Privacy policy

Why this policy matters

At Pushpa, we believe that trust is everything. That means protecting the personal data of our contributors (aka the brilliant people who make our work possible), our team, and everyone we work with is a responsibility we take seriously.

This policy sets out how we collect, store, use and protect personal data. It applies to everyone in the organisation — staff, volunteers, consultants, and anyone else who comes into contact with personal data while working with us.

We know this stuff can sound a bit dry — but it’s essential to making sure we operate with integrity and care. So let’s get into it.

What’s covered

This policy applies to personal data we handle or manage in any format - whether that’s spreadsheets, emails, paper forms or cloud-based tools. It includes:

  • Info about our contributors (like names, contact details, donation history)

  • Info about team members (past and present)

  • Any data that can be linked to an individual person, directly or indirectly

Our principles

We follow six key principles when handling personal data. These are rooted in good practice and legal requirements (including UK GDPR, where relevant):

  1. Be fair, lawful, and transparent

    We only collect and use personal data when we have a clear, legal reason to do so — and we always explain what we’re doing and why.

  2. Collect only what’s needed

    We don’t collect more data than we need, and we’re clear on what we’ll use it for.

  3. Keep it accurate and up to date

    We do our best to make sure data is correct. If someone tells us their info has changed, we update it promptly.

  4. Store it securely and responsibly

    Data is stored securely, whether it’s online or on paper. We limit access to people who genuinely need it.

  5. Don’t keep it longer than necessary

    We only hold onto data for as long as we need it - whether for reporting, legal or operational reasons.

  6. Respect people’s rights

    Anyone can ask to see their data, correct it, or ask us to delete it - and we’ll always do our best to respond quickly and transparently.

Security matters

We use a mix of technical and organisational safeguards to keep data safe:

  • Password protection and access limits on shared folders and tools

  • Strong passwords, changed regularly

  • Avoiding storing personal data on personal devices

  • Data backups and approved cloud services

If we work with third parties (like donation platforms), we make sure they’re also keeping data secure and compliant.

How long we keep data

We keep personal data only for as long as we need it - and we’ve set some broad timelines to guide us:

  • Contributor data: Kept for up to 6 years after their last donation, for reporting, financial records, and impact tracking

  • Staff/volunteer data: Kept for up to 6 years after leaving, unless we need to keep it longer for legal reasons

  • Financial records: Held in line with local financial regulations and audit requirements

Once data is no longer needed, we’ll delete or destroy it securely.

People’s rights

Everyone whose data we hold has the right to:

  • Know what data we’re holding and why

  • Access their own data

  • Ask us to correct, delete or stop processing their data

  • Withdraw consent (where consent is the legal basis for processing)

Anyone can contact us at hi@pushpafund.com to make a request. We aim to respond within 28 days.

Data rights for contributors

Pushpa is committed to making sure every contributor is in control of their personal information. Contributors have the right to:

  • Request access to their data (to see what information Pushpa holds about them)

  • Ask for inaccurate information to be corrected

  • Request that their data is deleted (unless there’s a legal reason it must be kept)

  • Object to how their data is being used

  • Ask for processing of their data to be stopped or limited

These rights are protected - and Pushpa will never make the process complicated, or ask for justification. It’s the contributor’s data, and their choice.

How contributors can make a request

Contributors can get in touch at any time to request access to, correction of, or deletion of their personal data.

They can either:

Email: hello@pushpafund.com

Or fill in the Data Request Form (available online or by request)

Once a request is received, Pushpa will:

  1. Acknowledge the request within 5 working days

  2. Provide a full response within 28 days (often sooner)

  3. Request proof of identity if needed to protect the contributor’s privacy

There is no charge for making a request, and Pushpa is always happy to help clarify anything if needed.

What’s held in a contributor profile

Depending on how someone supports Pushpa, the following types of personal data may be held:

  • Full name and contact details

  • Donation history and preferences

  • Communication preferences (e.g. if they’ve signed up for updates)

  • Any impact messages or stories they’ve shared with Pushpa

This information is only used to manage donations, communicate impact, and share updates (where consent has been given). Pushpa does not share or sell contributor data to third parties for marketing purposes - ever.

If something goes wrong

If there’s a data breach (e.g. data is lost, stolen, accessed without permission), we’ll:

  1. Act quickly to contain the breach

  2. Report it to relevant authorities if there’s a risk to individuals

  3. Let affected people know as soon as possible

  4. Review what went wrong and improve our systems

Training and awareness

We’ll make sure everyone who works with us knows how to handle data responsibly - starting with onboarding and continuing through regular refreshers. If your role involves managing or accessing sensitive data, you’ll get more in-depth training.

Shared responsibility

Data protection isn’t just an IT issue - it’s something we all play a part in. So if you see something that doesn’t feel quite right, or if you’re unsure about how to handle data, speak up. Drop a note to hi@pushpafund.com - no question is too small.

Updates

This policy will evolve as we grow and as laws and best practices change. We’ll make sure everyone’s kept in the loop if anything significant changes. Our Due Diligence Lead is responsible for reviewing this policy annually to make sure it stays up-to-date, practical, and aligned with our values and legal obligations.