Privacy and cookie notice

This policy sets out how ACTAsia collect, use and store personal and other data for visitors and users of this website.

Who we are

This site is provided and managed by ACTAsia, registered as a non-profit organisation in the UK, the Netherlands, and Australia with 501(c)3 in the USA. It has offices in the UK, Australia, and in Guangdong Province, China.

At ACTAsia, we can only do the work that we do with the support of people like you. That’s why it’s important for us to ensure that we are transparent in the way we collect information from you – what we collect, why we collect it and how we use it. Our reason for collecting information is so that we can stay in touch with those people who support our work and are interested in knowing what we are doing to create a compassionate and kind world, through our work in Asia.

By using our website or providing us with your personal information, you are agreeing to our privacy policy. We may update this policy from time to time, so please check it regularly.

Personal data is information that identifies you or can be used to identify you. This policy relates to ACTAsia’s use of your data and any personal information you provide to us by email, through our website, by social media, in letters, in person and any personal information we may collect about you indirectly.

If you wish to get in touch please see our contact page.

What information we may collect about you and why

Your name and contact details

How we collect it: When you donate (online or offline), sign a petition, register your interest at an event, sign-up to receive our email-updates, email or write to us with an enquiry, or interact with us in any other way, ACTAsia may collect personal information about you. This may include, but is not limited to, your:
• Name
• Email address
• Postal address
• Home phone number
• Mobile phone number
• Bank account or payment card details
How we use it:
• To give you the information or service you asked for
• To let you know about changes to our policies, or administration such as accounting and records
• To provide you with information we think may be of interest to you
• To process donations and collect Gift Aid
• To maintain databases of our supporters, including a record of how you prefer to be contacted
Lawful basis: legitimate interests

How we collect it: When you complete a registration form on our website.
How we use it: To register you as a user of this website, or to register you for a course we run.
Lawful basis: contract

Information about your device, and how you use our website

How we collect it: When you visit this website, information about your device, operating system, browser and your IP address are automatically saved in log files on the web server.
How we use it: This helps us ensure the security of our site by monitoring normal and malicious use of our site.
Lawful basis: legitimate interests

How we collect it: If you login to our site we also collect details of your IP address and the time of your login.
How we use it: This helps us ensure the security of restricted content for logged-in users or members.
Lawful basis: legitimate interests

How we collect it: We collect details of your visits to our site, including which pages you visit and actions you take.
How we use it: This helps us to see what parts of our site are being used and to improve our site for our visitors and users.
Lawful basis: legitimate interests

Ecommerce

How we collect it: If you make a donation through our website we may collect your contact details and transaction references.
How we use it: To fulfil your purchase and keep a record for tax purposes. We never receive or store your card details.
Lawful basis: contract

Direct marketing

Direct marketing includes any communications we send you promoting the aims and work of ACTAsia. This may include news, fundraising appeals and ways you can support our work. We will only contact you by email if you have given us your consent to do so for direct marketing purposes.

Un-subscribing or opting-out of direct marketing

You can opt out of receiving direct marketing from us at any time by using the unsubscribe links in every marketing email we send. Or simply contact us at info@actasia.org to ask us to remove you from our contacts.

Special category data

We do not currently collect any special category data.

Minors under 16

This website is intended for visitors and users over the age of 16 and as such we do not knowingly collect any information about children. If you are under 16 years of age, you should obtain permission from your parents or guardians beforehand whenever you provide personal information.

Sharing your personal information

We take your privacy seriously and will only use your personal information to respond to your queries, to provide the services you have requested, provide administration notices, or for the normal functioning of our website. Your personal information will never be shared with third parties for marketing purposes and will not be used by us for marketing purposes without your explicit consent.

We do use some third party companies who act as data processors, to provide services in order to run our website and in order to run our business. Your data may be shared or stored with them as follows.

| Reason | Location |
| --- | --- |
| We use a specialist server company called Layershift to host our website. | A secure datacentre in the UK. Data is permanently held unless changed or deleted. Onsite backups are kept for 7 days. |
| We use a specialist server company called Hetzner to store additional backups of our website. | A secure datacentre in Germany. Backup data is encrypted. Data is kept for 30 days. |
| We use a specialist email service provider called Mailgun (covered by the EU-US Privacy Shield Framework) to improve deliverability of email sent from this website. | Secure datacentres in the USA. Data is retained only for the purposes of sending email and providing us with information about its delivery. |
| We use PayPal as our payment gateway provider to process card payments. | Secure datacentres in the EEA. |
| We use Crashplan for backups of our computers which may contain personal information in emails or local copies of website backups. | A secure datacentre in the USA. Backup data is encrypted. |
| We use MailChimp (covered by the EU-US Privacy Shield Framework) as our email marketing platform to store personal information and data and send out direct marketing and news. | Secure data centres in the USA. |

Data retention

We will only keep your data for as long as necessary. For data that we have identified as being covered under the legitimate interests lawful basis, this will be for no more than two years. For data identified as being covered under the contract lawful basis, this will be kept for a minimum of six years and no longer than ten years. This includes keeping records as required by law for tax and auditing purposes.

