Privacy Policy

At Foundation Scotland we’re committed to protecting any personal information you share with us, or that we receive from other organisations, and keeping it safe.

Please read the following notice to understand how Foundation Scotland will treat your personal information. We are subject to the legal jurisdiction of Scotland and any data protection legislation that applies in that jurisdiction. For the purpose of the Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2016 (GDPR), the Data Controller is Foundation Scotland.

Who are we?

Foundation Scotland is an independent charity registered in Scotland with the Office of Scottish Charity Regulator [registration number SC022910] and a company limited by guarantee [company number SC152949]. We are a member of the UK Community Foundation (UKCF) network and are quality accredited by UKCF.

Why do we need your data?

We are Scotland’s community foundation. We strengthen local communities by providing a source of funding to community-led projects the length and breadth of Scotland; connecting people and organisations with good causes. To do this effectively, we work with a range of individuals, groups, and businesses. We use the knowledge we have about people – personal data – only to further the work of the Foundation now and in the future. We understand our responsibilities as stewards of this data and will protect your privacy. This notice describes how we do this.

Whose information do we collect?

We hold data on individuals who have given financial or other support to Foundation Scotland, those who might do, and those who apply to Foundation Scotland for funds, whether on behalf of an organisation or personally.

How do we collect information from you?

Most of the information we hold about you has been provided directly to us by you. Examples include when you enquire about our activities; make a donation; set up a fund; apply for funding; apply for a job or volunteer role, or attend events organised by us. We may also receive information about you from someone else. Examples include where existing supporters feel you may be interested in supporting our work and suggest your name to us, or data collected via a service provider like Just Giving or Virgin Money Giving. In some cases, we may collect data from publicly available sources. Examples include information gathered from news articles or online media, including social media. We may also use publicly available directories and similar information such as the Royal Mail’s National Change of Address database and Companies House.

What type of information is collected and why?

The data we collect depends on the nature of our relationship with you. At any time you can ask us to see what information we hold about you, ask us to correct or update information, or ask us to delete the information we hold.

For donors

We need to ensure your contact details are up to date. This will help us plan our development activities and ensure appropriate due diligence is carried out. To safeguard the assets and reputation of Foundation Scotland, we may keep the following information about you:

  • Your name
  • Contact details including your address, telephone number(s) and email address
  • Information about how you like to be contacted
  • Information about your interests
  • Profiling information such as your age, gender identity, and ethnic group
  • Information about the organisations you may have links to
  • If you are a current UK tax-payer (for Gift Aid purposes)

This information will be stored in a way that enables us to keep track of your donations, process gift aid declarations, and monitor fund balances where applicable. It helps us to ensure any money you donate is spent in accordance with your wishes.

For grantees and their representatives

In order to solicit and process applications for funding from Foundation Scotland, we collect personal information from people representing the groups we support, who apply for funds, or about individuals who apply for funds. This will include:

  • Your name
  • Contact details including your address, telephone number(s) and email address
  • Information about how you like to be contacted
  • Information about your connection to the beneficiary or applicant organisation
  • Profiling information such as your age, gender identity, and ethnic group
  • Information about other organisations you may have links to

How long do you keep my data for?

We will keep data for as long as is needed to complete the task for which it was collected. Relationships between donors, fund recipients and Foundation Scotland are often long term. So we expect to keep your data for as long as the relationship exists, or until we no longer need it.

Is my data securely stored?

We primarily store personal data electronically. Any paper records we have will be scanned and stored electronically, and the paper copies destroyed wherever possible. Electronic records are all held in secure servers, with strong password protection. Necessary paper records are held securely in our office or, in the case of archived information retained for legal compliance, in a secure area of our office buildings.

The primary electronic systems we use to process your personal information include:

  • Our customer relationship management system (CRM), and related systems for sending communications such as DotDigital. 
  • Our financial system, currently Access Dimensions
  • Emails, documents, and spreadsheets held on local devices or cloud-based servers
  • Non-sensitive details, such as your email address, when transmitted over the internet, can’t be guaranteed to be 100% secure. Whilst we take all possible means to protect your personal information, we cannot guarantee the security of any information you transmit electronically to us, and you do so at your own risk.
  • Where we have given you a password to access certain parts of our website, you are responsible for keeping this password confidential. Please don’t share this password with others.

Who has access to my data?

Foundation Scotland staff, the Board and Committee Members will be granted secure access to your personal information where it’s necessary for them to carry out their duties on behalf of the Foundation. All staff are given training in data protection and are required to comply with our internal data protection policy.

Will my personal data be shared with third parties?

