Good Finance is a project run by Big Society Capital. Big Society Capital respects your privacy and is committed to protecting your personal information.
The EU General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 enhances an individual’s rights in relation to personal information about them. This privacy notice will inform you how we collect and look after your personal information under the GoodFinance brand in accordance with the GDPR and tell you about your privacy rights and how the law protects you. This privacy notice is provided in a layered format so you can click through to the specific areas set out below.
- Important information and who we are
- Legal basis for processing
- The situations where we collect personal information about you, what personal information we collect and why we collect it
- Transferring data to other countries
- Data retention
- Change of purpose
- Data security
- Your rights
- Complaints or queries
This privacy notice tells you what to expect when Big Society Capital, under the Good Finance brand, collects and processes your personal information.
It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
Big Society Capital is the controller and responsible for your personal data (collectively referred to as ‘we’, ‘us’ or ‘our’ in this privacy notice).
Big Society Capital
New Fetter Place
8-10 New Fetter Lane
Changes to this privacy notice
We keep our privacy notice under regular review.
Duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third party links
This website includes links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
If you contact us via social media, the personal information you provide will remain on that platform and that platform will be the data controller. We encourage you to read the privacy notice of the relevant platform.
If you sign up to the Good Finance newsletter via social media, please see the section titled ‘Good Finance newsletter’ for details on what we use personal information for in this situation.
Under the GDPR, we must have a legal basis for processing your personal information. In the situations described above, we process your personal information for one of the legal bases set out below.
- Legitimate interests*. We may process your information where it is in our legitimate interests to do so as an organisation and without prejudicing your interests or fundamental rights and freedoms. It is in our interests to ensure that our processes and systems operate effectively and to process information to help us achieve GoodFinance’s aim of assisting charities and social enterprises navigate the world of social investment.
- Consent**. We may process your information where you give us your consent to do so. You have the right to withdraw this consent at any time by contacting us.
Please contact us if you need details about the specific legal ground we are relying on to process your personal information in each situation.
THE SITUATIONS WHERE WE COLLECT PERSONAL INFORMATION ABOUT YOU, WHAT PERSONAL INFORMATION WE COLLECT AND WHY WE COLLECT IT
1. Visitors to our GoodFinance website
When someone visits our website we use a third party service providers, Hotjar and Lead Forensics, to identify which organisations are viewing our website, which pages they are viewing and for how long. They do this by tracking information such as your IP address. This information is only processed by us in a way which identifies organisations who are visiting our website and does not identify any individuals.
We use another third party service provider, Google Analytics, to collect other anonymised, aggregated data about visitors’ use of the website such as where the visitor came from, the browser types and versions, time zone setting and location and operating system used. We do this to find out things such as the number of visitors to the various parts of the site and to enable us to make the content useful. Further information about how Google uses this information and how you can control the information sent to Google can be found here. We do not make any attempt to find out the identities of the individuals visiting our website. If we do want to collect personally identifiable information through our website, we will be upfront about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
We also use the “visitor action pixels” from Facebook and Linkedin on our website. This allows your user behaviour to be tracked after you have been redirected to the Good Finance website by clicking on a Facebook or LinkedIn ad. This enables us to measure the effectiveness of adverts for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook and LinkedIn, which is why we are informing you, based on our knowledge of the situation. Facebook or LinkedIn may link this information to your Facebook or LinkedIn accounts and also use it for its own promotional purposes, in accordance with their Data Usage Policy here and here.
In order to improve the user experience on the website, we use Sumo to enable users to opt in to provide feedback, and we use Youtube embeds so that users are able to simply navigate out from the website to our video content hosted on Youtube. The fonts on the website are provided by Typekit and Google Fonts.
Good Finance newsletter*
Investors and advisors*
If you choose to be listed on our investor or advisor directory, the only personal information you will be asked for is your contact details and job role. We will also collect information about your organisation. Occasionally we will ask you to participate in surveys which help us to assess understanding and interest in social investment. If you are an investor, sometimes we will contact you to give you the opportunity of having the organisations you invest in featured in our case studies.
Good Finance diagnostic tool**
If you choose to use the Good Finance diagnostic tool the only personal information you will be asked for is your contact details. We will also collect information about your organisation. We will use this information to provide you with the diagnosis.
Third party service providers
We use third party service providers for parts of our website, IT systems and when we communicate digitally with you. Sometimes they will process the personal information which you provide us with.
2. Interactions with Big Society Capital Limited (BSC) or Access – the Foundation for Social Investment (Access) employees*
If you meet an employee of BSC or Access (a collaborator on the GoodFinance project), for example, at an event and give them your contact details they will keep this information in order to contact you in the future about topics which might be of interest to you and surveys which you might wish to participate in. They will also share this information with other staff members at BSC and Access and occasionally, they will pass it on to third parties who they think you would be interested to hear from. Similarly, we will sometimes receive your contact details from a third party who thinks you would be interested in hearing from us.
We, or our third-party providers, will transfer the personal information we collect about you to countries outside the EU, including the USA, on the basis that anyone to whom we pass it protects it in accordance with applicable laws. We are in the process of ensuring that, in the event that we transfer information to countries outside of the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), your personal information receives an adequate level of protection in a way that is consistent with and which respects the EU and UK laws. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us a firstname.lastname@example.org.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you have any questions about this Privacy Notice, or want to submit a written complaint about how we handle your personal information, please contact us via email@example.com.. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.