← Back to Holly's Hope

Privacy Policy

Last updated: March 2026

Holly's Hope Ltd ("we", "us", "our") is committed to protecting the privacy of everyone who interacts with our organisation. This policy explains how we collect, use, store, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Holly's Hope Ltd is a not-for-profit organisation registered in England and Wales. Our registered address is in Northumberland, United Kingdom.

Data Controller: Holly's Hope Ltd

Contact: info@hollyshope.org.uk

2. What Data We Collect

We may collect the following personal data:

2.1 Website Contact Form

• Name
• Email address
• Phone number (optional)
• Enquiry subject and message content

2.2 Donations

• Name and email (as provided to our payment processors)
• Donation amount and date
• Gift Aid declaration (if applicable)

Important: We do not collect or store payment card details. All payment processing is handled by PCI-DSS compliant third-party providers (Zeffy for one-off donations, GoCardless for Direct Debit). Please refer to their respective privacy policies for details on how they handle payment data.

2.3 Workshop Bookings

• School/organisation name and contact details
• Name and email of booking contact

2.4 Website Analytics

If you consent, we use privacy-preserving analytics to understand how visitors use our website. This collects aggregate, anonymised data only (page views, referral sources, device types). We do not use tracking cookies or collect individual browsing profiles.

3. How We Use Your Data

We use your personal data only for the purposes for which it was collected:

• To respond to enquiries: If you contact us via our website form or email.
• To process donations: To acknowledge your donation, provide receipts, and manage Gift Aid claims.
• To deliver workshops: To arrange and confirm school workshop bookings.
• To improve our website: Anonymised analytics data helps us understand which content is most useful.

We will never sell, rent, or share your personal data with third parties for marketing purposes.

4. Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

• Consent: For website analytics and marketing communications (where applicable).
• Contractual necessity: To process donations and fulfil workshop bookings.
• Legitimate interests: To respond to enquiries, maintain our website, and prevent fraud.
• Legal obligation: To maintain financial records as required by UK charity law and HMRC.

5. Data Sharing

We share personal data only with the following categories of service provider, and only to the extent necessary:

• Zeffy: Processes one-off card donations on our behalf.
• GoCardless: Processes recurring Direct Debit donations on our behalf.
• Formspree: Processes contact form submissions (data is transmitted securely and not stored long-term).
• Website hosting (Vercel/Netlify): Hosts our website. No personal data is stored by the hosting provider beyond standard server logs.

We do not transfer data outside the United Kingdom or European Economic Area unless adequate safeguards are in place.

6. Data Retention

• Contact form submissions: Retained for up to 12 months, then deleted.
• Donor records: Retained for up to 7 years as required by HMRC for Gift Aid and financial reporting, then securely deleted.
• Workshop booking records: Retained for up to 2 years, then deleted.
• Analytics data: Anonymised and aggregated; no individual data is retained.

7. Cookies

Our website uses only the following cookies:

• Essential cookies: Required for the website to function (e.g., cookie consent preference stored in your browser's local storage).
• Analytics cookies (optional): Only set if you consent. We use privacy-preserving analytics that does not track individuals across websites.

We do not use advertising cookies, social media tracking cookies, or any third-party tracking pixels.

8. Your Rights

Under UK GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate data.
• Right to erasure: Ask us to delete your data (subject to legal retention requirements).
• Right to restrict processing: Ask us to limit how we use your data.
• Right to data portability: Request your data in a standard format (CSV/JSON).
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw consent at any time for consent-based processing.

To exercise any of these rights, please email info@hollyshope.org.uk. We will respond within 30 days.

9. Security

We take appropriate technical and organisational measures to protect your personal data:

• Our website is served over HTTPS (SSL/TLS encryption).
• Payment processing is handled by PCI-DSS compliant providers.
• Access to personal data is restricted to authorised staff only.
• We conduct regular reviews of our data handling practices.

10. Children's Data

Our workshops are delivered in schools and may involve young people under 18. We do not collect personal data directly from children through our website. All workshop bookings are made by school staff or parents/guardians. Safeguarding policies apply to all our educational activities.

11. Changes to This Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113

We would appreciate the opportunity to resolve any concerns directly first. Please contact us at info@hollyshope.org.uk.