Privacy Policy

Crosslight Advice and the charities which support us are committed to protecting your data and your privacy. We aim to ensure that any information you give us is held securely and safely.

Crosslight strives to follow industry best practice regarding how we collect, store and use your personal data. We are registered with the Information Commissioner’s Office.

As you use our service, visit our website, get in touch with us, or take part in our campaigns and activities, we collect information. This enables us to provide our services to our clients and improve the quality and relevance of our communications with supporters. 

However you interact with us, we will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever.

This policy explains how we collect, use and store your personal information. If you have any questions about this policy or how your data is handled, please contact us:

Head of Operations
Crosslight Advice
HTB Brompton Road
London
SW7 1JA

Email: info@crosslightadvice.org
Telephone: 0300 373 1180


1.   Who we are

Crosslight Advice (‘Crosslight’) is a registered charity (charity number 1163306) whose registered address is HTB Brompton Road, London, SW7 1JA. You can find out more about our work by following this link.

Crosslight is supported by a number of independent local charities that provide funding and resources for our branches. These are;

  • West Kent Debt Advice (charity number 1125756)

  • TW Money Advice Service (charity number 1162828)

  • St Paul’s Money Advice Centre (charity number 250015)

  • Chiswick Money Advice Centre (charity number 1185550)

These charities share a common purpose with Crosslight and exist to support the work of debt and benefit advice, money education and budget coaching in their local communities. Each works cooperatively and collaboratively with Crosslight, and share many systems, processes and policies with Crosslight.

In light of the close relationship between these supporting charities and Crosslight, each have agreed to adopt a common approach to privacy and data protection. This policy therefore covers Crosslight and each of the charities listed above, and we refer to all of these organisations as ‘we’ or ‘us’ in this policy.

The websites covered by this statement include crosslightadvice.org, themoneycourse.org, budgetbuilder.themoneycourse.org, spmac.org.uk, wkda.org.uk and twmas.org.uk.


2.   What information do we collect and why do we collect it?

The main reason we will use personal information is to help us effectively carry out our charitable activities i.e. providing debt and benefit advice, budget coaching and money education to those in need. However, we also use personal data to help us raise funds to support our work, and to help us manage our staff, agents and volunteers.

We will always try to be clear, honest and open with you whenever we collect and use your personal data. The overview below summarises the different reasons why we may collect and use your data. We won’t use your personal information for all of these purposes, it will depend on the nature of your relationship with us. 

a) Delivery of support to service users: We will usually need to record quite detailed personal information about those individuals who seek the help of Crosslight’s services. This is to ensure that the advice and information we provide is appropriate and accurate. We also need to ensure you are eligible for our charitable services and on rare occasions we may also need to use your personal information for the prevention of fraud and to identify any misuse or abuse of our services. It will also be used to help us monitor the effectiveness of the services we provide.

The information we will collect may include (among other things);

  • your contact and biographical information

  • information about your income, expenditure and financial transactions

  • information about your debts, financial standing and past or current insolvency actions

  • information about your housing situation, personal circumstances and employment situation

  • information about your gender, ethnicity, religion, or sexual orientation. We use this information to ensure that our service is open and accessible to everyone that needs our support. Any such information we collect will be used for solely for statistical purposes to enable the monitoring and reporting of the diversity of our clients. We will always ask for your consent to collect this information - see part 2(g) below

  • health information where this has an impact upon your ability to manage your finances or you require extra assistance or consideration in how we deal with your case. We will always ask for your consent to collect or share this information - see part 2(g) below

  • live monitoring and recording of telephone calls and email communications where necessary for regulatory compliance, to ensure service quality, or for training purposes and client satisfaction

b) Budget Builder software: Our Budget Builder is available to users to create and manage their own budgets, and is part of our Money Course resources. This site will record and store the user’s name, contact details and encrypted user-generated password to enable users to securely access the site and save their own budget information. Any other data stored is provided by users themselves and kept on a secure server.
We will use the user’s email address to send them information about the Money Course, their use of the Budget Builder, service updates and other relevant information about the user’s account.

If users consent to receive general marketing information about Crosslight, we will also add them to our mailing list as detailed in part 2(d) below.

As stated above, we will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever.

c) Money Course programme and website: The Money Course website allows users to access our Money Course money education resources for their own benefit or in order to run money education programmes for others. When signing up to a course or creating a user account on our website we request and store the user’s contact details, information about an individual’s current circumstances, and encrypted user-generated password to enable users to access the resources. We also store the answers to any online exercises a user may have taken so that we can provide feedback as part of a course. We use the user’s contact details to send them information about the Money Course, their use of the Money Course resources, and their progress through the course.

