Service Users Supporters Employees Applicants Volunteers
Privacy Notice
Who Are We?
We are the Social Care Council of the Church of Scotland, operating as CrossReach. We provide support for those in Scotland who find themselves in need of social care at any stage of their life. Most of our funding comes from local authorities, but we also rely on donations and legacies to help continue our vital work.
About This Privacy Notice
This privacy notice tells you what to expect when CrossReach collects personal information about you. We are legally obliged by the EU General Data Protection Regulation 2016 (GDPR) to make sure that we use your personal information only for the purpose for which it was requested, to make sure it is kept securely, to allow you to request access to it at any time without charge, and to securely dispose of it in the correct time frame, among other things. For the purpose of the GDPR, CrossReach and CrossReach Trading Ltd. control the data – they are the ‘data controller’.
What Information Do We Collect?
Depending on how you choose to interact with us, the personal information we collect from you/you share with us may include your name, postal address, email address, telephone or mobile number, financial details, date of birth and religious affiliation.
How Do We Collect Information?
We obtain personal information about you when you enquire about our services and ways to support us; register with us; send us emails; sign up for our newsletter; make a donation; purchase items from our shop; participate in our fundraising activities; apply for one of our volunteering roles; set up an account with us or otherwise provide us with your personal information.
You may give us your personal information indirectly through a donation on a third party fundraising site to which CrossReach is signed up, such as Just Giving/or Edinburgh Marathon Festival. These third parties will ask you whether you are happy to be contacted by us. We will not use your information to contact you unless you give explicit permission on these sites (for example, ticking a box) or unless you have already given us permission directly to contact you. You should check the Privacy Policy of these third parties when you provide your information to understand fully how they will process your data.
We also gather general information about your use of our website, such as which pages you visit most often and which services, events or news items are of most interest to you. We may also track which pages you visit when you click on links in CrossReach emails.
Information is also collected from ‘cookies’ placed on CrossReach’s main website and our trading shop site. ‘Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile ‘phone or tablet when you visit a website. Cookies let websites recognise your device so that the sites can work, or work better, and also gather information about how you use the site. A cookie, by itself, cannot be used to identify you. We use three categories of cookie as defined by the International Chamber of Commerce in their UK Cookie Guide:
- Strictly necessary cookies which are essential for you to move around our websites, place orders in a shopping basket etc.;
- Performance cookies which collect anonymous information about how you use our site, like which pages are visited most. No information which can identify you is kept;
- Functionality cookies which ‘remember’ your choices so as to improve your experience of the site, such as text size or location. They may also be used to remember services you have asked for such as watching a video or commenting on a blog. They are anonymous.
You can turn off cookies within your browser by going to 'Tools | Internet Options | Privacy' and selecting to block cookies. If you turn off cookies, you may not be able to use the full features of a website.
| Name | Type | Duration | Description |
|---|---|---|---|
| __cf_bm | Functional | 30 minutes | Part of Cloudflare’s Bot Management service and helps manage incoming traffic that matches criteria associated with bots. |
| __Secure-1PAPISID | Advertisement | 2 years | Used for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising. |
| __Secure-1PSID | Advertisement | 2 years | Used for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising |
| __Secure-3PAPISID | Advertisement | 2 years | Builds a profile of website visitor interests to show relevant and personalized ads through retargeting. |
| __Secure-3PSID | Advertisement | 2 years | Builds a profile of website visitor interests to show relevant and personalized ads through retargeting. |
| __Secure-3PSIDCC | Advertisement | 1 year | Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising |
| _fbp | Advertisement | 3 months | This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website. |
| _ga | Analytics | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
| _gat_UA-6013685-33 | Analytics | 90 days | A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to. |
| _gid | Analytics | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
| _GRECAPTCHA | Functional | Session | reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis. |
| _hjAbsoluteSessionInProgress | Analytics | 30 minutes | Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie. |
| _hjid | Analytics | 1 year | This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script. |
| _hjIncludedInPageviewSample | Analytics | 30 minutes | Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit. |
| _hjSession{site_id} | Analytics | 30 minutes | A cookie that holds the current session data. This ensues that subsequent requests within the session window will be attributed to the same Hotjar session. |
| _hjSessionRejected | Analytics | Session | If present, this cookie will be set to '1' for the duration of a user's session, if Hotjar rejected the session from connecting to our WebSocket due to server overload. This cookie is only applied in extremely rare situations to prevent severe performance issues. |
| _hjSessionUser{site_id} | Analytics | 1 year | Hotjar cookie that is set when a user first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
| 1P_JAR | Functional | 1 month | Used to collect site statistics and track conversion rates. |
| aka_debug | Advertisement | Session | Vimeo sets this cookie which is essential for the website to play video functionality. |
| APISID | Advertisement | 2 years | Display personalized advertisements on Google sites, based on recent searches and previous interactions. HSID, SSID, APISID and SAPISID cookies enable Google to collect user information for videos hosted by YouTube. |
| CONSENT | Advertisement | Used by Google Search to personalise content and advertisement. | |
| fr | Advertisement | 3 months | Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin. |
| HSID | Advertisement | 2 years | Contain digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time |
| NID | Functional | 6 months | Contains a unique ID used to remember your preferences and other information such as your preferred language, how many search results you prefer to have shown on a results page (for example, 10 or 20), and whether you want to have Google’s SafeSearch filter turned on. |
| OGPC | Advertisement | 1 month | This cookie enables the functionality of Google Maps. |
| OTZ | Advertisement | 2 years | Used by Google Analytics that provides an aggregate analysis of Website visitors. |
| player | Functional | 30 minutes | Vimeo uses this cookie to save the user's preferences when playing embedded videos from Vimeo. |
| SAPISID | Advertisement | 2 years | Display personalized advertisements on Google sites, based on recent searches and previous interactions. HSID, SSID, APISID and SAPISID cookies enable Google to collect user information for videos hosted by YouTube. |
| SID | Advertisement | 2 years | Download certain tools from Google and save certain preferences, for example the number of search results per sheet or activation of the SafeSearch filter. Adjust the ads that appear in Google search. |
| SIDCC | Functional | 6 months | A security cookie to protect a user’s data from unauthorized access. |
| SSID | Advertisement | 2 years | Contain digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time |
| Sync_active | Other | Never | Contains data on visitor's video-content preferences - This allows the website to remember parameters such as preferred volume or video quality. The service is provided by Vimeo.com. |
| vuid | Analytics | 2 years | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website. |
How Do We Use Your Information?
