Privacy policy
Food And Solidarity Limited — Privacy Policy
ICO Registration Reference: ZB537641
Last updated: 25 May 2026
1. Who we are
Food And Solidarity Limited ("we", "us", "our") is a community organisation based in Newcastle upon Tyne. We operate a food parcel service, housing rights support, and community solidarity activities. We also act as a fiscal host on the Open Collective platform for community groups.
We are registered as a data controller with the Information Commissioner's Office (ICO) under reference ZB537641 (valid until 19 April 2027).
Registered address: 120–126 Buckingham Street, Newcastle upon Tyne, NE4 5QR
General enquiries: organiser@foodandsolidarity.org
Data protection enquiries: legal@foodandsolidarity.org
Phone: 07393 101018
Data Protection Officer assessment: We have assessed whether we are required to designate a Data Protection Officer under Article 37 UK GDPR. As a small community organisation that is not a public authority and does not carry out large-scale systematic processing of special category data, appointment of a DPO is not mandatory. We have nonetheless designated legal@foodandsolidarity.org as our primary data protection contact.
2. What this policy covers.
This policy explains what personal data we collect — both directly from you and indirectly via third-party platforms such as Open Collective — why we collect it, the lawful basis for each use, who we share it with, how long we keep it, and your rights under UK GDPR and the Data Protection Act 2018. It also explains what cookies our website (foodandsolidarity.org) uses and how you can control them.
A separate section at the end covers the WhatsApp Community Privacy Agreement for members.
Our data protection principles (Article 5 UK GDPR)
In all our processing activities we adhere to the seven data protection principles:
- Lawfulness, fairness and transparency — we process data on a lawful basis and are open about how we use it
- Purpose limitation — data is collected for specific, explicit, and legitimate purposes and not used for anything incompatible with those purposes
- Data minimisation — we collect only what is adequate, relevant, and necessary for each purpose
- Accuracy — we take reasonable steps to keep data accurate and up to date; please tell us if your details change
- Storage limitation — data is kept no longer than necessary; see our retention table in Section 9
- Integrity and confidentiality — data is processed securely and protected against unauthorised access, loss, or destruction
- Accountability — we are responsible for compliance with these principles and can demonstrate it
3. Personal data we collect
We apply the data minimisation principle across all our processing: we collect only what is adequate, relevant, and limited to what is necessary for the specific purpose. Where we no longer need data for the purpose it was collected, we delete it.
3a. Data you give us directly (Article 13 UK GDPR)
We collect the following personal data directly from you:
- First name and last name
- Email address
- Phone number
3b. Special category data — union membership (Article 9 UK GDPR)
We collect union membership information only where you apply for a striker solidarity food parcel. This is special category data. We collect the minimum information necessary to assess your application, rely on your explicit consent (Article 9(2)(a)), and delete it immediately once the assessment is complete. It is never used for any other purpose.
Is providing your data mandatory? You are not legally required to give us your personal data. However, without basic contact details (name, email or phone) we cannot process food parcel requests or respond to you. Without union membership information we cannot assess striker solidarity parcel applications. You may withdraw consent for communications at any time without affecting your access to essential services.
3c. Data we receive indirectly via Open Collective (Article 14 UK GDPR)
Food And Solidarity Limited acts as a fiscal host on the Open Collective platform (opencollective.com). In this capacity, Open Collective (operated by OFi Technologies LLC, USA) shares with us personal data about individuals who contribute to, or submit expense claims through, collectives we host. The categories of data we may receive include:
- Name and email address of contributors or expense claimants
- Contribution amounts and dates
- Expense reimbursement details and supporting information
- Organisation or collective affiliation
We use this data solely to fulfil our fiscal hosting obligations — receiving, holding, and disbursing funds on behalf of hosted collectives, and maintaining accurate financial records as required by law.
Your right to be informed (Article 14): Because this data reaches us via Open Collective rather than directly from you, we have an obligation under Article 14 UK GDPR to inform you of our processing within one month of receiving your data. Open Collective's own Privacy Policy notifies contributors that data may be shared with fiscal hosts. If you believe we hold your data via Open Collective and have not been informed, contact legal@foodandsolidarity.org and we will provide a full account of what we hold and why.