Cookies

Like most websites we set cookies to enable features on our website. You can find out more about cookies and how to manage them on the All About Cookies website.

We set strictly necessary cookies for security and to enable you to do things like login to our site.

| Cookie name | Reason |
| --- | --- |
| __cfduid | Set by Cloudflare and used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. |
| wordpress_[hash], wordpress_sec_[hash], wordpress_logged_in_[hash] | Set by WordPress if you login to our site to store your authentication details. |
| wordpress_test_cookie | Tests whether or not your browser has cookies enabled. |
| wp-settings-{time}-[UID] | Set by WordPress and used to customize your view of admin area interface (if applicable), and possibly also the main site interface. |
| give-ffm | Set by our donation system. |

We use third parties for some services such as website analytics, embedded maps, embedded videos and web fonts amongst others. Some of these may set performance cookies and some services such as Google Maps, Google Fonts and Youtube may collect IP addresses and/or set cookies. For more information on all of Google’s services please see Google’s privacy policy.

| Cookie name | Reason |
| --- | --- |
| _gid | Set by Google Analytics to distinguish users. We have enabled IP masking which ensures IPs are anonymised before being sent to Google. |
| _ga | Set by Google Analytics to distinguish users. We have enabled IP masking which ensures IPs are anonymised before being sent to Google. |
| SID, SAPISID, APISID, SSID, HSID, NID, PREF | Set by Google Maps to measure the number and behaviour of Google Maps users. Google may collect some data including search terms, IP addresses, and latitude/longitude coordinates. |
| SID, LOGIN_INFO, PREF, SSID, SAPSID, APISID, CONSENT, YSC, HSID, VISITOR_INFO1_LIVE | Set by Youtube for embedded videos to control playback and to measure the number and behaviour of Youtube users. |

Security

We take security very seriously and have taken appropriate measures to secure our website and your data. However, please be aware that the internet is a public network and it is not possible to guarantee absolute security.

| Measure | Why |
| --- | --- |
| Cloudflare | A website application firewall that increases security by blocking known hackers, abusive bots and malicious IP addresses. |
| SSL | Encryption to ensure secure transmission of your personal information when you submit a form on our website. |
| Firewalls and IP banning | Prevent unauthorised access to our server and block malicious users or bots. |
| Activity logging | Keeps records of actions taken on our site to help identify security issues or breaches. |
| Uptime monitoring | We receive notifications if our website is offline or unreachable for more than 3 minutes. This helps us to ensure our website stays online and to alert us to any potential threats which may take the site down. |
| Two factor authentication logins for website administrators | This adds an extra layer of security to prevent unauthorised access to our website administration area. |
| Security plugins | We make use of several security plugins that scan for malware and infected files and block access to suspicious activities and notify us of any unusual activity patterns, or administrator logins. |
| Virtual Private Network (VPN) | We use software to encrypt our traffic over the internet which ensures that data such as login information cannot be read by hackers. |

Breach notifications

The ICO define a data breach as “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. We are required under law to tell the data protection regulator of data breaches within 72 hours. We are also required to notify individuals in certain circumstances and we will do so as required.

Your rights

  • Right to confirmation – you have the right to know if we hold personal data that concerns you
  • Right to access – you have the right to view and to obtain a copy of any personal data we hold that concerns you
  • Right to rectification – you have the right to the correction of any inaccuracies within the personal data we hold that concerns you
  • Right to erasure – you have the right to have your personal data removed from our systems
  • Right to complain – you have the right to complain to the data protection regulator (the ICO in the UK) but we would appreciate it if you would contact us in the first instance so that we can help with any issues.

If you wish to exercise any of your rights please contact us and we will be happy to help.

Changes to this policy

We may make changes to this policy from time to time. If we do, we will update it here, and a record of these changes is below.

  • Effective date: 25 May 2018. Version: 1.0.