Aegis Trust’s Privacy Policy

 

Who are we?

  1. The Aegis Trust, registered at 34-36 Goosegate, Nottingham, NG1 1FF, hereafter “Aegis Trust” or “we”, is an international not-for-profit organisation working to prevent genocide and honouring the memory of victims of genocide.
  2. This policy sets out how we process personal data.  
  3. This policy applies to the personal data we process on the physical sites and digital websites we own and run, including the Aegis Trust website, Kigali Genocide Memorial, Genocide Archive of Rwanda, and the Genocide Research Hub.
  4. We operate in the UK, Rwanda, the Central African Republic and the USA. This policy applies to all our entities in these geographical entities.
  5. Please note that ‘policy’ hereafter refers to this privacy policy, ‘users’ refers to individuals using our digital websites, and ‘visitors’ to individuals visiting our physical sites. ‘Data subjects’ refers to individuals to whom the GDPR applies, including its principles and rights.

Who does this policy apply to?

  1. This policy complies with the EU General Data Protection Regulation 2016/679 (hereafter “GDPR”). Please note that the EU GDPR has been incorporated into UK law as the UK GDPR. In practice there is little change to the core data protection principles, rights and obligations.
  2. This policy applies to all users and visitors of our physical and digital sites, as well as our employees.
  3. In this policy, data processing refers to the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
  4. In this policy, Aegis Trust is a ‘data controller’. The data controller determines the purposes for which and the means by which personal data is processed. When working with data processors, companies or other bodies that process personal data on behalf of Aegis Trust, they must comply with this policy.

What are the principles of the GDPR?

This policy follows the seven principles outlined in the GDPR:

1.     Lawfulness, fairness and transparency: All personal data must be processed lawfully, according to the lawful basis for processing, and fairly at all times. Processing of personal data must be outlined in a policy that is transparent and available to data subjects. It is why we have this policy.

2.     Purpose limitation: Personal data must be processed for specified, explicit and legitimate reasons. When personal data is collected for specific purposes, it must only be used for this purpose. Personal data must not be processed in a manner that is incompatible with this purpose. The purpose of our processing of personal data is outlined in this policy.

3.     Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which it is processed. This means we will only collect the personal data we need from you.

4.     Accuracy: Personal data must be accurate and up-to-date. We will take reasonable steps to ensure your personal data is up-to-date and provide you with the opportunity to update it.

5.     Storage limitation: Personal data must be kept for no longer than is necessary for the purposes for which it was processed. We may store some personal data for longer to fulfil legal, financial or organisational requirements (i.e. tax returns). This policy details for how long we store personal data.

6.     Integrity and confidentiality: Personal data will be processed, stored and shared in a safe and secure manner that protects data subjects against unauthorised or unlawful processing, accidental loss, destruction or damage, or breach. We outline the measures we take to keep your personal data secure in this policy.

7.     Accountability: A data controller should be able to demonstrate compliance with the GDPR, as outlined in this policy.

What personal data do we process?

  1. We process personal data about users of our websites and visitors of the Kigali Genocide Memorial.
  2. We collect and process the following categories of personal data:
    • Websites: First name, last name, email address, residential address, phone number, IP address, payment information and transactional details, and tax information.
    • Sites: First name, last name, email address, residential address, phone number, payment information and transactional details, and tax information.
    • Employees: First name, last name, email address, residential address, bank details, national insurance number, employee benefits, salary and emergency information.
  3. We may collect and process the following categories of personal data with your explicit consent:
    • Photos you sent us and approve us using.
    • Quotes and/or testimonials you sent us and approve us using.
    • Voluntary responses to our online surveys.
    • Support queries when using our digital sites.
    • Comments on our forums when you post them.
  4. We do not collect any sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed solely to identify a human being, health-related data or data concerning your sex life or sexual orientation.
  5. Due to the nature of our physical sites, individuals under the age of 12 are not allowed. Individuals under the age of 12 are also not permitted to create an account on our websites. Therefore, no personal data about individuals under the age of 12 is collected. Individuals aged 12 to 18 years old can visit our physical sites and create an account on our physical sites under the supervision of a parent or guardian. Similar information as outlined above will be collected.
  6. Please note cookies and website analytics are covered in our Cookies Policy.

