Privacy Policy

How we collect, use, and protect your personal information.

This privacy policy explains how SHAX Charity collects, uses, and protects your personal information when you use our website and participate in our raffle. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR).

Last Updated: November 16, 2025
Effective Date: November 16, 2025

1. Introduction

Who We Are

SHAX is a Scottish registered charity dedicated to supporting people facing poverty and homelessness across Dumfries & Galloway. We operate fundraising activities, including a Christmas raffle, to support our charitable services.

Our website address is: https://shaxfundraising.co.uk

Legal entity: SHAX (Scottish Charity No. SC042940)

Data Controller

SHAX is the data controller for the personal information we collect. Our contact details are provided in the Contact Us section.

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.

2. Data We Collect

Personal Information

We collect the following types of personal information:

  • Contact Information: Name, email address, phone number
  • Payment Information: Billing address, payment method details (processed securely by Stripe)
  • Raffle Information: Ticket numbers, purchase history, prize claims
  • Communication Records: Correspondence with us via email, phone, or contact forms

Automatically Collected Information

When you visit our website, we may automatically collect:

  • IP address and browser information
  • Pages visited and time spent on site
  • Referring website information
  • Device and operating system information

Cookies and Tracking

We use cookies and similar technologies to enhance your experience and analyze website usage. See our Cookies section for more details.

3. How We Use Your Data

Raffle Administration

We use your personal information to:

  • Process raffle ticket purchases
  • Generate and send ticket confirmations
  • Conduct the raffle draw fairly and transparently
  • Notify winners and arrange prize collection
  • Maintain records as required by gambling regulations

Communication

We may use your contact information to:

  • Send important updates about the raffle
  • Respond to your enquiries and provide customer support
  • Send newsletters about our charitable activities (with your consent)
  • Notify you of future raffles and fundraising events

Legal Compliance

We process your data to comply with:

  • Gambling Act 2005 requirements
  • Charity Commission regulations
  • Tax and accounting obligations
  • Legal requests from authorities

Lawful Bases for Processing

We rely on the following lawful bases under UK GDPR:

  • Contract: to process ticket purchases, issue confirmations, run the draw, notify winners and fulfil prizes.
  • Legal obligation: to meet statutory requirements including gambling, tax and accounting regulations.
  • Legitimate interests: to secure our website and services, prevent fraud, and perform limited analytics to improve our services. We balance these interests against your rights.
  • Consent: for sending newsletters and marketing communications. You can withdraw consent at any time.

4. Data Sharing

Service Providers

We share information with trusted service providers who support our operations:

  • Payment processor: to process ticket purchases and prevent fraud
  • Email delivery provider: to send confirmations and service messages
  • Hosting provider: to run and secure our website
  • Delivery services: to arrange prize collection or delivery

Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal obligations
  • Protect our rights and property
  • Prevent fraud or illegal activities
  • Protect the safety of our users and the public

Data Protection

All third parties we work with are required to:

  • Use your data only for specified purposes
  • Implement appropriate security measures
  • Comply with GDPR requirements
  • Not use your data for their own purposes

5. Data Storage and Security

Data Retention

We retain your personal information for different periods depending on the purpose:

  • Raffle Records: 7 years (as required by gambling regulations)
  • Marketing Communications: Until you unsubscribe or request deletion
  • Website Analytics: 26 months (anonymized after 14 months)
  • Customer Support: 3 years after last contact

Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • SSL encryption for data transmission
  • Secure servers with regular security updates
  • Access controls and staff training
  • Regular security audits and assessments

Data Breaches

In the unlikely event of a data breach, we will:

  • Notify the Information Commissioner's Office within 72 hours
  • Inform affected individuals if there is a high risk to their rights
  • Take immediate steps to contain and investigate the breach
  • Implement additional security measures as needed

International Transfers

Some of our service providers (for example, payment processors and analytics providers) may process data outside the UK/EEA. Where this occurs, we ensure adequate safeguards are in place, such as adequacy decisions or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

6. Cookies and Tracking

What Are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience and understand how our site is used.

Types of Cookies We Use

Essential Cookies

These are necessary for the website to function properly. They include session cookies and security cookies.

Analytics Cookies

We use analytics tools to understand how visitors use our site. This helps us improve our website and services.

Functional Cookies

These remember your preferences and settings to provide a personalized experience.

Managing Cookies

You can control cookies through your browser settings. However, disabling certain cookies may affect website functionality.

Third-Party Cookies

Some cookies are set by services we use, such as our payment processor and analytics tools. These cookies are governed by the providers’ own privacy policies.

Examples of Cookies

  • session_id (session) – essential for site functionality – expires when you close your browser.
  • analytics_id – helps us understand site usage in aggregate – typical lifetime up to 26 months.
  • payment_session – supports secure payments and fraud prevention – typical lifetime up to 1 year.

If you publish a separate Cookie Policy, see that page for the full list and controls.

7. Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor's IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

8. Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

9. Your Rights

Under GDPR, you have the following rights:

Right of Access

You can request a copy of the personal information we hold about you.

Right to Rectification

You can ask us to correct any inaccurate or incomplete information.

Right to Erasure

You can request that we delete your personal information in certain circumstances.

Right to Restrict Processing

You can ask us to limit how we use your information in certain circumstances.

Right to Data Portability

You can request a copy of your data in a structured, machine-readable format.

Right to Object

You can object to certain types of processing, such as direct marketing.

Identity Verification & Exercising Your Rights

To exercise any of these rights, please contact us using the details in the Contact Us section. We will respond within one month of receiving your request.

We may request reasonable information to verify your identity before fulfilling your request.

Complaints

If you have concerns about how we handle your personal information, you can:

  • Contact us directly to resolve the issue
  • Complain to the Information Commissioner's Office (ICO)
  • Seek legal advice if necessary

10. Children's Privacy

We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us immediately and we will take appropriate steps to remove such information.

11. Contact Us

Data Protection Officer

For any questions about this privacy policy or to exercise your rights, please contact us:

Email: contact@shaxfundraising.co.uk
Phone: 01387 245358
Address: SHAX, Merrick House, The Crichton, Bankend Road, Dumfries, DG1 4TA
Registered Charity: SC042940

Information Commissioner's Office

If you wish to make a complaint about our data handling practices, you can contact the ICO:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF