We want to make sure that we are as clear as possible about our data practices and we’re currently checking to make sure that they’re compliant with the new data protection regulations which became law on 25th May 2018.
If we need to make changes to this policy that will affect how we process your information, we will let you know about the changes by the most appropriate method (eg by email, by post if we don’t have an email address for you, or as an update on our website) as soon as we can.
What does this policy cover?
This privacy policy covers all of Viva!’s work, our websites and everyone we have contact with.
About Viva!
Viva! was founded in 1994 by Juliet Gellatley, our Founder and Director. We’re a UK registered charity. We fight to stop animal cruelty, to protect our planet and our health through our undercover investigations, campaigns, education and outreach. Viva! also runs events and Festivals and creates masses of practical information to help people become vegan and move in the direction of a kinder lifestyle. Viva! relies on donations from the public to run our campaigns and outreach.
We take the security of your data very seriously and do our utmost to protect it. You have the right to know what information we hold about you, to correct it if it is wrong, to ask us to delete it and to object to what we do with your data (either to us or to our supervisory authority).
If you would like to exercise any of these rights, discuss what we do with your data or request a paper copy of this policy, you can contact us here:
- Email info@viva.org.uk
- Write to Viva!, 8 York Court, Wilder Street, Bristol BS2 8QH, UK
- Call us on 0117 944 1000 (Mon-Fri, 9-6).
Viva! has appointed a Data Protection Officer to oversee our data practices and usage. The person appointed is Jeremy Ludlow and he can be contacted using the methods listed above.
What does Viva! know about you?
We only hold data about you that you have voluntarily given to us, except in very specific circumstances. This means that we collect the information you enter when you sign up to our mailing lists or websites, donate to us, sign a petition or otherwise contact us. We also collect information when you set up a fundraising page with one of our fundraising suppliers.
In addition to the data we collect, we also generate some data about you. This means that we will know when you’ve opened an email from us or clicked on a link in an email. We will also store information about donations you make to us, purchases you make, consents that you have given to us and orders for resources such as leaflets.
How long do we store this data for and where do we get it?
When you have signed up to emails:
If you have signed up to receive email updates from us, we will continue to send you emails until you tell us not to. You can opt out of this service at any time by unsubscribing or changing your preferences, or by contacting us. If you don’t open any emails from us for more than a year, we may assume that you’re no longer interested and remove your contact details from the list.
When you have given consent, or otherwise contacted us, on behalf of a child:
We will keep details for both of you, and a record of your consent, until the child turns 18 years old (this is why we ask for a date of birth). If you are asked for consent, but do not provide it within a month, we will remove these details. Your details will not be used for any other purpose, unless you have other contact with Viva!.
If you are a public contact:
If you’ve given us contact details in order for us to make them publicly available, for example to publicise fundraising work, or as a professional to whom we can refer contacts, this information will only be released to the extent to which you’ve consented. We will also check with you periodically to make sure that you’re still happy for your details to be passed on in that way.
When we connect with you on social media:
If you communicate with Viva! by social media, Viva! will not record or store any information about you outside of that social media platform unless you give it to us directly (ie by passing your email address or phone number to us via Facebook Messenger) or you give your consent. Information that you store or transfer on a social media platform is subject to each provider’s own privacy policy.
What happens when we stop storing your data?
When we remove your data from our systems, we will remove any details that identify you as an individual from the records that we keep. We may keep anonymous records of financial transactions and other interactions for accounting and analysis purposes, but you will no longer be identifiable.
How do we use the data we hold about you?
We use the information we have about you to perform actions that you have requested of us (such as fulfilling an order or sending you emails), to keep track of how you interact with Viva! so that we can send you relevant communications, to record your consent to certain activities, and to review the effectiveness of our campaigning and our other charitable functions.
This means that we will review the information that you give us, and the information that we generate, in order to work out how best to allocate our resources and to send you messages which are most relevant to you. We may use your donation history and location to send you specific communications or send you information about events in your area. If you don’t wish us to use your data this way, you can opt out at any time by contacting us.
The data that we review or generate will only be used to promote the interests of Viva! directly. We will never share this information with other charitable organisations or pressure groups, or outside of our trusted service providers, without your explicit consent.
How will we contact you?
When will we send you emails?
At Viva!, we make a distinction between ‘marketing emails’ and ‘transactional emails’.
Marketing emails are emails that we send to you and a large group of other people, or which are automated, from our mailing list. These emails may include our regular newsletters, fundraising emails and campaign updates (among other things). We will only send these if you have asked us to, and you can withdraw your consent at any time.