If users consent to receive general marketing information about Crosslight, we will also add them to our mailing list as detailed in part 2(d) below.

As stated above, we will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever.

d) Fundraising, campaigning and marketing: Like all charities, we need to raise funds to support our work, as well as provide news and information to promote our aims and objectives. This may include things such as direct marketing, face-to-face activity, advertising (print, broadcast and digital) and public relations for marketing, fundraising, and income generation. This may include talking to you about specific appeals, promoting ongoing campaigns in which you can play an active role, competitions, sponsorships, events or volunteering opportunities.

The information we will collect may include (amongst other things);

  • your contact details and preferences

  • details of your previous interactions with us such as events you may have attended or donations you may have made

  • in certain situations, we may need use publicly available sources to carry out due diligence on donors to ensure that we are fundraising within the law.

e) Management of volunteers and agents: If you are one of our valued volunteers or agents we will need to use your personal information to manage your activities, deliver training, involve and update you on our projects and campaigns and to ensure your safety. This may include sending you newsletters or information about our activities so that you are best equipped to perform your role.

The information we will collect may include (amongst other things);

  • your contact and biographical information

  • references and searches regarding your background

  • any relevant health information - see part 2(g) below

  • information about your gender, ethnicity, religion, or sexual orientation - see part 2(g) below

  • information about your level of education and relevant training

  • feedback and comments about your volunteering experience, progress and appraisals

f) Staff administration: We employ a number of staff who are crucial to delivering our programmes and raising the funds to provide our charitable services, as well as providing a range of professional and technical support. This may include certain sensitive personal information - see section 2(g) below. We process the personal information of our employees for recruitment, staff administration, remuneration, pensions and performance management purposes.

g) Sensitive personal information: Under data protection law, certain categories of personal information are recognised as sensitive, including health information, ethnicity, religious beliefs, sexual orientation, and political opinions (‘sensitive personal data’). We will only collect sensitive personal data if there is a clear reason for doing so. This will include where we need this information to ensure that we provide appropriate advice or support to our service users; to ensure that our service is open and accessible to everyone who needs support; or to help us promote equality of opportunity and attract and retain diverse and talented people onto our team as staff or volunteers. We will only use sensitive information with your consent and for the purposes for which it is provided. You can withdraw your consent at any time.

h) Accepting donations: If you are kind enough to make donations to our charity, we may collect some or all of the following information in order to process you donations. We may also ask if you are able and prepared to Gift Aid any of your donations;

  • your contact details and preferences

  • payment details including details about your bank account and/or payment card

  • details of donations you have made previously

  • any Gift Aid declarations you have made


3.   Lawful processing

Like all organisations in the UK, we need a lawful basis to collect and use personal data. The law allows for six legitimate purposes which organisations can rely on to legally process people’s personal data. Of these, only three are relevant to us for the type of activities listed above:

  • Information is processed on it being a legitimate interest for us to do so

  • Information is processed based on an individual’s consent

  • Information is processed in line with a contractual relationship

a) Legitimate interests

This basis covers the majority of the personal information we collect and process. The law allows personal data to be legally collected and used by an organisation if it is necessary for a legitimate business (or in our case charitable) interest of the organisation.

When we process your personal information as part of our legitimate interests, we will always consider if it is fair and balanced to do so and whether it would be within your reasonable expectations that we would use your data in this way. We will balance your rights and our legitimate interests to ensure that the way in which we use your data never goes beyond what you would expect and is not unduly intrusive or unfair. For example, if you are one of our service users who asks us to assist you to resolve your difficulties, you would reasonably expect us to collect and process your personal data in order to be able to provide you with the best advice and support.

What are our legitimate interests?

Delivery of our charitable aims as set out in our charitable objects:

  • Provision of debt advice, benefit advice, budget coaching and money education, including the Money Course

  • Provision of related support services

  • Assistance with benefit applications, grants applications, benefit appeals on behalf of clients

  • Assistance with insolvency applications on behalf of clients

  • Training of team members in order to deliver our service, which may involve using your data for training purposes, including live monitoring or recording of phone calls and emails

Compliance:

  • To fulfill our safeguarding responsibilities and meet our welfare obligations towards vulnerable clients

  • Reporting criminal acts where appropriate and compliance with the legal instructions of law enforcement agencies

  • Monitoring the quality of our service to ensure we comply with regulatory requirements

  • Internal and external audit for financial, quality assurance, or regulatory compliance

  • Statutory reporting

Publicity and income generation:

  • Conventional direct marketing by direct mail and other forms or marketing, publicity or advertisement

  • Unsolicited communications to Churches and other organisations with whom we work closely in order to publicise our appeals and campaigns

  • Personalisation to tailor and enhance the supporter experience in our digital and postal communications

