This Privacy Notice applies to all supporters, donors and website users of, managed by us, FirstLight Trust (FLT), 34 Grosvenor Gardens, London SW1W 0DH.  Registered Charity number 1149496 (England and Wales) and number SC046296 (Scotland).

We take your Data Protection seriously and in accordance with the Data Protection Act 2018 (DPA) and UK GDPR, we have reviewed our policies, processes and security procedures to ensure compliance with these regulations.

This privacy notice is to inform you, our supporters, donors and website users, of the types of data we process about you, the reasons for processing your data, the lawful basis for processing, your rights and the retention periods of your data.

We act as Data Controllers for the personal data we collect and process.

If you have any questions about your data or how we handle it, please contact us on 0207 730 7545.


Under UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

  1. a) processing is fair, lawful and transparent
  2. b) data is collected for specific, explicit, and legitimate purposes
  3. c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
  4. d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
  5. e) data is not kept for longer than is necessary for its given purpose
  6. f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
  7. g) we comply with the relevant GDPR procedures for any international transfers of personal data


FirstLight Trust is obliged to collect specific types of data for a variety of reasons.  When using our website, making a purchase or donation, or signing up to an event with us, we typically collect the following types of data:

  • Contact details such as name, email, phone number, address
  • Credit or debit card details
  • Cookie data


We collect data when you use our website or agree to make a donation via our platform for the following processing activities:

  • Creating and managing a user account
  • Making donations, purchases or attending events
  • Signing up for Newsletters / email updates
  • Technical administration of our website
  • To verify details of your payment method or credit card account

Our Cookie Policy explains what other data is collected when you visit our website and can be found


The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to effectively manage the product or service contracts we have with you.

The table below categorises the types of data processing we undertake and the lawful basis we rely on.

Type of personal Data Reason for processing Lawful basis
Name, email address Signing up for Newsletters / email updates Consent
Name, email, phone number, address Creating and managing a user account

Making donations, purchases or attending events

Performance of contract
Credit or debit card details – these details are not stored by us.  They are passed securely to our payment processors.


To verify details of your payment method or credit card account


Making donations, purchases or attending events


Performance of contract
Cookie data – see our Cookie Policy here for further information


Technical administration of our website




Special categories of data include data related to information such as:  health, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data or Child data.

We do not collect any special category data.


Your failure to provide us with data may mean that we are unable to fulfil our requirements to perform the services requested with you.


In order to process donations we will need to share your information with our payment provider in order to complete a transaction and to HMRC for Gift Aid.

If we are requested by the police or a regulatory or government authority investigating illegal activities to provide information concerning your activities whilst using the network we shall do so.

We may share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us.


We have a data processing agreement in place with third parties we use to process your data under our instructions as part of providing our services to you. Third parties must implement appropriate technical and organisational measures to ensure the security and confidentiality of your data.


During some processing activities, our data processors are located outside of the UK or European Economic Area.  We ensure appropriate measures in place are in place to secure the data being transferred.


We ensure your data is protected against accidental loss or disclosure, destruction and abuse. As part of our ongoing compliance with UK GDPR, we have implemented processes to protect your data and will continue to monitor the effectiveness of these processes.

To this end all personal information stored by us is stored in a secure environment and encrypted in transmission.

Only employees, our partners and any sub-contractors who need the information to perform a specific job are granted access to personally identifiable information.

Our payment processors are PCI DSS compliant.


We only keep your data for as long as we need it for and in line with legal requirements, which will be at least for the duration of the contract for products and services as outlined in the table above.


Automated decision making means making decisions about you using no human involvement e.g. using computerised algorithms or programmes.

We do not undertake any automated decisions with your data.


You have the following rights, with some restrictions, in relation to the personal data we hold on you:

  1. a) the right to be informed about the data we hold on you and what we do with it
  2. b) the right of access to the data we hold on you
  3. c) the right for any inaccuracies in the data we hold on you to be corrected (rectified)
  4. d) the right to have data deleted in certain circumstances (erasure)
  5. e) the right to restrict the processing of the data
  6. f) the right to transfer the data we hold on you to another party (portability)
  7. g) the right to object to the inclusion of any information;
  8. h) the right to regulate any automated decision-making and profiling of personal data.

If you would like to exercise any of your rights, please contact us on 0207 730 7545.


Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. In certain instances, this may not be permissible and we will explain the reasons for this as part of our response.


We will make every attempt to ensure you are satisfied with our handling of your data requests, however, you are entitled to raise a complaint with the Information Commissioner (ICO) if you are not satisfied. You can contact the ICO at or by telephone on 0303 123 1113 (local rate) or 01625 545 745.



Dated: December 2021

Next review date: December 2022