Privacy Policy

Last updated: 22nd December 2025

1) Who we are

New Horizons Partnership Ltd, Charity number: NIC101401, is a charity registered in Northern Ireland. Our registered address is Units 28 – 31, Orchard Road Industrial Estate, Strabane, BT82 9FR. We are the “controller” of personal data we process.

How to contact us:

Email: claire@newhorizonspartnership.co.uk Tel: 078 40377732

Postal: Units 28 – 31, Orchard Road Industrial Estate, Strabane, BT82 9FR

Our  Data Protection Officer (DPO) is Claire Devine and you can contact her as above.

2) What personal data we collect

We collect and process personal data from the groups below:

  • Supporters & donors: identity and contact details; donation history; Gift Aid status; marketing preferences; payment references (we do not use payment processors at this time – 2025).
  • Service users/beneficiaries: identity and contact details; details necessary to deliver our services; where relevant, special category data (e.g., health information) with an appropriate legal basis and safeguards.
  • Volunteers & job applicants: identity and contact details; application/experience; references; right‑to‑work; criminal record checks where lawful and necessary.
  • Trustees & key contacts: identity/contact details required for governance and regulatory filings.
  • Website/app users: IP address, device and analytics data, and cookies or similar technologies (see Cookie Policy).

3) Why We Use Your Personal Data

As a Charity, we only use your information when we have a lawful reason to do so under UK GDPR. Below is a simple, transparent explanation of how and why we use your data.

Donations & Gift Aid

We use your details to:

  • Process and acknowledge donations
  • Manage Gift Aid claims (if you choose to opt in)
  • Lawful basis:
  • Contract (processing your donation)
  • Legitimate interests (administration)
  • Legal obligation (Gift Aid requirements)

Providing Our Services

To deliver our services, we may need certain information to:

  • Assess eligibility
  • Provide support and guidance
  • Keep individuals safe (safeguarding)

Lawful basis:

  • Legitimate interests
  • Vital interests or Public task (where relevant)

Special category data:

Used only where allowed under UK GDPR (e.g., explicit consent, safeguarding grounds, or health‑related reasons).

Volunteers & Staff

For people working with us—whether paid or voluntary—we use information to:

  • Recruit and onboard
  • Carry out necessary checks
  • Manage rotas, training, and HR requirements
    • Lawful basis
    • Contract
    • Legal obligation
    • Legitimate interests

Fundraising & Supporter Communications

We connect with supporters through:

  • Postal updates
  • Event invitations
  • Appeals and fundraising campaigns
  • Social media notifications on invitations/events/campaigns

Lawful basis:

Legitimate interests (postal and phone calls to non‑TPS numbers)

Consent (email and SMS, as required by PECR)

Governance, Reporting & Compliance

As a Charity, we must meet various legal and regulatory standards. We use data to:

  • Manage trustees and governance duties
  • Submit statutory reports and filings

Lawful basis:

Legal obligation

Legitimate interests

Safety & Security

To maintain a safe environment for our community and our team, we may use data for:

  • Incident logging
  • IT and network security monitoring

Lawful basis:

Legitimate interests

(Some uses may fall under recognised legitimate interests once new UK rules are finalised.)

 

Website Analytics & Cookies

We analyse how people use our website so we can improve your experience.

Lawful basis: Consent for non‑essential cookies and analytics (see our Cookie Policy)

Additional Information

Legitimate Interests:

Where we rely on legitimate interests, we carry out a balancing test (Legitimate Interests Assessment) to make sure our interests do not override your rights.

Marketing Rules:

Email and SMS updates follow PECR rules, which normally require consent. The soft opt‑in may apply where appropriate.

Changes in Law:

The Data (Use and Access) Act 2025 will introduce updated rules, including recognised legitimate interests and changes to cookie/PECR requirements. We will update our policy when the final rules are published.

4) Where we get your data

Directly from you (forms, events, phone, email, website).

Indirectly from fundraising platforms if used (not used at this time – 2025)

5) Sharing your data

We share data only when necessary, with:

Service providers (processors) such as: CRM and email platforms, payment processors, cloud/IT providers, event platforms, printers/mailing houses—bound by contracts that meet UK GDPR requirements.

Regulators and public bodies, e.g., HMRC for Gift Aid; law enforcement when required by law; the Charity Commission for Northern Ireland for regulatory purposes.

6) International transfers

If a supplier stores data outside the UK, we take steps required by UK GDPR (e.g., checking adequacy, using the International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, plus Transfer Risk Assessments and appropriate safeguards). You can request details of current transfer mechanisms.

7) How long we keep data (retention)

We apply “storage limitation”: we keep personal data only as long as necessary for the stated purposes, then delete or anonymise it. We maintain a retention schedule (available on request) and review it regularly

Donor records: 6 years after last donation (tax/limitation periods).

Gift Aid declarations: 6 years after the end of the accounting period they relate to.

Volunteer/applicant data: unsuccessful applicants – 6 to 12 months; volunteer records – 6 years after leaving.

Safeguarding/incident records: per statutory guidance and risk—often longer.

Marketing preferences: until withdrawn; audit logs retained to evidence consent/opt‑out.

8) Your rights

Under UK GDPR, you have the rights to be informed, access, rectification, erasure, restriction, data portability, object, and rights related to automated decision‑making/profiling (subject to conditions/exemptions). To exercise these rights, contact us (see Section 1- Who we are).

We will respond within one month (extendable by two months for complex requests).

Right to object to direct marketing: You can opt out at any time (every email/SMS includes an unsubscribe link; you can write or call us).

9) Children and vulnerable people

As we work with vulnerable adults, we use age‑appropriate notices, obtain consent as required, and apply extra safeguards (minimisation, access controls, vetted staff/volunteers).

10) Our use of legitimate interests (balancing test)

For activities where we rely on legitimate interests (e.g., supporter stewardship, postal fundraising, IT/network security), we assess necessity and balance our interests against your rights and reasonable expectations. You can request a summary of relevant LIAs.

11) Security

We apply technical and organisational measures appropriate to risk (access controls, encryption in transit and at rest where feasible, secure disposal, staff training, incident response).

12) Complaints

If you have concerns about our data practices, please contact us first.

You also have the right to complain to the

Office of the Information Commissioner (ICO):

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire,

SK9 5AF.

Tel: 0303 123 1113

 

13) Changes to this notice

We will update this notice if our practices or the law change (e.g., final ICO guidance following 2025 consultations on cookies and recognised legitimate interests). We’ll post updates here and indicate the effective date.