  • Analysis, targeting and segmentation to develop fundraising strategy and improve communication efficiency

  • Processing for research purposes

Operational management:

  • Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes

  • Provision and administration of staff benefits such as pensions

  • Physical security, IT and network security

  • Processing for historical, research or statistical purposes

Financial management and control:

  • Processing of financial transactions and maintaining financial controls

  • Prevention of fraud, misuse of services, or money laundering

  • Enforcement of legal claims

Purely administrative purposes:

  • Responding to any solicited enquiry from any of our stakeholders

  • Delivery of requested products, resources or information packs

  • Administration of donations including direct debits and other existing financial transactions

  • Administration of Gift Aid

  • Providing 'thank you' communications and receipts

  • Maintaining 'do not contact' lists

b) Consent

We will seek your consent to process your data in any of the following ways. Where you give us consent to process your data we will always keep a clear record of how and when this consent was obtained.

  • Before we share information about service users: Our charitable activities includes us working on our clients’ behalf to to assist them to resolve their difficulties. This may involve speaking with, negotiating with, seeking information from, and intermediating on behalf of our service users with third party organisations. These third party organisations may include creditors, landlords, benefit agencies, the Courts, support agencies and other third parties in relation to the situation our service users are seeking about support about. We may also share personal information about service users when making referrals to other organisations who may be able to provide support. We will always ask the consent of our service users before we share any information with any such third parties in relation to their case.

  • If we collect ‘sensitive personal data’: We will always seek your consent to process or share any sensitive personal data about yourself (see 2(g) above), for example any health condition that may be relevant.

  • To send marketing or fundraising communications: We will always ask for your consent to send you marketing by email, SMS or other digital means. We will also ask you for your consent before contacting you by telephone for the purpose of marketing or fundraising

  • For certain recruitment practices: For those applying for a job or a volunteering position with us, we will ask for your consent to contact third parties such as referees, to undertake a DBS check if appropriate, or for other vetting purposes

c) Contractual relationships

This purpose primarily relates to how we process the data that we hold in relation to our staff, and in some circumstances, our volunteers and agents. The majority of our relationships with supporters and beneficiaries are voluntary and not contractual and so rely on a different legal basis.


4.   Data retention

We remove personal data from our systems in line with our data retention policy below. The length of time each category of data will be retained will vary on how long we need to process it, the reason it is collected, and in line with any statutory requirements. After this point the data will either be deleted or rendered anonymous.

  • Call log: We keep a record of calls made to our service so that we can return calls and handle any enquiries. We will keep details on our call log for a maximum of 6 months unless the individual becomes a client.

  • Service User Enquiries and in-bound referrals: If anyone contacts us to enquire about accessing our service, or we receive personal information about potential service users from third parties who wish to refer individuals to us for support, we will keep any personal data for a maximum of 2 years, unless the individual becomes a Service User. This is to ensure we are able to respond to any enquiry and manage any missed appointments or subsequent actions, and for audit purposes.

  • Service User records: If someone becomes a client, we will keep their case records for a maximum of 6 years after their case is closed or we cease acting for them. This is to ensure we can provide further assistance if a client subsequently needs our help again, and for regulatory and audit reasons to ensure that we are able to manage any future complaints or enquiries.

  • Money Course website and Budget Builder subscribers: We will retain a user’s details for as long as they remain a subscriber.

  • Staff and Volunteer records: If someone becomes a member of our team, we will keep their personnel records for a maximum of 6 years after they cease working/volunteering for us in order to comply with employment regulations and for audit purposes.

  • Donor records: We will keep records of our donors for a maximum of 6 years after their last donation in order to comply with HMRC and charity law regulations, and for financial audit purposes.

  • Supporter / Marketing records: We will keep the contact details of those who have consented to receiving news and updates from us until they tell us that they no longer which to receive such information.

  • Recruitment records: Where you provide personal data and sensitive personal data when applying for a job or volunteering opportunity, such as the information on your CV, we will process, store and disclose this personal data to support the recruitment process. CVs and application details will be stored for a period of 2 years for audit purposes before being deleted, unless the individual becomes an employee.