How do we collect your personal data?

  1. We use the following legal basis for processing:
    • Consent: the majority of users and visitors’ personal data is processed with your consent when creating an account with us, visiting our physical site and/or making a purchase.  
    • Contract: employees’ personal data is collected in order to fulfil their contractual obligations.
    • Legal obligation: to comply with financial requirements (i.e. tax returns) and other employer obligations. It is possible we will need to disclose personal data to respond to other legal queries.
    • Legitimate interest: to conduct wealth screening to inform our fundraising efforts.
  2. We collect and process personal data directly from you:
    • On our websites:

| Personal Data | Collection Method | Legal Basis for Processing |
| --- | --- | --- |
| First and last name | When you create an account on one of our websites; When you contact us; When you sign up to one of our newsletters and/or email lists; When you respond to one of our fundraising campaigns, appeals, or competitions; When you fundraise or volunteer on our behalf; When you make a donation | Consent, Legal Obligation (to process donations) and Legitimate Interest |
| Email address | When you create an account on one of our websites; When you contact us; When you sign up to one of our newsletters and/or email lists; When you respond to one of our fundraising campaigns, appeals, or competitions; When you fundraise or volunteer on our behalf; When you make a donation | Consent, Legal Obligation (to process donations) and Legitimate Interest |
| Residential address | When you create an account on one of our websites; When you fundraise or volunteer on our behalf; When you make a donation | Consent, Legal Obligation (to process donations) and Legitimate Interest |
| Phone number | When you create an account on one of our websites | Consent |
| Payment information and transactional details | When you complete a transaction; When you make a donation; When you volunteer or fundraise on our behalf | Consent, and Legal Obligation (to process donations and payments) |
| Tax information | When you complete a transaction; When you make a donation; When you volunteer or fundraise on our behalf | Consent, and Legal Obligation (to process donations and payments) |

 On our physical sites:

| Personal Data | Collection Method | Legal Basis for Processing |
| --- | --- | --- |
| First and last name | When you complete a transaction; When you make a donation | Consent, Legal Obligation (to process donations) and Legitimate Interest |
| Email address | When you complete a transaction; When you make a donation | Consent, Legal Obligation (to process donations) and Legitimate Interest |
| Residential address | When you complete a transaction; When you make a donation | Consent, Legal Obligation (to process donations) and Legitimate Interest |
| Phone number | When you complete a transaction; When you make a donation | Consent |
| Payment information and transactional details | When you complete a transaction; When you make a donation | Consent, and Legal Obligation (to process donations and payments) |
| Tax information | When you complete a transaction; When you make a donation | Consent, and Legal Obligation (to process donations and payments) |

 Other personal data:

| Personal Data | Collection Method | Legal Basis for Processing |
| --- | --- | --- |
| Photos you sent us and approve us using; Quotes and/or testimonials you sent us and approve us using; Voluntary responses to our online surveys; Support queries when using our digital sites; Comments on our forums when you post them | You supply us with this personal data when you: 1. Fill out a survey; 2. Post on our forums; 3. Send us information for us to publish on one of our websites; 4. Post photos on our Google business page; 5. Submit feedback or a query; 6. Send a communication or a query | Consent |

 On our employees:

| Personal Data | Collection Method | Legal Basis for Processing |
| --- | --- | --- |
| First and last name | Upon signing of employment contract | Contract |
| Email address | Upon signing of employment contract | Contract |
| Residential address | Upon signing of employment contract | Contract |
| Phone number | Upon signing of employment contract | Contract |
| Bank details | Upon signing of employment contract | Contract |
| National insurance number | Upon signing of employment contract | Contract |
| Employee benefits and salary information | Upon signing of employment contract and during period of employment | Contract |
| Emergency information | Upon signing of employment contract | Contract and Legal Obligation (in case of an emergency) |