3d. Data collected automatically via our website
When you visit foodandsolidarity.org, Squarespace and our analytics services automatically collect certain technical data, including:
- IP address (anonymised before storage by Google Analytics 4; retained in Squarespace server logs for 90 days for security purposes)
- Browser type and version
- Device type and operating system
- Pages visited and time spent on pages
- Referral source (how you arrived at the site)
Lawful basis: Processing of technical data for website security and fraud prevention relies on our legitimate interests (Article 6(1)(f)). Processing for analytics purposes relies on your consent (Article 6(1)(a)), given via our cookie banner. No analytics data is collected unless you have consented.
4. Lawful basis for processing
We rely on the following lawful bases under UK GDPR, mapped to each processing activity:
Consent (Article 6(1)(a))
We rely on your freely given, specific, and informed consent for:
- Sending marketing or promotional communications by email, SMS, or WhatsApp
- Collecting union membership information for striker solidarity parcel applications (explicit consent under Article 9(2)(a) as special category data)
- Non-essential cookies and the analytics and marketing data they generate — given via our cookie banner under PECR. The corresponding UK GDPR lawful basis for that data is also consent.
- Processing of website analytics data (Squarespace analytics, Google Analytics 4)
You may withdraw consent at any time by contacting legal@foodandsolidarity.org, following opt-out instructions in any communication, or adjusting your cookie preferences via the banner on our website. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Performance of a contract (Article 6(1)(b))
We rely on this basis for:
- Processing membership fees, donations, and other payments — processing your payment data is necessary to complete the transaction you have entered into with us
Legitimate interests (Article 6(1)(f))
We rely on legitimate interests for:
- Managing food parcel and support requests
- Sending transactional service communications (e.g. confirming a parcel collection)
- Community news and service updates (non-marketing)
- Community organising and campaigning activity
- Fulfilling our fiscal hosting obligations on Open Collective
- Processing technical data (including IP addresses) for website security and fraud prevention. Note: strictly necessary cookies involved in this are exempt from PECR consent under Regulation 6(4) PECR — a PECR exemption separate from the GDPR lawful basis.
A Legitimate Interests Assessment (LIA) has been conducted for each of these activities and is available on request from legal@foodandsolidarity.org. Our assessment is that our interests in operating a community solidarity service do not override your rights and freedoms.
Legal obligation (Article 6(1)(c))
We retain financial and payment records — including Open Collective fiscal host records — for 7 years to comply with HMRC requirements and the Companies Act 2006.
5. Electronic communications and PECR
The Privacy and Electronic Communications Regulations 2003 (PECR) are a separate legal framework sitting alongside UK GDPR. PECR governs electronic marketing messages and the use of cookies on our website.
PECR has its own consent standard. Under PECR:
- Strictly necessary cookies are exempt from consent under Regulation 6(4) PECR and may be set without prior consent.
- All other cookies (analytics, marketing, embedded content) require prior, informed, and freely given PECR consent before being set. We obtain this via our cookie banner.
- We will only send marketing or promotional messages (email, SMS, WhatsApp) with specific prior PECR consent.
- We may send transactional messages to existing contacts without separate PECR consent, where these relate directly to the service engaged with.
- You can opt out of marketing communications at any time by replying STOP to any SMS, following the unsubscribe link in any email, or contacting legal@foodandsolidarity.org.
- Opting out of marketing communications does not affect your access to our services.
- You can withdraw PECR consent for non-essential cookies at any time via the cookie settings link in our website footer.
Note on WhatsApp Business API messages: In addition to our WhatsApp Community groups (covered in the separate WhatsApp Community Privacy Agreement at the end of this policy), we may send individual or broadcast WhatsApp messages and SMS messages via Brevo, our communications platform. WhatsApp messages sent via Brevo come from the number +44 7441 396673. These messages are sent through the WhatsApp Business API and are subject to this Privacy Policy and the PECR consent requirements above. Meta processes data transmitted via the WhatsApp Business API under its own terms. Brevo acts as our data processor for these communications.
