Privacy and Cookie Policy

We want you to feel confident and comfortable with how the Card Factory Foundation looks after your personal information. Our Privacy and Cookie Policy explains exactly how we collect, use and store any data that could identify you. This Policy applies to all interactions and may change, so please check back for updates. This version was last revised in October 2025.



1. Who we are

The cardfactory Foundation is a registered charity in England and Wales (registered charity number 1180081 and registered address: cardfactory, Century House, Brunel Road, Wakefield WF2 0XG), established to support communities and causes at moments that matter.

We are the Data Controller for the personal information we collect and process. If you have any questions about this policy or how we handle your data, please contact us at info@cardfactoryfoundation.org

Personal information is any information that can be used to identify you. We may collect the following data, primarily when you interact with us (e.g., through grant applications, contact forms, or email):

  • Identity and Contact Data: Your name, email address, postal address, telephone number, and employer name.
  • Financial Data: Bank account details (only for processing approved grant payments or donations).
  • Application Data: Information about your organisation, project, charitable status, and financial history (if applying for a grant).
  • Correspondence Data: Emails, letters, and records of any other correspondence you send us.
  • Technical & Usage Data (Website): Your IP address, browser type, device type, pages visited, and other basic website interaction data collected via Cookies.
  • Sensitive Personal Data (Special Category Data): We do not intentionally collect sensitive personal data (such as information about your race, health, political opinions, or religion). If such data is necessary for a specific purpose (e.g., to ensure fairness in grant-making related to protected characteristics) we will only process it with your explicit consent or if legally required.

 

We only use your personal data to fulfil our commitments to you or comply with the law. Specifically, we use your information to:

  • Charitable Operations: Process, assess, and manage grant applications; make and manage payments and donations.
  • Communication: Communicate with you about our work, events, or updates (if you opt in).
  • Legal Compliance: Meet necessary legal, audit, and regulatory requirements.
  • Website Improvement: Analyse website usage to improve the content and functionality of our online presence.

Our website uses Cookies (small text files placed on your device) to collect the technical and usage data mentioned. Cookies play a crucial role in improving your experience.

We use cookies for the following purposes:

  • Essential functioning: To ensure the proper and secure functioning of the website, including managing user sessions and preventing fraudulent activity.
  • Performance and analysis: To understand how visitors use our website (e.g., which pages are most popular, how long users stay) so we can continuously improve the user experience and site performance.

 

We use both session cookies (which are temporary and disappear once you close your browser) and persistent cookies (which remain on your device for a set period or until you delete them).

Your choices regarding cookies: You have the ability to set your browser to refuse some or all cookies or to alert you when a cookie is being sent. Instructions for managing cookies are typically found within your browser’s ”Help’, ‘Tools’ or ‘Edit’ menu.

However, please note that if you choose to disable or refuse cookies, some parts of the website may become inaccessible or not function properly, potentially affecting your browsing experience.

We process personal data in compliance with the UK GDPR and Data Protection Act 2018, relying on the following legal bases:

  • Consent: Where you have explicitly agreed to the processing, such as subscribing to a newsletter or optional communications. You can withdraw your consent at any time.
  • Contract: Where processing is necessary to perform a contract we have with you, such as fulfilling the terms of a grant agreement or donation.
  • Legal Obligation: Where we are required to comply with a legal or regulatory duty under UK law (e.g., reporting to the Charity Commission or HMRC).

  • Legitimate Interests: To operate effectively and support our charitable aims, provided your rights do not override these interests. This may include essential administrative tasks, monitoring website usage for improvements, and conducting due diligence on grant applicants.

We never sell your personal data. We may share your information with third parties only in the following circumstances:

  • Service Providers: Trusted third-party service providers who assist us in operating (for example, grant management platforms, accounting services, or IT support). These providers are required to adhere to strict data protection standards.
  • Regulators & Legal Bodies: Regulatory bodies such as the Charity Commission or HMRC, when required by law, or to respond to a legal process.
  • cardfactory Group: Where necessary for operational support, under strict data sharing agreements.

We take the security of your data seriously. We have implemented appropriate measures to protect your personal data from accidental loss, misuse, unauthorised access, alteration or disclosure. This includes secure systems, access controls and regular training for staff.

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected, and to meet our legal, accounting, or reporting obligations.

Typically, we hold data for the following periods:

  • Grant and Donation Records (Successful): 7 years after the relationship ends, to meet legal audit and accounting requirements.
  • Applicant Records (Unsuccessful): Up to 2 years after the decision, to allow for administrative review and analysis of our grant process.
  • Mailing List Consent: Until you withdraw consent or unsubscribe.
  • Website Usage Data: For short periods, usually less than 12 months.

Under the UK General Data Protection Regulation (UK GDPR) you have the following rights concerning your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct or complete inaccurate or incomplete data we hold about you.
  • Right to Erasure (‘Right to be Forgotten’): You can ask us to delete your personal data in certain circumstances.
  • Right to Restrict Processing: You can ask us to suspend the processing of your personal data in certain circumstances.
  • Right to Data Portability: You can request that we transfer your personal data to you or another party in a structured, commonly used, machine-readable format.
  • Right to Object: You can object to the processing of your personal data where we are relying on a Legitimate Interest.

To exercise any of these rights, please email us at info@cardfactoryfoundation.org

Complaints: If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Their website is: www.ico.org.uk.