  1. We collect and process personal data from third parties, who act as our processors:

| Third Party | Personal Data Collected | Method of Collection | Legal Basis for Processing |
| --- | --- | --- | --- |
| Financial and tax institutions such as HMRC in the UK and the IRS in the USA | Information required to pay employees and other service providers (see above); Information required to submit our tax returns (see above) | When you make a payment, donation or volunteer/fundraise on our behalf; When you sign an employment contract with us | Consent, Contract and Legal Obligation |
| Payment service providers and third party providers like JustGiving or Virgin Giving Money or Google | Information required to process a payment/transaction including donations (see above); Information required to use our website and create an account (see above) | When you make a payment, donation or volunteer/fundraise on our behalf | Consent and Legal Obligation |
| Wealth screening service providers such as iWave | First and last name; Residential address; Email address | When you register on one of our websites; When you make a payment, donation or volunteer/fundraise on our behalf | Legitimate Interest |


Please note we ensure that all processors we work with have a privacy policy, strong data protection practices and follow best practice set by the EU GDPR and in this privacy policy. You can review our third party providers’ privacy policy on their websites.

How do we use your personal data?

1.     We process your personal data for the following purposes:

·      To create your account;

·      To allow you to fully use our websites (including using our forums and answering voluntary surveys) and sites;

·      To process a payment transaction (i.e. when purchasing a ticket or other item);

·      To answer your questions, queries and provide support when encountering an issue using our digital or physical sites;

·      To provide you with requested information;

·      To improve our services by requesting feedback;

·      To meet any employment obligations (i.e. pay your salary);

·      To comply with any applicable laws, regulations, requirements or requests from statutory and/or law enforcement agencies, governments and/or courts of law (i.e. completing our annual audits and tax returns);

·      To administer your donation, including Gift Aid processing;

·      To send you, when you have given us consent, information about our organisation, details about our fundraising efforts, appeals, campaigns or competitions, and our newsletters;

·      To keep a record of our relationship with you on our Customer Management System (Keap) for our own internal administrative and fundraising purposes;

·      To support your fundraising efforts when you fundraise on our behalf;

·      To support your volunteering efforts when you volunteer on our behalf; and

·      To improve our fundraising capacity and efforts. 

2.     To improve our fundraising capacity and efforts, we occasionally conduct wealth screening exercises of our users/visitors/constituents (using wealth screening software iWave, which is compliant with industry privacy standards and regulations).

We do so in order to make best use of our resources and to effectively and meaningfully engage with current and prospective donors and supporters.

When conducting wealth screening exercises, we will process personal data you have provided us (your first name, last name and residential address) to obtain additional publicly available information about you. This includes:

·      Previous charitable and political donations;

·      Publicly available information about board membership, volunteering and employment; and

·      Publicly available information about wealth metrics to determine your ability to donate.

We use this personal data to better inform our fundraising efforts, target our fundraising conversations, campaigns, appeals, and competitions, and improve our stewardship processes. This in turn enables us to be more cost-effective in our fundraising and generate more funds to fulfil our mission.

Please note that the personal data we collect for wealth screening is not shared with third party providers, partners or individuals. It is sometimes provided to us by vetted external consultants who follow the practices set in this privacy policy. This means these consultants do not retain or use this information beyond their contract with us. If you have any questions about wealth screening, please contact us at info@aegistrust.org; or write to Aegis Trust at 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF.

With whom do we share your personal data?

Access to personal data will only be granted to those who need it for the purpose they need it, thereby following the principles of the GDPR outlined above.

We share your personal data with the following third party processors:

  1. Other entities of the Aegis Trust, located in the UK, Rwanda, Central African Republic and the USA, where we have significant charitable or operational presence. All these entities are covered by this policy. We share personal data to allow us to deliver our services;
  2. Third party service providers and sub-contractors, including website hosting providers, technical and engagement support services, payment processing services to allow us to deliver our services such as processing a payment or a donation, and allowing you to create an account/use our website;
  3. With third party providers, such as HMRC or IRS, to fulfil legal, financial, compliance or contractual obligations;
  4. Our professional advisors such as lawyers, accountants and financial advisors, located in the UK and Rwanda, in order to meet our legal and contractual obligations; and
  5. Third party consultants who assist us with our fundraising and wealth screening.
  6. Please note that disclosure is also permitted by the GDPR without the consent of the data subject under certain circumstances, namely:

·      In the interests of safeguarding national security;

·      In the interests of crime prevention and detection which includes the apprehension and prosecution of offenders;

·      In the interests of assessing or collecting a tax duty;

·      In the interests of discharging various regulatory functions, including health and safety;

·      In the interests of preventing serious harm occurring to a third party; and

·      In the interests of protecting the vital interests of the data subject i.e. only in a life and death situation.