6. Cookies and tracking technologies
Our website (foodandsolidarity.org) uses cookies. A cookie is a small text file placed on your device when you visit a website. We use four categories. Non-essential cookies are only set after you have given consent via our cookie banner.
6a. Cookie categories
Strictly necessary — no consent required (Regulation 6(4) PECR). The only strictly necessary cookie we set is Squarespace's CSRF protection cookie ('crumb'), which prevents cross-site request forgery. It is exempt from the PECR consent requirement and set automatically on every visit.
Analytics — PECR consent required. We use Google Analytics 4 (which anonymises IP addresses before storage) and Squarespace's built-in analytics. Data is aggregated. These cookies are only set after consent.
Marketing — PECR consent required. We use the Meta (Facebook) Pixel solely to measure the reach of our social media campaigns. We do not use Pixel data for Custom Audiences or retargeted advertising. See Section 7 for a note about our audience and Section 8 for our joint controller arrangement with Meta. These cookies are only set after consent.
Embedded content — PECR consent required. Our website embeds YouTube videos (using YouTube's privacy-enhanced mode at youtube-nocookie.com — no cookies are set unless you actively play a video), Instagram social media feeds, and Action Network campaigning forms or petitions. Embedded content is configured to load only after you have given cookie consent. When loaded, these providers set their own cookies as listed in the table below.
6b. Cookie table
| Cookie name | Provider | Purpose | Duration | Category |
|---|---|---|---|---|
| crumb | Squarespace | CSRF protection — prevents cross-site request forgery | Session | Strictly necessary |
| ss_cid | Squarespace | Anonymous visitor identifier for site analytics | 2 years | Analytics |
| ss_cvr | Squarespace | Anonymous visitor identifier for conversion tracking | 2 years | Analytics |
| ss_cvisit | Squarespace | Session identifier to track visit duration | 30 minutes | Analytics |
| ss_cvt | Squarespace | Timestamp of most recent page view | 30 minutes | Analytics |
| _ga | Google Analytics 4 | Distinguishes unique users; IP anonymised before storage | 2 years | Analytics |
| ga[ID] | Google Analytics 4 | Maintains session state; IP anonymised before storage | 2 years | Analytics |
| _gid | Google Analytics 4 | Distinguishes users; refreshed daily | 24 hours | Analytics |
| _fbp | Meta (Facebook Pixel) | Identifies browsers for campaign measurement (joint controller — see §8) | 3 months | Marketing |
| fr | Meta (Facebook Pixel) | Measures effectiveness of social media campaigns | 3 months | Marketing |
| datr | Meta | Browser identification for security and fraud prevention | 2 years | Marketing |
| VISITOR_INFO1_LIVE | YouTube (privacy-enhanced mode) | Estimates bandwidth; only set if video is actively played | 6 months | Embedded content |
| YSC | YouTube (privacy-enhanced mode) | Tracks video views within a session; only set if video is played | Session | Embedded content |
| ig_did | Instagram (Meta) | Device identifier for embedded feeds (loaded post-consent only) | 10 years | Embedded content |
| csrftoken | Instagram (Meta) | Security cookie for embedded feeds (loaded post-consent only) | 1 year | Embedded content |
| _anon_id | Action Network | Anonymous visitor identifier for Action Network pages and embedded forms (loaded post-consent only) | 1 year | Embedded content |
Note on Google Analytics 4 and IP addresses: GA4 automatically anonymises IP addresses before storage. We do not receive or store full IP addresses via GA4. Squarespace server logs retain IP addresses for up to 90 days for security purposes.
Note on Action Network: Action Network acts as our CRM and holds our member and supporter contact database. If you interact with Action Network pages or forms linked from our website, Action Network may set additional cookies beyond those listed. Their full privacy and cookie information is available at actionnetwork.org/privacy.
6c. Your cookie choices
When you first visit our website, our cookie consent banner allows you to accept or decline non-essential cookies by category. Accept and reject options are presented with equal prominence. You can change your preferences at any time via the "Cookie settings" link in our website footer.