We will only ever share your personal information with third parties where it helps us to carry out our business functions and charitable activities, or where we have a legal obligation to do so. We will never sell or trade your information with third parties.

Third parties we may share your data with include:

  • Our software suppliers, for example in processing communications sent to you
  • Our WebMasters, who collect, process and store data in the performance of their contract with us
  • Our bankers (for payments to fund recipients who are individuals)
  • UK Community Foundations, for grant monitoring purposes
  • HMRC on Gift Aided donations since we have a legal obligation to provide this information
  • We will share information on fund applicants with fund panel members and donors. We will, however, redact personal information to the greatest extent possible. We will also publish data on fund recipients for groups/organisations (amounts/name of group/purpose), but we anonymise details for any individual recipients.
  • To enable donors to follow up on applications, applicant email addresses may be shared with them.
  • We will use external assessors to assess some of the applications we receive. We will, however, redact personal information to the greatest extent possible
  • We may pass data to other organisations, known as Data Processors, to provide specific services to us. An example would be providing data to a mailing house to send a newsletter. A contract is always in place with a Data Processor, and they are not allowed to do anything with your data other than that which we’ve requested.
  • We may share basic information on the attendees at an event or meeting with the host or other person who is a supporter of Foundation Scotland
  • When you donate using our chosen secure online facility, your donation is processed by a third party who specialise in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.

Some of our suppliers run their operations outside of the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us, you agree to this transfer, storing or processing at a location outside of the EEA.

Our responsibilities

The law requires us to tell you the basis on which we process your data. Some activities may require your consent. If the law requires your consent to process data in a certain way, then we will obtain it before carrying out that activity.

Other activities are carried out to fulfil a contract or agreement. Examples include holding funds or organising an event. Each requires us to know who you are and to process your information in order to do what you’ve asked us to do. In these instances, we will process your data based on that contract.

If personal data is required to be collected and processed to comply with the law, then consent is not required. This is the case for some data related to taxation. In all other cases, the law allows us to process your data if it is in our legitimate interest to do so, but only so long as we need to and your “interests or your fundamental rights and freedoms are not overridden”. Practically speaking this means we carry out an exercise to check that we will not cause you harm by processing your data, that the processing is not overly intrusive and that we will only do so in a way described in this privacy notice.

We will keep data for as long as is needed to complete the task for which it was collected. Relationships between donors, fund recipients and Foundation Scotland are often long term, and so we expect to keep your data for as long as that relationship exists, or until we no longer need it.

Your Rights

The law requires us to tell you that you have a variety of rights about the way we process your data. These are as follows:

  • Where our use of your data requires consent, you may withdraw this consent at any time.
  • Where we rely on our legitimate interest to process data, you may ask us to stop doing so.
  • You may request a copy of the data we hold about you.
  • You may change or stop how we communicate with you or process data about you, and if it’s not required for the purpose you provided it, then we will do so. Activities like processing Gift Aid donations, or managing Fund Agreements, may mean we can’t entirely stop processing your data. However, we will always endeavour to comply with such a request.

If you are not satisfied with the way we have processed your data then you may complain to the Office of the Information Commissioner.


We may use the personal information we hold to communicate with our clients, donors and supporters. When we do so, we will be processing your data in line with one of the legal bases permitted by current data protection legislation. In most cases, this will be because we have a legitimate business interest in contacting you as a donor, supporter, or fund recipient (or a representative of a fund recipient). In each case, you have given us explicit consent to do so. You can withdraw consent at any time by following the unsubscribe link in our emails, or by contacting us directly.


Cookies are small text files that are placed on your computer by websites that you visit. These files store information on how you behave when using the website and this information is shared with the website owners. When visiting our website, you will be asked to consent to us saving this information from your visit.

We only ever collect information that helps us to understand and improve the way it works. We use this understanding to help visitors get the most out of their visit to our site. 
You can accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if the cookies are disabled. You’re also able to manage and delete cookies by visiting the settings within your chosen web browser.

How do we use cookies?

Google Analytics – Google sets these cookies on our website. These cookies collect information about how visitors use our site. Google stores the information on servers in the United States. Google may transfer this information to third parties where required to do so by law, or where third parties process the information on Google’s behalf. Google state that they will not associate your IP address with any other data held by them.

YouTube - We sometimes embed videos from YouTube using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player. YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. 

Hotjar - Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback.

If you have any questions about this privacy policy, about how we process your data, or if you wish to change the way we use your data, including how we communicate with you, then please contact us.

Contact information

Contact name

Chief Finance and Operations Officer