How do we store your personal data and for how long?

  1. We store personal data on secure servers that are managed by us and our service providers in the UK, Rwanda, Central African Republic, and the USA. They are only accessible by a select number of employees who require access to these files to fulfil their employment duties.
  2. We also store your personal data on our Customer Relationship Management System, Keap, which complies with industry privacy standards. Only the necessary employees have access to the CRM system.
  3. Personal data that we store and/or share is protected by security and access controls, including username and password authentication, two-factor authentication, and data encryption. We always ensure that data processors or third parties with whom we share personal data are GDPR-compliant.
  4. We keep all financially-relevant information for a minimum of 7 years (and up to 12 years) to comply with the law.
  5. We keep all legally-relevant information indefinitely to comply with the law, unless we are requested and allowed to delete it.
  6. We keep all other information for a minimum of 5 years. If we do not hear from you within a period of 5 years, we will notify you that we will delete your personal data. Please note that we will not be able to recover your personal data once it is deleted.
  7. If you no longer want us to use your personal data for our work, you can request that we delete or remove your personal data from any lists we may hold by contacting us at info@aegistrust.org; or writing to Aegis Trust, 15 Bridge Street, Newark, Nottinghamshire, NG24 1EE, UK. Please note that we will retain information as necessary to comply with the law, prevent fraud, collect fees or resolve disputes.

How do you access your data and update your communications preferences?

  1. You can access some of the personal data we hold on you on your account on one of our websites. This includes: your first and last name, your contact information, and past transactions.
  2. You can request a copy of the personal data we hold about you by emailing us at office@aegistrust.org; or writing to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF. We will aim to provide you with a copy of your personal data within 30 to 60 days.
  3. You can amend your communication preferences by:
    • Unsubscribing to any communication we send you including fundraising appeals/campaigns/competitions, general communications emails and updates and our newsletters. An ‘unsubscribe’ option will be provided on the communication itself when you receive it.
    • Reviewing your communication preferences on your account on one of our websites and opting out of receiving all or specific content.


What are your rights regarding your personal data?

As a data subject, you have the following rights pertaining to this policy:

1.     The right to be informed: you have the right to know how and why we process your data which is outlined in this privacy policy and made available to you via our websites;

2.     The right of access: you have the right to contact us and make a subject access request to obtain a copy of the personal data we hold on you (see above);

3.     The right of rectification: you have the right to contact us to rectify any personal data we hold on you to ensure we hold up-to-date and correct information. To rectify your data, update the information on your registered account or email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF;

4.     The right to erasure/be forgotten: you have the right to contact us to ask us to delete the personal data we hold on you or to destroy any inaccurate personal data we may hold. To delete your data, delete your registered account and email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF. Please note that in some instances we will need to retain minimal personal data to meet our contractual and legal obligations;

5.     The right to restrict processing: you have the right to restrict personal data processing. Please note we may still need to process minimal personal data to meet our contractual and legal obligations or provide you with our services. To restrict processing, update your communication preferences on your registered account or email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF. Please note we will never contact you for direct marketing purposes without your explicit consent;

6.     The right to data portability: you have the right to be provided with your personal data in a format that is structured, commonly used and machine-readable. To obtain your data in a portable format, please email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF;

7.     The right to object: you have the right to object to the processing of your personal data. For any complaints, please email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF. You also have the right to request that the relevant data protection agency (i.e. the ICO in the UK) carries out an assessment as to whether or not any of the provisions of the GDPR have been breached. The relevant data protection authority will be the data protection authority of the country: (i) of your habitual residence; (ii) of your place of work; or (iii) in which you consider the alleged infringement has occurred;

8.     Rights relating to automated decision-making and profiling: you have the right not to be subject to any automated decision-making process and to refuse automated profiling without prior approval. You also have the right to be informed about the functioning of any decision-making processes that are automated which are likely to have a significant effect on the data subject. Please note we do not conduct any automated decision-making using your personal data (i.e. targeted advertising). For any queries about automated decision-making and profiling, please email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF.