Transactional emails are communications about specific actions you have taken or where we need to communicate something that is specific to you. These could include (but are not limited to): receipts for purchases or donations, order updates, queries about an order, renewal reminders, questions about your Gift Aid consent or any other enquiry that specifically relates to you. Transactional emails are often required (like receipts), automatic (like delivery updates or order confirmations) or from individuals (such as a Viva! staff member) and are often sent to you by our service providers (such as payment processors) rather than directly from Viva!. In most cases, we have an obligation to send these communications – or a legitimate reason to believe you are happy to receive them.
Occasionally, we may need to send an update about this policy to a large section of our contacts who have not specifically consented to be added to our emailing list. In these cases, we will ensure that their contact details are used for this purpose only.
When will we phone you?
Viva! never do telephone fundraising and we do not employ external fundraisers to do so on our behalf. If you give us your phone number, we will only use it to contact you about specific issues with donations or purchases, or to respond to queries where you have asked us to phone you.
Do we share your information with anyone?
We share the data that you give us with our trusted suppliers only where we need to in order to perform our work as a charity. This could include:
- Sharing your name and address with our mailing house and delivery services in order to send you post. This is never retained longer than necessary to carry out each particular task.
- Sharing your email address, name and postcode with our email provider, in addition to your mailing preferences, in order to send you emails.
- Using hosted accountancy software to keep financial records.
- Using a hosted provider for our shop.
- Sharing your order details, name, address and contact details with the supplier who sends wine orders to our customers.
- Sending petition signatures/records of online petitions to the receiving organisation.
Some of our suppliers, such as our email provider, help us to generate information about you. Like all payment processors, ours will perform checks on payments made to detect potential fraud and analysis on the usage of their services.
We don’t share information with other organisations for their marketing or fundraising purposes and we will never do this without asking for your explicit consent first.
What safeguards do we use for sharing your information?
We only use suppliers who have a strong focus on data security and robust security practices. Some of our suppliers may transfer information about you to countries which are not within the European Union and are not designated ‘safe’ countries for EU data (ie ‘third countries’), but always with appropriate safeguards in place (such as the EU-U.S. Privacy Shield arrangement or Model Contract Clauses) which protect individuals’ data and rights to the legal standards required by the EU.
All of our payment processors are compliant with the PCI DSS official standard for handling payment details.
We are currently reviewing our third party processors to ensure that they comply fully with the new data protection regulations, and will update these details once we have completed the review.
Our websites
When you use our websites, certain information about how you use our site, your device and general location information will be stored and tracked by our third party supplier, Google Analytics. Like most organisations, we use Google Analytics to find out how our website is used so that we can make improvements and track the success of campaigns. Although we can view the activity of individual users on our websites, we have no way of identifying them personally.
However, although Google is our supplier, we do not have control over the data that they collect and store about you for their own purposes. If you are concerned about the information that Google holds about you, you can view their privacy policy here or update your privacy settings via this page.
Cookies
We use cookies on our websites to help us perform actions that you have requested (such as an online purchase, saving items in your ‘cart’, making a donation or logging in), to make the site run more smoothly and to track how our sites are used. Social media websites like Facebook and Twitter also place cookies on your device when you visit our site. To find out more about cookies and to manage your preferences, visit viva.org.uk/cookies.
Lawful bases for processing
Under general data protection regulations (GDPR), we must let you know what our ‘lawful basis’ is for each way that we process your data. ‘Processing’ includes storing, sharing or analysing your data, as well as using it to contact you.
Viva! will justify processing your data using one of the following bases:
- Consent
- Legitimate Interest
- Fulfilment of Contract
- Legal Obligation
In addition, some parts of our processes may involve dealing with ‘Special Category Data’, which is sensitive information about you. The justifications we will use for processing this information are:
- Consent
- For the Purpose of Employment
- As a Charitable Organisation
- Where information has been made public
| Activity | Lawful Basis |
| --- | --- |
| Collecting information you give to us | Consent |
| Storing information you give us | Legitimate Interest |
| Allowing payment processors to process payments | Fulfilment of Contract or Legal Obligation |
| Sharing information with other trusted service providers | Legitimate Interest |
| Sharing your contact details with our email provider (when you have asked us to email you) | Fulfilment of Contract |
| Sharing your contact details with our email provider (to send you updates about this policy) | Legal Obligation |
| Sending you items when you ‘join’ | Fulfilment of Contract |
| Sending you updates about adoptions | Fulfilment of Contract |
| Sending you all post when you give regular donations | Legitimate Interest |
| Storing donation records for required period | Legal Obligation |
| Storing Gift Aid records for the required period | Legal Obligation |
| Generating data about how you interact with us | Legitimate Interest |
| Analysing / reviewing how you interact with us | Legitimate Interest |
| Sharing your contact details with our mailing house | Legitimate Interest |
| Storing and using information about you supporting Viva! | Legitimate Interest |
| Storing and using information about your health | Legitimate Interest, As a Charitable Organisation |
| Administering job applications and employment records | Legal Obligation, For the Purpose of Employment |
| Contacting you about your data and how we use it | Legal Obligation |
Google Analytics
Page views, source and time spent on website are part of the user website activities information we can see with this cookie. This information cannot be tracked back to any individuals as it is displayed as depersonalised numbers; this is in order to help protect your privacy whilst using our website.
