. Lawful Bases (Examples)
| Data Type | Purpose | Lawful Basis (GDPR Art. 6) |
| Donor/Supporter Data (Name, Contact, Donation History) | Processing donations and managing the supporter relationship. | Contract (for gift aid/donation terms) or Legitimate Interest (for fundraising communications). |
| Survey Participant Data (Contact details for prize draws, if applicable) | Running surveys for research and impact measurement. | Consent (explicitly given by the participant). |
| Website/Analytics Data (IP address, device ID, cookies) | Measuring digital output and website performance. | Legitimate Interest (for essential analytics) or Consent (for non-essential marketing/profiling cookies). |
B. Special Category Data (Surveys on LGBTQIA+ Issues)
The data collected in surveys relating to sexual orientation and potentially philosophical beliefs is considered Special Category Data under GDPR. We will only process this data if we meet one of the Article 9 conditions, such as:
- Explicit Consent: We will obtain explicit, unambiguous consent from the survey participant prior to collecting this data, clearly explaining the research purpose.
- Research Purposes: Processing is necessary for archiving, research, or statistical purposes, subject to robust safeguards and always using anonymised/pseudonymised data where possible.
4. What Personal Data We Collect and Why
We collect different types of data based on your relationship with Pride Wide:
| Data Subject | Data Categories Collected | Purpose of Processing |
| Donors/Prospective Donors | Name, Email, Address, Phone, Donation Amount, Gift Aid/Tax Status. | Fundraising, processing donations, sending receipts, and relationship management. |
| Members/Subscribers | Name, Email, and Subscription preferences. | Managing the supporter/subscriber relationship, providing information about Pride Wide’s work, and delivering publishing channels (e.g., newsletter, podcast, etc.). |
| Survey Participants | Demographics, Responses on LGBTQIA+ issues, Special Category Data (sexual orientation, etc.), IP address (for integrity checks). | Academic/public interest research, generating data for policy reports, measuring impact. |
| Website Users/Public | IP address, browser type, device details, pages viewed, time spent (via cookies/analytics). | Social listening, measuring digital campaign effectiveness, improving user experience. |
| Staff/Volunteers | CV/Resume, Bank Details, Email, Address, Phone, Emergency Contact, Background Check results. | Recruitment, payroll, contract management, and compliance with safeguarding policies. |
5. Data Processing Activities
A. Donor & Supporter Database (Purpose Limitation)
- We use supporter data strictly for the purposes disclosed: donation processing, and communicating about our work, unless you have explicitly opted out.
- We will never sell donor or supporter data to any third party.
B. Social Listening and Analytics (Data Minimisation)
- We monitor public social media posts and use analytics platforms to measure campaign success.
- We prioritize the use of aggregated and anonymised data. Where personal data (like a public username or IP address) is processed, it is for the explicit, legitimate interest of measuring our digital impact and is protected.
6. Data Security and Storage Limitation
A. Security
We implement appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data, protecting it from accidental loss, unauthorized access, or destruction. Measures include:
- Data encryption (at rest and in transit).
- Access controls limited to Personnel who require the data for their role.
- Regular security audits of our digital platforms and data storage providers.
B. Retention
We will only retain personal data for as long as is necessary for the purposes for which it was collected (Storage Limitation).
- Donor Records: Kept for five years after the last donation to comply with financial and tax regulations (US 501(c)(3) and UK Charity Commission/HMRC).
- Survey Responses (Sensitive Data): Anonymised/Pseudonymised as soon as possible after data verification, with only anonymised results retained indefinitely for research integrity.
7. International Data Transfers
As an organization operating in the EU/UK and the US, data transfers occur between these jurisdictions.
When transferring EU/UK personal data outside the European Economic Area (EEA) or the UK, we ensure the transfer is protected by a lawful mechanism, such as:
- Standard Contractual Clauses (SCCs): Implemented in contracts with third-party processors.
- The EU-US Data Privacy Framework (if applicable): Ensuring the US recipient is certified under the Framework.
8. Your Rights (Data Subject Rights – GDPR)
Under GDPR, individuals whose data we process have enhanced rights. Pride Wide commits to upholding these rights globally, regardless of your location:
| Right | Description |
| The Right to be Informed | To be given clear, transparent, and easily accessible information about how we process your data (fulfilled by this Policy and specific Privacy Notices). |
| The Right of Access | To request a copy of the personal data we hold about you (Subject Access Request – SAR). |
| The Right to Rectification | To have inaccurate personal data corrected without undue delay. |
| The Right to Erasure | To request the deletion of your personal data (“Right to be Forgotten”), though this is not absolute and the data may be retained by Pride Wide for the purposes of: exercising the right of freedom of expression and information; legal compliance (e.g., tax or anti-money laundering laws); public interest tasks or public health; or when the data is needed or may be needed for the purposes of establishing, exercising, or defending legal claims. |
| The Right to Restrict Processing | To block or suppress the processing of your data in certain circumstances. |
| The Right to Data Portability | To receive your personal data in a structured, commonly used, and machine-readable format. |
| The Right to Object | To object to processing based on legitimate interests (e.g., direct marketing), at which point we must stop processing your data. |
| Rights related to Automated Decision Making and Profiling | To object to decisions based solely on automated processing. |
9. Data Breach Procedure
In the event of a personal data breach (e.g., accidental loss, destruction, unauthorized disclosure):
- All Personnel must immediately report the suspected breach to the Designated Privacy Lead.
- The Lead will investigate and, if the breach poses a risk to individuals’ rights and freedoms, will notify the relevant supervisory authority (e.g., the UK ICO or EU DPA) within 72 hours of becoming aware.
- If the breach poses a high risk to individuals, the affected individuals will be notified without undue delay.
Contact Information
If you have any questions about this Policy or wish to exercise any of your rights (e.g., Right to Access or Erasure), please contact:
Designated Privacy Lead / DPO: CEO
Email: info@pridewide.org
Address: Pride Wide, Cannon Place, 78 Cannon Street, London, EC4N 6AF, UK.