You can also control cookies through your browser settings:
- Google Chrome: support.google.com/chrome/answer/95647
- Firefox: support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari: support.apple.com/guide/safari/manage-cookies-sfri11471/mac
- Microsoft Edge: support.microsoft.com/microsoft-edge/cookies
To opt out of Google Analytics across all websites: tools.google.com/dlpage/gaoptout
Cookie banner compliance: Our Squarespace cookie banner is configured to block non-essential cookies until consent is given. Accept and reject options are presented with equal prominence. If you believe our banner is not functioning correctly, please contact legal@foodandsolidarity.org.
7. How we use your data
We use personal data to:
- Respond to and manage your requests for food parcels or other support
- Contact you about your request or our services
- Send you community news, updates, and campaign information (where you have consented)
- Process membership fees or donations
- Assess striker solidarity parcel eligibility (union membership used only for this purpose)
- Receive, hold, and disburse funds on behalf of collectives we host on Open Collective, and maintain accurate financial records
- Understand how our website is used and improve it (analytics cookies, with your consent)
- Measure the reach of our social media campaigns (Meta Pixel, with your consent — see note below)
- Analyse service take-up on an anonymised basis to improve our offer
No automated decision-making: We do not use automated decision-making or profiling. All eligibility decisions involve human review.
Note on Meta Pixel and our audience: Our organisation serves people who may be experiencing financial hardship or housing insecurity. We have considered the sensitivity of this in our use of the Meta Pixel, including by carrying out a Data Protection Impact Assessment (DPIA) as required by Article 35 UK GDPR. We use the Pixel solely to measure whether visitors to our website have come from our Facebook or Instagram posts. We do not use Pixel data to create Custom Audiences, retarget site visitors with advertising, or infer financial circumstances for any purpose. You can decline marketing cookies via our cookie banner, or adjust your Facebook advertising preferences at facebook.com/adpreferences. A copy of our DPIA is available on request from legal@foodandsolidarity.org.
8. Who we share your data with
We do not sell your personal data or share it with any third party for their own marketing purposes.
We share data only with the service providers listed below, where necessary to operate our services. We have entered into written data processing agreements (DPAs) with all processors as required by Article 28 UK GDPR. For transfers to countries without a UK adequacy decision, we rely on Standard Contractual Clauses (SCCs) and have conducted Transfer Risk Assessments (TRAs) in accordance with ICO guidance to verify that SCCs provide effective protection in each destination country.
Important note on Meta / WhatsApp: Meta Platforms Inc. processes your data as an independent data controller under its own Privacy Policy and Terms of Service, not as our processor. We have no control over Meta's own data practices. By using WhatsApp you are also subject to Meta's terms.
Note on Open Collective: OFi Technologies LLC (Open Collective) shares contributor and expense data with us as fiscal host. Their Privacy Policy is available at opencollective.com/privacypolicy.
Joint controller relationship with Meta (Facebook Pixel) — Article 26 UK GDPR
When you visit our website and the Meta Pixel is active (after consent), Food And Solidarity Limited and Meta Platforms Inc. are joint controllers for the data collected at the point of transmission to Meta. This is established by the Fashion ID principle applied in UK data protection law.
Food And Solidarity determines the purpose of using the Pixel (campaign reach measurement); Meta determines how it subsequently processes that data for its own purposes. Meta's Controller Addendum (facebook.com/legal/controller_addendum) governs our Article 26 UK GDPR joint controller arrangement. Meta is primarily responsible for enabling data subject rights in relation to the data it holds.
You may exercise your data subject rights against either Food And Solidarity (legal@foodandsolidarity.org) or Meta (facebook.com/privacy/policy).