Using Google Analytics we can take account of which content is popular, helping us to provide you with reading and viewing materials which you will enjoy and find useful in the future.
We also use Google Analytics Remarketing cookies to display adverts on third party websites to our past site users, based on their past visits. The data we collect will only be used in accordance with our own privacy policy and Google’s privacy policy.
Should you not wish for your website visits to be recorded by Google Analytics, you are able to opt out by installing a browser add-on: Google Analytics Opt-out Browser Add-on
Google Analytics Advertiser
We use Google Analytics Advertiser Features, which helps us to better understand site visitors, via anonymised data. This can include collecting information from:
- Google Display Network Impression Reporting
- DoubleClick Platform integrations
- Google Analytics Demographics and Interest Reporting
- Remarketing with Google Analytics
This information is collected via Google advertising cookies and anonymous identifiers, in addition to data collected through the standard Google Analytics implementation. It allows us to understand what type of users visit the site, which then allows us to improve the website’s offerings for a better user experience.
Google AdWords
We use Google AdWords to see which pages led to our users submitting contact forms to us, which allows us to create a more effective marketing campaign, and make better use of our paid search budget.
YouTube-Videos
We have integrated YouTube videos into our website, which are stored on http://www.YouTube.com and can be played directly from our website. These are all integrated in the “extended data protection mode”, i.e. no data about you as a user will be transmitted to YouTube if you do not click on the videos to start playing them. Only when you play the videos will the data referred to in the next paragraph be transferred to YouTube. We have no influence on this data transfer.
By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the data specified in Section 2 of this privacy policy will be transmitted. This is independent of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your information will be directly associated with your account. If you do not wish to be associated with your profile on YouTube, you must log out before activating the button. YouTube stores your data as user profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation takes place in particular (even for unlogged-in users) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
For more information on the purpose and scope of data collection and processing by YouTube, please refer to the privacy policy. There you will also find further information about your rights and setting options to protect your privacy:
https://www.google.com/intl/en/policies/privacy. Transfers to third countries are possible. As an appropriate safeguard, standard contractual clauses pursuant to Art. 46 GDPR apply. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
Google Ads Conversion
We use the services of Google Ads to draw attention to our attractive offers with the help of advertising materials (so-called Google Ads) on external websites. We can determine in relation to the data of the advertising campaigns how successful the individual advertising measures are. We are interested in showing you advertisements that are of interest to you, to make our website more interesting for you and to achieve a fair calculation of advertising costs.
The advertising materials are delivered by Google via so-called “Ad Servers”. For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as the insertion of ads or clicks by users, can be measured. If you access our website via a Google ad, Google Ads stores a cookie on your device. These cookies usually expire after 30 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that the user no longer wishes to be addressed) are usually stored as analysis values.
These cookies enable Google to recognize your Internet browser. If a user visits certain pages of an Ads customer’s website and the cookie stored on their device has not expired, Google and the customer can recognize that the user has clicked on the ad and has been redirected to this page. Each Ads customer is assigned a different cookie. Cookies cannot therefore be traced via the websites of Ads customers. We do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. On the basis of these evaluations we can recognize which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information.
Due to the marketing tools used, your browser automatically starts a direct connection to the Google server. We have no influence on the extent and further use of the data that Google collects through this tool, and therefore inform you according to our knowledge: through the integration of Ads conversion, Google receives the information that you have accessed the relevant part of our website or clicked on one of our advertisements. If you are registered with a Google service, Google may associate your visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the providers may obtain and store your IP address.
Google Tag Manager
Information/purpose:
This website uses the Google Tag Manager. This service allows website tags to be managed through an interface. The Google Tag Manager only implements tags. This means that no cookies are used and no personal data is stored. The Google Tag Manager triggers other tags, which in turn collect data if necessary. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains valid for all tracking tags if they are implemented with the Google Tag Manager.
