Privacy Policy At Cornerstone, we’re committed to protecting and respecting your privacy. This policy explains when and why we collect personal information about people who visit our website, how we use it, the conditions under which we may disclose it to others and how we keep it secure. We may change this policy from time to time, so please occasionally check this page to ensure you have the most up-to-date version. Any questions regarding this policy and our privacy practices should be sent by email to [email protected] or by writing to Data Protection Officer, Cornerstone, The Circle, Dudhope Castle, Dundee, DD3 6HF. Alternatively, you can telephone 01382 220238. Who are we? Cornerstone is one of Scotland’s largest charities whose purpose is to deliver expert care and support for people with learning disabilities, autism and complex care needs in Scotland. We are a registered charity (Scottish Charity No. SC004780). The company is registered in Scotland as Cornerstone Community Care operating as Cornerstone, Company No. SC070762 and our registered office is Johnstone House, 52-54 Rose Street, Aberdeen, AB10 1HA. How do we collect information from you? We obtain information about you when you use our website, for example, when you contact us about products and services, to donate or if you register to receive one of our publications. What type of information is collected from you? The personal information we collect might include your name, address, email address, details of your enquiry and/or donation, IP address, and information regarding what pages you have accessed and when. If you make a donation online or purchase a product from us, your credit card information is not held by us, it is collected by our third-party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions, as explained below. How is your information used? We may use your information to: process a donation that you have made; respond to your enquiry or your registration for one of our events; process orders that you have submitted; carry out our obligations arising from any contracts entered into by you and us; seek your feedback, views or comments on the services we provide; notify you of changes to our services; hold your details on our client relationship management system; send you communications, which you have requested and that may be of interest to you. These may include information about newsletters, campaigns, appeals, and other fundraising activities When we use your personal information, we are required to have a lawful basis for doing so. Depending on what personal information we process and why, there are various lawful bases upon which we may rely. The lawful bases we may rely on include: consent: where you have given us clear consent for us to process your personal information for a specific purpose contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract; legal obligation: where our use of your personal information is necessary for us to comply with the law (not including contractual obligations); legitimate interest: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third-party (unless there is a good reason to protect your personal information which overrides our legitimate interests). Where you make a donation or a payment we will send you communications to acknowledge the transaction and to let you know about the impact of the donation you have made. You will be asked for your communication preferences at the stage of making the transaction, and we will use these preferences to communicate with you in the future. In some instances, we may ask for information such as your date of birth, or emergency contact to help fulfil our legal requirements, for example; to fulfil gambling commission requirements, mass participation events insurance requirements and to fundamentally keep our supporters safe. You may ask us to stop sending such communications or change your communication preferences at any time by contacting us by email [email protected] or telephone on 01382 220238. If you have a website login you will also be able to update your details in the ‘My details’ section of the site. How long we keep your information We review our retention periods for personal information regularly. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We are legally required to hold some types of information to fulfil our statutory obligations (for example, information about your donation and/or gift aid you have given us for seven years after the tax year in which you donated). We will hold your personal information on our systems safely and securely for as long as you are an active stakeholder or a donor and thereafter, for 7 years after your last donation, or for as long as is necessary for the purposes we have set out above. We will always store your records securely, for as long as they require to be retained. We will review and delete any information that we no longer have a legitimate reason to keep. Who has access to your information? We will not sell or rent your information to third parties. We may pass your information to our third-party service providers, agents, subcontractors and other associated organisations to complete tasks and provide services to you on our behalf (for example, to process donations and send you mailings). However, when we use third-party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties for them to use for their own purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for prevention of fraud or other crime. We work closely with various third-party product providers to bring you a range of quality and reliable products and services. When you enquire about or purchase one or more of these products or services from a third-party provider, the relevant third-party product provider will use your details to provide you with information and carry out their obligations arising from any contracts you have entered into with them. To find out more about our third-party providers, please contact us at [email protected] or telephone 0300 131 3333. Financial transactions relating to our website and services are handled by our payment services providers, We will share transaction data with our payment services providers only to the extent necessary for processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers' privacy policies and practices at: Stripe GoCardless Paypal Other third-party providers include: Mailchimp The Access Group Jobtrain GivePanel Vuelio Unity Lottery In some cases, third parties will be acting as a controller of your personal information, and therefore, we advise you to read their privacy policy. Where these third-party product providers will share your personal information with us, we will use that personal information by following this privacy policy. When you are using our secure online donation pages, your donation is processed by a third-party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us at [email protected] or telephone 0300 303 6163. We may transfer your personal information to a third-party as part of a sale of some or all of our business and assets to any third-party or as part of any business restructuring or reorganisation, or if we’re under a duty to disclose or share your personal information to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our supporters and customers. However, we will take steps with the aim of ensuring that your privacy rights continue to be protected and adopt a minimum data required approach. Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behaviour of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for Cornerstone. In the case of this activity the following will apply: Your data will be made available to our website provider The data that may be available to them include any of the data we collect as described in this privacy policy. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA. They will store your data for a maximum of 7 years. This processing does not affect your rights as detailed in this privacy policy. How you can access and update your information In this section, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. You can visit https://ico.org.uk/ for more information. You have the right to ask for a copy of the information Cornerstone holds about you. You also have rights to ask that we delete or amend the personal information that we hold about you in certain circumstances and/or that we restrict the processing of your personal information for specific purposes. Under the right to data portability, you can also ask us to provide you with the personal data we hold about you, for you to then reuse for your own purposes. You may also object to any processing of the personal data that we hold about you. You also have the right to complain to a supervisory authority and to withdraw consent. The accuracy of your personal information is important to us. If you have a website login you will be able to update your details in the My details section of the website. Alternatively, you change your email address or any of the other information we hold is inaccurate or out of date, please email us at [email protected] or write to us at Data Protection Officer, Cornerstone, The Circle, Dudhope Castle, Dundee, DD3 6HF. You can also telephone 0300 131 3333. Security precautions are in place to protect the loss, misuse or alteration of your information. Any of the above rights can be exercised by emailing us at [email protected] or writing to us at Data Protection Officer, Cornerstone, The Circle, Dudhope Castle, Dundee, DD3 6HF. Alternatively, you can telephone 01382 220238. Keeping your information secure We store your personal information on our systems within the UK and have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. For information on where our third-party providers store data, please refer to their relevant privacy policies. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information (such as credit or debit card details) is encrypted and protected with 128 Bit encryption software on SSL. When you are on a secure page, a lock icon will appear on web browsers such as Google Chrome, Microsoft Edge, Safari. Non-sensitive details (your email address, etc.) are transmitted normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password that enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. You acknowledge that personal data that you submit for publication through our website or services (such as “Share my story”) may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others. Use of 'cookies' About cookies A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. Cookies that we use The cookies we use on our website fall into one of these categories: Necessary Statistic Marketing Necessary cookies Necessary cookies help make our website usable by enabling basic functions like page navigation and access to secure areas of the website, as well as for authentication and login state purposes. We use these cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials and to protect our website and services generally. This website cannot function properly without these cookies. Cookie Name Used by Expiration _cfduid Cloudflare 1 year TiPMix Azure N/A x-ms-routing-name Azure 1 Hour idsrv Identity Server framework N/A idsrv.session Identity Server framework N/A TempMember Website N/A TempMember_RequiresVerification Website 12 Hours cookieconsent_status Website N/A tid Website N/A AspNetCore.Antiforgery.XXXXXX Identity Server framework N/A ASP.NET_SessionId Website End of session .AspNet.Auth Website 2 Hours ARRAffinity Website End of session MemberLoggedIn Website End of session _stripe_sid Stripe End of session _stripe_mid Stripe 1 year nsr Stripe End of session Statistic cookies Statistic cookies help us to understand how our visitors interact with websites by collecting and reporting information anonymously. These cookies also allow us to personalise our website for you by remembering your preferences. Cookie Name Used by Expiration @@History/@@scroll|# Website End of session _ga and _gid Google Analytics 2 years _gat Google Analytics End of session ai_session and ai_user Website End of session p.gif Typekit End of session __utma Google Analytics 2 years __utmz Google Analytics 6 months __unam ShareThis 14 months cc_cookie_accept Website 365 days _BEAMER_XXXXXX Beamer 1 year _plantrack Planhat 1 year Marketing cookies Marketing cookies are used to track our visitors across the website. The intention is to display ads that are relevant and engaging for you, the user and thereby more valuable for publishers and third-party advertisers. Cookie Name Used by Expiration NID Google 6 months collect Google Analytics End of session r/collect Doubeclick.net End of session IDE, DSID, _ct_rmm Doubleclick.net 2 years DisplayName Website End of session VISITOR_INFO1_LIVE Youtube 179 days YSC Youtube End of session Cookies used by our service providers Our service providers use cookies and those cookies may be stored on your computer when you visit our website. Please refer to the privacy policy of the relevant service provider for information on relevant cookies. We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: https://policies.google.com/privacy. The relevant cookies are: ga, _gid, _gat, __utma, __utmt, __utmb, __utmc, __utmz and __utmv. Managing cookies Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links: Google Chrome Mozilla Firefox Opera Internet Explorer Safari Microsoft Edge Please note that blocking all cookies will harm the usability of many websites. If you block cookies, you will not be able to use all the features on our website. Links to other websites Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for other sites' privacy policies and practices even if you access them using links from our website. In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third-party site. 16 or Under We are committed to protecting the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian's permission beforehand whenever you provide us with personal information. In line with our Fundraising with Vulnerable People Policy we will also seek the consent of parents/guardians where possible when we identify that a supporter is under the age of 18, and may choose to return donations where capacity is under dispute, or the donor is at risk of financial harm. You can request our Fundraising with Vulnerable People policy by emailing [email protected] or by calling the Fundraising Hotline on 0300 303 6163. There may be some fundraising products we promote which are only appropriate to those over the age of 18, such as Lottery products, events where the sale of alcohol will take place or some active events and challenges, individuals will be asked to provide their date of birth to ensure they meet legal requirements around gambling, event insurance or to keep our supporters safe. Review of this Policy We keep this policy under regular review. This policy was last updated in October 2023. Manage Cookie Preferences