Note: Meta's role as controller for WhatsApp data is entirely separate and independent from its joint controller role for Pixel data.
| Service | Purpose | Location | Safeguard / role |
|---|---|---|---|
| Google (Drive / Analytics) | Document storage; website analytics (IP anonymised) | USA | UK adequacy / SCCs; TRA conducted; DPA in place |
| Meta (WhatsApp) | Community communications | USA | SCCs; TRA conducted; Meta is independent controller for WhatsApp data; DPA in place |
| Meta (Facebook Pixel) | Campaign reach measurement | USA | SCCs; TRA conducted; JOINT CONTROLLER for Pixel collection phase (Article 26) — see §8 |
| Brevo | SMS and WhatsApp Business API communications | EU (France) | UK adequacy decision; DPA in place |
| Action Network | CRM; contact management; campaigning and organising | USA | SCCs; TRA conducted; DPA in place |
| Open Collective (OFiTech) | Fiscal hosting platform | USA | SCCs; TRA conducted; shares contributor data with us as fiscal host; DPA in place |
| YouTube (Google) | Embedded video (privacy-enhanced mode) | USA | UK adequacy / SCCs; TRA conducted; DPA in place |
| Instagram (Meta) | Embedded social media feeds (post-consent only) | USA | SCCs; TRA conducted; DPA in place |
| Squarespace | Website hosting and analytics | USA | SCCs; TRA conducted; DPA in place |
| GoCardless | Payment processing | UK / International | SCCs where applicable; DPA in place |
| Stripe | Payment processing | USA | SCCs; TRA conducted; DPA in place |
| Wise | Payment processing | UK / International | SCCs where applicable; DPA in place |
| Square (squareup.com) | Payment processing | USA | SCCs; TRA conducted; DPA in place |
| CallHub.io | SMS and phone communications | Australia | SCCs (no UK adequacy); TRA conducted; DPA confirmed |
9. How long we keep your data
We keep personal data only for as long as necessary for the purpose for which it was collected. The table below sets out our specific retention periods and the basis for each.
| Data type | Retention period | Basis |
|---|---|---|
| Food parcel / support request records | 2 years after last contact or request | Legitimate interests — to resolve any disputes or queries |
| Membership data | Duration of membership + 1 year after leaving | Legitimate interests — administration and continuity |
| Financial / payment records (own) | 7 years from transaction date | Legal obligation (HMRC / Companies Act 2006) |
| Open Collective fiscal host records | 7 years from transaction date | Legal obligation (HMRC / Companies Act 2006) |
| Union membership (special category) | Deleted immediately after striker solidarity parcel assessment is complete | Explicit consent — purpose ceases on assessment |
| Campaign and organising data | 2 years after last engagement | Legitimate interests — community organising |
| WhatsApp community data | Deleted on leaving the community | Consent — withdrawn on departure |
| Communications opt-in records | Duration of consent + 3 years | Legal obligation — to demonstrate consent was given |
| Cookie consent records | 3 years from date of consent | Legal obligation — to demonstrate consent was given |
| Website technical / IP data (security) | 90 days (Squarespace server logs) | Legitimate interests — website security and fraud prevention |
When data is no longer needed we delete it securely. Financial records are retained for 7 years to comply with our legal obligations regardless of other considerations.
10. How we protect your data
Your data is stored on our Google Drive, protected by passwords, access controls, and two-factor authentication. Access is restricted to authorised staff and volunteers only.
No electronic storage system is entirely risk-free. In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay where required by Article 34 UK GDPR.
Where our processing activities are likely to result in a high risk to individuals' rights and freedoms, we carry out a Data Protection Impact Assessment (DPIA) before commencing that processing, as required by Article 35 UK GDPR. We have carried out a DPIA for our use of the Meta Pixel on a website serving potentially vulnerable individuals. DPIAs are reviewed periodically and when processing activities change materially. Copies are available on request from legal@foodandsolidarity.org.
If you have concerns about data security, contact legal@foodandsolidarity.org.
11. Children
Our services are not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe we hold such data, please contact legal@foodandsolidarity.org and we will delete it promptly.
12. Your rights
Under UK GDPR you have the following rights. You can exercise any of them by contacting legal@foodandsolidarity.org. We will respond within one month. Where a request is complex or numerous, we may extend this by a further two months; we will notify you within the first month if an extension is needed (Article 12(3) UK GDPR). This includes rights in relation to data we hold as a result of our fiscal hosting activities on Open Collective.
- Right of access (Article 15) — to request a copy of the personal data we hold about you.
- Right to rectification (Article 16) — to have inaccurate or incomplete data corrected. Please inform us if your details change so we can keep your data accurate.