Recipients:
Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Transfers to third countries are possible. As an appropriate safeguard, we have agreed on standard contractual clauses pursuant to Art. 46 GDPR. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
Legal basis:
Art. 6 (1) f GDPR (legitimate interest)
Captchas
In specific cases, this website uses Google reCAPTCHA v2 to prevent automated programs/bots from using text fields. It helps to support the security of our website and to avoid spam for users. This is also our legitimate interest and fulfils our legal obligation.
The collected data are hardware and software information, such as device and application data and the result of integrity checks. These data will be sent to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data will not be used by Google for personalized ads.
Further information can be found in their privacy policy: https://policies.google.com/privacy. Further documentation can be found here: https://developers.google.com/recaptcha/ and https://www.google.com/recaptcha/admin/create.
Cookies used: Type a. More information can be found in the “Cookies” section.
Recipients:
Third party information: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Transfers to third countries are possible. As an appropriate safeguard, standard contractual clauses pursuant to Art. 46 GDPR apply. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
Deletion:
Cookie lifetime: up to 24 months (this applies only to cookies which have been set by this website).
Legal basis:
Art. 6 (1) c GDPR (when processing is necessary for compliance with a legal obligation)
Art. 6 (1) f GDPR (when processing according to the legitimate interest described above)
Google Maps
Information/Purpose:
This website uses the mapping service Google Maps. When using the feature, information is transferred to Google and analysed for their purposes. As a rule, this information includes your IP address and the possibility that it will be transferred to one of Google’s servers in the USA. We use Google Maps to make the locations disclosed on our website easy to find. This constitutes our legitimate interest pursuant to Art. 6 (1) f GDPR.
Recipients:
We have entered into an agreement with Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland including the EU Standard Contractual Clauses, and in this way ensure that the level of data protection is adequate even if data is processed in the USA (Art. 46 GDPR). More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en. In addition, when activating the tool, you expressly declare your consent to the data transfer (Art. 49 (1) a GDPR). More information on the processing of your data by Google can be found here: https://www.google.com/intl/en/policies/privacy.
Legal basis:
Art. 6 (1) f GDPR (legitimate interest)
(Website) Facebook Custom Audiences / Conversion (“Facebook Pixel”)
Information/purpose:
This website uses the so-called “Facebook Pixel” and the Conversions API of the social network “Facebook” for the following purposes:
- Facebook (website) Custom Audiences
We use the Facebook pixel and the Conversions API for remarketing purposes to be able to contact you again within 180 days. This allows us to display interest-based advertisements (“Facebook Ads”) to users of the website when they visit the social network “Facebook” or other websites also using this tool. In this way, we pursue the interest in displaying advertisements that are of interest to you in order to make our website or offers more interesting for you.
- Facebook conversion
We also use the Facebook Pixel and the Conversions API to ensure that our Facebook Ads match the potential interest of users and are not annoying. With the help of the Facebook Pixel, we can track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).
Due to the marketing tools used, (Facebook Pixel and Conversions API), your browser automatically establishes a direct connection with the Facebook server as soon as you have agreed to the use of cookies requiring your consent. Through the integration of the Facebook pixel and the usage of the Conversions API, Facebook receives the information that you have called up the corresponding website of our internet presence or clicked on an advertisement from us. If you are registered with a Facebook service, Facebook can assign the visit to your account.
The processing of this data by Facebook takes place within the framework of Facebook’s data policy. Special information and details about the Facebook pixel, the Conversions API and its functionality can also be found in the Facebook help area.
Used Cookies: Type C. For further information, see Cookie Section.
Recipients:
Joint Controller:
We are jointly responsible with Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook) for the collection and transfer of data in this process. This applies to the following purposes:
- The creation of individualized or suitable ads, as well as for their optimization.
- Delivery of commercial and transaction-related messages (e.g. via Messenger).
The following processes are therefore not covered by joint controllership:
- The process that takes place after the collection and transmission is within the sole responsibility of Facebook.
- The preparation of reports and analyses in aggregated and anonymized form is carried out as a Processor and is therefore within our responsibility.
We have concluded a corresponding agreement with Facebook for joint controllership, which can be accessed here: https://www.facebook.com/legal/controller_addendum. This agreement defines the respective responsibilities for fulfilling the obligation under the GDPR with regard to joint controllership.
The contact details of the Controller and the data protection officer of Facebook can be found here: https://www.facebook.com/about/privacy.
