1. WHO WE ARE
The Donor Debit platform is operated by Buffalo Fundraising Consultants Limited. Buffalo Fundraising Consultants Limited is referred to in this Privacy Notice as “us” or “we” and you can contact us using the details set out in paragraph  below. In this policy we describe the types of personal data which we collect and how it is used.
2. WHAT IS PERSONAL DATA?
Personal data includes all information held in electronic form or manually in a structured filing system relating to a living individual who can be identified from that data (or from that data and other information in our possession) and includes personal contact information and images.
3. WHAT PERSONAL DATA DO WE HOLD?
We hold personal data which you provide to us – for example, by completing a donation form when setting up a Direct Debit. The personal data that we collect and store contains the following:
Contact details such as name, email and address
Financial information, such as your bank account number, sort code, account holder name
Donation details such as amount, frequency and the chosen area of support
Gift Aid eligibility
We might also collect additional information on behalf of your chosen charity who will act as the data controller (e.g. your contact preferences)
In addition, we may also collect certain limited information (such as your browser type and IP address) automatically.
4. PURPOSES FOR WHICH PERSONAL DATA IS USED
We use your personal data for the following purposes:
We pass your information and details of our donation to your chosen charity who will act as the data controller.
We use your information to validate if the account details are correct and to verify if your chosen account accepts Direct Debits.
The information will be used to send you confirmation of your donation and the details of the Direct Debit that will be setup.
The information will be used to collect the donation you specified and manger any Direct Debit indemnity claims.
We will only use your information where we have obtained appropriate permissions from you (e.g. with tick boxes) and will only use the information in accordance with this Policy, or where it is required and authorised by law.
5. LEGITIMATE INTERESTS FOR THE USE OF YOUR DATA
We use your personal data, as permitted by the General Data Protection Regulation, where necessary for the following legitimate business interests:
To enable charities to receive donations
To provide charities with a means of collecting the details required to process donations via Direct Debits and managing the ongoing processing of the collections
To enable charities to send the notification required by the Direct Debit scheme
To identify and prevent fraud
6. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
We work closely with a number of trusted partners with whom we need to share personal information to help us operate the Donor Debit service. These include:
banks and payment providers - to authorise and complete payment transactions;
your chosen charity;
law enforcement bodies in order to comply with any legal obligation or court order and, where we are otherwise requested to provide information, we may provide it but only in accordance with applicable privacy and data protection laws
We may also provide information to third party service providers who process information on our behalf to help run some of our internal business operations including email distribution, IT services and customer services.
We will only share information with such organisations where we have your permission to do so in accordance with this policy, or where we believe it is necessary for a legitimate reason connected with the services we offer.
7. RETENTION OF PERSONAL DATA
We use the following criteria to determine the period for which personal data is retained:
for the period required for the purposes set out in paragraph 4 above; and/or
as required by the General Data Protection Regulation or other applicable law or regulation. Account numbers will be masked 90 days after a direct debit has lapsed or been cancelled.
8. ACCESS AND CONTROL OF PERSONAL DATA
In certain circumstances, you have the following rights under data protection laws:
access to your personal data;
rectification of your personal data;
restricting the use of your personal data;
erasure of your personal data; and/or
objecting to the processing of your personal data.
The circumstances in which you may take any of the above actions are set out in the General Data Protection Regulation.
You also have the right to lodge a complaint with a supervisory authority and, where we request your consent to process your personal data, to withdraw consent at any time by contacting us using the details set out in section 9 below.
9. HOW TO CONTACT US
If you have any questions about our use of your personal data, please contact us using the details below:
Donor Debit Team, Buffalo Fundraising Consultants Ltd, Whitefriars, Lewins Mead, Bristol, BS1 2NT
10. CHANGES TO THIS POLICY
We may update this Privacy Notice from time to time to reflect changes to our usage of personal data.