Spark Support

Privacy Notice

This document serves as the Spark Support Privacy Notice, for the purposes of the General Data Protection Regulations and seeks to provide information about how Spark Support (referred to as us/we) process information.

1.   Who are we?

We are Spark Support, based at 8 Dawson Terrace, Harrogate, HG1 2AW.

Our general email address is hello@sparksupport.co.uk
Our named Data Protection Officer is Chantelle Browne, who can be contacted directly via email, chantelle@sparksupport.co.uk.

2.   How do I complain about the way my data has been handled?

In the first instance, please email hello@sparksupport.co.uk where one of our senior management team will assist you.
Should you be unhappy with the response, please email or write to our Data Protection Officer, who is detailed in point 1.

If you are unhappy with either response that Spark Support have provided you, you have the legal right to complain to the Information Commissioner’s Office (ICO). Details about how to do this can be found on their website: https://ico.org.uk/concerns/

3.   How can I see a copy of my personal data held by you?

To get a copy of your data (known as exercising a Subject Access Request), please email hello@sparksupport.co.uk or write to us at the address in point 1, stating your wishes. Due to the sensitive nature of some of the data we hold, we will need to perform thorough identity checks, to ensure the data is not going somewhere it shouldn’t. We will provide this without undue delay and at the most, within one month.

As per your legal right under GDPR, there is no charge for this.

We will provide the data in the best format we possibly can, which will be easily readable by you.

4.   How do I request data about me is corrected, deleted or restricted from processing?

To ask for your data to be corrected or deleted, please email us (see point 1) and one of our senior management team will ensure your request is dealt with as quickly as possible.

Please be aware, that there is some data that we will not be able to remove, due to legal obligations that we hold (e.g. ecommerce activity is required to be kept for tax and accounting reasons). Should we need to decline your request, we will explain fully and explain your options if you do not agree with our decisions.

If you wish for your data to be suppressed and believe you have the right to do so (to find out more on your rights, visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/), please email us (see point 1) with your request, and we will deal with it along with current legal guidelines, without delay.

5.   How do I object to you processing my data?

If you wish to opt-out from marketing from us (which we currently do not do), you may do so by clicking the unsubscribe button at the bottom of the email. You can also email us (see point 1) and we will take care of your request without delay.

We do not process personal data for statistical or research purposes.

We do not use your data for any automated decision making or profiling.

6.   What data do you store, why do you store it, where do you store it, and for how long?

Well, you certainly ask some tough questions, don’t you?! But that’s okay – we’re prepared for it.

We have split the data that we store into three categories – group data, ecommerce data, and HR data for staff. This data is stored in three distinct systems and is only ever able to be accessed by people who require this data to do their job.

We are extremely cautious about how we do things with regards to security and aim to set the standard enviably high.

To tell you about the data we store, the clearest way to do this is in a table set – explaining what and how we do things.

We do use some third parties to process information. These are extremely carefully selected and monitored.

We do not and will not use third party fundraising companies to acquire donors. We feel that pressuring people to donate is completely against our ethos and can severely damage people’s mental health – which would be totally counterintuitive for us to do.

6.1  Group Data

What we store

  • Screenshots of Facebook Posts
  • Action taken as a result
  • Handover information comprising of who is having a particularly tough day
  • Email address and information given to us when you sign up

Why we store it

  • Allow for informed decisions in the future
  • Check that the rules are being applied correctly
  • Allow other moderators to know what to look out for

How long for

  • Up to 2 years
  • Sign up information – not longer than 6 months.

What legal right?

  • Legitimate interest

What is the legitimate interest?

  • Management, safety and informed (non-automatic) decision making.
  • It is not possible to allow opt-out whilst a member participates in the group, as it disables our management and oversight.

Do we transmit this data to third parties?

  • This data is stored on Facebook, and only visible to moderators and staff who have necessary access.
  • Facebook do not use this data for advertising, as this is stored in a secret group.
  • Some data may be held in Office 365, under a secure storage area.

Do we transmit the data to another country?

6.2  Website Data

What we store

  • Web Server logs
    • IP Address
    • Web Browser User Agent String
    • What pages were visited
  • Google Analytics
    • Website Page Metrics

Why we store it

  • Identifying and diagnosing issues with the website and web server
  • Identify and resolve potential security risks
  • Identify improvements we can make to the website

How long for

  • Server logs: Up to 12 months
  • Google Analytics: Up to 25 months

What legal right?

  • Server logs: Legitimate Interest
  • Google Analytics: Not identified as personally identifiable data

What is the legitimate interest?

  • We need to ensure that if there is an error on our website, we can be notified of it and resolve it ASAP.
  • Security issues must be identified immediately – this can be done via a security log.
  • Anyone exploiting a security issue will never give consent for storage of data. It would be counterintuitive!
  • Getting consent for storage of data for logging is not practical and is prohibitive.

Do we transmit this data to third parties?

  • No personally identifiable data is transmitted. Log files are stored only on the server, and only accessible by the IT manager.

Do we transmit the data to another country?

  • No personally identifiable data is transmitted outside of the EU.
  • Web logs are stored locally on the web server, which is based in Microsoft Azure’s West EU datacentre.

6.3  Web Store / E-Commerce Data

What we store

  • Username
  • Encrypted and Salted Password Hash
  • Name
  • Address
  • Postcode
  • Phone number (if supplied)
  • Payment method
  • Order details

Why we store it

  • Ensure legal compliance and to fulfil a contract

How long for

  • Up to 7 years to ensure we’re compliant with VAT regulations and the Charities Act.

What legal right?

  • Fulfilment of a contract

What is the legitimate interest?

  • N/A

Do we transmit this data to third parties?

Do we transmit the data to another country?

  • Data we hold from within our shopping cart software is stored within Microsoft Azure’s West EU datacentres.
  • Data processed by Stripe Payments Europe may be transferred to their parent company, as per their privacy policy.
  • Data held in MailChimp is held in the United States. MailChimp are self-certified under the US-EU Privacy Shield. We have signed their data processing addendum, which can be reviewed as an attachment to this document.

6.4  Volunteer/HR Data

What we store

  • Name, contact details, address
  • Date of birth
  • Qualification information if supplied
  • DBS check result

Why we store it

  • To make sure that we have the ability to contact our volunteers
  • To allow us to reward our volunteers as necessary
  • To make provisions for safeguarding, as per legal obligation

How long for

  • Up to 10 years after leaving the organisation

What legal right

  • Legitimate interest

What is the legitimate interest?

  • Allow us to perform our safeguarding duties, and to allow us to reward and contact our volunteers as necessary.

Do we transmit this data to third parties?

  • DBS Check data: Processed via Disclosure Services. Data is input directly into their system as our umbrella body.
  • Little Bee Bakes and Cakes – our chosen supplier for volunteer rewards.
  • Royal Mail – To allow us to post items to our moderators.
  • Charlie HR – Our chosen HR platform. The data is stored in a secure environment for our use only.

Do we transmit the data to another country?

  • No

If you have any comments, questions or concerns relating to your data, privacy or security at Spark, please do email us – we’d rather you asked than worried. You can get in touch with us via hello@sparksupport.co.uk

After reading all that, you deserve a reward. So here’s a kitty.