- Right to erasure (Article 17) — to request deletion of your data where there is no lawful reason to retain it, including cookie-based data (which you can also remove by clearing your browser cookies). Note: where data is retained under a legal obligation — such as 7-year financial and fiscal host records required by HMRC — we are unable to fulfil an erasure request for that data during the legally required retention period.
- Right to restriction (Article 18) — to ask us to limit how we process your data in certain circumstances.
- Right to data portability (Article 20) — to receive data you have given us in a portable, machine-readable format.
- Right to withdraw consent (Article 7(3)) — at any time, for any processing based on consent, without affecting prior lawful processing.
Right to object (Article 21) — important: You have the right to object at any time to processing of your personal data where we rely on legitimate interests as our lawful basis — including processing of data received via Open Collective in our fiscal host capacity, and processing of technical website data for security purposes. If you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defence of legal claims. To exercise this right contact legal@foodandsolidarity.org.
Rights in relation to Meta Pixel data: For data processed under our joint controller arrangement with Meta, you may exercise your data subject rights against either Food And Solidarity (legal@foodandsolidarity.org) or Meta directly (facebook.com/privacy/policy). Meta's Controller Addendum confirms Meta's primary responsibility for enabling rights in relation to the data it holds.
13. Right to complain to the ICO
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We would, however, welcome the opportunity to address your concern directly first — please contact legal@foodandsolidarity.org.
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
14. Changes to this policy
We may update this policy from time to time. The current version will always be available on our website at foodandsolidarity.org/privacy-policy. Where changes are significant we will notify you directly where possible.
WhatsApp Community Privacy Agreement
For Food & Solidarity members only
This agreement supplements the main Privacy Policy above and applies specifically to your participation in the Food & Solidarity WhatsApp community.
W1. Data controller
Food And Solidarity Limited is the data controller for data you share with us through WhatsApp. Our Business WhatsApp accounts are +44 7393 101018 and +44 7598 566043.
Meta's independent role for WhatsApp: Meta Platforms Inc. (WhatsApp) processes your data as a separate, independent data controller under its own Privacy Policy and Terms of Service. This is entirely distinct from Meta's joint controller role in relation to the Meta Pixel on our website (see Section 8). We do not control or have access to the data Meta holds about you as a WhatsApp user. If you have concerns about Meta's data practices, these should be directed to Meta.
W2. What data is collected
By joining the WhatsApp community your phone number and WhatsApp profile details (including profile photograph and any information on your profile) will be processed.
- Announcement group only: your data is shared only with Food & Solidarity's Business WhatsApp account. You will not be visible to other members.
- Community sub-groups: if you join any associated sub-groups, your phone number, profile photograph, and other WhatsApp profile details will be visible to other members of that group. Membership is restricted to Food & Solidarity members. By joining a sub-group you consent to this sharing.
W3. Purpose and lawful basis
Your data is used to facilitate communication within the Food & Solidarity community and to manage the community effectively. The lawful basis is consent (Article 6(1)(a)). You may withdraw consent at any time by leaving the community.
W4. Data security
We take appropriate technical and organisational measures to protect your personal data from unauthorised access, alteration, or destruction within the systems we control. We cannot control the security of Meta's own systems.
W5. Data retention
We retain your personal data for as long as you remain a member of the WhatsApp community. When you leave, your data will be removed from our records within a reasonable period, unless retention is required by law.
W6. Your rights and complaints
You have the same rights as described in sections 12 and 13 of the main Privacy Policy above. The same one-month response timeframe and Article 12(3) extension provision apply.
- To exercise your rights regarding data we hold: legal@foodandsolidarity.org
- To complain to the ICO: ico.org.uk | 0303 123 1113
- For concerns about Meta's data practices: whatsapp.com/legal/privacy-policy
W7. Consent and agreement
By adding yourself to this community you confirm you have read, understood, and agree to the terms of this WhatsApp Privacy Agreement and the main Food & Solidarity Privacy Policy. You understand that Meta processes your data as a separate controller under its own terms.
Food And Solidarity Limited · ICO Ref: ZB537641
legal@foodandsolidarity.org · organiser@foodandsolidarity.org · 07393 101018