Fair Processing Notice for Supporters: ItAllCounts


1. Who we are

Starlight Children’s Foundation is the national children’s charity dedicated to using the power of play to make the experience of illness and treatment better for children and for their families. We do this by working to make the hospital experience positive by providing play resources in health settings across the UK and by using play to create opportunities for social connection for seriously ill children and their families, both in and out of hospital. Through the work we do and the people we work with, we listen, learn and share knowledge, enabling others to join our mission.

In order to provide these services, we need to process the personal data of our donors and supporters. This Fair Processing Notice explains what data we process, why we process it, our legal basis, how long we keep it and your rights.

We will always make sure that personal data is protected and treated securely. Any information that we process will be held in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.


Our contact details

Starlight Children’s Foundation
Company number: 02038895 | Charity registration number 296058 (England and Wales) and SC 047600 (Scotland)
Registered address: Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU
Phone: 020 7262 2881

Our Data Protection Officer is Kristy Gouldsmith and she can be contacted at dpo@starlight.org.uk


2. Purpose of the Notice

We are committed to protecting your personal information and being transparent about what information we hold about you. This privacy notice applies to all donors and supporters. It explains how we collect, use, process and share your personal data and your rights in relation to the personal data we securely hold.

Starlight is the data controller for your personal data and is subject to the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). We use your information in accordance with all applicable laws concerning the protection of personal information. This policy explains:

  • What information we collect about you.
  • How we may use that information.
  • In what situations we may disclose your details to third parties.
  • Information about how we keep your personal information secure, how we maintain it and your rights to be able to access it.


3. Legal basis for collecting data

The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data, including:


In specific situations, we collect and process your data with your consent. You can withdraw your consent at any time.

For example, if we wanted to use a photograph of you in our marketing material, we would need your consent to do so.

When collecting your personal data, we’ll always make clear to you, which data is necessary in connection with a particular service.

Legal obligation

If the law requires us to, we may need to collect and process your data.

For example, we are required to maintain Gift Aid declaration records for HMRC

Legitimate interest

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

For example, keeping your data on our software systems.


4. What data we collect, when we collect it and how we process it

Starlight collects personal information about our donors and supports in a variety of ways. It is collected directly from you and from our research.  We may also collect personal information from other external third parties, such as newspapers or social media. Your personal information may be stored in different places, including our office and/or IT filing systems.

Credit, debit card and payment information

Donations made via It All Counts are carried out securely and are processed in accordance with PCI DSS for card payment by our external payment provider, Stripe.  We do not receive any of your card details. To find out more about PCI DSS standards, visit their website at pcisecuritystandards.org.  Stripe’s privacy notice can be found here: https://stripe.com/en-gb/privacy

We also ask that any donation is accompanied by a Gift Aid form. This allows us to receive an additional 25% of your donation from HMRC. We only need your name, address and whether or not you are a UK taxpayer for Gift Aid.


We gather information about individuals in order to ensure that our communications are as effective as possible and to help identify new supporters. We want to send you the most relevant information and only promote donation opportunities that we believe you are most likely to be interested in.

In order to do this, we will use the record of your previous donations to us, any communications that you have had with us, any events that you have attended and any other information that you have given us to tailor our communications with you. We will also use data about how you use our website or links in our emails so we can make them more effective.

Marketing and communication preferences

We use marketing communications to keep you up to date with what we’re doing and how you can get involved or support us. This may include newsletters, surveys, financial appeals, events, fundraising opportunities or updates.

We use a variety of methods to send marketing to you including post and electronic channels.

We’ll always ask your permission before we send you electronic marketing via phone, email or text and you can always tell us if you no longer want to receive these communications.

The law allows is to send you marketing information by post without your consent, using the legal basis of legitimate interests. You can always tell us if you would prefer not to receive postal marketing.

We use social media to communicate with you and share information about campaigns, events or case studies. We do this through advertising on your social media or through posting messages and information on our own social media pages which you may choose to “like”, “follow” or interact with.


5. Who has access to your personal information?

Your personal information may be shared internally within Starlight only with the staff who need your personal information because it is necessary for the performance of their roles. Your data will be stored in, and processed by, our software applications.

Subject to our legal basis, we also share your data with:

  • marketing and PR agencies
  • mail house that help us with our fundraising mailings
  • payment providers
  • legal advisors and consultants
  • insurance providers
  • fraud agencies, if necessary
  • the Charities Commission, Fundraising Regulator, Information Commissioner’s Office, & CQC


6. Security of your personal information

We will treat your personal data with the utmost care and take all appropriate steps to protect it.

We will not transfer, process or store your data anywhere that is outside of the UK. However, data you provide to ItAllCounts is held and processed outside of the UK; the arrangements for security of this data are given in Section 8.


7. How long does Starlight keep your personal information?


All financial transaction details, including Gift Aid, are kept for 7 years for HMRC


We will keep your data as long as you still consent to receive our marketing. If you unsubscribe from our marketing, we will keep your data in a suppression list so that we don’t market to you by accident.


8. Data transfers

It All Counts is located in Australia and has servers in the United States. Your personal data will be transferred to — and maintained on — computers and servers located in Australia and the United States, where the data protection laws may differ from those in the UK. We use Standard Contractual Clauses as our safeguard for the transfer of personal data to Australia and the United States. Data protection laws permit the Information Commissioner’s Office to make decisions about the adequacy of protection for personal data in respect of transfers. These laws recognise that if a data exporter uses the “Standard Contractual Clauses”, as adopted by the European Commission, this will provide an adequate safeguard as required by law.


9. Your rights in connection with your personal information

You have rights in respect of our processing of your personal data which are:

  • To access to your personal data and information about our processing of it. You also have the right to request a copy of your personal data (but we will need to remove information about other people).
  • To rectify incorrect personal data that we are processing.
  • To request that we erase your personal data if:
    • we no longer need it;
    • if we are processing your personal data by consent and you withdraw that consent;
    • if we no longer have a legitimate ground to process your personal data; or
    • we are processing your personal data unlawfully.
  • To object to our processing, if it is by legitimate interest.
  • To restrict our processing, if it was by legitimate interest.
  • To request that your personal data be transferred from us to another company if we were processing your data under a contract or with your consent and the processing is carried out automated means.

If you want to exercise any of these rights, please contact us.

If you have any questions or concerns, please email DPO@starlight.org.uk as most matters can be resolved informally in the first instance.

You also have the right to lodge a complaint about our processing via the UK’s Information Commissioner’s Office.

ItAllCounts - Charity Platform