We have agreed with Facebook that Facebook can be used as a contact point for the exercise of data subject rights (see Section 1.3). Without prejudice to this, the jurisdiction of the Rights of Data Subjects is not limited.
Further information on how Facebook processes personal data, including its legal basis and further information on the rights of data subjects can be found here: https://www.facebook.com/about/privacy. We transfer the data within the scope of joint controllership based on the legitimate interest pursuant to Art. 6 (1) f GDPR.
Information on the data security conditions can be found here: https://www.facebook.com/legal/terms/data_security_terms and information on processing on the basis of standard contractual clauses can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum.
Further Recipients:
We also transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors (e.g. platform-, hosting, support and analysis service providers) in accordance with the required purposes (for the execution of ad display and analysis). Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard, we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers. More information on this topic is published here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
Deletion/Withdrawal:
The “Facebook Custom Audiences” function can be deactivated in the Cookie Settings and for logged in users at https://www.facebook.com/settings/?tab=ads#.
Cookie lifetime: up to 180 days after last interaction (this applies only to cookies which have been set by this website).
Legal basis:
Art. 6 (1) a GDPR (consent)
How do we protect your data?
Viva! takes the care of your personal information seriously and ensures there are appropriate technical controls in place to protect it. These include providing training for staff and volunteers who are responsible for handling your data, using secure storage and servers, Transport Layer Security (TLS) and firewalls, and carefully selected external organisations.
Viva! processes all card payments securely in accordance with Payment Card Industry (PCI) Security Standard legislation.
Your rights
You have the right to withdraw your consent at any time, to correct or view any information that we hold about you, to ask us to delete the information that we hold on you or to object to how we use that information.
Withdrawing Consent
You have the right to withdraw consent that you have previously given to us for communication, data processing or storing your data. You can do this by contacting us or, if you wish to update your preferences or unsubscribe from emails, clicking the relevant link in any email you receive from our mailing service.
You can also enter your details on the Fundraising Preference Service (FPS) website. This service is run by the Fundraising Regulator and allows you to stop email, telephone, addressed post, and/or text messages from a selected charity or charities by using the online service at www.fundraisingpreference.org.uk or by calling 0300 303 3517. Once your request is raised with the FPS, we will ensure that your new preferences take effect within 28 days of your request.
Please be aware that withdrawing consent to communication does not mean that we will also delete your contact details or other information that we hold about you. If you would like us to delete your information, see ‘right to erasure’.
Right to be Informed
You have the right to be informed about how we use your data in a concise, transparent and easily-intelligible way. We will usually provide this information to you by providing privacy notices alongside this policy, where appropriate, when you give us your data. If you would like a copy of this policy, you can either download this page or contact us to request a paper copy.
Right to Access and Correction
You have the right to access the data that we hold on you and to confirm that your data is being processed by us. You also have the right to have your information corrected if it is wrong. If you would like to request information from us or correct any data that we hold about you, please contact us.
Right to Restrict Processing
If you are unhappy about how we are processing your data, you have the right to restrict how we process the information that we hold on you in certain circumstances. If you would like to restrict processing, please contact us.
Right to Data Portability
If you would like to transfer the information that we hold on you to another organisation, or to receive it in a standardised form (‘comma-separated’ or plain text) that can be read and imported by most data systems, contact us to request a copy of your data.
Right to Erasure (or to ‘be forgotten’)
You have the right to request that we delete all of the information that we hold on you, but there are some cases in which we will not be able to delete your information. This could include when you have previously given a consent for Gift Aid claims, for which our legal obligation to keep records has not expired. In these cases, we will comply with your request as far as possible, and make sure to let you know what we cannot delete.
If you would like to exercise your right to erasure, please contact us.
Right to Object
You have the right to object to any processing of your information which is based on legitimate interests, direct marketing or profiling (automated decision-making). You also have the right to object to your data being processed by us for the purposes of scientific, historical or statistical research.
If you object to us using your information for the purposes of direct marketing (ie postal or email campaigns and appeals), we will ensure that we do not contact you further for those purposes.
You can also object to processing for which we have legitimate interest. If you do object to our processing of your data for this purpose, we will do our best to comply with your wishes. However, in some circumstances, we may not be able to stop the processing entirely.
If you wish to object to processing of any kind, you can contact us to let us know.
If you have objected to how we use your data and are not satisfied with our response, you also have the right to lodge a complaint with our supervisory authority: the Information Commissioner’s Office. They can be contacted by phone on 0303 123 1113 or via their online service.