5.   Data sharing

We will only share your personal data with others in very limited situations.

a) Within the Crosslight ‘family’: Because of our common purpose, the individual charities listed in section 1 above (which includes Crosslight and the charities which support us) share certain information between ourselves. We have therefore entered into a formal data sharing agreement which outlines the protection and procedures in place to regulate this sharing of data and ensures that it is handled in compliance with this Privacy Policy. The data we share between ourselves is limited to;

  • Fundraising, campaigning and marketing (as outlined in section 2d)

  • Management of volunteers and agents (as outlined in section 2e)

  • Staff administration (as outlined in section 2f)

  • Accepting donations (as outlined in section 2h)

b) Externally:

  • Service users: We may share your data if you are one of the users of our charitable services and we need to share your data in order to best support you. But we will only ever do this with your consent (see 3b above)

  • Companies that provide services to us: We may need to share personal information where we use third party suppliers, for example software providers or to send out emails or marketing information on our behalf. These organisations have their own data processing rules which you can read if you have any questions about how they process data, using the following links. We will always ensure that these providers are compliant with data protection regulations, and we delete information from these suppliers as soon as possible when it’s no longer needed. The current list of third-party providers includes: Trustfolio (to obtain credit reports for service users, and access to open banking with the consent of service users); Mailchimp (for email marketing); Squarespace (for web hosting); Thinkific (which we use to host team training and induction, the Money Course player and Leader’s Hub online); Active Campaign (for Money Course user messaging); Donorfy (for donations and grants administration); Typeform (for surveys, feedback, and Money Course exercises); Keybridge IT (acting as processors based in the UK who provide IT and system administration services); Meet Edgar (which we use to schedule and send social media posts); Xodo (for legal documentation and client authorities); and Weio (who administer and host our Money Course Budget Builder)

  • Legal and audit: Other circumstances in which we may share your personal data would be to fulfill our safeguarding obligations, for audit purposes, or if we are compelled to do so by a legal authority acting in compliance with the law. For example, the quality of advice we give is audited by our membership body and external quality auditors to ensure we are always giving the best advice possible. And as a regulated entity, we may also have to reveal information to our regulator, The Financial Conduct Authority. In these situations we will always ensure your data is treated confidentially and that it is not used for any unlawful or illegitimate purpose

We will never sell your personal information to anyone.

We will never share your personal information with an external organisation for their own marketing purposes.


6.   Your data rights

Where we are using your personal information based on your consent, you have the right to withdraw that consent at any time. You also have the right to ask us to stop using your personal information for direct marketing purposes.

The law also gives you a number of other rights in relation to your personal data. Contact us on info@crosslightadvice.org or on 0300 373 1180 and we will amend your details accordingly.

  • Right to be informed: You have the right to be told how your personal information will be used. This policy document, and shorter summary statements used on our forms and other communications, are intended to be a clear and transparent description of how your data may be used.

  • Right of access: You can write to us asking what information we hold on you and to request a copy of that information. We have 30 days to comply once we are satisfied you have rights to see the requested records and we have successfully confirmed your identity.

  • Right of erasure: In certain circumstances you have the right to be forgotten (i.e. to have your personally identifiable data deleted). In many cases however, we are required by law or other regulations to retain your data - for example we are required to keep data about service users, and staff/volunteers, for 6 years. If this applies, we will ensure that your data remains secure and is not used for any purpose other than those allowed. Please contact us if you have any questions about this.

  • Right of rectification: If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated.

  • Right to restrict processing: In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.

  • Right to data portability: Where we are processing your personal data under your consent the law allows you to request data portability from one service provider to another. This right is largely seen as a way for people to transfer their personal data from one service provider to a competitor and is unlikely to be relevant to your relationship with us.

  • Right to object: You have an absolute right to stop the processing of your personal data for direct marketing purposes.

  • Right to object to automated decisions: In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions 'that have a legal effect on you', you have the right to object. This right is more applicable to mortgage or finance situations. We do not use your data in such a way and so this right is not relevant in your relationship with us.


7.  COOKIES

We collect data using cookies. A cookie is a text file that is sent from our website/s as soon as you visit the site. It is stored on your computer’s hard drive and helps us to identify your computer (not you) and collects information in an aggregate, anonymous way.

Cookies may be used to collect information about your visit to our website/s, for example, traffic data, location data, device information, the date and time of your visit and the pages that you visit. The use of cookies is an industry standard for most major websites.

The cookie data that we collect we may use to:

  • Customise the content on our website/s and to help us understand visitor’s current and future needs

  • Process any requests, applications or transactions you may make

  • Aid internal administration and analysis

Managing cookies: Most browsers allow you to turn off the cookie function. To do this you can look at the help function on your browser.

Third party cookies: We occasionally work with third party suppliers who set cookies on our website to enable them to provide us with services. These are mainly used for reporting and advertising purposes so we can improve the way we communicate.

We occasionally use websites such as YouTube and Vimeo to embed videos and you may be sent cookies from these websites. We do not control the setting of these cookies, so we suggest you check the third-party website for more information about their cookies and how to manage them.

As some of these services may be based outside of the UK and the European Union, they may not fall under the jurisdiction of UK courts. If you are concerned about this you can change your cookie settings (see above).

Policy created: 09.04.18

Policy updated: 10.04.24