Please note that in certain circumstances, these rights are limited, such as:

·      Law enforcement;

·      Intelligence services processing;

·      Functions designed to protect the public;

·      Regulatory functions relating to legal, financial or health services;

·      Other regulatory functions;

·      Legal professional privileges;

·      Archiving in the public interest;

·      Research and statistics in the public interest; and

·      Health, education and social work data.

When do we update our policy?

  1. This policy was last updated in June 2023.
  2. We will update our privacy policy every 5 years, unless there is a significant change in our business operations (i.e. a new site, provision of a new service etc.).
  3. When we update our policy, we will notify you via email if you are already a registered user or on one of our email lists.
  4. Our new policy will also be published on our websites.

Aegis Trust Privacy Policy, effective date 26th of June 2023.

For any questions about this privacy policy, please email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF.


Aegis Trust’s Cookies Policy

The Aegis Trust’s websites use cookies.

What are cookies?

1.     Cookies are tiny pieces of data saved on your computer or mobile device. 

2.     There are several types of cookie and they each have different functions or uses.

3.     In general, cookies are used to make the user’s web experience faster, convenient and personalised.

4.     When you visit the website again it will save your cookies preferences but you can always update/change them.

What cookies do we use?

We use the following categories of cookies on our own websites:

1.     Essential cookies: these are required for the operation of our website, for example to enable you to log in to secure areas of the website or make use of a shopping cart and e-payment services.

2.     Analytic/performance cookies: these allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

3.     Functionality cookies: these are used to recognise you when you return to our website so that we can personalise our content for you and remember your preferences, e.g. whether you are signed up to email alerts.

4.     Targeting cookies: these record your visit to our website, pages you have visited and links you have followed. We may use this information to make our website and the advertising displayed to you more relevant to your interests, and may share this information with third parties for this purpose.

Please note that our third party providers will use their own cookies. When you visit a third party provider’s website, you will have the opportunity to review their own cookies policy. Please note, we do not have any control over third party providers’ own cookies and how they use them.

What information do we collect through cookies?

1.     When you visit one of our websites, we collect the following information from cookies:

    • Your IP address or proxy server IP address;
    • The domain name you requested;
    • The name of your internet service provider is sometimes captured depending on the configuration of your ISP connection;
    • The date and time of your visit to the website;
    • The length of your session;
    • The pages which you have accessed;
    • The number of times you access our site within any month;
    • The file URL you look at and information relating to it;
    • The website which referred you to one of our websites; and
    • The operating system which your computer uses.

2.     Please note that information collected through cookies is anonymous and therefore does not fall under the category of personal data, covered in our privacy policy.

3.     We use Google Analytics to analyse information collected through cookies and allow us to improve the performance and user experience of our websites.

How do you modify or disable cookies?

1.     You have a choice about which cookies you want us to collect.

2.     Please note that when you accept our cookies preference you consent for us to process the information collected through the selected cookies.

3.     You can modify your cookies preferences when accessing one of our websites. You will normally be given three options:

·      Recommended cookies: This will include all the cookies we recommend you accept in order to improve the performance of our websites and therefore your experience using our websites.

·      Essential cookies: This will include the minimal amount of cookies to allow you to use our websites optimally.

·      Select your own cookies preferences: This option will give you the opportunity to select which cookies you would like us to process from a long-list of cookies.

4.     You can also disable cookies preferences. You can disable, or reject all cookies. If you choose to reject all cookies, please note that some parts of our websites may not work properly.

5.     Please note that some internet providers will accept cookies by default. It is still possible to modify and/or disable them but will require an additional step to do so.

6.     You can find out more about cookies and how to disable them at: allaboutcookies.org.

When do we update our policy?

  1. This cookies policy was last updated in June 2023.
  2. We will update our cookies policy every 5 years, unless there is a significant change in our business operations (i.e. a new site, provision of a new service etc.).
  3. When we update our policy, we will notify you via email if you are already a registered user or on one of our email lists.
  4. Our new policy will also be published on our websites.

Aegis Trust Privacy Policy, effective date 26th of June 2023.

For any questions about this cookies policy, please email us at office@aegistrust.org; or write to Aegis Trust, 34-36 Goosegate, Nottingham, United Kingdom, NG1 1FF.