Privacy notice

Updated: April 2026

This privacy notice outlines how The London Community Foundation collects, uses, stores, and shares your personal data when you interact with us as a website visitor, donor, fundholder, fundraising contact, grant applicant, funded organisation, trustee, supplier, service provider, employee, worker, volunteer, contractor, consultant, intern, or job applicant.

1. Data Controller and Contact Details

1.1. The London Community Foundation is the data controller for the personal data described in this notice.

1.2. The Charity’s Data Protection Officer is the Finance Director. If you have any questions about this notice or how we use your personal data, please contact us via the Charity’s usual contact channels.

2. Types of Data Held

The personal data we collect depends on how you interact with us. This may include:

  • Website visitors: technical data (for example IP address, device/browser information), usage data (pages visited and interactions), and cookie data (where used).
  • Donors, fundholders and fundraising contacts: identification and contact details, donation and giving history, communication preferences, records of meetings/calls, Gift Aid information where applicable, and (where relevant) due diligence information.
  • Trustees and supplier/service provider contacts: identification and contact details, role/organisation details, correspondence and records of meetings, and (where relevant) due diligence, declarations of interests, and information needed to manage governance and contractual relationships.
  • Grant applicants, funded organisations and connected individuals: identification and contact details, application and assessment information, due diligence/eligibility checks (where relevant), bank/payment details for grant payments (where relevant), monitoring and evaluation information, reports, correspondence, and information about individuals involved in projects (for example project leads or beneficiaries where provided).
  • Employees, workers, volunteers, contractors and recruitment: recruitment and selection information (CVs, interview notes, assessments, references and right to work), employment/engagement details (role, contract terms, working arrangements), payroll/tax/banking (where relevant), performance and training records, absence records, and IT/security information.
  • Special categories of personal data: we may process special category data where necessary and lawful (for example health information for sickness absence and reasonable adjustments; equality, diversity and inclusion information where collected; and information about trade union membership where relevant).
  • Criminal offence data: we may process criminal offence data where necessary and lawful (for example DBS checks for specific roles, or due diligence where relevant).

3. Sources of Personal Data

We collect personal data from you directly (for example when you visit our website, make an enquiry or donation, submit an application, communicate with us, or work with us). We may also receive personal data from third parties such as referees and recruitment agencies, identity/right-to-work or criminal record checking providers (where relevant), our service providers (for example IT, payroll or payment processors), partner funders, and from publicly available sources where relevant and permitted by law.

4. Use of Personal Data

We will only use your personal data where we have a lawful basis under UK GDPR. Depending on the context, this may include: (a) consent; (b) performance of a contract or taking steps at your request prior to entering into a contract; (c) compliance with a legal obligation; (d) vital interests; (e) public task (where applicable); and/or (f) our legitimate interests (for example to operate the Charity effectively, fundraise, make and administer grants, and recruit and manage our workforce).

Typical lawful basis

  • Operating and improving our website; administering cookies and similar technologies (where used).
    • Consent (for non-essential cookies) and/or legitimate interests.
  • Responding to enquiries and communicating with you.
    • Legitimate interests and/or performance of a contract.
  • Processing donations, managing fundholder relationships, stewardship, events and fundraising communications.
    • Performance of a contract; legitimate interests; consent (where required for marketing).
  • Administering grant applications, assessing eligibility and making decisions; paying grants; monitoring and evaluation; reporting to
    funders/fundholders.
    • Performance of a contract; legitimate interests; and/or public task (where applicable).
  • Managing Charity governance (including trustee appointment/administration, conflicts of interest and compliance) and managing supplier/service provider relationships.
    • Legal obligation; legitimate interests; and/or performance of a contract.
  • Running recruitment processes (shortlisting, interviews, assessments and making offers).
    • Legitimate interests and/or taking steps at your request prior to entering into a contract.
  • Onboarding and managing employment/engagement; payroll, pensions, expenses and benefits (where relevant); training and performance management.
    • Performance of a contract; legal obligation; legitimate interests.
  • Complying with legal and regulatory requirements; safeguarding and security; preventing and detecting fraud and misuse; protecting our legal rights.
    • Legal obligation; legitimate interests; vital interests (in emergencies).

5. Special Category Data and Criminal Offence Data

Where we process special category data (such as health information) or criminal offence data, we will only do so where it is necessary and we have both: (a) a lawful basis under Article 6 UK GDPR; and (b) an additional condition under Article 9 UK GDPR (for special category data) or the Data Protection Act 2018 (for criminal offence data). We apply appropriate safeguards, including limiting access to those who need it and using the information only for the relevant purpose.

6. Data Disclosures

We may share your personal data with trusted third parties where necessary for the purposes described above. This may include: service providers who support our operations (for example IT and cloud providers, CRM and grants management systems, finance and payroll providers, payment processors); professional advisers (legal, audit, insurance); partner funders and co -funders (where relevant); and regulators, law enforcement or other authorities where required by law or to protect our legal rights.

7. International Transfers

Some of our service providers may store or process personal data outside the UK. Where we transfer personal data internationally, we will ensure appropriate safeguards are in place, such as UK adequacy regulations or appropriate contractual protections (for example the UK International Data Transfer Agreement or Addendum), together with any additional measures required.

8. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting, reporting, audit, safeguarding or regulatory requirements. Retention periods vary depending on the type of record. For example, recruitment records for unsuccessful candidates are typically kept for a limited period after the process ends; grant applications and monitoring records may be retained to administer grants and meet reporting and audit requirements; donor and fundholder records may be retained to manage relationships and comply with financial and tax rules; and website log data may be retained for security and troubleshooting. For more detail, please contact us.

9. Data Protection Rights

9.1. Under UK GDPR, you have rights in relation to your personal data, including: the right to be informed; the right of access; the right to rectification; the right to erasure (in some
circumstances); the right to restrict processing; the right to data portability (in some circumstances); the right to object (in some circumstances, including to processing based on
legitimate interests); and rights in relation to automated decision -making and profiling.

9.2. To exercise your rights, please contact us using the details above. You also have the right to make a complaint to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your personal data.

10. Automated Decision-Making

We do not normally make decisions about you based solely on automated processing (without human involvement). If this changes, we will inform you and explain the logic involved and your rights.

11. Changes to this Notice

We may update this notice from time to time. We will make the latest version available as appropriate (for example on our website and/or on request).