Legitimate interest and/or consent are the legal bases we rely on for the collection, storage and use of your personal information.
When we rely on legitimate interest, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate interests do not automatically override your interests.
When we rely on consent, we make sure that this has been freely given, and is specific, informed and unambiguous.
We will rely on legitimate interest and/or consent to:
- provide you with information (including fundraising or campaigning activities), services or products you have requested or which we feel may interest you, where you have not objected to being contacted or have actively consented to being contacted.
- process personal information for the purposes of customer analysis and direct marketing to help us with our activities and to provide you with the most relevant information.
- use strictly necessary cookies on our trading shop website to record, store and process personal information for customer orders.
- use performance and functionality cookies on our main website and our trading shop website to monitor and analyse information to enhance your experience of these sites. This information is anonymous.
- as necessary, disclose your information if required to do so by law (for example, for gift aid purposes or in response to a valid request from a competent authority), or in order to enforce our conditions of sale and other agreements. We may share your information with a limited number of third parties solely for the purpose of providing you with relevant information (mailing house) or fulfilling your trading orders (order fulfilment house). This is always carried out under our instruction as the data controller and is never for their marketing purposes. Where we need to use third party organisations to process personal data on our behalf, we have in place a contract with the organisation to ensure that the data is properly protected and treated in accordance with GDPR.
We respect any personal information that you share with us. You can choose not to hear from us or change your preferences for how we contact you at any time. Simply email your request to supporters@crossreach.org.uk or post to:
Supporter Relations
CrossReach
Charis House
47 Milton Road East
Edinburgh EH15 2SR
or phone 0131 454 4374
Storing your Information
We take the security of your personal information extremely seriously.
We have in place appropriate physical, technical and organisational measures to protect the personal information we have under our control, in both electronic and paper form, from improper access, use, alteration, destruction and loss.
We will keep your information for the purposes for which it was given and will not keep it any longer than is required to fulfil these purposes, unless required to do so to fulfil statutory obligations (for example, to claim Gift Aid).
Any debit or credit card details we receive via our trading shop website are passed securely to Sellerdeck Payments, our payment processing partner, according to the Payment Card Industry Security Standards.
Accessing and Updating Your Information
We aim to ensure that all information we hold about you is accurate andkept up to date. If any of the information we hold about you is inaccurate and either you advise us or we become otherwise aware, we will ensure it is amended and updated as soon as possible. We will restrict the processing of your information until we can be sure that it is accurate.
You may request a copy of any personal information that CrossReach has about you. Please email or write to us including a Subject Access Request form. CrossReach does not make a charge for supplying this information and will reply within 40 days of receipt of your request.
CrossReach
Charis House,
47 Milton Road East,
Edinburgh,
EH15 2SR
Tel: 0131 454 4374
Email: supporters@crossreach.org.uk
You may request that any personal information that CrossReach has about you be deleted or removed from our records, without undue delay, under the following circumstances:
- when the personal data is no longer necessary for the purpose for which it was originally collected/processed
- when you have withdrawn your consent for us to process and use your data in the ways described in this Privacy Notice (unless we need to retain for statutory purposes)
To do this, please use any of the means to contact us listed above.
We will inform any third parties, with whom we share your details under contract, of the requirement also to delete/remove your information from their records.
The personal information you share with us is yours. You have the right to obtain this information and re-use it for your own purposes. Should you request it, we will provide you with the information in a commonly-used, machine-readable format (for example, CSV file) without undue delay.
Your Rights
Under the GDPR you have the following rights:
The right to be informed of the information processing
This privacy notice provides you with this information.
The right to access your information
You may request access at any time to the information we hold about you by sending us a Subject Access Request Form, as described in this Privacy Notice.
The right to rectification
You are entitled to request that your personal information be corrected if it is inaccurate or incomplete. This is also covered in this Privacy Notice.
The right to erasure
This is also known as the ‘the right to be forgotten’. You can request that your personal details be deleted or removed from our records under the circumstances listed in this Privacy Notice. You should however be aware that we will retain information relating to you if we have a legal obligation to do so.
The right to restrict processing
This is your right to ‘block’ or suppress the processing of personal information. As described in this Privacy Notice, we will restrict the processing of your information in the event of an identified inaccuracy until this is rectified.
The right to data portability
This is your right to request a copy of your personal information for your own use across other services, as described in this Privacy Notice.
The right to object
This is your right to object to our processing of your personal information for the uses described in this Privacy Notice. We will offer you this right to ‘opt out’ in our first and every subsequent communication with you.
Rights in relation to automated decision making and profiling
You have the right to object to the processing of your information by automated means where this might lead to a decision with a significant effect on you. CrossReach does not and never will use automated decision making and profiling.
Your Right to complain
If you wish to raise a complaint outwith CrossReach, you have the right to complain to the Information Commissioner’s Office about anything relating to the processing of your personal information by CrossReach. You can contact the ICO via its website at www.ico.org.uk or at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
