Data Privacy,
& Security Policy

Updated March 2025

Your privacy and data protection is important to us.  We are committed to safeguarding the privacy of our contacts, website visitors, staff members, volunteers and partners; and we fully endorse and adhere to the seven principles of data protection set out in the General Data Protection Regulation. This privacy and data protection policy sets out how we will treat your personal information.

Firebird Collective currently includes Firebird Foundation and Firebird Impact.  Your personal information is, where appropriate, shared within the Firebird Collective.  Firebird Foundation and Firebird Impact are the controllers of your personal data and we are responsible for its processing and how it is used.

Personal Data Collection

Personal data is information that relates to an identified or identifiable individual. The Firebird Foundation and Firebird Impact may collect, store and use the following kinds of personal information:

  • information that you provide to us to register your interest in our activities (for example our grant funding or attending an event);
  • Information gathered about you in the course of a grant or investment application or for management of a grant or investment to you;
  • Information about you as an employee or trustee of the charity;
  • Other information that you choose to send to us.

Conditions for processing

We process personal data because:

  • you gave us consent to do so (for example, when you applied for a grant);
  • we need to process and manage a contractual arrangement that you may have entered into;
  • we want to pursue our legitimate interests in grant and investment making and grant and investment management; and
  • we need to comply with our legal obligations as an organisation (for example, as an employer).

We will always have regard to your rights when making judgements about processing your data.

Using Personal Data

We will only ask for as much information as we need to effectively consider an application, to manage an award if you are successful, and to monitor its progress. When you submit an application and we ask for your consent to process your data, you are agreeing to us processing your data for the purposes and in the ways outlined in this section.

We sometimes collect sensitive personal data on individuals, for example to enable us to monitor the diversity of our applicants.
If you have applied for, or hold a grant or investment with us, we will use the information you give us during assessment and during the life of your grant or investment (if awarded) to administer the grant or investment. We might give copies of all or some of this information to individuals and organisations we consult when assessing applications, administering the programme, monitoring grants and investments and evaluating funding processes and impacts. These include accountants, external evaluators, other funders and other organisations or groups involved in delivering the project.

We may share information with organisations and individuals with a legitimate interest in our applications and grants, investments or specific funding programmes.
We might use the data you provide for research purposes, but we recognise the need to maintain the confidentiality of vulnerable groups. Your details will not be made public in any way, except as required by law.

We might also use your personal data to:

  • enable your use of the services available on our website;
  • send you general communications about our grants and investments and grant making;
  • deal with enquiries and complaints made by or about you.

We publish details of grants and investments awarded on our website, in our annual accounts. We will not publish address details for individuals who are awarded grants except where these are also the registered addresses of organisations we fund.
We will keep a record of your contact details for up to 10 years to enable us to maintain records of your application history should you apply again and to enable us to meet any regulatory and reporting requirements, including HMRC investigations. In addition to application data, we will retain any personal data related to the administration or operation of the grant or investment. After this time we will only retain the name of the recipients and the amount awarded and some basic details of the grant or investment made for archiving and research purposes.

Photographs and videos

We may request, commission, or receive images from those we work with. We use these to promote our work, and that of our partners, through our communication channels including our website, social media presence and publications. We sometimes also use videos, which may be commissioned by us or submitted by our partners, to illustrate the impact of our work. If we commission videos they may involve external film makers.

In using images and videos we will make every effort to ensure suitable permissions and compliance with GDPR are satisfied before use.

Personal Data Security

We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.

The Firebird Foundation and Firebird Impact will store all the personal data you provide on our password-protected OneDrive if the application is related to a role with the Trust.

Disclosures

We may disclose information about you to any of our employees, Trustees, officers, agents, regulatory bodies, suppliers or subcontractors insofar as reasonably necessary for the purposes as set out in this privacy statement. We reserve the right to pass information passed to us by applicants to other Trusts, Foundations and Investors where they have a legitimate interest in the application or grant.

In addition, we may disclose your personal information:

  • to the extent that we are required to do so by law;
  • in connection with any legal proceedings or prospective legal proceedings;
  • in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk); and
  • to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.

Except as provided in this privacy statement, we will not provide your information to third parties.

Your Rights

You may ask for access to any personal information we hold about you and we will provide this within a month. We may ask for appropriate evidence of your identity before doing this.

You can tell us you don’t want us to process your personal information for general communications at any time by writing to [email protected]

Other websites

Our website may contain links to other websites that are not under the control of and are not maintained by Firebird Collective. We are not responsible for the content or reliability of the linked websites.

Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach can be accidental or deliberate. Examples of breaches can include:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data

Any breach of data protection will be reported immediately to the CEO of the Firebird Foundation for inclusion in the Data Breach Log. Information recorded will include date of the breach, number of people affected, nature of the breach, description of the breach, how we became aware of the breach, description of the data in the breach.

Following a breach immediate remedial action will be taken and the details recorded in the breach log. This will include the consequences of the breach, whether or not all individuals affected have been informed of the breach (and if the decision was made not to inform them what the reasons for that were), what remedial action was taken and the date the ICO was informed of the breach (if required).

Breaches will be reported to the ICO if there is a likely risk to people’s rights and freedoms. If, on assessment, the risk is unlikely there is no need to report it however details of the breach and justification of the decision not to report it will be documented in the breach log.

More information on data breaches can be found on the ICO website.

Contact Us

If you have any questions about this privacy and data protection policy, or our treatment of your personal information, please email us at [email protected]

Back to Home

Accessibility Toolbar